Turkey’s Personal Data Protection Board (“Board”) in its latest ruling, examined a complaint filed against the data controller company (“Company”) asserting that the Company did not fulfill the request for access to the personal data of the data subject in relation to account movements of the meal card allocated to him/her by the employer. In furtherance of significant evaluations, the Board resolved that no necessary action to be taken against the Company, since the additional security measures taken by the Company shall not be a violation of personal data protection legislation but rather constitute meticulous implementation of its obligations.

Background on Complaint

A data subject stated that he/she requested from the Company to transmit the account movements of the meal card allocated to him/her by his employer, and then sent the requested petition and the image of the identity by the Company via e-mail in order to verify his/her identity. Later, in the e-mail sent by the Company, the relevant information was shared in the attachment, but it was stated that the mobile phone number in the e-mail should be called in order to access the personal data included in the attached document due to their additional security measures.

The data subject claimed that this additional security measure shall be deemed as unlawful, since it prevents him/her from accessing his/her personal data. Thereupon, the data subject applied to the Board for relief.

The Company’s Response

In response to the complaint, the Company claimed that the data subject claimed that he/she stated that he/she was a meal card user, gave his/her card number to them, and requested explanations regarding all account activities and processed data in accordance with article 11 of the Personal Data Protection Law numbered 6698 (“Law”), in the e-mail sent by the data subject from his/her Gmail address to them. As a result of the examination made by the Company, it was determined that since the e-mail address of the data subject was not registered in the system, the relevant communication channel could not be confirmed, and the card number presented by the data subject was inaccurate. Upon the request of the Company, an e-mail was sent by the data subject included a petition with his/her wet signature to verify his/her identification.

The Company claimed that since the data subject was requested to send his/her personal data to an e-mail address whose infrastructure is hosted abroad such as "gmail" and that was not previously defined in the data controller. Furthermore, the Company stated that for said reasons, a risk assessment was made, and the request was responded to ensure the highest level of security in the e-mail environment and the file sent to the data subject was encrypted. It has also been stated that the phone number that is sent to the data subject by the Company via e-mail, shall assist the data subject to access his/her own personal data by only having a direct call with that given number.

The Board’s Approach

The Board firstly highlighted that article 11 of the Law covers each data subjects’ right to request to the data controller about him/her personal data to: (i) to learn whether his/her personal data are processed or not, (ii) demand for information as to if his/her personal data have been processed, and (iii) learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose.

The Board before issuing its ruling stated that the file sent via e-mail sent to the data subject was encrypted for security purposes and a phone number to access the data subject’s personal data was included in the e-mail, so that such action taken by the Company cannot be considered as a prevention of accessing the data subject's personal data. In addition, the Board has evaluated that the additional security measures taken by the Company, who is under the obligation to prevent unlawful access to personal data, is not a violation of the Law. In fact, the Board considered that additional security measures taken by the Company constitute meticulous implementation of its obligations stipulated under the Law. Consequently, the Board resolved that there was no necessary action to be taken against the Company.

Ezgi Ceren Aydoğmuş, Esra Temur