Administrative Fine Imposed on Employer for Sharing Employee’s Personal Data with Sibling
The Personal Data Protection Board imposed an administrative fine on the employer for sharing juridical correspondence containing the employee's personal data with the employee’s sibling.
In its decision dated 02/09/2022 and numbered 2022/896 [1], the Personal Data Protection Board (“Board”) stated the following:
✓ An employment relationship existed between the data controller (employer) and the employee, during which the data controller processed certain personal data of the employee, such as identity, contact, personnel, professional experience, and health data, without providing any information to the data subject regarding these processing activities,
✓ Some personal data were processed without obtaining the explicit consent of the data subject,
✓ The data controller (employer) shared judicial correspondence containing the data subject’s name, which was part of a criminal investigation file, with the data subject’s sibling via email, despite the fact that this information was unrelated to the case,
✓ Although the data subject applied to the data controller regarding the issue, no response was received, prompting the Board to initiate an investigation based on the data subject's complaint.
In the assessment conducted by the Board:
It was emphasized that although the processing of certain personal data may be necessary, such processing must comply with the law, and the data controller must fulfill the obligation to inform.
It was determined that the act of transmitting the complaint petition submitted to the Prosecutor’s Office, which contained personal data belonging to the data subject and other natural persons, via email to a third party identified as the data subject’s sibling -who was understood to have no connection to the incident- constituted a violation of the data controller’s obligation to take all necessary technical and administrative measures. Therefore, an administrative fine of 150,000 TRY was imposed on the data controller.
Taking into account that the data subject’s requests were left unanswered, it was decided that the data controller must provide the data subject with an explanatory and detailed response regarding the matters requested in the application.
In summary:
Data controllers engaged in data processing activities must:
Absolutely present an information notice to the data subjects that is based on informing and meets legal obligations,
Ensure that the information notice is clear and understandable,
Obtain explicit consent from data subjects due to the nature of the processed data,
Refrain from sharing employees’ personal data with any third party, including siblings and other family members,
Respond to applications made to the data controller within the prescribed time frame.
[1] Personal Data Protection Board, Decision dated
The Personal Data Protection Board imposed an administrative fine on the employer for sharing juridical correspondence containing the employee's personal data with the employee’s sibling.
In its decision dated 02/09/2022 and numbered 2022/896 [1], the Personal Data Protection Board (“Board”) stated the following:
✓ An employment relationship existed between the data controller (employer) and the employee, during which the data controller processed certain personal data of the employee, such as identity, contact, personnel, professional experience, and health data, without providing any information to the data subject regarding these processing activities,
✓ Some personal data were processed without obtaining the explicit consent of the data subject,
✓ The data controller (employer) shared judicial correspondence containing the data subject’s name, which was part of a criminal investigation file, with the data subject’s sibling via email, despite the fact that this information was unrelated to the case,
✓ Although the data subject applied to the data controller regarding the issue, no response was received, prompting the Board to initiate an investigation based on the data subject's complaint.
In the assessment conducted by the Board:
It was emphasized that although the processing of certain personal data may be necessary, such processing must comply with the law, and the data controller must fulfill the obligation to inform.
It was determined that the act of transmitting the complaint petition submitted to the Prosecutor’s Office, which contained personal data belonging to the data subject and other natural persons, via email to a third party identified as the data subject’s sibling -who was understood to have no connection to the incident- constituted a violation of the data controller’s obligation to take all necessary technical and administrative measures. Therefore, an administrative fine of 150,000 TRY was imposed on the data controller.
Taking into account that the data subject’s requests were left unanswered, it was decided that the data controller must provide the data subject with an explanatory and detailed response regarding the matters requested in the application.
In summary:
Data controllers engaged in data processing activities must:
Absolutely present an information notice to the data subjects that is based on informing and meets legal obligations,
Ensure that the information notice is clear and understandable,
Obtain explicit consent from data subjects due to the nature of the processed data,
Refrain from sharing employees’ personal data with any third party, including siblings and other family members,
Respond to applications made to the data controller within the prescribed time frame.
[1] Personal Data Protection Board, Decision dated
Turkish
