Turkey’s Personal Data Protection Board (“Board”) in its latest ruling, examined a complaint filed against the data controller airline company asserting that a short message was sent to data subject’s mobile phone although no flight ticket was booked by him/herself. In furtherance of significant considerations, the Board resolved that no necessary action to be taken against the data controller airline company.
Background on Complaint
A data subject filed a complaint against the data controller airline company (“Airline Company”) asserting that a short message was sent to its mobile phone by the Airline Company on July 1, 2019 regarding an information of booked flight ticket from Oman to İstanbul. Data subject further stated that he/she tried to contact with the Airline Company subsequent to the message however no one responded from the company. After, she/he filed an online complaint and received an information regarding the cancellation of the booked flight.
However as per the complaint, data subject requested Airline Company to be informed regarding who booked the flight ticket by using his/her name and mobile phone number, however no response was given and then, applied to the Board for relief.
Airline Company’s Response
In response to the complaint, the Airline Company claimed that (i) mobile phone information was the only personal data belonging to the data subject under the PNR subject to the complaint and this data entry into the PNR record was also made by the mobile application user who booked the ticket, (ii) the phone number of the data subject was entered by the mobile application user only in the optional “paid SMS notification” field and only the phone number was shared with the line operator for the transmission of the SMS content.
Airline Company further stated that the phone number of data subject and the PNR subject to the complaint did not systematically match and receiving SMS notification service was not mandatory to book a flight therefore the identity of the data subject was not processed within the scope of the relevant PNR.
The Board’s Approach
The Board firstly highlighted that personal data is referred to any information relating to an identified or identifiable natural person. However, the Board further considered that in the incident subject to the complaint, it was understood that the phone number of the data subject did not match any record belonging to him/her, on the contrary, the number was written and entered into the data controller system by the person who bought the ticket by mistake.
The Board before issuing its ruling, considered that the contact information of the data subject was processed by the data controller without any intent but by means of another user’s entry of the information to the system and there was not systematic matching or database for determining who belongs to the phone numbers entered into the system allowing for these manual data entries. Therefore, the Board resolved that there was no determination of the data controller regarding non-taking of all kinds of technical and administrative measures to ensure the appropriate security level in order to prevent unlawful processing of personal data by thus, there was no necessary action to be taken against the data controller Airline Company.
Ezgi Ceren Aydoğmuş