The Personal Data Protection Authority (“Authority”) published its principal decision on the blacklist applications of car rental companies, which conceptually includes joint data responsibility for the first time, in Official Gazette dated 20 January 2022 and numbered 31725.

When the notifications made to the Authority in the last period are evaluated, the following issues have been determined:

  • Personal data is processed by using some software, programs and applications called “blacklist” in car rental,
  • The data includes the negative comments that occurred during the use of the vehicles or the comments of the car rental company; and
  • The data is used by the said car rental company in subsequent car rental processes and made available to other car rental companies.

The decision stated that in accordance with article 5 of the Personal Data Protection Law numbered 6698 (“DP Law”), personal data cannot be processed without explicit consent, except in exceptional cases and data controllers should take all necessary technical and administrative measures to ensure the appropriate level of security in order to process personal data in accordance with the DP Law and ensure the security of personal data.

Accordingly, the Authority ruled on the following:

  • Car rental companies that have control over the said data will be considered as joint data controllers with software companies,
  • Illegal practices should be terminated, and necessary technical and administrative measures stipulated in the DP Law should be taken in data processing processes in the car rental sector
  • Necessary actions will be taken in accordance with the DP Law on data controllers who continue to use the blacklist application.

The full text of the principal decision is available at this link. (Only available in Turkish).