In accordance with the Personal Dara Protection Board’s (“Board”) decision dated 18 October 2019 and numbered 2019/308 which was published in the Official Gazette dated 21 November 2019 and numbered 30955, within the scope of the reportings received by Personal Data Protection Authority, it has been determined that the software, program and applications which enable to query personal data such as identity and contact information of citizens via data which are obtained by different methods, are being used by lawyers/law firms and some persons and institutions operating in the area of finance, real estate counselling, insurance and etc. As a result of this determination, taking into account that the usage of the software, program and applications stated in this paragraph constitutes a breach to the provisions of article 12 of the Personal Data Protection Law numbered 6698 which regulate the data security liabilities of the data controllers, the below stated matters have been unanimously decided in order to prevent any possible data security violations:
1- In order to conduct the necessary judicial actions within the scope of Turkish Criminal Code for those who have been determined to use such software/program/applications, the matter will be notified to the relevant Chief Public Prosecutor’s Office in accordance with article 158 of the Criminal Procedural Law numbered 5271,
2- As to the scope of the Board’s duty, administration action will be established for the data controllers within the frame of article 18 of the Personal Data Protection Law numbered 6698.
As a result, in case of determination of obtaining data illegally through software, program and applications that enable to query personal data such as identity and contact information of persons and conducting query with such data; serious and wide scope of penal obligations can arise for such persons and institutions who conduct such illegal act. In this line, it is necessary that the mentioned person and institutions shall take every caution and care in order not to violate their liabilities related to data security as data controllers while using software, program and applications that enable the query of personal data and shall not obtain any data illegally by using them.