Following a complaint to the Turkish Personal Data Protection Board (“Board”) by a passenger acting as data subject against the data controller, claiming that the response and actions taken by the data controller upon his application were insufficient, the Board was asked to examine whether the data controller had failed to fulfil its data security obligations under the Law on the Protection of Personal Data (“Law”). The Board concluded its investigation and ruled that the data controller had violated the Law on the grounds stated below.
The complainant asserted that an employee of the data controller obtained the complainant’s flight information from the airline company’s data records and shared it with another employee. The complainant further added that after each flight he/she was called and disturbed by an employee with whom he/she had a conflict, a conflict that has been the subject of several judicial proceedings.
The complainant notified the airline company by e-mail, followed by a notification through a notary stating that the disturbance and calls by the employee were continuing, and further added that he/she had been exposed to threats due to the lack of action against the employee.
In its response to the complainant, the airline company claimed that the complainant’s e-mail concerned fraud and unfair advantage, and that no company records were found regarding the complaint.
In response to the notice sent through the notary, the airline company, acting as data controller, conducted an investigation into access to the PNR records; the investigation was limited to the PNR records, since the employee and the data subject were already in a position to know each other’s identity and contact information. The airline company’s internal investigation concluded that the employee had the right to access the information under the Turkish Civil Aviation Law No. 2920 (“Civil Aviation Law”). It further stated that, although use of the data for personal interest is not compliant with the Law, the data subject to the complaint had not been shared with unauthorized third parties and should therefore not be considered a violation of the Law. Lastly, the airline company emphasized that data security training for employees is carried out at regular intervals and that the employee subject to the complaint had completed the training programme.
The Board’s Approach
The Board first evaluated the employee’s statements, the data controller’s investigation report, and the data subject’s claims and evidence. It concluded that the personal phone records could not be treated as evidence, as there was no information on whether the mobile application conversation and call history images in the file belonged to the data controller’s employees, and that the data controller is obliged to take all necessary technical and administrative measures to prevent unlawful processing of, and unlawful access to, personal data and to ensure the retention of personal data.
The Board decided that, although the access to personal data was lawful due to the authorization granted under the Civil Aviation Law, the technical and administrative measures taken by the data controller were not sufficient: the data controller had neither limited the number of PNR inquiries nor developed a monitoring mechanism for those inquiries. Furthermore, the Board did not consider the completion of training sufficient for data security purposes and imposed an administrative fine of TRY 100,000 for the lack of sufficient measures to ensure data security.
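As an added illustration (not part of the ruling and not the airline’s own system), the two controls the Board found missing, a cap on the number of PNR inquiries and a monitoring mechanism for them, can be approximated by reviewing PNR access logs for an employee who repeatedly looks up the same passenger and for employees exceeding a per-window inquiry limit. The log format, employee and passenger identifiers below are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed PNR access log (hypothetical format): timestamp, employee id, passenger id, action.
ACCESS_LOG = """\
2023-03-01T08:02:11 emp-017 pax-4471 view
2023-03-01T08:05:40 emp-017 pax-9120 view
2023-03-04T19:30:02 emp-017 pax-4471 view
2023-03-09T21:12:45 emp-017 pax-4471 view
2023-03-15T22:01:09 emp-017 pax-4471 view
2023-03-15T22:01:30 emp-042 pax-3301 view
2023-03-15T22:02:00 emp-042 pax-3302 view
"""

def parse_log(text):
    """Parse log lines into (timestamp, employee, passenger, action) tuples."""
    records = []
    for line in text.splitlines():
        ts, emp, pax, action = line.split()
        records.append((datetime.fromisoformat(ts), emp, pax, action))
    return records

def repeated_lookups(records, min_hits=3):
    """Monitoring: flag (employee, passenger) pairs where one employee viewed the
    same passenger's PNR at least min_hits times, the pattern described in the case."""
    counts = Counter((emp, pax) for _, emp, pax, _ in records)
    return {pair: n for pair, n in counts.items() if n >= min_hits}

def over_rate_limit(records, max_per_window, window=timedelta(hours=1)):
    """Inquiry cap: flag employees whose inquiries within any sliding window
    exceed max_per_window; returns the peak count per flagged employee."""
    by_emp = defaultdict(list)
    for ts, emp, _, _ in records:
        by_emp[emp].append(ts)
    flagged = {}
    for emp, times in by_emp.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            n = end - start + 1
            if n > max_per_window:
                flagged[emp] = max(flagged.get(emp, 0), n)
    return flagged

if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    print("repeated lookups:", repeated_lookups(recs))
    print("over limit (1/hour):", over_rate_limit(recs, 1))
```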
In this ruling, the Board clarified that even where an action falling within the scope of the Law is itself lawful, the data controller’s responsibility to take all necessary measures remains.