21January2022

Decision of Turkish Data Privacy Authority Relating with Automobile Renting Industry

It is stated that as a result of the investigation of the Authority within the scope of the notices submitted to the Authority, the software provided by the software firms to the automobile renting companies and the negative experiences of the rent holders during their automobile rental period and the comments of the automobile rental companies for the next renting processes can be viewed by another automobile renting companies in the rental situation, and the lessor is not aware of the processing of this knowledge.

It is stated that once an evaluation is made case-by-case basis between the fundamental rights and freedoms of the person and the legitimate interests of the data controller, the blacklist application is applicable within the data controller company, but if the processed personal data is shared with the other firms, the fundamental rights and freedoms of the data subject will be violated, and commitment to the purpose, limitation and it has been evaluated that is incompatible with the principle of proportionality. In the Decision, it is also stated that the processing of personal data within the scope of the blacklist will prevent the data subject from exercising their rights since they cannot know other automobile renting companies that their personal data were shared with it.

What Are the Points to Be Considered By Data Controllers as of This Resolution?

It has been stated that if personal data is processed within the scope of the black list application in the automobile rental sector in violation of the Personal Data Privacy Law, the automobile rental company that has the control over the said data will be considered as a "joint data controller" with the software firms by the Authority.

It has also been stated that and administrative fine will be imposed on the data controllers who apply to blacklisting if the firms give up the illegal practices and if the necessary administrative and technical measures are not taken by the data controllers.

The Concept of Joint Data Controller

The concept of joint data controller which hasn't been defined in Turkish Personal Data Protection Law numbered 6698 but defined General Data Protection Regulation and stating that software companies are joint data controllers and are responsible for the data processing activities in the Decision for the first time.

Should you require any further details on the subject, you can visit our website VeriSistem® or contact your client representative via the link.

Author CottGroup Hukuk ve Mevzuat Ekibi, Category Personal Data Protection Law

Notification!

Contents provided in this article serve to informative purpose only. The article is confidential and property of CottGroup^® and all of its affiliated legal entities. Quoting any of the contents without credit being given to the source is strictly prohibited. Regardless of having all the precautions and importance put in the preparation of this article, CottGroup^® and its member companies cannot be held liable of the application or interpretation of the information provided. It is strictly advised to consult a professional for the application of the above-mentioned subject.

For each concrete situation, it is strongly advised to seek guidance from a professional advisor. If you are a customer of ours, please consult with your customer representative before taking any action related to the announcement. If you are not a customer, seek advice from an expert.