SUMMARY OF THE DECISION OF THE TURKISH DATA PROTECTION BOARD ON THE BREACH DUE TO THE DATA CONTROLLER’S CONTINUED PROCESSING OF THE E-MAIL DATA OF ITS PREVIOUS PARTNER
In the decision of the Turkish Personal Data Protection Board (the "Board") dated 03.08.2023 and numbered 2023/1321 (the "Decision") the case subject to the Decision, the applicant (the “Data Subject”) alleges that:
Previously, he/she was a partner of the company, which is the data controller (the “Data Controller”),
He/She left the Data Controller and founded a new company. However, she/he learned that the e-mail address he used when she/he was a partner of the Data Controller was still active and that the Data Controller was reading the e-mails sent to the said address,
This has resulted in unfair competition for him/her and he has suffered material damage.
In the defense made by the Data Controller, the following statements were made in summary:
After the Data Subject left the partnership, his/her e-mail address was cancelled and it was not technically possible to use accordingly,
That the Data Subject's e-mail address appeared as "undefined e-mail" in the Data Controller's system, since there is personal circulation (name changes) in commercial e-mail addresses, as long as there is an extension belonging to the Data Controller at the end of the deleted e-mail addresses, regardless of what is written in the first, these e-mails fall into the administrator email as "undefined e-mail", and this redirection was carried out by the e-mail service provider,
The e-mails subject to the complaint do not contain any personal data.
As a result of the Board's review, the following findings and conclusions were reached:
The Data Subject, in the new company he/she founded after leaving the Data Controller, started the same business in the field of activity of the Data Controller,
In this period, firstly, a former customer, who did not know that the Data Subject left the partnership, sent a message to the Data Subject's previous e-mail address, and the authorized officer of the Data Controller who reads the message contacted the relevant customer,
Secondly, an employee of the Data Subject's new company sent a message to the previous e-mail address of the Data Subject by mistake, and the authorized officer of the Data Controller responded to this message with an e-mail without any comment,
In this context, it was found that: messages continued to be sent to the Data Subject's previous e-mail address which is now in-active, as “e-mail data is personal data”, in this respect, after the Data Subject left his/her job, the e-mails sent to him/her could be viewed in "undefined e-mail" and in this way, the Data Subject’s personal data continued to be processed,
Considering that the personal data processing activity in question does not have any ground within the scope of Article 5th of the Personal Data Protection Law, it was decided to impose an administrative fine of “50.000,00-TRL” on the Data Controller.
Kenaroğlu | Legal