Decision of the Turkish Data Protection Authority Regarding the Existence of Public Interest in the Excessive Request for Personal Data by Service Providers for the Enhancement of Level in Membership on Crypto Asset Platforms

Data Protection Law

Case in point: In the complaint received by the relevant person to the Turkish Data Protection Authority, in summary;

  • In order to increase the level of membership on the platform of the data controller, which is a crypto asset service provider, a photograph of the front and back side of the person's identity is requested together with their own photograph.
  • Personal data is processed by the data controller more than necessary and disproportionately.

Legal Assessment: As a result of the examination and evaluation conducted by the Personal Data Protection Board ("Board"):

  • The Cryptocurrency Asset Service Provider, which acts as an intermediary for cryptocurrency trading transactions, is subject to the Personal Data Protection Law ("KVKK") legislation as an obligated entity under the Law No. 5549 on Prevention of Laundering of Crime Revenues ("Law No. 5549") and the Regulation on Measures Regarding the Prevention of Laundering of Crime Revenues and Financing of Terrorism based on it.
  • According to Article 3 of Law No. 5549, titled "Recognition of the Customer" the data controller is obliged to identify the identities of the individuals and entities involved in transactions conducted or mediated by them before the transaction takes place and to take necessary measures.
  • In the "Cryptocurrency Asset Service Providers Guide"[1] published by the Financial Crimes Investigation Board ("MASAK"), it is stated that the most important measure required under the obligation of customer recognition is "identity verification."
  • Since there is a possibility of money laundering activities, which are classified as laundering of crime revenues, being conducted within the scope of the data controller's activities, there is a public interest in identifying the users' identities.
  • As the data subject did not request the deletion or destruction of his/her personal data from the data controller in his/her application and it is understood that the e-mail address used for the application was not specifically designated for requests regarding the protection of personal data, it has been concluded that the data subject has not exhausted the remedies to apply to the data controller regarding this request.

Therefore, since the data controller has an obligation arising from the relevant legislation, in particular Law No. 5549 on the Prevention of Laundering Proceeds of Crime, regarding the processing of personal data, activity is based on the data processing condition of "expressly provided for by the laws" within the framework of subparagraph (a) of paragraph 2 of Article 5 of the Law, and as a result, there is no action to be taken on the complaint.

You can access the full text of the Decision dated 11/04/2023 and numbered 2023/570 (in Turkish) from here.

 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr

 


[1] "Cryptocurrency Asset Service Providers Guide" (in Turkish): https://ms.hmb.gov.tr/uploads/sites/12/2021/05/Kripto-Varlik-Hizmet-Saglayicilar-Rehberi.pdf