Privacy Blog
Implementation of Disciplinary Provisions on Data Controller as a Result of Sharing Personal Information of Persons Working within the University with All Personnel
Data Protection Law
Case in point: In the complaint received by the relevant person to the Turkish Data Protection Authority, in summary;
- In an e-mail attachment sent with the signature of the dean of the faculty of a university, the data showing the registration numbers of the person concerned and all faculty members working at the University, the unit they work in, and their leave status were transferred to all administrative and academic staff of the Faculty.
- It is unlawful for the University to share this data with all staff via a mass e-mail without any discrimination or justification
Legal Assessment: As a result of the examination and evaluation conducted by the Personal Data Protection Board ("Board"):
- In the response letter of the data controller, it was stated that the data sharing regarding the use of permission subject to the complaint was made for the purpose of warning the relevant personnel and was carried out based on the condition that "it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract" regulated in subparagraph (c) of paragraph (2) of Article 5 of the Law.
- It is stated that the relevant processing condition shall not apply to the sharing of the personal data of the data subject regarding the consent status with other persons.
- It has been stated that it is not necessary to share personal data with all other personnel working in the unit where the relevant person works in order to warn the relevant person about the use of leave.
Therefore, as a result of the personal data processing activity not being based on any of the processing conditions specified in Article 5 of the Law, it was decided to take action in accordance with the disciplinary provisions against the relevant personnel working within the data controller in accordance with paragraph (3) of Article 18 of the Law.
You can access the full text of the Decision dated 27/04/2023 and numbered 2023/646 (in Turkish) from here.
Kind regards,
Zumbul Attorneys-at-Law