In the case subject to the decision of the Personal Data Protection Authority dated 20.04.2021 and numbered 2021/389, it has been stated by the data subject that an individual pension contract has been signed by an insurance company, that it is obligatory to allow the processing of their personal data while trying to access the policies on the company's website, that he could not take any action on the site without explicit consent and he could not use the website, that this situation is unlawful and therefore, he has made a notification within the scope of PDPL numbered 6698.
Upon the notification, the Board initiated an investigation and requested the data controller to send their statement. In brief, the data controller stated that;
In order for the insurance company to carry out its activities, in order to understand who the customer is, issues such as identity information and compensation claims and also parents’ names, e-mail addresses, phone numbers and addresses are processed in accordance with Article 5/1 of the Personal Data Protection Law and, as stated in the second paragraph of the same article, this situation is among the exceptions and it is stated that explicit consent is not required for the processing of this information within the scope of the activity of the insurance company.
Also, it has been seen that it is stated by the data controller that since it is not possible to predict whether the person participating in the system will want another service from the company in the future, they think that explicit consent should be requested from the person when entering the system, and in this direction, it has been stated that the clarification text and the express consent notification are included in two separate links on their website.
In addition, against the notifier's statement regarding he could not use the site, they stated that the service provided is not only provided through the website, it is possible to reach the relevant service from many channels, including agencies all over Turkey, mobile applications and some other electronic media.
With the decision of the Personal Data Protection Board dated 20/04/2021 and numbered 2021/389 in accordance with the aforementioned notice, the statement of the data controller and the provisions of the relevant legislation;
- Regarding the Clarification Text:
As stated in Article 10 of the Personal Data Protection Law, it has been determined that the data controller has an obligation to inform the data subjects, and that this obligation must be fulfilled in accordance with the provisions of the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform. In the concrete case, the Board may require the processing of personal data for insurance activities, due to this situation, it is also important for the company to fulfill its obligation to inform, even if the data controller has given the clarification text and the explicit consent in two separate links, as stated in their defense, it has been determined that both texts are the same and that the clarification text and the explicit consent are located in the same box to be approved. According to subparagraph f of Article 5 of the Communiqué, if the personal data processing activity is based on the condition of explicit consent, the confirmation that the clarification text has been read and the explicit consent must be obtained separately. In other words, in cases where the legal reason for the processing of personal data is explicit consent, it will be necessary to create a separate explicit consent text.
Also, in the Decision, it is stated that the Data Controller has made a statement under the heading “D-Your Personal Data Collection Method and Legal Reason" as “Personal/special categories of personal data belonging to the parties of insurance policies and pension contracts; is compiled from databases that are authorized by public institutions to access us, to fulfill obligations arising directly from you and insurance contracts through our agents, internet applications, and call center.” followed by "It is processed only for the purpose of carrying out insurance activities within the framework of the Personal Data Protection Law numbered 6698 and other legislation and limited to the legal periods required for this purpose." in both clarification texts and that there is no information about the processing condition on which the data is processed.
- Regarding Whether the Explicit Consent is Bound to the Terms of Service:
In the relevant decision, The Board stated and emphasized that in the law, the explicit consent is defined as "freely given, specific and informed consent" and that as it is understood from this definition, explicit consent should not be of a general nature, and that explicit consent should be specific and limited to that subject and that the person is expected to have full knowledge of the subject to which he gave his consent, as well as the consequences of explicit consent.
Regarding this issue, the Board has determined that the insurance activity, which is the subject of the notification in the concrete case, is included in the second paragraph of Article 5 of the Personal Data Protection Law and it is based on the data processing condition that "Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract", for this reason, it has been evaluated that the fact that the data controller also receives an express consent statement for the processing of personal data on the subject is "deceptive and in the nature of abuse of right" and that this situation constitutes a violation of the principle of being in compliance with the law and the rules of honesty in Article 4 of the law.
For all these reasons, the Board gave a decision about the data controller as follows;
a. To give an administrative fine of 250.000 TL, considering the company's social, economic situation and the degree of injustice, and also considering that the company may have a negative impact on many people, such as those who made the notification,
b. To separate the approval part of both explicit consent and the clarification text since they obtain together,
c. To arrange the ambiguous expressions in the text of the clarification in accordance with the Provisions of the Law and the Communiqué on the Procedures and Principles to be Applied in Fulfilling the Obligation of Inform, and to inform the Authority after.