The Personal Data Protection Board (“Board”) has issued a principal decision regarding the technical and administrative measures to be taken by data controllers in order to verify the contact addresses provided by data subjects.
Within the scope of the complaints and notifications submitted to the Board; the principal decision includes the following points:
- By data controllers operating in various sectors such as e-commerce, telecommunications, transportation, tourism to, data subjects are requested to submit their e-mail addresses and/or phone numbers in order to send documents containing personal data such as invoices, statements, reservation documents via SMS and / or e-mail,
- however, there may be errors in the submission of such information by the data subjects or information belonging to third parties may be submitted by the data subjects,
- as a result, the said documents containing the data of the persons concerned were forwarded to third parties.
Issues included in the complaint subject to the decision were previously discussed by the Board and one has been subject to the Board’s decision dated 7 November 2019 and numbered 2019/333. In the incident subject to the decision involved invoices of two customers who declared the same e-mail address being sent to this same e-mail address. Due to the fact that the invoices of the customer who misrepresented his e-mail address were also sent to the e-mail address in question, an unlawful sharing of personal data of a customer with another customer occurred. As a result of this incident, the Board imposed an administrative fine on the data controller who did not take necessary measures to prevent more than one customer to declare the same e-mail address.
By evaluating negative consequences, in order to ensure that personal data are kept accurate and up-to-date when necessary, the Board has decided that reasonable measures should be taken to verify the contact information declared by the data subjects via sending a verification code and/or link to the phone number and / or e-mail address, etc.
For this reason, the Board has published a principal decision on taking necessary administrative and technical measures to verify the accuracy of contact information by data controllers in order to prevent sending documents containing personal data to third parties.
Please see this link for the summarized decision numbered 2020/966 dated 22 December 2020 published on the Board’s official website (only available in Turkish.)