On 20 January 2022, the Turkish Data Protection Authority ("Authority") published a principal decision ("Decision") in the Official Gazette regarding blacklisting practices in the car rental industry. The Decision introduced the concept of the joint controller by determining that both car rental companies and car rental software companies function as data controllers in blacklisting practices.

How Does the Blacklist Practice Work?

In its Decision, the Authority determined that software development companies provide car rental companies with software that allows them to create blacklists containing comprehensive information about natural person customers for use in future rentals. According to the Decision, these blacklists include records such as accidents, damage to the vehicle, and payment problems during the use of the vehicle.

The Authority also determined that car rental companies other than those used by a customer can directly access that customer's personal data using the same car rental software. Therefore, it is understood that by accessing these blacklists, customers' personal data can be transferred to car rental companies that have not collected the customers' data directly.

The Authority also emphasized that the software companies solely manage the databases and software that they provide. In this context, the Authority stated that car rental companies cannot interfere with the source code and are therefore limited to providing content and have little control over personal data transfer through blacklists.

Legal Background to the Decision

Based on the notices, the Authority evaluated the blacklisting practices within the scope of general principles, processing, and transfer conditions of personal data, and decided that they violate the Law on the Protection of Personal Data ("DP Law").

As stated in the Decision, Article 5 of the DP Law regulates that personal data can be processed by obtaining explicit consent, and in cases where explicit consent cannot be obtained, the conditions stipulated in the DP Law must be fulfilled in order for personal data to be processed. Personal data transfer activities should also be conducted in accordance with the conditions specified in Article 8 of the DP Law.

Car rental companies are obliged to enter the data they have obtained during the rental activities into the "Rental Car Notification System" to notify the law enforcement officers in accordance with Article 5 of the Identification Reporting Law. Therefore, the Authority indicates that personal data processing activities conducted by car rental companies can be evaluated within the scope of data processing conditions foreseen under Article 5 of the DP Law.

However, in the Decision, the Authority emphasized that, with respect to blacklist-like data records, the processing of personal data by a data controller limited to conducting its own business activities differs from the transfer of that data to other data controllers through software companies. In light of its evaluation of blacklisting practices, the Authority stated that a balance test should be performed between the legitimate interests of the data controller and the fundamental rights and freedoms of data subjects, and that if the legitimate interest of the data controller prevails as a result of the balance test, blacklisting practices that are limited to the data controller's business activities may be applicable. In other words, the Authority has decided that data controllers (in this case car rental companies) may use blacklists containing solely their own customers' personal data to conduct their business activities after the result of a balance test and cannot transfer this personal data through software.

Regarding the transfer of personal data through software to data controllers other than those who have directly obtained customers' personal data, the Authority pointed out that the fundamental rights and freedoms of the data subject would be violated. Therefore, the Authority prohibited the transfer of blacklists through software to any data controllers who have not obtained customer data directly.

The Authority also decided that personal data transfer to an unknown number of car rental companies by means of software is contrary to the principles of "lawfulness and fairness," "processing for specific, explicit and legitimate purposes" and "being relevant, limited and proportional to the purposes" foreseen under Article 4 of the DP Law.

In addition to the above evaluations, in its Decision, the Authority introduced the concept of the joint controller for the first time and considered both car rental companies and software companies to be joint controllers, since they both have control over data and use blacklist records for their own purposes. The Authority also determined the criteria to specify the responsibilities of joint controllers.

In this context, data processing activities should be evaluated on a case-by-case basis in order to determine which of the joint controllers has control over the data and the defect rates by considering factors such as:

  • the data controller who processed personal data first and last;
  • the data controller who registered the data;
  • the purposes of the data's registration;
  • the data controller who decides on the amendment, erasure, and transfer of the data; and
  • the use of the data collected by data controllers other than those who have collected the data directly.

Finally, as highlighted in the Decision, data subjects are negatively affected by blacklisting practices and by decisions made based on their inclusion, and are not in a position to know with whom their data, based on the aforementioned profiling, may be shared. Processing personal data within the scope of blacklisting practices will therefore prevent data subjects from exercising their rights arising from Article 11 of the DP Law as required.

In the light of all these evaluations, it has been unanimously decided that:

  • Data controllers are required to terminate blacklist software practices and take all technical and administrative measures to ensure that an appropriate level of security is established to prevent unlawful access to personal data, as regulated in Article 12 of the Law.
  • Necessary actions will be taken against those who continue to use blacklisting software in their rental practices in accordance with the provisions of Article 18 of the Law.

Conclusion

As a result of the Decision, the Authority has introduced the "joint controller" concept and the criteria that specify the responsibilities of joint controllers, which should be taken into account by data controllers. It has also been determined that the use of blacklists by data controllers, solely for conducting their own business activities after a balance test, may be applicable; however, it should be evaluated case by case. Personal data transfer through software to data controllers who have not obtained personal data directly is clearly against the provisions of the DP Law. It can be said that the Authority's Decision will shed light on similar practices that may occur in the future.

Special thanks to Mira Gokalp for her assistance on this article.
