Turkish Personal Data Protection Board (“Board”) in its latest ruling, resolved that the company in the case is considered as a data controller by means of dealing with marketing purposes of the hospital and calling new customers who are not in the hospital records. Therefore, the Board decided that the company has violated the obligation to prevent the unlawful processing of personal data by means of using the mobile phone number for advertising purposes of the person who is not a patient of the hospital.
Background on Complaint
According to the complaint filed by the complainant with the Board against the so-called data controller, which is operating as a hospital, requested the necessary action to be taken from the Board within the scope of Data Protection Law Numbered 6698 (“Law No. 6698”). According to the complaint received, the complainant was called by a person through his/her mobile phone on behalf of the hospital and the person tried to advertise the hospital on the phone call. Thereupon, having being disturbed by this situation, the complainant applied to the hospital via e-mail and requested for information based on the Law No. 6698. However, as per the complaint, the complainant did not become satisfied with the answer given by the hospital and then, applied to the Board for relief.
The Response Given by the Hospital and the Company Concerned
Primarily, in response to the complaint, the hospital claimed that (i) the complainant does not have explicit consent for receiving short messages, (ii) the personal data of the complainant is not processed by them at all, (iii) the calling phone number does not have a line belonging to them, and (iv) since the phone call made to the complainant is not made with the knowledge of them, the allegations subject to the complaint cannot be attributable. In furtherance of the response given by the hospital, when the phone number subject to the complaint was called by the Board, it was determined that the line belonged to the checkup department of the hospital in question. Therefore, the hospital was asked to convey the Board whether it has received services from various companies in relation to checkup services, patient guidance, advertising and promotion, examples of contracts related to these services, if so, and how the phone numbers used in the phone calls made or SMS messages are obtained within the scope of the contract.
According to the second response, the hospital claimed that (i) the calling phone number does not have a line belonging to them, (ii) but it belongs to a company which they have signed a contract with as to the marketing and sales of checkup service to third parties by the company and the hospital providing the checkup service to the customers that the company has found.
Upon this second response given by the hospital, the Board asked the relevant company to give an explanation regarding the case. With regard to this, the company has claimed that (i) the complainant was called on behalf of the hospital, (ii) they were following the appointment of the hospital's patients, (iii) however, the complainant was not the patient of the hospital and called by mistake, (iv) the phone call was hung up when the situation was noticed, (v) the personal data of the complainant is not obtained by them at all, (vi) the personal data obtained by the hospitals were used with the written approval of the relevant hospital and by thus, there is no transfer of personal data in the country or abroad.
The Board’s Approach
The Board firstly considered that a contract was signed between the hospital and a company regarding the marketing and sale of the checkup service to third parties and that the complainant was originally called by this company, and this contract was examined in order to determine who is responsible for the call of the complainant.
Within the consideration and review, the Board concluded that the company is a call center that acts on behalf of the hospital and markets the checkup panel to both the old customers of the hospital and the customers they find and the decision on where to find new customers and the ways in which products will be marketed to these customers is assigned to the discretion of the company by the contract. Therefore, the Board resolved that (i) the company is considered as a data processor in the processing of personal data for marketing the hospital's checkup panel to customers in the hospital's records; and (ii) the company is considered as a data controller calling new customers who are not in the hospital records but found by the company itself for marketing purposes.
In this context, the Board concluded that the company has violated the obligation to prevent the unlawful processing of personal data by means of using the mobile phone number of the complainant for advertising purposes and decided to impose an administrative fine of TRY 50.000,00 against the company.
Ezgi Ceren Aydoğmuş