Personal Data Protection Authority Targets Car Rental Companies for Compliance Review
In a decision [1] made in the final days of 2023, the Personal Data Protection Board scrutinized car rental companies.
In its decision dated July 20, 2023, and numbered 2023/1234, the Board emphasized that the requirement of explicit consent for Findeks inquiries conducted by car rental companies must not be tied to the terms of service, and imposed an administrative fine.
In the relevant decision, it was stated that the individual rented a car through a platform where car rental applications and reservation requests were received, and payment was made via the individual's credit card. During the car delivery stage, an SMS was sent to the individual indicating that access to the Findeks report was required, and the individual needed to provide explicit consent for the processing of the data in the report. It was also stated that, without consent, the car rental service would not be provided. As the individual did not provide explicit consent, the car rental company did not fulfill the service, and the individual was notified on the same day with a message saying, "Your reservation has been canceled because you did not accept our company's procedures."
As a result of the examination conducted by the Board:
The Platform does not provide car rental services but only receives reservation requests. Therefore, since there is no situation where the purposes and means of processing personal data related to car rental services are determined, the Platform does not qualify as the data controller for these services.
According to Article 3 of the Additional Article of the Law No. 1174 on Identity Reporting, car rental companies are required to properly maintain records of the rented vehicle information, the identity details of the renters, and the rental agreements in a timely manner. They must also keep the information, documents, and records related to this subject readily available for inspection by law enforcement authorities at any time.
It was understood that the provision of car rental services was conditional upon explicit consent for accessing the Findeks report. As the individual did not provide explicit consent, the reservation was canceled,
Given that the rental process was not carried out without obtaining the Findeks report,which tied the consent to the terms of service, the data controller did not fulfill its obligations under the law.
The data controller did not respond to the individual's requests for the deletion of all personal data held and processed by the data controller, providing a record of the deletion, and ensuring the deletion of personal data from third parties if applicable. This was a violation of the law, and the illegal practice was not terminated.
Based on these evaluations, the processing of personal data through the querying of the Findeks report can only be carried out with explicit consent. Given that the rental process was tied to explicit consent for the Findeks report, the data controller was fined 100,000 TRY as an administrative penalty. Additionally, it was decided that the data controller should be reminded that requests from individuals should be handled effectively, in accordance with the law and principles of honesty, with reasoning provided, and concluded within the required timeframe.
In summary:
The explicit consent to be obtained from the data subjects must:
Reflect the free will of the data subject,
Not be made a requirement for the service provided to the data subject,
Be obtained after the data subject has been informed,
Not be pre-checked when collected through a checkbox,
Not be obtained with vague, broad, and/or misleading expressions.
[1] Summary of the Personal Data Protection Board's Decision No. 2023/1234, dated July 20, 2023, regarding the processing of personal data by a car rental company through the request for a Findeks report from the data subject.
In a decision [1] made in the final days of 2023, the Personal Data Protection Board scrutinized car rental companies.
In its decision dated July 20, 2023, and numbered 2023/1234, the Board emphasized that the requirement of explicit consent for Findeks inquiries conducted by car rental companies must not be tied to the terms of service, and imposed an administrative fine.
In the relevant decision, it was stated that the individual rented a car through a platform where car rental applications and reservation requests were received, and payment was made via the individual's credit card. During the car delivery stage, an SMS was sent to the individual indicating that access to the Findeks report was required, and the individual needed to provide explicit consent for the processing of the data in the report. It was also stated that, without consent, the car rental service would not be provided. As the individual did not provide explicit consent, the car rental company did not fulfill the service, and the individual was notified on the same day with a message saying, "Your reservation has been canceled because you did not accept our company's procedures."
As a result of the examination conducted by the Board:
The Platform does not provide car rental services but only receives reservation requests. Therefore, since there is no situation where the purposes and means of processing personal data related to car rental services are determined, the Platform does not qualify as the data controller for these services.
According to Article 3 of the Additional Article of the Law No. 1174 on Identity Reporting, car rental companies are required to properly maintain records of the rented vehicle information, the identity details of the renters, and the rental agreements in a timely manner. They must also keep the information, documents, and records related to this subject readily available for inspection by law enforcement authorities at any time.
It was understood that the provision of car rental services was conditional upon explicit consent for accessing the Findeks report. As the individual did not provide explicit consent, the reservation was canceled,
Given that the rental process was not carried out without obtaining the Findeks report,which tied the consent to the terms of service, the data controller did not fulfill its obligations under the law.
The data controller did not respond to the individual's requests for the deletion of all personal data held and processed by the data controller, providing a record of the deletion, and ensuring the deletion of personal data from third parties if applicable. This was a violation of the law, and the illegal practice was not terminated.
Based on these evaluations, the processing of personal data through the querying of the Findeks report can only be carried out with explicit consent. Given that the rental process was tied to explicit consent for the Findeks report, the data controller was fined 100,000 TRY as an administrative penalty. Additionally, it was decided that the data controller should be reminded that requests from individuals should be handled effectively, in accordance with the law and principles of honesty, with reasoning provided, and concluded within the required timeframe.
In summary:
The explicit consent to be obtained from the data subjects must:
Reflect the free will of the data subject,
Not be made a requirement for the service provided to the data subject,
Be obtained after the data subject has been informed,
Not be pre-checked when collected through a checkbox,
Not be obtained with vague, broad, and/or misleading expressions.
[1] Summary of the Personal Data Protection Board's Decision No. 2023/1234, dated July 20, 2023, regarding the processing of personal data by a car rental company through the request for a Findeks report from the data subject.
Turkish
