Summary of KVKK Decision on Unlawful Processing of Personal Data for the Purpose of Subscription Establishment

Kişisel Verilerin Korunması Hukuku, Data Protection Law

The summary of the decision of the Turkish Personal Data Protection Authority (‘KVKK’, ‘Authority’) dated 18/07/2024 and numbered 2024/1176 was published on the official website of the Authority.

In the complaint submitted to the Authority, it has been stated;

  • Due to the expiration of the internet commitment period of the Relevant Person, while looking for new tariffs on the internet, he accidentally entered a website that shares the same / very similar visuals with the Türk Telekom website, he wrote only his mobile phone number in the live help box on the site, he was called by a person who introduced himself as a customer representative within a few minutes, this person asked for his T.R. ID number in order to access the data registered in the system. identity number in order to access the data stored in the system, thinking that the data stored in the system could not be accessed through the mobile phone number, he also gave his T.R. identity number to the caller, after giving his T.R. identity number, this person accessed all the information that only Türk Telekom customer representatives can access, such as the residence address where the internet is installed, the type of tariff, the tariff start date, the commitment period, and when he saw that all of this information transmitted to him was correct, he thought that he was talking to a Türk Telekom customer representative,
  • The caller stated that he could use faster and cheaper internet by transferring the Relevant Person to the port that was rented to D-Smart company using Türk Telekom infrastructure, which was idle and extra because it was not used, and when he stated that he was satisfied with Türk Telekom and that he would not change his company, he was informed that his company would not change, only the internet port would be changed, whereupon he gave his consent to the transaction thinking that he had a conversation with a Türk Telekom customer representative, then he received an SMS that he switched to D-Smart on the same day and that the caller was not a Türk Telekom customer representative, he realised that his will was crippled and his information was obtained unlawfully, he first called the Türk Telekom customer representative and reported the situation, on the same day he called the D-Smart customer representative and stated that he did not make any subscription, if a subscription pre-application was made on his behalf, it was against his consent and requested cancellation, despite this, a few days later, the D-Smart service in the province where he was located for the installation of the subscription called the Relevant Person, said that he did not make a subscription and did not apply for a subscription, and told them to cancel the work order in their hands

In the framework of the investigation initiated in this case, the defence of Demirören Internet ve İletişim Hizmetleri Ticaret Anonim Şirketi ("Demirören"), the complainant, was requested and summarised in the reply of the complainant;

  • In the specific case, it was found that the personal data of the relevant person was added to the systems by İkra İletişim as part of the subscription application, İkra İletişim transferred the relevant person, who was not registered in Demirören's systems, to the relevant system by obtaining the data of the potential subscriber independently as the data controller without the instruction or knowledge of Demirören, İkra İletişim, as the data controller, independently obtained the data of the potential subscriber without the instruction or knowledge of Demirören and, in this respect, İkra İletişim is responsible for obtaining the personal data of the relevant person from the relevant person in accordance with the law,
  • Due to the fact that the personal data of the data subject is provided by İkra İletişim and transferred to Demirören's systems, the obligation to provide information is fulfilled by İkra İletişim at the time when the personal data of the data subject is first requested from the data subject, and the Relevant Person has been lawfully informed in accordance with the provisions of the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform ("Communiqué") through the call centre channel through which the Relevant Person contacts Demirören to communicate cancellations and other requests regarding subscription transactions within the scope of the incident that is the subject of the complaint.

As a result of the examination carried out on the subject, with the decision of the Personal Data Protection Board dated 18/07/2024 and numbered 2024/1176;

  • In the context of the incident subject to the application, the Relevant Person declared that although he clearly stated that he did not want to be a D-Smart subscriber, he was deceived that the company he received service from would not change, for this reason, he gave his consent to the processing, he never received service from D-Smart, in this respect, it is not possible to have his explicit consent in terms of processing the personal data requested from him for subscription establishment,
  • It is understood that the data controller claims to act as an intermediary in order to conclude a contract between Andromeda and potential customers in exchange for a premium, by contacting customers through the website https://dsmart-internet.com.tr, and that the personal data of the data subject are processed for this purpose,
  • Considering that the number that made a call to the Data Subject also belongs to the Data Controller, the Data Controller reaches potential customers by using the visuals of another company in a misleading way, although there is no legal basis, it processes personal data by misleading the relevant persons until the contract is established in order to establish a contractual relationship, and the processing conditions regulated in the second paragraph of Article 5 of the Law in terms of the activity in question do not exist in the concrete case, In order to be able to rely on the ‘explicit consent’ processing condition, three basic conditions, namely ‘being related to a specific subject’, ‘being based on information’ and ‘being expressed with free will’, must be fulfilled at the same time, in the incident subject to the complaint, the will of the Relevant Person was impaired by deception, in this respect, the consent obtained cannot be qualified as ‘explicit consent’ in the sense of Article 3 of the Law

based on these considerations the following decision has been taken;

  • Since Demirören İnternet ve İletişim Hizmetleri Ticaret Anonim Şirketi was involved as a third party in the incident subject to the complaint, there is no action to be taken against the said company within the scope of the Law,
  • Based on the assessments that Andromeda TV Digital Platform İşletmeciliği Anonim Şirketi has lost the title of data controller in the incident subject to the complaint, there is no action to be taken against the said company under the Law,
  • İkra İletişim Telekomünikasyon ve Danışmanlık Hizmetleri Sanayi Ticaret Limited Company misleads potential customers by using the visuals of another company even though it should act within the framework of the orders and instructions of the said company and the provisions of the contract in the status of data processor in accordance with the contract concluded with Andromeda TV Digital Platform İşletmeciliği Anonim Şirketi, and in this way, the said company obtains and processes the personal data of the Data Subject,  Based on the assessments that the processing activity in question is not based on any of the processing conditions regulated in Article 5 of the Law, an administrative fine of 450.000 Turkish Liras shall be imposed on the Data Controller in accordance with subparagraph (b) of the first paragraph of Article 18 of the Law on the grounds that the Data Controller has not fulfilled the obligation to take the necessary administrative and technical measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data stipulated in subparagraph (a) of the first paragraph of Article 12 of the Law titled ‘Obligations Regarding Data Security’.

You can access the full text of the desicion (in Turkish) here.

 

Kind regards,

Zumbul Attorneys-At-Law

info@zumbul.av.tr