Turkish Data Protection Board Decision: Mobile App Requesting National ID for Verification
In its decision dated August 17, 2023 and numbered 2023/1430, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a meal card service provider's processing of the Turkish identity numbers of users in its mobile application.
In summary, the Board initiated an ex officio investigation against the meal card service provider (“Data Controller”) upon a notification stating that the Turkish identity number (“ID Data”) was requested when registering to use the Data Controller's mobile application. As a result of the investigation, the Board determined that, when registering for the Data Controller’s mobile application, personal data including name, surname, phone number, date of birth and e-mail address were requested. However, when users wished to link their meal cards to their profile in the mobile application, ID Data was requested for authentication purposes.
In its defense, the Data Controller claimed that registration with the mobile application is not necessary to use the physical meal cards; however, if users wish to benefit from the mobile payment feature by linking their physical meal card to the mobile application, their ID Data is requested for verification and security purposes.
In this regard, the Board underlined the sensitivity of ID Data, given its nature and the potential harm to data subjects in the event of a data breach, and instructed the Data Controller to update its verification mechanism so that verification in the mobile application is performed with data such as card information and the phone number submitted to the Data Controller by the employer, in order to protect the interests of the data subjects.
The Board further emphasized that using data such as card information and phone number for verification purposes would be compliant with
(i) the principle of privacy by design,
(ii) the principle of data minimization, and
(iii) the principle of appropriate and proportionate processing of personal data.
Accordingly, the Board imposed an administrative fine of TRY 200,000 (approx. EUR 6,131) on the Data Controller on the following grounds:
the processing of ID Data was not based on any of the conditions for processing personal data regulated under the Personal Data Protection Law No. 6698 (“DPL”), and
the processing of ID Data was not in compliance with the principle of appropriate and proportionate processing of personal data regulated under the DPL.