On January 20, 2022, the Turkish Data Protection Authority (“Authority”) issued a main decision (“Decision”) in the Official Gazette regarding blacklisting practices in the car rental industry. The decision introduced the concept of joint controller by defining that car rental companies and car rental software companies function as data controllers in blacklisting practices.

How does the practice of blacklisting work?

In its decision, the Authority determined that software development companies provide car rental companies with software that allows them to create blacklists containing complete information about individual customers for use in future rentals. According to the ruling, these blacklists include records such as accidents, vehicle damage and payment issues while using the vehicle.

The Authority also determined that car rental companies other than those used by a customer can directly access their personal data using the same car rental software. Therefore, it is understood that by accessing these blacklists, personal customer data may be transferred to car rental companies that have not directly collected customer data.

The Autorité also pointed out that software publishers only manage the databases and software they provide. In this context, the Authority stated that car rental companies cannot interfere with the source code and therefore limit themselves to providing content and have little control over the transfer of personal data via blacklists.

Legal context of the decision

Based on the notices, the Authority assessed the blacklisting practices under the general principles, conditions of processing and transfer of personal data, and decided that they violated data protection law personal (“DP Law”).

As stated in the decision, Article 5 of the DP Act stipulates that personal data may be processed subject to obtaining explicit consent, and in cases where explicit consent cannot be obtained, the conditions stipulated in the DP law must be met for the personal data to be processed. Personal data transfer activities must also be carried out in accordance with the conditions specified in Article 8 of the Data Protection Act.

Car rental companies are obliged to enter the data they have obtained during rental activities into the “Rental Car Notification System” in order to notify law enforcement authorities in accordance with Article 5 of the law on identification reports. Therefore, the Authority indicates that the personal data processing activities carried out by car rental companies can be assessed under the data processing conditions provided for in Article 5 of the PD Law.

However, in the decision, the Authority underlined that the processing of personal data by a data controller limited to the exercise of its commercial activities and the transfer of other data controllers through publishers of software differ in terms of blacklist type data records. In light of its assessment of blacklisting practices, the Authority stated that a balancing test should be made between the legitimate interests of the controller and the fundamental rights and freedoms of data subjects and stated that if the controller’s legitimate interest prevails as a result of the balance test, blacklisting practices limited to the controller’s business activities may be applicable. In other words, the Authority decided that data controllers (in this case, car rental companies) can use blacklists containing only their own customers’ personal data to conduct their business activities after the result. of a balance test and cannot transfer such personal data via software.

Regarding the transfer of personal data through software to controllers other than those who directly obtained the personal data of customers, the Authority stressed that the fundamental rights and freedoms of the data subject would be violated. Therefore, the Authority prohibited the transfer of blacklists through software to any controller who did not obtain customer data directly.

The Authority also decided that the transfer of personal data to an unknown number of car rental companies by means of software is contrary to the principles of “lawfulness and fairness”,

“processing for specified, legitimate and legitimate purposes” and “being relevant, limited and proportionate to the purposes” provided for in article 4 of the DP law.

In addition to the above assessments, in its decision the Authority introduced for the first time the concept of joint controller and considered both car rental companies and software companies as joint controllers of the processing, since they both control data and use blacklist records for their own purposes. The Authority has also determined the criteria for specifying the responsibilities of the joint controllers.

In this context, data processing activities should be assessed on a case-by-case basis to determine which of the joint controllers has control of the data and default rates taking into account factors such as:

• the controller who first and last processed the personal data;
• the data controller who recorded the data;
• the purposes of data storage;
• the data controller who decides on the modifications, erasure and transfer of data and;
• the use of data collected by data controllers other than those who directly collected the data.

Finally, as highlighted in the decision, because data subjects are negatively affected by blacklisting practices and decisions made based on their inclusion, and are not able to know with whom their data, on the basis of the aforementioned profiling, may be shared, the processing of personal data in the context of blacklisting practices will prevent data subjects from exercising their rights arising from Article 11 of the DP Act as required.

In light of all these assessments, it was unanimously decided that:

• Data controllers are required to terminate blacklisting software practices and take all technical and administrative measures to ensure that an appropriate level of security is established to prevent unlawful access to personal data, such as regulated in article 12 of the law.
• The necessary actions will be taken against those who continue to use blacklisting software in their rental practices in accordance with the provisions of Article 18 of the Act.

Conclusion

Following the decision, the Authority introduced the concept of “joint controller” and the criteria which specify the responsibilities of joint controllers, which should be taken into account by controllers. It has also been determined that the use of blacklists by data controllers, solely to conduct their own business activities after a balance test, may be applicable, however, this must be assessed on a case-by-case basis. The transfer of personal data through software to data controllers who have not directly obtained personal data is clearly contrary to the provisions of the DP law. It can be said that the Authority’s decision will shed light on similar practices that may occur in the future.