Instruction Decision Regarding a Data Controller Who Shared Personnel Records of University Employees with All Staff
It was stated that a file attached to an email sent with the signature of the dean of a university faculty included the personnel ID numbers, affiliated departments, and leave statuses of the data subject and all faculty members working at the university, and that this data was shared with the entire administrative and academic staff of the faculty. The data subject submitted a request under the Personal Data Protection Law No. 6698 ("the Law") for necessary action to be taken, emphasizing that the sharing of this data with all personnel by the university via a mass email, without any justification or distinction, was unlawful.
The Personal Data Protection Board (“Board”) ruled in its decision dated 27/04/2023 and numbered 2023/646 that [1]:
Although the data controller university’s defense is that the data was shared in order to warn the data subject on the grounds that the data subject did not exercise due care regarding consent, it is not necessary to share the data subject’s personal data with all other personnel working in the same unit as the data subject for the purpose of issuing such a warning. Alternative procedures could have been implemented by addressing the data subject directly for this purpose,
The personal data processing activity carried out by sharing the data subject’s personal data regarding their consent status with other personnel working in the same unit does not rely on any data processing condition stipulated under the Law,
This situation constitutes a violation of the data controller university’s obligation to “prevent the unlawful processing of personal data,”
It was decided to instruct the data controller to take action against the relevant personnel employed within the data controller’s organization in accordance with disciplinary provisions and to inform the Board of the outcome of such action.
In summary:
Data controllers engaged in personal data processing activities are required to:
Comply with the obligation to “prevent the unlawful processing of personal data belonging to data subjects,”
Ensure that personal data belonging to data subjects is processed and/or transferred only where there is a legitimate purpose,
Exercise the utmost care and diligence when processing the personal data of data subject(s),
Ensure that personal data is processed only by persons connected to the data processing activities and made accessible only to those authorized in terms of operational execution,
Prefer less intrusive methods when processing the personal data of data subjects.