The Personal Data Protection Board (“Board”) published a new Ruling (“Ruling”) on the confirmation of personal data.
In the Ruling, the Board examined the practice of data controllers operating in various sectors such as e-commerce, telecommunications, transportation, and tourism delivering documents that contain the data subjects' personal data, such as invoices, statements, and reservation documents, to the data subjects via SMS and/or e-mail. In this practice, data controllers request the data subjects to declare their phone numbers and/or e-mail addresses. However, it was observed that these documents belonging to the data subject are transmitted to third parties due to several mistakes, such as inaccuracy in the statements of the data subjects or the declaration of information belonging to third parties.
In its examination, the Board emphasized that the general principles should be followed in the processing of personal data within the scope of Article 4 of the Law on Protection of Personal Data ("Law") numbered 6698. As per the principle of “keeping the processed data accurate and up-to-date when necessary”, which is one of these principles, the data controller has an active duty of care to ensure that the personal data is accurate and, when necessary, up-to-date. The Board ruled that data controllers are obliged to take the necessary technical and administrative measures in order to comply with this active duty of care. In this regard, sending a confirmation code/link to the phone number and/or e-mail address of the data subject is given as an example of the reasonable measures to be taken by the data controller. In addition, it was stated that the data controller should always keep the channels open for data subjects to correct and update their data.
In conclusion, with this Ruling, the Board established the requirement for data controllers to take the necessary administrative and technical measures to establish mechanisms to confirm the accuracy of personal data in accordance with paragraph 1 of Article 12 of the Law, which regulates the obligations of data controllers to ensure data security. Due to the binding nature of the Ruling, in case of non-compliance with this Ruling, legal consequences shall be possible against individuals and entities acting as data controllers.