Turkey: Review Of A Decision Of The Turkish Data Protection Authority Which Included An Evaluation Regarding A Lawyer

May 2021 – In a recently issued decision, the Turkish Personal Data Protection Board (the "Board") evaluated a lawyer's position in a case where a bank (the "Bank"), acting as a data controller, transferred its customer's data to its contracted lawyer ("the Lawyer"). In the case in question, the customer's data included a telephone number belonging to the customer's sister. Accordingly, the Lawyer called the customer's sister in relation to the customer's debts to the Bank. However, the Board concluded that processing the customer's sister data and transferring it to a third party, i.e., the Lawyer, constituted a violation of the Personal Data Protection Law (numbered 6698, the "DP Law") and therefore imposed on the Bank an administrative fine of TRL 175,000 (approximately EUR 17,500).

The Board makes an assessment on the Lawyer

The Lawyer stated in his defence that:

• He has an attorney-client relationship with the Bank that entitles him to contact the Bank's debtors regarding collection and other legal issues. The Bank, therefore, provided the customer's contact information to the Lawyer.
  • Once the lawyer realised that the phone number in question belongs to the customer's sister, he removed the number from the system and notified the Bank.

The Board also received the Bank's defence and concluded that:

• The Bank, which establishes a legal tracking system and records personal data, is the data controller.
• The Lawyer, who processes personal data on behalf of the Bank within the framework of the instructions given by the Bank based on the attorney-client relationship, is the data processor. (For more information on the distinction between a data controller and data processor, please click here.)
• The Lawyer processed the personal data to fulfil his liabilities arising under (i) the Law on the Legal Profession and (ii) the Bankruptcy and Enforcement law and secondary laws.
• The Lawyer is not able to know that the telephone number in the system belongs to the customer's sister, as who the telephone number belongs to is not stated in the system.
• Once the Lawyer realised that the number does not belong to the customer, he immediately removed the telephone number from the records and notified this matter to the Bank.
• As a result, no sanction has been imposed on the Lawyer.

What was the Decision of the Board regarding the Bank?

The Bank alleges that since the customer called the Bank with a number different from the contact number registered in the system, the Bank registered the relevant number as an alternative contact number. The Board decided that the Bank had to obtain the explicit consent of the customer's sister to process her telephone number, and thus such data processing activity of the Bank violates the DP Law. Consequently, the Board imposed an administrative fine of TRL 175,000 (approximately EUR 17,500) on the Bank, on the ground that it processed and transferred the customer's sister telephone number without a legal basis.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.