In its decision dated August 3, 2023 and numbered 2023/1321, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a company’s continued processing of e-mail data of a former shareholder.
In summary, the former shareholder of a company (“Data Subject”) argued that the company (“Data Controller”) has continued to process their e-mail data, as their former work e-mail address is still active, and the Data Controller has been reading their e-mails. The Data Subject further claimed that such processing of their personal data creates unfair competition for their new company and caused material damage; and that their applications to the Data Controller remained unanswered.
On the other hand, the Data Controller stated that the e-mail address in question was closed and recorded as an “undefined email address” in its system and as the extension of the Data Subject’s e-mail address belongs to the Data Controller, the new emails have been directed to the email addresses of the relevant executives of the Data Controller. Moreover, the Data Controller claimed that the emails received after the resignation of the Data Subject do not contain any personal data.
In this regard, the Board evaluated that as the messages are still being sent to the e-mail address previously used by the Data Subject, which is currently inactive, the e-mail data has the quality of personal data, and such personal data continue to be processed by the Data Controller by accessing the sent emails, without relying on the conditions of personal data processing regulated under the Personal Data Protection Law No. 6698, and decided to impose an administrative fine of TRY 50.000 (approx. EUR 1520).
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya