Privacy Blog
The Turkish Data Protection Authority Fines an Intermediary Service Provider TRY 500.000 for Requiring Individuals Shopping on Its E-Commerce Site to Save Their Credit/Debit Card Information
Case in point: In the complaint submitted by the relevant person to the Turkish Data Protection Authority, it was stated, in summary, that:
- During the process of purchasing from the e-commerce website, the option to "add credit/bank card" appeared on the payment screen, requesting the individual to save their credit/bank card information.
- It is mandatory to save credit/bank card information to make purchases from the website.
- The "continue" buttons do not function without entering the relevant information, making it impossible to complete the purchase.
- There is no valid data processing condition for the data controller to be able to save credit/bank card information within the scope of Law No. 6698 on the Protection of Personal Data ("Law").
- The individual has not given explicit consent to the data controller.
- The individual has not been informed about the processing operation.
Legal Assessment: As a result of the examination and evaluation conducted by the Personal Data Protection Board ("Board"):
- A generic account was created by the Board on the website in question and an attempt was made to place an order to confirm the allegations of the complainant and the statements of the data controller.
- During the purchase process on the system, there is a section titled "Add a Payment Method" which includes "add a credit card or bank card". When clicked, there are two options next to the field where card information should be entered: "cancel" and "add your card". Upon clicking "add your card", the entered card information is added as a payment method, and it is only possible to proceed to the next step after entering this information.
- It is understood that shopping cannot be completed without saving the card information, in line with the allegations of the complainant, and it is also understood that the card information continues to be stored in the wallet section after the completion of the shopping.
- According to the "Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions" [1] adopted by the European Data Protection Board ("EDPB") on May 19, 2021, the processing of card information to facilitate purchases is only possible with explicit consent.
- By enabling individuals who add a payment method to easily make subsequent purchases, the data controller has introduced a new processing purpose.
- While requesting the entry of card information to complete the purchase complies with various processing conditions of the Law, it is not possible to rely on the same processing conditions for the continued processing of card information in the membership account after the completion of the purchase. However, such processing can be carried out on the basis of the explicit consent of the relevant individuals, obtained under the Law.
- It is stated that the declaration by the data controller that customers can remove their card information from their account after it has been saved is contrary to the principles of "lawfulness and fairness" and "limited and proportionate processing for the purpose" stipulated by the Law.
Therefore, it is stated that an administrative fine of 500.000 TL should be imposed on the data controller for not fulfilling the obligations regarding data security stipulated in Article 12 (1) of the Law. It has also been decided that, since it is possible to save credit card information to the membership account with the explicit consent of the relevant individuals, the data controller should develop a system to ensure this, make the necessary adjustments in the informative texts, and inform the Board accordingly.
You can access the full text of the Decision dated 11/04/2023 and numbered 2023/567 (in Turkish) from here.
Kind regards,
Zumbul Attorneys-at-Law
[1] Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions: https://edpb.europa.eu/system/files/2021-05/recommendations022021_on_storage_of_credit_card_data_en_1.pdf