Turkish Data Protection Board Fines a Private Healthcare Institution for a Mandatory Checkbox
Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a private health institution obtaining explicit consent from patients unlawfully, in its decision dated 02.05.2023 and numbered 2023/692.
In summary, the complaint subject to the decision was that while filling out the form to make an appointment on the healthcare institution’s website, the appointment process could not be completed unless the patients provide their explicit consent to be informed about the services and announcements of the healthcare institution.
The Board made the following evaluations regarding the complaint;
The appointment process cannot be completed until the box containing the phrase “I allow my personal information to be used and contacted to be informed about (data controller’s) services and announcements” is checked.
The appointment process, which constitutes a preliminary step for the data subjects to receive service, is subject to the condition of providing explicit consent for the promotion of the data controller.
Since the explicit consent must be based on free will, where providing an explicit consent is a condition to provide a good and/or service, it is necessary to evaluate the free will where the parties are not in an equal position or if one of the parties has an effect on the other.
Demanding explicit consent for an activity not directly related to the healthcare service and for the promotion of services where only the data controller benefits form, invalidates the data subjects’ free will.
Therefore, in this case, demanding explicit consent, which must be given with free will based on an informed decision, violated the principles of lawfulness and fairness under the Law on the Protection of Personal Data No. 6698.
In this regard, the Board adopted the following decision;
When the website is examined, it was seen that the patients who did not provide their explicit consent to processing of personal data within the scope of promotional activities could not continue the appointment process. This violates the principles of lawfulness and fairness under the Law on the Protection of Personal Data No. 6698, as the conditions for explicit consent (must be given with free will based on an informed decision) is not met.
Additionally, while it is possible that the personal data required in the appointment form can be based on processing conditions other than the explicit consent, it is deceptive and an abuse of right to base it on the explicit consent.
For above mentioned reasons, it was decided to impose an administrative fine of TRY 300.000 (approx. 10.362 EUR) on the data controller.
The Board also decided to instruct the data controller to amend the checkbox under the application form stating that “I have read the privacy notice on the processing of my personal data. I consent to the processing of my data in accordance with the Personal Data Protection Law", by removing the phrase "I give consent", as the data controller is obligated to provide that they have fulfilled their obligation to inform data subjects and the current wording gives the impression that the data subjects have approved the privacy notice.
In addition, the Board decided to instruct the data controller to prepare explicit consent texts separately, in case there are personal data processed with the explicit consent legal base.