The Personal Data Protection Authority (the “Authority”) continues to clarify, through its recent decisions, the rapidly developing process of harmonization with the Law on the Protection of Personal Data numbered 6698 (the “Law”). On 16 April 2019, the Authority published a decision dated 25 March 2019 and numbered 2019/78, in which it evaluated the vague term “legitimate interest”, set out as one of the exceptions and justifiable reasons for data processing under Article 5 of the Law.
The decision relates to a company that conducts business in the petroleum market under its distributor license. The company has been processing personal data for its automation system as required under the regulations of the Energy Market Regulatory Authority, and intended to use such data by pairing it automatically for its Vehicle Identification Project without the express written consent of the Related Person. The decision concerns whether such personal data processing can fall within the scope of the “legitimate interest” of the Company as set out under Article 5/2 subparagraph (f) of the Law.
As a result of the evaluation, the Authority decided that, since both the consumer and the distributor company may suffer losses and it is crucial to take into consideration the service quality and brand value of the company, it is lawful to process personal data within the automation system in the Vehicle Identification Project without obtaining express consent, on the condition that the company duly fulfills its clarification obligation in an accessible and explicit manner and does not use such data for any other reason.
In the light of the evaluation, the Authority has laid out principles and limitations regarding legitimate interest for processing personal data by Data Controller as follows:
- Data Controller’s legitimate interest must be at a level that can compete with the fundamental rights and freedoms of Related Person;
- Processing of Personal Data must be a necessity for the legitimate interest of Data Controller;
- Data Controller’s legitimate interest must be present, specific and clear;
- There must be a benefit for the legitimate interest of Data Controller and there must be no way to obtain such benefit other than processing of personal data;
- In determining the legitimate interest of Data Controller, transparent and accountable criteria must be the basis of the benefit, i.e. such benefit must (i) affect many people, (ii) be for a purpose other than gaining profit or providing economic benefit, and (iii) simplify the business processes or operations (e.g. it does not affect only one unit or a small number of employees but the company more generally);
- Related Person must be kept away from any foreseeable, clear and imminent danger in order to protect the personal data of such Related Person and prevent any breach of fundamental rights and freedoms;
- Data Controller must take all technical and administrative measures in order to prevent any loss or breach and to ensure lawful processing of personal data in a data record system limited to and proportionate to the purposes for which they are processed;
- Data Controller must ensure compliance with the general principles of personal data processing; and
- In this context, Data Controller must carry out a balancing test, comparing the fundamental rights and freedoms of Related Person with the legitimate interest in processing personal data.
In consequence, the Authority has accepted the Company’s application, which comprises the abovementioned conditions. Furthermore, one of the crucial notes stated in the decision is that, in addition to the related provision of the Law, the Authority, while evaluating the situation, did not only take into consideration the condition of not violating the fundamental rights and freedoms of the Related Person but also assessed the indemnification of losses suffered by the Related Person (natural person consumers whose personal data is processed). In this sense, more questions may arise due to this unclear evaluation.