The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding sending the order information of a third party from the e-commerce website which is the data controller to the data subject in its decision dated 03.08.2022 and numbered 2022/774.

The complaint that is the subject of the decision is that the order information including the identity, address, and contact information of a third-party is sent to the e-mail address of the data subject from an e-commerce website and that order details are accessible via a link accessed in the e-mail. In addition, the data subject stated in the complaint application that he/she received promotional e-mails and SMS from the data controller even though the data controller stated that his/her e-mail address was deleted from the order in question and that he/she would no longer be notified, accordingly data subject requested to be taken of necessary action within the scope of the Law on the Protection of Personal Data w. no. 6698 (“DPL”).

On the e-commerce website that is the subject of the complaint, there is an option to create a membership, and besides individuals can place an order by only giving their e-mail address and other information about the order without creating a membership.

In the explanations made by the data controller, it was stated that there is no membership account for the e-mail address used in the order subject to the complaint. The mentioned order was placed by a guest customer login without creating a membership account, by another user inadvertently notifying the e-mail address of the data subject due to name similarity, and this third party gave explicit consent for receiving SMS and e-mail.

The Board made the following explanations regarding the complaint;

  • Regarding the claim that the e-mail address, which is the personal data of the data subject, has been processed in a manner contrary to the DPL;

Although it is stated by the data controller that the e-mail address of the data subject was entered by the third party inadvertently while placing an order, it is possible that erroneous statements may be made in the information entries made manually by the individuals. Within the scope of the obligation to take administrative and technical measures to prevent the unlawful processing of personal data defined in Article 12 of the DPL, the data controller is obliged to take necessary administrative and technical measures in order to prevent the unlawful processing of personal data belonging to third parties due to these incorrect information entries since it is necessary to ensure that the contact information received from individuals is correct.

Although the order was not placed by the data subject, the data controller processed personal data by sending an informative e-mail to the data subject’s e-mail address without relying on any of the processing conditions. In this context, since there is no confirmation mechanism in the transaction in question, all shopping transactions made with the guests’ login to the e-commerce site carry the risk of a data breach.

  • Regarding the statements of the data controller that it provides an opportunity to reject receiving commercial electronic messages at any time, and that the addressee of such complaints is the provincial and district directorates of the Ministry of Commerce:

It is necessary to evaluate within the scope of the DPL whether the processing activity is based on legal compliance since the phone and e-mail information is also the contact information in the nature of personal data, any transaction on personal data through the means specified in the DPL is a processing activity.

In this regard, the Board adopted the following decisions;

  • The data controller has processed the personal data without relying on any of the processing conditions in Article 5 of the DPL by sending an e-mail regarding the order to the data subject who is an unrelated third party to the sales contract without there is not any confirmation mechanism. In this respect, it has been decided that the data controller has not taken the necessary technical and administrative measures regulated in Article 12 of the DPL in order to prevent the unlawful processing of personal data, and so an administrative fine of TRY 120.000 (approx. EUR 5.587) was imposed on the data controller.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş