Decision of Data Protection Board

Personal Data Protection Board’s decision of 16/10/2018 with no. 2018/119, regarding the “prevention of data controllers and data processors from transmitting advertisement e-mails/calls to the email addresses of persons or to their phone numbers by means of SMS or calling” has been published in the Official Gazette no. 30582 dated 1 November 2018.

Within this scope, it is decided that:

  • Data controllers who direct messages with advertising content by means of sending SMS to, or calling the phone numbers of individuals, or sending e-mails to their e-mail addresses without obtaining those individuals’ consent and fulfilling the processing requirements stipulated in Article 5 of Law on the Protection of Personal Data (the “Law”), and data processors who use such data without the explicit consent of the relevant individuals for the purposes of sending messages/e-mails or making calls with advertising content on behalf of the data controllers shall immediately cease the mentioned data processing activities as per Article 15(7) of the Law,
  • Data controllers are obliged to take all kinds of technical and administrative measures to ensure the appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data and enabling protection of personal data and, if personal data are processed by another real person or legal entity on behalf of the data controllers, then the data controllers are jointly responsible with such person or entity to take the mentioned measures, as per Article 12 of the Law,
  • Data controllers who are engaged in the above stated activities shall be subject to fines within the framework of the provisions of Article 18 of the Law,
  • Considering that the personal data processed as mentioned might have been obtained unlawfully, the matter shall be reported to the Chief Public Prosecutor’s Office as per Article 158 of the Code of Criminal Procedure for the initiation of the necessary legal actions for the relevant data controllers in accordance with Article 136 titled “Unlawful Delivery and Acquisition of Data” of the Turkish Criminal Code No. 5237.

The information given in this note are aimed only at providing information, and does not serve as a legal opinion under any circumstances.