Personal Data Protection Authority's Decisions on Cargo Companies dated 05.01.2023 and dated 24.03.2022


The Personal Data Protection Board (“Board”) has evaluated the personal data violations arising from the shipping errors made by the cargo companies in two separate incidents, with its decisions numbered 2023/4 dated 05.01.2023 and numbered 2022/277 dated 24.03.2022. Considering the similarities and differences of the events, we will compare and evaluate the decisions of the Board.

First of all, the Board, with its decision dated 24.03.2022 and numbered 2022/277, evaluated the delivery of a cargo package containing the personal data of the person concerned to a third party within the scope of the Personal Data Protection Law No. 6698 (“KVKK”).

According to the complaint made to the Board, the person concerned gave their headphones to an electronics retail store for repair. The store handed the headphones to a cargo company, together with a form containing the information of the person concerned, for delivery to the distributor company for repair. However, it was stated that the cargo was delivered to an unrelated third party.

The retail store's defense, in summary:

  • in addition to the product, the cargo package contained a document required by the distributor company for the repair of the headset,
  • the cargo company delivered the package containing the personal data to a third party at an address other than the one specified on the cargo, so the error was attributable to the cargo company, and
  • as stated in the Data Processor and Data Controller's Guide of the Board, cargo companies are data controllers in terms of personal data obtained to manage the shipment, therefore the store is not responsible for this situation.


After hearing the complaint of the person concerned and the defense of the data controller, the Board decided to continue the investigation by taking the defense of the cargo company.

The cargo company's defense, in summary:

  • the aforementioned cargo was delivered to a third party, and the cargo company became aware of the situation when the third party contacted it,
  • pre-service training was given to all employees of the company in the areas of personal data privacy and information security, and this training was given 3 times to the personnel who made the mistake, and
  • the company has no knowledge of the content of the cargo, and the retail company can use a more secure method when transmitting personal data to the distributor company.


In the light of this information, the Board made its own assessments. The Board stated that the retail company's data processing/transfer activity, namely sending the information of the person concerned to the distributor company, is based on the legal condition that "it is necessary for the establishment or performance of a contract", and that this is in accordance with the law, but that data should be shared as minimally as possible in the future.

Evaluating the retail company in terms of data security, the Board stated that there was no violation, since the company delivered the cargo package containing the personal data of the person concerned to the cargo company with correct information.

According to paragraph 5 of Article 12 of the KVKK, data controllers have an obligation to notify the Board within 72 hours in case of a breach of data security. When the situation of the retail company is evaluated from this perspective, it is seen that the person concerned learned about the situation before the retail company did and, after becoming aware of it, made an application to the retail company. In addition, it was determined that 72 hours did not pass between the application made to the retail company and the complaint of the person concerned to the Board. Therefore, the Board became aware of the situation within that 72-hour window.

In this case, it was determined that there was no illegality in the retail company transmitting personal data via cargo. However, it was stated that, after learning that data security had been violated, the retail company was obliged to notify the person concerned and the Board of the issue. At the same time, since the person concerned had already learned about the situation and notified the Board, it was considered debatable whether the person concerned would have taken other measures if the Board had been notified. The retail company is instructed to notify both the person concerned and the Board for similar events that may occur in the future.

As for the cargo company, the Board evaluated that the cargo company, which is not expected to know the cargo content, does not carry out any personal data processing activities about the data subject, either as a data controller or as a data processor, and therefore does not have a notification obligation arising from the KVKK.

Based on these evaluations, the Board ruled that:

  • it is legal for the retail company to send the document containing some personal data to the distributor company, but the retail company should be warned to minimize the information contained in this document in the future,
  • the retail company should be instructed to notify both the person concerned and the Board as soon as possible in accordance with the KVKK for similar events that may occur in the future,
  • keeping in mind the facts that are the basis of the complaint of the person concerned and the cargo company's role in this event, the cargo company does not have the title of data controller or data processor in terms of cargo content, and therefore there is no action to be taken by the Board about the cargo company, and
  • considering the case at hand, the person concerned should be informed that he or she can take action before the judicial authorities to pursue the civil and/or criminal liability that may arise from the aforementioned erroneous transaction.


This decision offers a good perspective when considering another, similar cargo company decision of the Board. In the other decision, the Board evaluated that the cargo company that made a wrongful cargo delivery through a cross-barcoding error has the title of data controller, and decided to punish the cargo company for not reporting the wrongful delivery caused by this barcode error to the Board in accordance with the KVKK.

Although the difference between these two decisions is not obvious at first, it reveals an important distinction. In the first decision discussed above, the personal information was obtained, as a result of the cargo company's incorrect delivery, from a form placed inside the cargo package. In the other decision, which resulted in the imposition of an administrative fine, the personal data that was violated as a result of the cross-barcoding error was the recipient and sender information placed on the cargo package. While cargo companies do not have the title of data controller or data processor regarding the information contained in the package, they have the title of data controller in terms of the information that is placed on the cargo package. Therefore, if the recipient and sender information on the cargo package does not contain any personal data, any action taken by the cargo company is outside the jurisdiction of the Board. In the decision that did not result in an administrative fine, there was no personal information on the cargo package because the package bore the information of the retail store and the distributor company.
