Sending Invoices Issued to Third Parties to a Data Subject’s E-Mail Address

24.07.2023

The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of personal data through sending e-invoices to the e-mail address of a data subject in the decision dated 08.09.2022 and numbered 2022/925.

The complaint subject to the decision is related to sending e-invoices of other subscribers to the data subject since 2018, even though the Board decided to instruct the data controller to take all necessary administrative and technical measures since the data subject has previously filed a complaint regarding the same incident.

The Board made the following explanations regarding the complaint;

  • Although the data controller was instructed to take all necessary administrative and technical measures regarding the security of personal data in the previous Board decision, continuing to send invoices of third parties to the data subject and specifying the e-mail address of the data subject in the subscription agreement of a third party shows that there is no mechanism for verification of communication channels.

  • Failure of the data controller to take the necessary measures with a proactive approach in order to ensure the accuracy of the personal data constitutes a violation of the principle of "being accurate and up to date when necessary" of the Law on the Protection of Personal Data No. 6698 (“DPL").

In this regard, the Board adopted the following decision;

  • Sending invoices issued to third parties to the e-mail address of the data subject violates the DPL's principle of "being accurate and up to date when necessary". It is seen that the data controller acts in violation of its obligations in Article 12 of the DPL. Considering that the data controller was instructed to take the necessary administrative and technical measures regarding the security of the personal data of the subscribers in the Board decision, it was decided to impose an administrative fine of TRY 200,000 (approx. EUR 6,954) against the data controller.

  • It has been decided to instruct the data controller to take necessary measures in order not to transmit personal data of third parties to the e-mail addresses of the data subjects and to inform the Board of the result.

This website is available “as is. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.
th
Ready to stay ahead of the curve?
Share your interest anonymously and let us guide you through the informative articles on the hottest legal topics.
|
Successful Your message has been sent