The Personal Data Protection Board (“Board”) published two new decisions regarding the disclosure of personal data in a local newspaper without explicit consent and the processing of e-Government passwords illegally and beyond the purpose.
- The matter subject to complaint is the sharing of the exam result document without the explicit consent of the data subject, by a local news website. The website published the exam result document containing the name, surname, photograph, higher education program and placement score of the data subject, by masking the T.R. identity number (“TCKN”).
- While data controller who published the news relies on freedom of the press, data subject has right to demand for protection of his personal data. The Board decided that the personal data processing activity subject to the complaint cannot be considered within the scope of freedom of expression in paragraph 1 of article 28 of Personal Data Protection Law numbered 6698 (“Law”), and that the personal data of the data subject is processed in violation of article 12 of the Law in the news on the website of the data controller.
- Considering the mitigating factor that personal data has been removed from the website as of the date of the decision, the Board decided to impose an administrative fine of TRY 30,000 on the data controller pursuant to subparagraph (b) of paragraph 1 of article 18 of the Law.
Summary of decision dated 17 February 2022 and numbered 2022/137 (Only available in Turkish):
- The matter subject to complaint was a shopping center’s unlawful processing of personal data by obtaining an e-Government password from the data subjects for billed purchases, and a TCKN for creating membership on the website.
- The Board determined that the personal data processing activities are carried out without relying on any of the data processing conditions in article 5 of the Law. In addition, the Board stated that the fact that the personal data of people who have previously signed up for the website by entering their TCKN on the page related to the membership application on the website of the data controller can be viewed by third parties indicates a data security gap. The Board decided to impose an administrative fine of TRY 300,000 in accordance with subparagraph (b) of paragraph 1 of article 18 of the Law for the data controller who does not fulfill the obligation to take the necessary technical and administrative measures to ensure data security in the processing of personal data due to the violation of paragraph 1 of article 12 of the Law.