The Personal Data Protection Board (“Board”) rendered a decision dated 20.04.2020 and numbered 2021/389 (“Decision”) regarding an insurance company (“Data Controller”), on the grounds that the insurance company made the provision of its services conditional on explicit consent.
According to the Decision, the data subject stated that the insurance company had issued an individual pension contract for the data subject, that the data subject was obliged to consent to the processing of personal data through a confirmation box presented while trying to access the insurance policy information on the website of the insurance company, and that taking any action without ticking the confirmation box was not possible. For these reasons, the data subject reported the insurance company to the Personal Data Protection Authority (“Notice”).
As a result of the Notice, the Board made the following evaluations:
- Personal data processing activities by the Data Controller must be carried out in accordance with the Communiqué on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform (“Communiqué”);
- When the privacy notices provided via separate links on the website of the Data Controller are examined, it is determined that the texts are identical;
- The privacy notice contains no information on which of Article 5 or Article 6 of the Personal Data Protection Law numbered 6698 (“PDPL”) is relied on as the legal reason;
- The legislation under which the personal data is transferred should be clearly and separately stated in the privacy notice, and the privacy notice should be kept up to date;
- In cases where the legal reason for the processing of personal data is explicit consent, the obligation to inform and obtaining explicit consent should be fulfilled separately and a separate explicit consent text should be formed;
- The Data Controller should clearly state the subject for which the explicit consent declaration is requested, the data subject should be aware of his/her behavior and the decision should be his/her own, and in this context the provision of the service should not be conditional on the explicit consent of the data subject;
- In cases where the parties are not in an equal position or one of the parties has influence over the other, it should be carefully evaluated whether the consent is given freely or not;
- In the event that one of the conditions clearly stipulated in the law exists, then it is possible to process personal data without seeking the explicit consent of the data subject;
- If it is possible to carry out the data processing activity on a basis other than explicit consent, basing it on explicit consent would be deceptive and an abuse of rights, and this would be contrary to the principle of “compliance with the law and good faith” regulated within the PDPL.
In light of its evaluations, the Board decided that, where other processing conditions mentioned in Article 5 of the PDPL are present, requesting the explicit consent of the data subject is against the principle of “compliance with the law and good faith” stated under Article 4 of the PDPL. Taking into consideration that the Data Controller has a large customer base in terms of the service provided, the faults of the Data Controller, its economic situation and the content of injustice, the Board decided to impose an administrative fine of TRY 250.000,- on the Data Controller, which did not fulfill its obligations under paragraph 1 of Article 12 of the PDPL. The Board further decided to instruct the Data Controller to draw up the explicit consent and the privacy notice presented to the data subjects as separate texts, to revise them so that the texts do not include ambiguous expressions and are harmonized with the provisions of the PDPL and the Communiqué, and to inform the Board accordingly.
You may reach the full Turkish version of the Decision via the link below.