02 Sep Brıef Regardıng Personal Data Protectıon Board’s Decısıon On Commercıal E-Messagıng
The Personal Data Protection Board (“Board“), continuing to lead the data controller companies , provides guidance to companies who wants to engage in promotional activities, in terms of personal data law in its decision which will be examined in this brief. With the evaluations it makes within the scope of the Personal Data Protection Law No. 6698 (“KVKK“), The Board underlines that even the information obtained legally, it cannot be used by companies for their own arbitrary activities.
Within the framework of the Board's decision dated 18.01.2022 and numbered 2022/31, whether explicit consent is required for sending commercial electronic messages has been evaluated.
In the complaint submitted to the Board; it has been stated that commercial electronic messages were sent to the complainant even though their explicit consent was not obtained, and that the personal data was processed by the data controller without taking the necessary technical and administrative measures.
On the other hand, in the defense of the data controller, following claims have been made; (i) the e-mail address of the data subject was acquired after the application made by him, (ii) the e-mail address of the data subject was transferred to the Social Security Institution systems, (iii) that the e-mail in question was sent because of a temporary lack of coordination between units and was inadvertently made without the consent of the person concerned and (iv) necessary measures were taken to prevent the repetition of the current situation and the data subject’s e-mail address was removed from the list.
In light of this information, the Board ruled that;
- that there was no illegality in obtaining contact information during the registration of the patient,
- however, said data has been utilized in promotional activity and
- thus, the data processing is not in compliance with the law and an administrative fine amounting to 100.000 TRY shall be imposed.
.
This decision of the Board bears significance since it does not just provide a legal review regarding the way data is obtained by the data controller companies but also regarding the purposes of data processing and use. In addition, another noteworthy issue with respect to mentioned decision was the strategy implemented by the data controller in his defense. The data controller, who is aware of a clear violation, instead of trying to defend the violation, talked about the precautions has implemented and planning to implement in the future so that this violation does not occur again. In return, the Board acted tolerantly in the administrative fine imposed considering the market the company was in and size of the company. This shows us how companies who are in violation can get through this process with the least damage with appropriate legal advice.
