Resolution of the Personal Data Protection Board dated 23/12/2021 and numbered 2021/1304 on blacklisting practices in the car rental sector

Decision Date : 23/12/2021
Decision No : 2021/1304
Subject : Resolution on blacklisting practices in the car rental sector

As a result of the examinations carried out by the Personal Data Protection Board (Board) within the scope of the notices submitted to the Authority, it has been understood that "blacklisting" software/programs/applications are used in the car rental sector.

With the aforementioned “blacklisting” practices used in the car rental sector, it has been understood that;

  • Car rental software developers and vendors offer car rental software including "blacklisting" features to car rental companies (or natural persons who rent a car), 
  • The car rental companies are processing the personal data of their customers and among these data processed, there are "black list" information, which includes the problems that occur during the use of the vehicles, or the comments of the car rental company,
  • This information is processed by the car rental companies to be used when making decisions for future rentals,
  • Furthermore, the software in question is designed as systems that allow a car rental company to open the data entered by itself to other car rental companies, 
  • Therefore, a system has been created that provides data flow/sharing from the car rental company to the software, and from the software to other car rental companies using the said software, and that the personal data of the persons renting the car are shared mutually, 
  • In general, the service provided by software companies is in the form of SaaS (Software as a Service), and as a requirement of the SaaS service, the management of the database and software is in software companies; also users with admin authority are appointed in car rental companies and software companies in order to provide technical support and development when necessary; since the type of service offered is a ready-made SaaS service, it is not offered in source code, car rental companies are not allowed to interfere with software codes, therefore the authorities of car rental companies are limited to providing content,
  • While providing the personal data required under the rental agreement of a natural person who rents a car to the car rental company, the customer is not aware that the data he provided to the company in this process, his personal data such as the positive/negative relationship he had with the company, the damage to the vehicle, the problems experienced in the payment process were shared with an unknown number of users, except for the car rental company of which he was a customer, by means of software with black list feature.

As it is known, pursuant to Article 3(1) of the Law, titled "Definitions", data subject means “the natural person whose personal data are processed”, personal data means “any information relating to an identified or identifiable natural person”, processing of personal data means “any operation which is performed on personal data, wholly or partially by automated means or by non-automated means provided that it forms part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof”, and data controller means “the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system”.

Article 5(1) of the Law titled "Conditions for Processing Personal Data" stipulated that personal data shall not be processed without explicit consent of the data subject. Paragraph (2) rules that: personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met: a) It is expressly provided for by the laws. b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid. c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract. ç) It is necessary for compliance with a legal obligation to which the data controller is subject. d) Personal data have been made public by the data subject himself/herself. e) Data processing is necessary for the establishment, exercise or protection of any right. f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

In accordance with Article 8 of the Law; (1) Personal data shall not be transferred without explicit consent of the data subject. (2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in: a) the second paragraph of Article 5, b) the third paragraph of Article 6, provided that sufficient measures are taken. (3) The Provisions of other laws relating to transfer of personal data are reserved.

On the other hand, Article 11 of the Law regulates the rights of the data subject, paragraph 1 (g) includes the right “to object to the occurrence of a result against the person himself/herself by analysing the data processed solely through automated systems.”

In Article 12 of the Law it has been stipulated that the data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data, ensuring protection of personal data.

In accordance with the relevant articles of the Identity Notification Law No. 1774, it is obligatory to report the car rental activity to the law enforcement officers. Therefore, in the context of data entry of car rental companies into the Rental Vehicle Notification System (KABİS), the processing condition "expressly provided for by the laws" in Article 5(2)(a) of the Law and “necessary for compliance with a legal obligation to which the data controller is subject" in subparagraph (ç) can be evaluated within the scope of processing conditions.

In addition, since the car rental business is carried out within the scope of a contract concluded between the parties, within the context of Article 5(2)(c) of the Law “Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract” it is possible for the personal data of the data subjects to be processed by the car rental companies.

In terms of blacklist-like data records, it is evaluated that processing of personal data limited to business activities is different from disclosure of such data to other data controllers via software companies. Article 5(2)(f) of the Law regulates the processing condition as “Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.” Accordingly, a balancing test should be conducted between the fundamental rights and freedoms of data subjects and the legitimate interests of the data controller, and in case the legitimate interest overrides, data controllers may apply blacklisting practices, provided that they are limited to the business activity; in other words, on the condition that blacklisting practices within the body of the data controller will be evaluated separately depending on the actual case at hand. However, if the processed personal data is disclosed to other data controllers (other car rental companies) using the same software, the fundamental rights and freedoms of the data subject would be violated.

In addition, it has been evaluated that sharing the personal data processed by a car rental company with an unknown number of car rental companies via software would violate the principles of “lawfulness and fairness”, “being accurate and kept up to date where necessary”, “being processed for specified, explicit and legitimate purposes” as regulated under the General Principles in Article 4 of the Law.

On the other hand, in the blacklist practices that are the subject of the notice, car rental companies are the data controllers who collect personal data from natural person customers at first hand. However, considering that the access to the blacklist record is not limited to one company, other car rental companies using the software can also access the personal data transferred to the software, and they have dominance over the data, it has been evaluated that car rental companies and software companies that use the blacklist record for their own benefit will be joint data controllers. 

In this context, in order to determine the amount of responsibility and fault, it is necessary to evaluate the processing activities on a case-by-case basis and identify which of the joint controllers is the faulty party and has control over the data. When determining faultiness among joint data controllers, the following factors should be taken into account: who is the first and last user of the processed data; who registers the data; the purposes of the data registration; who decides on rectification, erasure or transfer of data; and what activities are performed by the data controllers other than the one who collected the data.

Blacklisting practices in the car rental sector should also be evaluated in terms of the rights of the data subject. Processing personal data for blacklisting practices will prevent individuals from properly exercising their rights arising from Article 11 of the Law. That is to say, due to the nature of blacklisting practices, such processing will lead to a negative outcome for the data subject, and this negative outcome will be added to the blacklist, which will result in decisions about the person being made based on this negative outcome; therefore, as a result of this profiling, data subjects will be negatively affected. Furthermore, since the person renting a car is not in a position to know the other car rental companies with whom their personal data are shared, it will be difficult for them to assert their rights arising from Article 11 of the Law against these data controllers.

In the light of all these evaluations, the Board unanimously decides that;

  • Car rental companies that have control over personal data will be regarded as joint data controllers with software companies, in case personal data is processed within the scope of the blacklisting practices in car rental companies in violation of the general principles regulated in Article 4 of the Law, processing conditions regulated in Article 5 of the Law, and provisions on transfer of data regulated in Article 8 of the Law,
  • Such unlawful practices should be terminated, and data controllers shall take the necessary technical and organizational measures regulated in Article 12 of the Law in order to ensure that personal data processing processes in the car rental sector comply with the Law,
  • The public shall be informed that, pursuant to Article 18 of the Law, an action will be taken against the data controllers who apply blacklisting practices in the car rental sector without taking the aforementioned measures and in violation of the provisions of the Law,
  • This Resolution taken pursuant to Article 15(6) of the Law shall be published in the Official Gazette and on the website of the Authority.