Summary of the Board Decision on “publishing the personal data relating to the customers against whom the data controller commenced execution proceedings, on a website accessible to everyone”
Decision Date: 2 December 2021
Decision No: 2021/1110
Subject: Publishing the personal data relating to the customers against whom the data controller initiated execution proceedings
A notice submitted to the Authority asserts, in brief, that a data controller company operating under a holding shared, on an internet address, the ID number, phone number, license plate and address information of its customers against whom execution proceedings had been initiated, and that the purpose was to ensure that vehicles with a warrant of arrest were banned from traffic when found, by calling 155. The notice requested that the necessary action be taken in accordance with the Personal Data Protection Law No. 6698 (the Law).
An examination was initiated, and the defence letter of the data controller briefly explains that:
- The data subject did not apply to the data controller in accordance with Articles 11 and 14 of the Law; since no personal data of the data subject is processed, the material element sought for legal application does not exist; no vehicles are sold to the data subject by their companies; and the data subject does not have the opportunity to access the company’s stored information,
- The company sells second-hand vehicles in installments and in cash; if the installment payments are not made by customers, enforcement proceedings are initiated by legal means; sequestration and seizure procedures are carried out by the executive directorate on vehicles registered in the name of customers; seized vehicles are taken to the car parks of the Trustee in accordance with the enforcement legislation; for the vehicles pulled into the parking lot, they saw the creditor of the enforcement file and informed their company; other than that, the enforcement debt information of the customers was not shared with any Trustee or third parties,
- When the internet address mentioned by the data subject is examined, the application is rejected because there is no such address on its servers and there is no content at the internet address proving the claims of the person concerned; the personal data of the customers are transferred in a secure digital server environment, and only authorized personnel logging in with a user name and password can make inquiries.
In this regard, taking into account the following points:
- The purpose of the Law is to protect the fundamental rights and freedoms of persons, particularly the right to privacy, and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data. Article 3 of the Law defines the data subject as the natural person whose personal data are processed, Article 4 of the Law defines the data controller as the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
Pursuant to Article 4(1) of the Law regulating the ‘general principles’ in processing personal data, “personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws”, and the second paragraph of the same Article lists the principles to be complied with in the processing of personal data as:
a) Lawfulness and fairness.
b) Being accurate and kept up to date where necessary.
c) Being processed for specified, explicit and legitimate purposes.
ç) Being relevant, limited and proportionate to the purposes for which they are processed.
d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.
Article 5(1) of the Law rules that personal data shall not be processed without the explicit consent of the data subject, and the second paragraph of the same Article rules that personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
a) It is expressly provided for by the laws.
b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) Personal data have been made public by the data subject himself/herself.
e) Data processing is necessary for the establishment, exercise or protection of any right.
f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
- Article 12(1) of the Law stipulates that the data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data, and ensuring protection of personal data.
- The notice letter was submitted to the Board through the Presidency’s Communication Center (CİMER), and the data subject did not claim that his/her data is published on this website or processed in any other way. Pursuant to Article 15(1) of the Law, “the Board shall carry out the necessary examination on the matters falling within its task upon complaint or ex officio where it has learnt about the alleged infringement”. The Board decided to initiate an examination on the subject upon the notice submitted via CİMER, considering that it is possible to initiate an ex officio examination on matters falling under its jurisdiction even if there is no notice and even if the persons affected by the violation do not lodge a complaint with the Board,
- As a result of the preliminary examination of the internet address, carried out before the Authority sent an information and document request to the data controller, it was found that the name, ID number, address, the license plates and models of the vehicles for which an arrest warrant had been issued, and the law firm following the enforcement files were displayed on the website, and it was determined that this information could be searched by vehicle license plate, city and district. Furthermore, after the information and document request letter was sent to the data controller, the website could no longer be reached,
On the basis of the foregoing evaluations, the Board, with its Decision numbered 2021/1110 and dated 2 December 2022, decides:
- to impose an administrative fine of 200.00 TL on the data controller pursuant to Article 18(1)(b) of the Law for the failure to take the technical and organizational measures laid down in Article 12(1) of the Law, and for processing personal data without relying on one of the conditions for processing personal data laid down in Article 5 of the Law, by way of publishing the data on the website that was accessible when the examination was initiated.