Sending SMS for Marketing Purposes Without Explicit Consent

13.07.2023

The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of personal data by sending text messages for marketing purposes without explicit consent in its decision dated 02.09.2022 and numbered 2022/902.

The incident subject to the complaint is sending a message to the data subject for marketing purposes without fulfilling the obligation to inform and without obtaining explicit consent, even though no commercial activity has been carried out with the data controller company and no communication approval has been given. In response to the data subject’s request, the data controller apologized to the data subject for the mistake and stated that the necessary corrections were made after the data subject’s request.

The Board made the following explanations regarding the complaint;

  • In the response given by the data controller, it was stated that the messages that are sent to the customers who gave their consent to receive e-mail/SMS on the company's website were sent to all customers who shopped at their stores on the sales platform. It was also stated that the cancellation procedure was initiated upon noticing the aforementioned transaction, but sending SMS to some customers could not be prevented. Within this scope, the phone number of the data subject is processed without relying on any of the processing conditions in Article 5 of the Personal Data Protection Law No. 6698 (“DPL”), and the incident is a data breach, but the data breach notification was not made within the scope of Article 12 of the DPL.

In this regard, the Board adopted the following decision;

  • Through the messages that were sent to the data subject, the telephone number of the data subject, which is considered personal data, is processed without relying on any of the processing conditions in Article 5 of the DPL. Also, the data controller did not take the necessary technical and administrative measures to ensure the appropriate level of security to prevent the unlawful processing of personal data under Article 12 of the DPL. When considering that the incident subject to the complaint constitutes a data breach and the data controller did not notify the Board, it is decided to impose an administrative fine of TRY 30,000 (approx. EUR 1.056) against the data controller.


Tagged withÖzdağıstanli Ekici Attorney Partnership, Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş, Data Protection & Privacy, Personal Data

This website is available “as is. Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.
th
Ready to stay ahead of the curve?
Share your interest anonymously and let us guide you through the informative articles on the hottest legal topics.
|
Successful Your message has been sent