In its decision dated June 15, 2023 and numbered 2023/1050, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a bank’s failure to fulfill a customer’s request to provide the transcript of the conversation between the bank’s customer representative and the customer.

In summary, the customer (“Data Subject”) argued that the bank (“Data Controller”) failed to provide information regarding the Data Subject’s stolen personal data, as their virtual card had been copied. In this regard, the Data Subject requested from the Data Controller the voice recording or the transcript of their conversation with the customer representative, in line with the data subject rights under the Personal Data Protection Law No. 6698 (“DPL”). However, in its defense, the Data Controller denied the Data Subject’s request and did not share the voice recording or the transcript of the conversation due to the provisions of the Banking Law No. 5411 (“Banking Law”) and the Regulation on Sharing of Secret Information (“Regulation”).

In this regard, the Board evaluated the facts of the case in line with the provisions of DPL, the Banking Law and the Regulation. While underlining the rights of the data subjects, including the right to demand for information as to if their personal data have been processed, the Board underlined that the data controllers are under the obligation (i) to finalize the data subjects’ requests free of charge, as soon as possible and within thirty days at the latest or (ii) to reject the data subjects’ requests by explaining the reason and notify the data subject in writing or electronically. The Board determined that the Data Controller did not provide any response to the first inquiry by the Data Subject; and provided response to the second inquiry after the thirty day period.

Furthermore, within the framework of the Banking Law and the Regulation, the Board stated that the confidentiality obligation of the Data Controller requires not to provide “customer secrets” (natural and legal persons’ data after the establishment of a customer relationship with banks specific to banking activities) to third parties about the information and events obtained due to the commercial connection with the customer. On the other hand, this obligation does not prohibit disclosing the Data Subject’s own personal data within the scope of the rights of data subjects regulated under the DPL. The Board also mentioned that the data subject right to request information if their personal data have been processed, includes the right of access to such data.

Accordingly, the Board instructed the Data Controller to share with the Data Subject the transcript of the conversation between them and the customer representative by taking measures such as removing/masking the personal data of others, in line with the rights of data subjects regulated under the DPL.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya