Legal Alert

The Decision of the Personal Data Protection Board Regarding Processing of Personal Data by Sending the Invoice to the Data Subject, Upon the Use of the E-Mail Address of the Data Subject by a Person with the Same Name When Placing an Order on the Internet, Has Been Published.

7 September 2022

The decision of the Personal Data Protection Board (“Board”) dated 17.03.2022 and numbered 2022/243 (“Decision”) regarding processing of personal data by sending the invoice to the data subject, upon the use of the e-mail address of the data subject by a person with the same name when placing an order on the internet, has been published.

Within the scope of the complaint submitted to the Board:

  • It has been stated that a person with the same name as the data subject has become a member of the data controller providing services on the internet and has placed an order. This person used the e-mail address of the data subject when placing the order.
  • The data controller sent the invoice for the order to the data subject to realize the membership process without checking and confirming the accuracy of the e-mail address. It has been requested that the necessary action be taken about the data controller within the scope of the Personal Data Protection Law Numbered 6698 (“PDPL”).

As a result of its investigation on the subject, the Board addressed the following issues:

  • A person with the same name as the data subject has placed an order by mistakenly entering the e-mail address of the data subject, without creating a membership, and there is no membership account for the data subject or any other person for the e-mail address in question.
  • The e-mail address did not match any data belonging to the data subject and the identity information of the data subject was not processed. There is not yet a control mechanism for confirming the e-mail address and phone numbers provided for purchases made via the guest customer login.
  • When the order details are examined, it is evaluated that the sender’s name, surname and e-mail address are the same as those of the data subject. In addition, the address of a third party is clearly included in the invoice as recipient information.
  • Although it may be said that the data controller’s basis for the processing of the e-mail address is Article 5 of the PDPL, it cannot be ignored that there is an active duty of care for the processing of personal data in accordance with the principle of “being accurate and up-to-date when necessary” pursuant to Article 4/2(b) of the PDPL.
  • While the data controller should implement the necessary measures/verification mechanisms to confirm whether the e-mail address is used by the purchaser, it has been evaluated that a verification mechanism for such is not in place.

Due to the reasons listed above, in the light of the evaluations made by the Board:

  • Considering that the data controller’s activities resulted in the e-mail address of a person who is not a party to the distance sales contract being processed without establishing a verification mechanism for the recipient groups to whom the invoice will be sent, and that the data controller indirectly disclosed the information of the sender and the recipient specified in the invoice to the data subject, it has been decided to impose an administrative fine of 100.000 TL on the data controller, since the processing activity in question has not been based on any legal grounds of processing and the obligations regarding data security have not been fulfilled by the data controller.

You may reach the full Turkish text of the Decision via the link below.

https://kvkk.gov.tr/Icerik/7297/2022-243