Turkey: Decision Of Turkish Data Privacy Authority Relating With Automobile Renting Industry

It is stated that as a result of the investigation of the Authority within the scope of the notices submitted to the Authority, the software provided by the software firms to the automobile renting companies and the negative experiences of the rent holders during their automobile rental period and the comments of the automobile rental companies for the next renting processes can be viewed by another automobile renting companies in the rental situation, and the lessor is not aware of the processing of this knowledge.

It is stated that once an evaluation is made case-by-case basis between the fundamental rights and freedoms of the person and the legitimate interests of the data controller, the blacklist application is applicable within the data controller company, but if the processed personal data is shared with the other firms, the fundamental rights and freedoms of the data subject will be violated, and commitment to the purpose, limitation and it has been evaluated that is incompatible with the principle of proportionality. In the Decision, it is also stated that the processing of personal data within the scope of the blacklist will prevent the data subject from exercising their rights since they cannot know other automobile renting companies that their personal data were shared with it.

What Are the Points to Be Considered By Data Controllers as of This Resolution?

It has been stated that if personal data is processed within the scope of the black list application in the automobile rental sector in violation of the Personal Data Privacy Law, the automobile rental company that has the control over the said data will be considered as a "joint data controller" with the software firms by the Authority.

It has also been stated that and administrative fine will be imposed on the data controllers who apply to blacklisting if the firms give up the illegal practices and if the necessary administrative and technical measures are not taken by the data controllers.

The Concept of Joint Data Controller

The concept of joint data controller which hasn't been defined in Turkish Personal Data Protection Law numbered 6698 but defined General Data Protection Regulation and stating that software companies are joint data controllers and are responsible for the data processing activities in the Decision for the first time.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.