The Turkish Personal Data Protection Authority (“Authority”) imposed an administrative fine of 120.000 Turkish Liras to a Bank due to the fact that the information notice published by the Bank was not prepared in accordance with the provisions of the Communiqué on the Principles and Procedures to be followed in Fulfilling the Obligation to Inform (“Communiqué”) and the instructions given by the Authority. The summary of the decision was published on the website of the Authority on 22 December 2020. You may reach the full summary of the decision here (in Turkish).
The Authority stated that information on personal data, processed by the data controller, should be included in the information notice.
Furthermore, it has been stated that simply referring to the relevant articles of the regulation would not be enough to meet the requirements of the regulation and detailed information about the personal data processing grounds should be provided.
It has been stated that a general information notice would not be sufficient to fulfill the obligation to inform data subjects. Rather, separate information notices based on specific processes should be prepared and presented to the data subjects while collecting their personal data. In the decision, the Authority provided an example and stated that when a customer applies for a “credit card” or a “consumer loan”, information notices prepared specifically for these services, which include information on purposes and legal grounds for processing personal data only for these services, should be presented to data subjects.
Upon the complaint submitted by the data Upon the complaint submitted by the data subject to the Authority, the Authority has sent instructions to the Bank to change their information notice. However, after the Bank changed their information notice, the Authority decided to impose a administrative fine of 120.000 Turkish Liras on the grounds that the information notice still did not meet the requirements of the
Communiqué and did not fulfill the instructions given by the Authority.
As a conclusion, in the present case, the Authority stated that the following points should be taken into consideration while informing data subjects on how their personal data are processed:
– The data controller should explain which personal data are processed in the information notice.
– The data controller should explain in detail the legal grounds for processing personal data.
– Specific and different information notices for different services should be presented to data subjects while collecting their personal data.