1. Summary of Decision No. 2023/1509 on Data Transfer for Credit Risk Assessment

The relationship between the protection of personal data and the operational requirements of the banking industry is being closely examined in today's digital environment. The complexity of transferring personal data to Kredi Kayıt Bürosu AŞ (KKB), which was established to facilitate all kinds of information and document exchange between credit institutions and financial institutions for the purpose of providing credit and financial services, is exemplified in the Personal Data Protection Board's (PDPB) Decision No. 2023/1509, dated 31 August 2023. This decision offers valuable insights into the legal framework concerning personal data protection in the financial sector, but it also raises significant concerns about legal certainty and the principles of legality, fairness and transparency under Article 5(1)(a) of the Personal Data Protection Law (Law).

The complaint submitted to the PDPB stated, in summary, that the data subject had applied to the data controller bank regarding the transfer of their personal data to KKB, in accordance with the first paragraph of Article 8 of the Law. The data subject requested the withdrawal of their explicit consent for such transfer, and this request was subsequently rejected.

Notwithstanding the customer's revocation of consent for this data transfer, the bank proceeded with the transfer, citing legal obligations and operational requirements. The investigation conducted by the PDPB centred around the compliance of the data transfer with the Law, specifically Article 8, which pertains to the transfer of personal data. The bank justified its actions by explaining the need to share data for the purposes of credit processing and risk assessment. It relied on various legal grounds that seemingly allow for such data processing without explicit consent.

The PDPB states that personal data cannot be processed without the explicit consent of the data subject unless one of the conditions listed in Article 5(2) of the Law applies. However, there is no hierarchical relationship between explicit consent and the other processing conditions in Article 5(2). If a personal data processing activity is based on one of the conditions other than explicit consent, then obtaining explicit consent is not required. In the decision, it was found that the conditions specified in Article 5(2)(a), (c), (ç), and (f) of the Law were met, and therefore, explicit consent was not necessary for the processing of personal data.

2. Critical Review of the Decision: The Possibility of Relying on Several Legal Grounds for Data Processing and Its Impact on Legality

While the PDPB's decision seeks to address the intricate legal aspects of data processing in the banking sector, I highlight two points that underscore potential flaws in the decision's rationale and its potential impact on personal data protection. Nevertheless, it should be borne in mind that my analysis is based on the summary of the case published on the PDPB website. Thus, the Board would provide clarification on these two points in its complete decision.

2.1. The Issue of Legal Certainty

I contend that the decision made by the PDPB lacks precision in terms of the legal bases for data processing, as it refers to Article 5(2)(a), (c), (ç), and (f) of the Law without providing thorough justification for each. This approach may prejudice the principle of legal certainty, causing data subjects to be unsure about the bases on which their data can be processed. The lack of explicit justification for selecting multiple legal grounds for data processing undermines the predictability and clarity that are fundamental to both legal and data protection frameworks.

2.2. The Problem of Legality, Transparency and Fairness as a General Principle of Data Processing

The decision has a deficit in its approach to consent. At first, as understood from the summary of the case, the bank requested consent for data processing, but later relied on an alternative legal ground for transferring the data when consent was revoked. This prompts inquiries regarding the bank's compliance with the principles of transparency and fairness. The act of changing the legal ground for data processing after the request to withdraw consent not only confuses individuals whose data is being processed, but also potentially goes against the principle of legality, fairness and transparency. This principle emphasises the significance of maintaining consistent and transparent practices in data processing.

3. Takeaways from the Decision

It is important for authorities and data controllers to clearly state the precise legal grounds for data processing activities. This will improve legal certainty and enable data subjects to better comprehend the extent and rationale behind data processing. Transparent and prompt communication is necessary to maintain trust when there are modifications to the legal foundation for processing. Data controllers are obligated to guarantee that their data processing activities are transparent by furnishing explicit and thorough information to data subjects regarding the utilization of their personal data and the legal basis on which it is processed.

4. Conclusion

In conclusion, Decision No. 2023/1509 of the PDPB represents a crucial milestone in the continuous discussion between data privacy rights and the operational needs of the banking sector. Although it provides insights into the legal grounds for data transfers without explicit consent, it also encourages a reassessment of practices to ensure they adhere to the principles of legality, fairness, and transparency.
