
gdpr.com.tr

Data Privacy Consultancy

Personal Data Protection Board – Principle Decisions

  • Writer: A. F. Hanyaloglu
  • Sep 29
  • 21 min read

Updated: Oct 6

Introduction


The Personal Data Protection Board’s principle decisions form a cornerstone of Turkish data-protection practice. Adopted under Article 15(6) of the Personal Data Protection Law No. 6698 (the "Law"), these decisions provide authoritative interpretations on recurring compliance issues such as unauthorized disclosure, marketing communications, insider misuse, and data-sharing mechanisms. They serve as practical guidance both for organizations established in Türkiye and for those abroad that process personal data of Turkish individuals. By presenting the key principle decisions, this article aims to serve your organization as a practical checklist to update policies, vendor/processor contracts, and technical controls.


Contents


  1. 2017/61 - Directory-style sites/apps: immediate cessation of sharing contact data without a legal basis; potential access-blocking and criminal referrals.

  2. 2017/62 - Counters/tellers/desks: physical and organizational measures to prevent customers from hearing/seeing one another’s personal data.

  3. 2018/63 - Insider misuse: personnel with access must not process beyond authority/purpose; controllers must implement robust access controls and monitoring.

  4. 2018/119 - Unsolicited marketing by SMS/e-mail/calls: stop processing absent explicit consent or another lawful basis; joint responsibility where processors act for controllers.

  5. 2019/308 - Unlawful lookup software: coordination with judicial authorities; referrals to prosecutors; administrative action against controllers using such tools.

  6. 2020/966 - Misdelivery of third-party data to wrong numbers/e-mails: duty to verify contact details and keep data accurate and up to date.

  7. 2021/1304 - Car-rental “blacklists”: cross-controller sharing via SaaS risks breaching general principles and transfer rules; potential joint controllership with software vendors.


1- Principle Decision dated 21/12/2017 and numbered 2017/61 on the protection of personal data on websites/applications providing directory services.


Subject: Protection of personal data on websites/applications providing directory services.


As a result of the assessments conducted within the scope of notices and complaints submitted to the Personal Data Protection Authority regarding websites and applications providing directory services in the form of querying a name to find a phone number, or querying a phone number to find a name, without obtaining the data subjects’ explicit consent in violation of the provisions of the Law, it has been determined that there are many applications and websites which, by collecting personal data through various applications, websites, or social media accounts and enabling the sharing of such data, provide services such as accessing phone number information when a name is queried, accessing name information when a phone number is queried, and learning how one is saved in other persons’ phone directories.


In subparagraph (e) of paragraph (1) of Article 3 of the Law, “any operation which is performed on personal data, wholly or partially by automated means or by non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, or preventing the use thereof” is regulated as the processing of personal data; in order for any of the enumerated actions to be carried out, one of the processing conditions set forth in Articles 5 and 6 of the Law must first exist, and the other obligations envisaged by the Law must also be fulfilled.


Within this scope, it was unanimously decided that:


  • It is required, pursuant to paragraph (7) of Article 15 of the Law, that the data processing activity carried out by websites and mobile applications that share the contact information of data subjects without any basis in the Law and the relevant legislation be immediately ceased;

  • In the event it is learned that the aforementioned websites/applications have not terminated such activities, applications shall be made to the competent authorities to ensure that access to these websites/applications is blocked; moreover, considering that personal data may have been obtained unlawfully, the matter shall be reported ex officio to the Office of the Chief Public Prosecutor pursuant to Article 158 of the Code of Criminal Procedure, for the initiation of the necessary legal proceedings against the relevant websites/applications within the framework of Article 136 of the Turkish Penal Code No. 5237 titled “Unlawful Delivery or Acquisition of Data”, and the public shall be informed in this regard;

  • Pursuant to paragraph (6) of Article 15 of the Law, this principle decision shall be published in the Official Gazette and on the website of the Authority, and action shall be taken against those who do not comply with this decision within the scope of Article 18 of the Law.


2- Principle Decision dated 21/12/2017 and numbered 2017/62 regarding the protection of personal data in service areas such as counters, teller windows, and desks.


Subject: Protection of personal data in service areas such as counters, teller windows, and desks.


As a result of the assessment carried out within the scope of notices submitted to the Personal Data Protection Authority regarding personal data security breaches occurring in areas where services are provided to citizens such as counters, teller windows, and desks, to ensure prevention of practical problems, it was unanimously decided that:


  • Public and private sector institutions and organisations providing services—particularly in the banking and health sectors, and including postal and cargo services operating with multiple adjacent staff, travel agencies, customer service departments of chain stores, organisations where various subscription transactions are conducted, and services such as municipal, tax, and population registry procedures—shall, pursuant to Article 12 of the Law, take the necessary technical and administrative measures concerning the protection of personal data that will prevent unauthorised persons from being present in sections such as counters/teller windows/desks, and that will prevent persons receiving service simultaneously and in close proximity from hearing, seeing, learning, or obtaining one another’s personal data;

  • Pursuant to paragraph (6) of Article 15 of the Law, this principle decision shall be published in the Official Gazette and on the website of the Authority, and action shall be taken against those who do not comply with this decision within the scope of Article 18 of the Law.


3- The Personal Data Protection Board’s Principle Decision dated 31/05/2018 and numbered 2018/63 regarding the assessment of the processing of the personal data in question by personnel who have access to personal data under the data controller but process such data beyond their authority and purpose


Subject: Assessment of the issue of processing the personal data in question, beyond authority and purpose, by personnel who have access to personal data under the data controller.


As a result of the assessments carried out regarding the notices and complaints submitted to the Personal Data Protection Authority concerning the processing of the personal data in question beyond the purpose of processing and by exceeding their authority, by those who, due to their position or duty under the data controller, have access to personal data; in order to prevent practical problems, it was unanimously decided that:


  • Since the processing of the personal data in question beyond the purpose of processing and/or the sharing of such data with third parties, by those who, due to their position or duty under a data controller, have access to personal data, by exceeding and/or abusing their authority, and based on personal purposes or reasons, would constitute a breach of paragraph (1) of Article 12 of the Law, the data controllers shall be informed that all necessary technical and administrative measures must be taken to ensure an appropriate level of security in order to prevent acts within this scope;

  • Pursuant to paragraph (6) of Article 15 of the Law, this principle decision shall be published in the Official Gazette and on the website of the Authority.


4- The Personal Data Protection Board’s Principle Decision dated 16/10/2018 and numbered 2018/119 regarding the prevention of directing advertising notifications/calls to data subjects’ e-mail addresses or to their mobile phones by SMS or calls by data controllers and data processors


Subject: Taking a principle decision to prevent advertising notifications/calls from being directed to data subjects’ e-mail addresses or to their mobile phones by SMS or calls by data controllers and data processors.


Taking into account the large number of applications submitted to the Personal Data Protection Authority (Authority) and the findings reached within the scope of the ongoing examinations concerning the matter that advertising notifications/calls are sent to data subjects’ e-mail addresses or to their mobile phones by SMS or calls without obtaining their explicit consent, in violation of the provisions of the Law, it was decided unanimously to inform the public on the following matters and to publish this principle decision on the Authority’s website and in the Official Gazette:


  • That data controllers who direct advertising-content communications by sending SMS to telephone numbers, making calls, or sending mail to e-mail addresses without obtaining the consent of data subjects or without satisfying the processing conditions set forth in paragraph (2) of Article 5 of the Law, and data processors who, on behalf of data controllers, send advertising-content messages/e-mails or make calls by using such data without the explicit consent of data subjects, must immediately cease such data processing activities pursuant to paragraph (7) of Article 15 of the Law,

  • That within the scope of Article 12 of the Law, the data controller is obliged to take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the preservation of personal data; and that, where personal data are processed by another natural or legal person on behalf of the data controller, the data controller is jointly responsible with such persons for taking the aforementioned measures,

  • That action shall be taken against the data controllers engaged in the activities in question as specified above within the framework of the provisions of Article 18 of the Law,

  • That, considering that the personal data processed in the manner in question may have been obtained unlawfully, the matter shall be reported ex officio to the Office of the Chief Public Prosecutor pursuant to Article 158 of the Code of Criminal Procedure No. 5271, for the initiation of the necessary legal proceedings against the relevant data controllers within the framework of Article 136 of the Turkish Penal Code No. 5237 titled “Unlawful Delivery or Acquisition of Data”.


5- The Personal Data Protection Board’s Principle Decision dated 18/10/2019 and numbered 2019/308 regarding software/programs/applications that enable querying citizens’ personal data such as identity and contact information based on data obtained unlawfully


Subject: Regarding software/programs/applications that allow the querying of citizens’ personal data such as identity and contact information obtained unlawfully.


With the application transmitted by the Ministry of Justice to the Personal Data Protection Authority and the Office of the Chief Public Prosecutor via CİMER, it was summarized that: a data controller is using a program that serves to find Turkish Republic (T.R.) identity numbers and addresses; when the name of any person is entered into this program, it provides that person’s T.R. identity number, residence address, relatives, and all identity information of those living in the same household; a video recording was made to demonstrate how the program works as evidence of the allegation, and in this video some names were queried and the program returned identity and address information at the press of a single key; it was the opinion that this program is unlawful; and it was stated that the program is installed and operational on the data controller’s desktop computers and laptops at the workplace and on the individual’s personal laptop, and that the necessary action be taken.


Upon our Authority also receiving the application in question, and upon the person who made the notification being informed that, in the event he submitted to our Authority concrete information or documents of a nature to substantiate his allegation, the notification would be treated as a tip-off and could be taken under examination within the scope of the Law, the video recording submitted with the application to the Authority was examined, and it was identified that:


  • When the program icon located on the home page of the laptop seen on the screen is clicked, a query page appears in the menu that opens after a user name and password are entered;

  • When a search is conducted by entering a person’s first name and surname, it is possible to access address information in a manner that includes the T.R. identity number, name, surname, gender, mother’s name, father’s name, place of birth, date of birth, the province and district of civil registry, as well as records relating to previous years concerning the province and district of civil registry, of the data subject and, if any, of other persons who have the same first name and surname as the person searched;

  • Although an example query was not carried out in the video recording, it was seen that there was also a field on the query page that could be marked as “Same Household”, and that the program also contained a tab titled “Bulk Query”; and it was understood that the recording in question had a nature substantiating the allegations made by the relevant person in his CİMER application.


In the data subject’s tip-off application, although there was no information as to whether the program was written/created by the data controller against whom the allegation was directed or obtained/purchased from a third person/persons/legal person, and if obtained in such a manner, who this third person/persons/legal person was/were; based on the statement and explanations on the login screen images in the video recording of the program in question reading “Member Login: ………”, “SMS Activation Code” and “Please Note! Our application will switch to a Fixed IP system in one month. We kindly ask all our users to take the necessary action in this regard.”, it was concluded that the program was obtained/purchased by the data controller against whom the allegation was directed from a third person/persons/legal person.


At this point, in the research conducted on the internet regarding the program and the company owning the program, it was observed that there are several programs created under the same name in different service branches and for different purposes; however, no internet page could be reached that could, without leaving room for doubt, be assessed as related to the program that is the subject of the tip-off application.


Nevertheless, it was seen that certain explanations on the subject were included in some news items reflected to the public. As can be seen in these news items as well, programs similar to the one subject to the data subject’s tip-off application—i.e., other programs/applications that allow the querying of citizens’ personal data such as identity and address through data considered to have been obtained unlawfully—are sold by criminal organizations for money to persons including lawyers; and it is understood that these unlawful activities have been the subject of various judicial investigations at different times.


As is known, the purpose of the Law is to protect, in the processing of personal data, the fundamental rights and freedoms of persons—primarily the right to privacy—and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be complied with. The Law aims to prevent the collection of personal data in an unlimited and random manner, their acquisition by unauthorized persons, their disclosure, or the violation of personality rights as a result of their use for purposes other than those intended or their misuse. The Law, which seeks to bring under control the question of which rules personal data are subject to and under what conditions they may be processed, also aims, by introducing oversight mechanisms with respect to the processing of personal data, to prevent the unlawful processing of such data.


Articles 135, 136 and 137 of the Turkish Penal Code No. 5237 set out sanctions regarding the offences of unlawfully recording personal data and unlawfully giving, disseminating or obtaining personal data, and Article 17(1) of the Law stipulates that Articles 135 to 140 of the Turkish Penal Code shall apply in respect of offences relating to personal data. In addition, pursuant to Article 6 of the Law No. 3071 on the Exercise of the Right to Petition, no action can be taken by our Authority regarding matters falling within the jurisdiction of judicial bodies.


According to the reply given by the Office of the Chief Public Prosecutor to the application of the data subject—which had been forwarded both to our Authority and to the Office of the Chief Public Prosecutor via CİMER by the Ministry of Justice—it is seen that the CİMER application in question was processed by the correspondence offices of the Office of the Chief Public Prosecutor, the Ministry of Justice and the Council of Judges and Prosecutors.


Pursuant to Article 15(1) titled “Procedures and principles of examination upon complaint or ex officio” of the Law, the Personal Data Protection Board shall ex officio carry out the necessary examination in matters within its remit in the event it learns of an alleged violation upon a complaint or ex officio. In addition, pursuant to paragraph five of the same article, in the event that, as a result of an examination conducted upon a complaint or ex officio, the presence of a violation is established, the Board shall decide that the unlawfulness it has identified be remedied by the data controller and notify the relevant parties; and pursuant to paragraph six of the same article, in the event that the presence of a widespread violation is established as a result of an examination conducted upon a complaint or ex officio, the Board shall take a principle decision in this regard and publish that decision.


In consideration of the allegations in the tip-off application made to our Authority by the relevant person to the effect that a program belonging to the data controller was used to unlawfully obtain and sell personal data together with the employees working on site, the Board has unanimously decided:


  • With regard to the program that is the subject of the tip-off, to initiate an examination in respect of the data controllers who will be identified by the relevant judicial authorities as having used the program, in matters falling within the remit of the Board;

  • In order not to prejudice the proper conduct of the investigation processes initiated/to be initiated by the judicial authorities with respect to the allegation subject to the tip-off, to carry out the examination to be conducted by the Board in coordination with the judicial authorities and the administrative authorities deemed appropriate;

  • Furthermore, within the scope of the tip-offs transmitted to our Authority, it has been determined that software/programs/applications that allow the querying of citizens’ personal data such as identity and contact information through data obtained by various means are being used by certain persons and organisations operating in sectors such as legal services/law firms, finance, real estate consultancy, insurance, etc. In consequence of the assessment made, considering that this situation constitutes a breach of the obligations of data controllers regarding data security under Article 12 of the Law, and in order to prevent potential personal data security violations that may occur;

  • Those determined to be using software/programs/applications of this nature shall be reported, by way of tip-off, to the relevant Chief Public Prosecutors’ Offices pursuant to Article 158 of the Code of Criminal Procedure No. 5271 for the conduct of judicial proceedings under the Turkish Penal Code;

  • And, in terms of matters falling within the remit of the Board, the public shall be informed that administrative action will be taken against the data controllers within the framework of Article 18 of the Law;

  • That, pursuant to Article 15(6) of the Law, this principle decision has been adopted to be published in the Official Gazette and on the Authority’s website.


6- Principle Decision of the Personal Data Protection Board dated 22/12/2020 and numbered 2020/966 on personal data of third parties unlawfully sent by data controllers to individuals’ communication channels such as phone numbers and e-mail addresses


Subject Summary: Principle Decision on personal data of third parties unlawfully sent by data controllers to individuals’ communication channels such as phone numbers and e-mail addresses.


Within the scope of complaints and tip-offs conveyed to the Personal Data Protection Authority, it is observed that in various sectors such as e-commerce, telecommunications, transportation and tourism, data controllers request data subjects to declare their phone numbers and/or e-mail addresses in order to send documents containing personal data—such as invoices, account statements and reservation documents—via SMS and/or e-mail; however, errors may occur when data subjects declare such information, or third parties’ information relating to data subjects may be declared, as a result of which the aforementioned documents containing personal data of the data subjects are transmitted to third parties.


As is known, Article 4(1) of the Law stipulates that personal data may be processed only in accordance with the procedures and principles set forth in this Law and other laws; and Article 4(2) provides that, in the processing of personal data, it is mandatory to comply with the following principles: “(a) Being processed lawfully and fairly. (b) Being accurate and, where necessary, up to date. (c) Being processed for specific, explicit and legitimate purposes. (ç) Being relevant, limited and proportionate to the purposes for which they are processed. (d) Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.”


Among these principles, keeping personal data accurate and, where necessary, up to date is required not only in line with the data controller’s interests but also for the protection of the data subject’s fundamental rights and freedoms; if the data controller produces a result regarding the data subject based on personal data and verifies it, the controller has an active duty of care to ensure that the personal data are accurate and, where necessary, up to date. Beyond this, it is important that the data controller always keeps channels open to ensure that the data subject’s information is accurate and, where necessary, up to date. Otherwise, individuals may suffer material and non-material damage due to personal data that are outdated or kept inaccurately. In this sense, in order to ensure that personal data are accurate and, where necessary, up to date; it is deemed necessary that the sources from which personal data are obtained be identifiable and that the accuracy of the source from which personal data are collected be verified, and—so as to prevent adverse consequences for data subjects arising from inaccurate personal data—that reasonable measures be taken to verify the contact information declared by data subjects (such as sending a verification code/link to the phone number and/or e-mail address).


On the other hand, Article 12 of the Law sets forth that data controllers are obliged to take all kinds of technical and administrative measures necessary to ensure an appropriate level of security for the purpose of preventing the unlawful processing of personal data, preventing unlawful access to personal data, and ensuring the safeguarding of personal data.


Within this scope; in order to prevent data controllers from sending documents such as account statements, invoices, etc., containing third parties’ personal data to individuals’ communication channels such as phone numbers and e-mail addresses in a manner that would constitute a violation of the Law; and, pursuant to Article 12(1) of the Law, to ensure that data controllers take the necessary administrative and technical measures to establish mechanisms to verify the accuracy of the contact information they hold, it has been decided unanimously to adopt this Principle Decision under Article 15(6) of the Law and to publish the said Principle Decision on the Authority’s website and in the Official Gazette.


7- Principle Decision of the Personal Data Protection Board dated 23/12/2021 and numbered 2021/1304 regarding blacklist practices in the car-rental sector


Subject Summary: Principle Decision regarding blacklist practices in the car-rental sector.


Within the scope of tip-offs conveyed to the Personal Data Protection Authority (Authority), it has been understood, as a result of examinations carried out by the Personal Data Protection Board pursuant to Article 15 of the Law, that “blacklist” software/programs/applications are resorted to in the car-rental sector.


With respect to the said “blacklist” practices used in the car-rental sector, it has been ascertained that:


  • Software providers and vendors offer car-rental software to car-rental companies (or to natural persons engaging in car rental) that includes a “blacklist” feature;

  • Car-rental companies process, in the said software, the personal data of natural persons who rent vehicles as their customers; among these data are information concerning any damage caused to the vehicle by these persons, adverse records, and “blacklist” information included in the rental companies’ comments;

  • These data are processed by car-rental companies to be used for decision-making in respect of subsequent rentals;

  • On the other hand, the said software is designed as a system that allows the data entered by one car-rental company to be made available to other car-rental companies;

  • Accordingly, a system is formed whereby the software provides a data flow/sharing concerning the blacklist to other car-rental companies that use the same software, and thus the personal data of the relevant persons who rent vehicles are mutually shared;

  • In general, the service offered by software companies is in the form of SaaS (Software as a Service); as required by the SaaS service, the database and software management rest with the software companies, and users with administrative authorization are assigned so that the software company can provide the necessary technical support and development to car-rental companies; the service offered is not hosted on the rental companies’ own servers; car-rental companies are not permitted to interfere with the software code, and therefore the authority of car-rental companies to control the content is limited;

  • Persons who rent vehicles are not aware that their personal data—such as identity and contact information, information regarding damage caused to the vehicle, and problems encountered during the payment process—are shared, via software including a blacklist feature, with an unknown number of users other than the car-rental company of which they are customers.


As is known, in Article 3 titled “Definitions” of the Law, paragraph (1)(ç) defines data subject as “the natural person whose personal data are processed,” paragraph (d) defines personal data as “any information relating to an identified or identifiable natural person,” paragraph (e) defines processing of personal data as “any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, retention, alteration, re-arrangement, disclosure, transfer, taking over, making available for retrieval, classification, or preventing the use thereof,” and paragraph (ı) defines data controller as “the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishment and management of the data filing system.”


In Article 5 titled “Conditions for processing of personal data,” paragraph (1) provides that personal data may not be processed without the explicit consent of the data subject; and paragraph (2) provides that, in cases where the conditions set forth in the laws are met, it shall be possible to process personal data without seeking the explicit consent of the data subject, if one of the following conditions exists: it is mandatory for the protection of the life or physical integrity of the person who is unable to express his consent due to actual impossibility or whose consent is not deemed legally valid, or of another person; it is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract; it is mandatory for the data controller to be able to fulfil its legal obligation; the data have been made public by the data subject; it is mandatory for the establishment, exercise or protection of a right; it is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.


Article 8 of the Law provides that “(1) Personal data cannot be transferred without the explicit consent of the data subject. (2) Personal data may be transferred without seeking explicit consent of the data subject if one of the conditions set forth in Article 5(2) and Article 6(3) is present, provided that adequate measures are taken. (3) Provisions contained in other laws regarding the transfer of personal data are reserved.”


On the other hand, Article 11 of the Law includes among the rights of the data subject the right “to object to a result against the person arising as a consequence of analysis of the processed data exclusively through automated systems,” as set forth in subparagraph (g) of paragraph (1).


Article 12 of the Law provides that data controllers are obliged to take all kinds of technical and administrative measures necessary to ensure an appropriate level of security for the purpose of preventing the unlawful processing of personal data, preventing unlawful access to personal data, and ensuring the safeguarding of personal data.


Pursuant to the relevant provisions of the Identity Notification Law No. 1774, there is an obligation to notify law-enforcement authorities of car-rental activities. Accordingly, the processing of personal data by car-rental companies in connection with entering data into the Rental Car Notification System (KABİS) may be assessed within the scope of the processing condition set forth in Article 5(2)(a) of the Law, “explicitly stipulated by laws,” as well as the processing condition set forth in subparagraph (ç), “it is mandatory for the data controller to be able to fulfil its legal obligation.”


Furthermore, since car-rental activity is carried out under a contract concluded between the parties, the processing of the personal data of data subjects by car-rental companies may be carried out within the scope of the processing condition set forth in Article 5(2)(c) of the Law, namely “it is necessary to process personal data of the parties to a contract, provided that it is directly related to the conclusion or performance of the contract.”


With respect to records such as blacklists, it is considered that there is a difference between processing personal data limited to business operations and making them available to other data controllers through software providers. Article 5(2)(f) of the Law regulates the processing condition “it is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.” Where, as a result of the balancing test to be conducted between the data subject’s fundamental rights and freedoms and the data controller’s legitimate interests, the legitimate interest prevails, keeping a blacklist record limited to business operations—i.e., within the body of the data controller—may, subject to separate assessment according to the concrete case, be applicable; however, it is considered that, where the personal data processed are made available to other data controllers (other car-rental companies) using the same software, the condition that the data subject’s fundamental rights and freedoms not be infringed cannot be met.


It is also considered that the sharing, by a car-rental company, of the personal data it processes with an unknown number of car-rental companies via software would contravene the General Principles set forth in Article 4 of the Law—namely “being processed lawfully and fairly,” “being processed for specific, explicit and legitimate purposes,” and “being relevant, limited and proportionate to the purposes for which they are processed.”


On the other hand, in the blacklist applications that are the subject of the tip-offs, the data controllers that collect the personal data of natural person customers firsthand are the car-rental companies. However, considering that access to the blacklist record is not limited to a single company and that other car-rental companies using the software can access the personal data transferred to the software and exercise control over the data, it is assessed that joint controllership between the car-rental companies that use the blacklist for their own interests and the software companies will arise.


To determine the responsibilities of joint controllers and their degrees of fault, the data processing activities must in every case be examined on a case-by-case basis; it will be necessary to identify with whom control over the data rests and who has control of the data. In determining fault among joint controllers, attention will be paid to factors such as who is the first and last user in the processing, who made the data entry, which party provided the data in question, who allowed the data to be changed or deleted or transferred, who granted access, and which data controllers other than the collecting party carried out which activities with these data.


Blacklist applications in the car-rental sector must also be evaluated in terms of the rights of the data subject. Since processing of personal data within the scope of a blacklist may lead to the use of the data subject’s personal data in a way that results in an adverse outcome for the person due to the very nature of blacklist practices, where a decision is made on the basis of this outcome, an adverse result will arise for the person as a consequence of profiling; however, since it may not be known which other car-rental companies the personal data of the relevant person renting the vehicle have been shared with, the exercise of the rights arising from Article 11 of the Law against these data controllers will become more difficult.


In light of all these assessments:


  • In cases where personal data are processed within the scope of blacklist applications in the car-rental sector in a manner contrary to the General Principles set forth in Article 4 of the Law, the processing conditions set forth in Article 5 of the Law, and the provisions regarding transfer set forth in Article 8 of the Law, the car-rental companies that have control over the data in question together with the software companies will be considered joint data controllers;

  • In order to put an end to such unlawful practices and ensure that personal data processing activities in the car-rental sector are in compliance with the Law, data controllers must take the necessary administrative and technical measures regulated under Article 12 of the Law;

  • The public shall be informed, within the framework of Article 18 of the Law, that administrative action will be taken against data controllers in the car-rental sector who, without taking the said measures and in violation of the provisions of the Law, carry out blacklist applications that are contrary to the Law;

  • Pursuant to Article 15(6) of the Law, it has been decided unanimously to publish this Principle Decision in the Official Gazette and on the Authority’s website.


