Sending Invoices Issued to Third Parties to a Data Subject’s E-Mail Address

The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of personal data through sending e-invoices to the e-mail address of a data subject in the decision dated 08.09.2022 and numbered 2022/925.

The complaint subject to the decision is related to sending e-invoices of other subscribers to the data subject since 2018, even though the Board decided to instruct the data controller to take all necessary administrative and technical measures since the data subject has previously filed a complaint regarding the same incident.

The Board made the following explanations regarding the complaint;

• Although the data controller was instructed to take all necessary administrative and technical measures regarding the security of personal data in the previous Board decision, continuing to send invoices of third parties to the data subject and specifying the e-mail address of the data subject in the subscription agreement of a third party shows that there is no mechanism for verification of communication channels.
• Failure of the data controller to take the necessary measures with a proactive approach in order to ensure the accuracy of the personal data constitutes a violation of the principle of “being accurate and up to date when necessary” of the Law on the Protection of Personal Data No. 6698 (“DPL“).

In this regard, the Board adopted the following decision;

• Sending invoices issued to third parties to the e-mail address of the data subject violates the DPL’s principle of “being accurate and up to date when necessary“. It is seen that the data controller acts in violation of its obligations in Article 12 of the DPL. Considering that the data controller was instructed to take the necessary administrative and technical measures regarding the security of the personal data of the subscribers in the Board decision, it was decided to impose an administrative fine of TRY 200,000 (approx. EUR 6,954) against the data controller.
• It has been decided to instruct the data controller to take necessary measures in order not to transmit personal data of third parties to the e-mail addresses of the data subjects and to inform the Board of the result.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş