25 Apr Decısıon of the Personal Data Protectıon Board dated 17.08.2023 and numbered 2023/1430 on Requırıng a TR ID Number ın the Meal Card Applıcatıon
In the notice submitted to the Personal Data Protection Board (“Board”), it was stated that TR ID numbers were requested when registering to use the mobile application belonging to the data controller providing the meal card service, and an ex officio investigation was initiated by the Personal Data Protection Board (Board) on the issue.
In summary, in the defense of the data controller company it was stated that
- since phone number data is processed by the parties through the employer when issuing mobile meal cards, verification is made with the phone number in the application and the TR ID number of the relevant people is not requested and
- if the employee wants to benefit from the mobile payment feature by registering the physical meal card into the mobile application, the TR ID number is requested in the application for the verification of the employee and for security purposes, since no data belonging to the employees is processed by the parties when the physical meal cards are given, the information entered is verified with the TR ID number.
.
With the Decision of the Personal Data Protection Board dated 17.08.2023, and numbered 2023/1430 ;
- although phone number and TR ID number are in the general personal data category, the TR ID number is more important data than the phone number because of its nature and
- considering that a data breach may cause greater harm to individuals; to protect the interests of the relevant persons, arrangements can be made to ensure verification with information such as card information and telephone number to be submitted to the data controller through the employer will comply with the principles of privacy in design, data minimization and appropriate and proportionate processing of personal data.
Based on these evaluations Board decided that;
- since it is possible to perform verification in the application in ways that will protect the relevant persons more, such as processing card and phone number information through the employer, without processing the TR ID number information, the processing of the TR ID number data is subject to the legal provisions in Article 5 of the Personal Data Protection Law No. 6698 (" Law "). An administrative fine of 200,000 TL will be imposed on the data controller, who is deemed to have failed to fulfill his obligations to take all kinds of technical and administrative measures to prevent the unlawful processing and access of personal data, since it is considered to be done without any justification and is contrary to the principle of proportionate processing of personal data for the purpose for which they are processed.
- instructing the data controller to provide verification through methods such as card information and phone number information to be submitted to the data controller through the employer, and to inform the Board of the results, and
- to instruct the data controller to destroy TR ID numbers that do not have a legal reason to be processed in accordance with the Law and the relevant regulation, and to inform the Board with documents proving that the destruction has been carried out (such as a log record).
.
With this decision, the Board emphasized that data controllers must ensure that the data they process not only meets the data processing requirement in the Law, but also that it can be done without processing personal data or by processing personal data of relatively less importance.
