10 June 2022

You may find below our notes on the Summary of the Decision of the Personal Data Protection Board (“Board”) dated 09/12/2021 and numbered 2021/1239” regarding "Sharing of personal data by the data controller Bank by making calls to the phone numbers of the family of the data subject".

Allegation: It has been claimed by a data subject that despite the fact that he/she did not grant a clear written or verbal explicit consent, his/her parents were persistently being called on their fixed phones regarding a debt arising from the contract between the data subject and the data controller Bank, the fact that the data subject could not be reached was shown as the reason for the calls, in the calls made by the data controller it was declared to the family of the data subject that the data subject and the partners of the company, of which the data subject is also a partner, could not be reached, also the names of the partners were given, at the end of the conversations, a phone number was left and it was said that the data subject should call this number, the data subject has repeatedly stated that the number being called is in the use of his/her family, the data controller has violated its obligations arising from the Personal Data Protection Law numbered 6698 (“PDPL”) by processing the data subject’s personal data without his/her explicit consent.

Board’s Findings:

A defense was made by the data controller that no information has been shared with third parties regarding the data subject or the company of which he/she is the controlling shareholder and chairman/chairwoman of the board of directors, in any of the calls; in these calls, only notes were left to third parties to be forwarded to the data subject, the relative of the data subject stated that they would forward the note to him/her and they did not put forward a request stating that they did not want to be called by the Bank regarding this matter; even though the customer representative should have specified the said phone number as “wrong number” on the system as an action to ensure that this number would not be called again, calls to the phone number subject to the complaint continued since he/she omitted to take the said action, the relevant personnel was warned about the issue; the phone number was added to the blocked list on a further date when the relative of the data subject stated that he/she did not want to be called through this phone number and the alternative telephone information subject to the complaint was obtained through an inquiry made from the Risk Center and was used for purpose of reaching the data subject and only limited to this purpose.
The Board has made the following decisions:

  • The debt follow-up calls were made by the data controller to the phone number registered in the Risk Center system.
  • Based on the available information and documents, it cannot be determined that any personal data of the data subject has been shared by the data controller.
  • Considering that the necessary action has been taken by the bank shortly upon the request of the data subject, there is no action to be taken against the data controller within the scope of PDPL.

Review: One of the biggest concerns of data controllers is that the complaints and investigations initiated against them before the Board are likely to result in the imposition of a monetary fine. However, as we have seen in a few other examples, in this decision, the Board has not applied a penalty to the data controller for the data processing activity, as the Board has decided that the data processing has been realized in line with PDPL. In this context, it can be argued that data controllers who have implemented a good compliance project, regularly follow up on the decisions of the Board and apply the principles set forth thereunder while processing personal data, considerably minimize the risk of being subject to a monetary fine in case of a complaint and/or investigation process.


Should you have any queries on the above, please do not hesitate to contact us.

Güner Law Office was established in 1996 and has since grown into one of the major corporate, M&A, banking and finance, energy, TMT and dispute resolution practices in Turkey.


Ece Güner
Managing Partner

Burçak Kurt Biçer

Uğurkan Şeber