The Turkish Personal Data Protection Board (“Board”) is published the Resolution on blacklisting in the car rental industry (“Resolution”) in the Official Gazette dated January 20, 2022 and numbered 31725. In particular, the Resolution includes evaluations on the privacy violations arising out of the blacklisting through software that allow personal data of blacklisted data subjects between rental companies and the joint data controller relationship of rental companies and software service providers in these circumstances.

It has been determined by the Board that car rental software developers and software service providers offer car rental software, including blacklist, to car rental companies or real persons operating in car rental business, and car rental firms use this software to record the lessees' personal information, which includes “blacklist” data consisting of problems that occur during the use of vehicles and rental companies’ comments. Within this framework, it has been stated that the blacklist data is recorded in the system, and it can be accessed not only by the relevant car rental company and software company but also by all other car rental companies using the software, in a manner that might be considered personal data transfer across industry companies. However, it has been understood that the data subjects are not informed about this data transfer to an unknown number of users.

Another subject discussed in the resolution is the roles of the parties as data controllers. The service offered by software companies, in general, is a ready-made service type, where the database and software management are performed by the software companies as part of the Software as a Service model (“SaaS”), and users with admin authority are appointed in car rental companies and software companies to provide technical support and development when necessary. In addition, it has been stated that since it is a SaaS, in source codes of the software are not provided, car rental companies are not allowed to interfere with software codes, therefore, the authorities of car rental companies are limited to providing the content. Therefore, considering the fact that all rental companies using the software can access and control the blacklist data, the Board concluded that all of the car rental companies who use the blacklist data for their benefit and the software companies are joint controllers.

Furthermore, the Board emphasized that determining the responsibilities of joint data controllers should be done on a case-by-case basis. According to Resolution, the following factors should be considered in these evaluations: (i) the first and last user of the data, (ii) the data controller who input the data, (iii) the purpose of processing the data, (iv) the data controller who decides to change, delete, and transfer the data, and (v) data processing activities of data controllers other than the data controller who collected the data.

Moreover, the Board evaluated the data processing and transfer activities in question within the scope of the articles of Turkish Personal Data Protection Law No. 6698 (“Law”) regarding legal reasons, general principles, transfer, and data subjects’ requests. In its assessment on legal grounds, the Board stated that the blacklist data in question may only be accepted within the scope of the legitimate interest of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject, on a case-by-case basis, only if the data is processed by the company from which the vehicle is rented. However, the Board has decided that the disclosure of the said data to other car rental companies cannot be considered within the scope of the legitimate interest of the data controller. In addition, the Board has emphasized that the sharing of the said data with an unknown number of car rental companies is against the General Principles of processing under the Article 4 of the Law, such as complying with the law, processing for specified, explicit and legitimate purposes, processing in a manner that is adequate, relevant and limited to the purposes of processing. The Board has also evaluated that since the data subjects do not know with which car rental companies the data is shared, it is not clear which data controllers they can assert their rights against per Article 11 of the Law, and this will make it difficult to exercise data subjects’ rights.

Finally, in the light of these evaluations, the Board decided that in case personal data is processed within the scope of black list practices in the car rental sector in violation of the provisions regarding the transfer regulated in the Law, the car rental companies that have control over the said data will be considered as joint data controllers with the software companies, the relevant data controllers should take the necessary technical and administrative measures within the scope of Law and stated that continuing the blacklisting practice without taking the necessary measures may result in administrative fines.

Kortan Gödekoğlu, Esra Temur