11 November 2020
Administrative Fine Imposed on an Association for Breach of Personal Data Legislation
In accordance with the decision numbered 2020/691 that has been recently published by the Personal Data Protection Authority (“Authority”), an administrative fine has been imposed on an association within the scope of the Law on Personal Data Protection (“KVK”). The administrative fine is based on marketing-related messages. The inquiry process resulting in the administrative fine was triggered by a complaint.
The data subject, who was disturbed by the message sent to them and had no knowledge of how their personal data was obtained, requested information from the association in accordance with KVK. The respective individual submitted a complaint to the Authority on the basis that the requested information was not provided by the association within the statutory period. The Authority initiated an inquiry. Within the scope of the inquiry the Authority:
- Determined that the association could not document that the complaining individual provided consent for receiving messages;
- Evaluated that this constituted a failure by the data controller to fulfill the data security obligations and that the phone number in question should be deleted; and,
- Resolved that an administrative fine should be imposed.
The respective decision showcases how important it is for civil society organizations (“CSO”) to fulfill obligations within the scope of the KVK. We are likely to see similar decisions rendered by the Authority in the upcoming days against CSOs which have not undertaken relevant compliance work. It should be noted that branches of associations, as well as the direct activities, representative offices or branches of foreign CSOs operating in Turkey that are subject to the Associations’ Law, shall be evaluated within this context.
You may find the full text of the respective decision here.