  • Burcu Üçok Kenaroğlu, LL.M.

Responsibility of Hotels in terms of Personal Data Protection Regulations due to violation of personal data of their customers



SUMMARY OF THE DECISION ON THE BREACH THAT OCCURRED AS A RESULT OF A HOTEL EMPLOYEE DISCLOSING THE PERSONAL DATA OF A GUEST STAYING AT THE HOTEL TO A THIRD PARTY, AND THE HOTEL'S LIABILITY AS A DATA CONTROLLER UNDER THE ACT


This information note has been prepared to inform you of the summary of the decision of the Personal Data Protection Board (the "Board") dated 03.08.2023 and numbered 2023/1327 (the "Decision"), published by the Personal Data Protection Authority (the "Authority") on December 27, 2023.

 

In the case subject to the Decision, the applicant alleges that:

 

  • He received a document through one of the social media applications containing some information about an accommodation in a hotel in the past,

 

  • The sender received the document from a hotel employee,

  • The said document contained the name and accommodation details of the applicant; therefore, the hotel, as the data controller, was responsible for the document produced within the hotel; the applicant also claimed that the obligation to inform was not fulfilled.


In the defence made by the hotel, the following statements were made in summary:


  • A printed document named "Housekeeping Task Sheet" is issued for housekeeping staff to keep track of the rooms they will be cleaning during the day and for which they are responsible and the said document contains only the name, surname and room number of the guests, and also is a standard document used in all companies providing hotel services,

  • There are different reasons for including name and surname information in this document: in accordance with the standards of hotels with luxury services, guests are addressed by their surnames in order to give them a sense of specialness; in the event of an emergency, housekeeping staff should also check on guests; and housekeeping staff should be familiar with the name-surname information of the guests in order to determine whether the guest is the right person or to create an emergency response report,

  • The document in question was kept in the physical archive of the Housekeeping Department in locked cabinets with a limited number of people holding the key, and was destroyed periodically every three months during the period of the incident,

  • As of the date of the meeting between the applicant and the sender, the "Housekeeping Task Sheet" document containing the personal data of the applicant had been destroyed and therefore it was not possible for any person to access it,

  • Since the original "Housekeeping Task Sheet" could not be found at the hotel, it could not be determined whether it corresponded to the document in the hotel's records; and the contents of the "Housekeeping Task Sheet" attached to the applicant's complaint could not be read and there were some scribbles on it,

  • The Hotel, as the data controller, has taken all measures to ensure the security of personal data and has carried out the necessary investigations in this respect and has not found any evidence of the possibility of disclosure,

  • There were many contradictions in the meetings between the applicant and the sender, and the applicant's allegations did not reflect the truth, as well as the information that the applicant had stayed at the hotel was shared by the applicant on social media,

  • It is necessary to await the conclusion of the investigation conducted by the Public Prosecutor's Office, as it will be decisive in determining the authenticity of the "Housekeeping Task Sheet" and the existence of the person who sent the relevant document to the applicant,

  • When the hotel first receives the guest's personal information, it presents the Privacy Notice to its guests through the "Registration Card," and in this way the guests are informed.

 

As a result of the Board's review, the following findings and conclusions were reached:

 

  • The "Housekeeping Task Sheet" is created to determine the duties and program of the housekeepers for cleaning and maintenance services in the hotel, and the personal data that may be subject to data processing within the scope of the document are: the name, surname, title, room number, information about the room, check-in and check-out date; the said document is prepared by the Housekeeping Department and given to the housekeeping staff; accordingly, the housekeepers are aware of the name and surname information of the guests,

  • With respect to the processing of personal data, the principles that should be at the core of all personal data processing activities and that all personal data processing activities should be conducted in accordance with are set forth in Article 4 of the Law on the Protection of Personal Data (the "Law"),

  • In accordance with the principle of "pertinence, limitation and proportionality to the purposes for which they are processed", as stated in Article 4, paragraph 2, sub-paragraph (ç) of the Law, the data processed should be adequate for the realization of the purposes specified and the processing of personal data that are not relevant or not necessary for the realization of the purposes should be avoided,

  • Although the hotel stated that there are various reasons for the inclusion of the name and surname information in the document in question, the main field of activity of the housekeepers is maintenance and cleaning services, and the execution of these services does not require the housekeeper to know the name and surname of the guest; the data controller should not ignore the right to the protection of personal data based on the purpose of making the guests feel special, and this purpose does not constitute an interest that is absolutely worth protecting against the right to the protection of personal data; in today's world, where privacy awareness has become widespread, most of the guests will not want their personal data to be used by persons and entities without the guests' request and knowledge; in this sense, the relevant persons should be given the right to choose, and considering the risks that may be experienced in terms of personal data security, it is necessary to act in accordance with the principle of data minimization; in this direction, the data processing activity in the form of including the name and surname information of the guests in the document "Housekeeping Task Sheet", in which the duties of the housekeepers are determined, is subject to Article 4, paragraph 2, sub-paragraph (ç) of the Law, and the practice of including the name and surname information of the persons concerned in the said document should be terminated,

  • A comparison of the blank copy of the "Housekeeping Task Sheet" sent by the hotel to the Board and the screenshots and video recording of the screenshot of the document that the applicant alleges is the subject of the complaint and the sharing, shows that the appropriate phrases are included in the blank copy,

  • It is understood that the subject of the investigation initiated by the Chief Public Prosecutor's Office was initiated by the applicant against the sender for acts committed against sexual inviolability and honour,

  • Although the hotel stated that the investigation conducted by the Prosecutor's Office would be decisive in determining whether the document was genuine or not, it was not established that the hotel had initiated a separate procedure to determine the forgery of the document; the allegations that the hotel has doubts about the identity and existence of the sender are also allegations that need to be substantiated against the screenshots of the correspondence sent to the Board by the applicant; the hotel could not substantiate its statements that the "Housekeeping Task Sheet" containing the personal data of the person concerned was forged, the identity and existence of the sender was suspicious, and therefore there was no data breach,

  • Although it was declared by the hotel that the relevant document was destroyed, no record showing that the document was destroyed was submitted to the Board,

  • In this regard, considering that the allegations that the said document was created outside the hotel due to falsifications and contradictions in the conversations between the applicant and the sender cannot be substantiated, in the light of the available information and documents, the document in question is a document created within the hotel to regulate in-service issues, the document in question is made available only to the hotel's own staff for the purpose of providing the hotel's services, and the personal data processing activity carried out by the third party in the context of the specific case can only be carried out due to the lack of administrative and technical measures taken by the hotel,

  • Regarding the applicant's complaint about the failure to fulfil the obligation to inform: considering that the data controller carries out hotel activities, a contract has been established between the data subjects and the hotel, in this respect, the hotel processes many personal data of the data subjects based on the condition that "it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract" pursuant to Article 5, paragraph 2, sub-paragraph (c) of the Law, and in the Privacy Notice presented on the hotel’s website (although it is determined that this text also differs from the text presented in the annex of the accommodation document), it is stated that the contact information is processed based on the processing conditions within the scope of Article 5, paragraph 2 of the Law for purposes such as receiving and following up reservations within the scope of accommodation services and providing communication regarding the transactions carried out within the scope of the reservation,

  • In the irresponsibility record of the data controller on the "Registration Card", it is understood that the persons who sign the accommodation document will accept that commercial electronic messages such as advertisements, promotions, etc. will be sent to the contact information of the persons who sign the accommodation document, that they will accept that their information will be used for this purpose, will be stored and shared with third parties from whom the data controller will receive services, on the other hand, the same phrases are not included in the left part of the text where English expressions are included,

  • The issuance of a "Registration Card" is mandatory pursuant to the provision in Article 23 of the Regulation on the Implementation of the Identity Notification Law issued based on Article 12 of the Identity Notification Law No. 1774, in this respect, the hotel has a legal obligation due to the aforementioned regulation and the filling and signing of the accommodation document by the relevant persons arises from a legal obligation that the hotel has, but in the same document, under the title of irresponsibility record, the regulation that "the persons who sign the accommodation document will accept that commercial electronic messages will be sent to their contact information, that they will accept that their information will be used for this purpose, that it will be stored and shared with third parties from whom the data controller will receive services" shows that data processing is put forward as a general processing condition,

  • If the persons who are obliged to fill in and sign the "Registration Card" document are also required to sign the document and consent to the processing of their contact details for advertising and marketing purposes, the will of the data subjects regarding the processing of their personal data will be impaired,

  • In this direction, considering that the persons who sign the "Registration Card" are obliged to sign this document in accordance with the legislation, and considering that the inclusion of a provision that they will accept the processing of their contact information for advertising and marketing purposes will cripple the free will element of explicit consent:

  • Since it is concluded that the personal data processing activity carried out by including the name and surname of the guests in the "Housekeeping Task Sheet" is an unreasonable data processing activity within the scope of Article 4 of the Law, that the personal data in the "Housekeeping Task Sheet", which is subject to sharing with third parties, is created within the data controller and that the personal data processing activity carried out by obtaining it by third parties can only occur due to the failure of the data controller to take administrative and technical measures, considering that the obligation to prevent unlawful access to personal data in accordance with Article 12 of the Law and the obligation to take all necessary technical and administrative measures to ensure the appropriate level of security in order to ensure the protection of personal data have not been met, an administrative fine of 500,000-TL shall be imposed on the data controller within the scope of subparagraph (b) of paragraph (1) of Article 18 of the Law,

  • To instruct the data controller to organize the documents so that the names and surnames of the guests are not included in the "Housekeeping Task Sheet" document and to inform the Board of the result,

  • In accordance with the complaint of failure to comply with the duty of disclosure to take the necessary measures to eliminate the differences between the explanatory text in the annex to the accommodation document and the explanatory text on the website, and that the introduction of the provision that the persons who are obliged to fill in and sign the document "Registration Card" accept the processing of their contact details for advertising and marketing purposes if they sign the document, eliminates the free will element of the explicit consent, therefore, to instruct the hotel to revise the declaration of non-responsibility on the said document and to obtain the explicit consent for the processing of contact data for advertising and marketing purposes, in accordance with the provisions of the law, as indicated in the disclosure text, and to inform the Board of the result of the operations to be carried out. 28.12.2023

 

Kind Regards,

Kenaroğlu|Legal
