The Turkish Personal Data Protection Board ("Board") published a new principle decision ("Decision") on the verification of information.

Data controllers in various sectors, such as e-commerce, telecommunications, transportation and tourism, generally request contact information from data subjects in order to fulfill requests for documents such as invoices, statements and reservation documents. The Board indicates that if there is a mistake in the contact information provided by data subjects, documents containing personal data may be sent to third parties instead of the relevant data subjects.

The Board emphasized the principle of keeping personal data accurate and up to date, underlining the need to take the necessary technical and administrative measures regarding this principle.

In this context, it is stated that reasonable measures should be taken to verify the contact information declared by data subjects, such as sending a verification code or link to the phone number and/or e-mail address.

We would like to point out that OTP (one-time password) or similar verification measures should be implemented for information or document requests made by data subjects via websites or mobile applications.

Background of the Principle Decision

If the Board determines, as a result of an examination made upon a complaint or ex officio, that there is a wide-scale violation on a particular subject, it can make a principle decision in this regard. Principle decisions are published in the Official Gazette and become binding on those concerned. In case of failure to comply with such decisions, sanctions are imposed on the real and legal persons who are obliged to implement the decision.

You can reach the full text of the Decision here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.