Sending SMS for Marketing Purposes Without Explicit Consent

The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of personal data by sending text messages for marketing purposes without explicit consent in its decision dated 02.09.2022 and numbered 2022/902.

The incident subject to the complaint is sending a message to the data subject for marketing purposes without fulfilling the obligation to inform and without obtaining explicit consent, even though no commercial activity has been carried out with the data controller company and no communication approval has been given. In response to the data subject’s request, the data controller apologized to the data subject for the mistake and stated that the necessary corrections were made after the data subject’s request.

The Board made the following explanations regarding the complaint;

• In the response given by the data controller, it was stated that the messages that are sent to the customers who gave their consent to receive e-mail/SMS on the company’s website were sent to all customers who shopped at their stores on the sales platform. It was also stated that the cancellation procedure was initiated upon noticing the aforementioned transaction, but sending SMS to some customers could not be prevented. Within this scope, the phone number of the data subject is processed without relying on any of the processing conditions in Article 5 of the Personal Data Protection Law No. 6698 (“DPL”), and the incident is a data breach, but the data breach notification was not made within the scope of Article 12 of the DPL.

In this regard, the Board adopted the following decision;

• Through the messages that were sent to the data subject, the telephone number of the data subject, which is considered personal data, is processed without relying on any of the processing conditions in Article 5 of the DPL. Also, the data controller did not take the necessary technical and administrative measures to ensure the appropriate level of security to prevent the unlawful processing of personal data under Article 12 of the DPL. When considering that the incident subject to the complaint constitutes a data breach and the data controller did not notify the Board, it is decided to impose an administrative fine of TRY 30,000 (approx. EUR 1.056) against the data controller.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş