The Board's Decision dated 23.12.2021 and numbered 2021/1303 on the processing of personal data by the data controller car rental program software developer and vendor companies and the creation of a blacklist program that enables sharing of these data among car rental companies.
The following issues were briefly mentioned in the complaint petition, which is the subject of the Board's Decision:
- The Car rental companies record all the data they obtain about their customers through this software;
- Other companies using the same software can also see their personal data from the blacklist pool in the application without the consent of the relevant customers, and thus the data is disclosed to other users using this software.
In this regard, it was requested by the Board to take necessary action.
Information was requested from companies developing car rental software to conduct the necessary investigations. In the letter sent by the data controller and other companies to the Board upon the request of the institution, the following issues were addressed:
- Software programs developed by companies are prepared for car rental companies to manage their operations,
- In these software programs, the necessary information for the car rental agreement and the personal data made obligatory by the state institutions and organizations are recorded, and stored as specified by the General Directorate of Security and the Rental Vehicle Notification System (KABİS) to the car rental companies,
- The purpose of the processing of personal data is to easily reach the customers of the member car rental companies, to inform them about the campaigns, to convey the warning and comments about the customer to the relevant car rental company, to gather the car rental companies under one roof, and to provide information flow among themselves, etc. is to create a digital environment where they can see many issues instantly,
- Legally, the purpose here is to share good/bad comments about the customer with other program partners to ensure customer satisfaction, risk of damage, and vehicle reliability specified in the privacy notice,
- With the warning and customer consent specified in the signed agreements, the personal information of the customer of the car rental company is recorded in the program database by the member car rental company,
- Companies are not liable for the unlawful use of car rental companies that are their customers,
- In the membership agreement, it is regulated that the explicit consent of the data controllers must be obtained for the data they add to the system,
- Software companies are not data controllers and do not make data entry, therefore it is not possible to determine which data has been added illegally, they are only obliged to store the added data and share it with other program members,
- The given username and passwords are assigned to each customer car rental company separately, and it is not possible to access this data from another car rental company,
- These companies do not have the right to interfere with the data of third parties and the customer pools of the car rental companies are not connected with the blacklist systems.
As a result of the investigation carried out on the subject, the Board has stated that if the personal data of a customer, which is blacklisted by a car rental company, is collected in the cloud belonging to this software company, the software companies can use them for their own purposes without having direct access to these stored data.
It has been mentioned that trade secrets also include personal data of customers and making the comments made by car rental companies about the persons included in the list visible in their agencies or branches can be considered a transaction that complies with the criterion of legitimate interest, as long as it does not go beyond the use of this trade secret. However, since making it visible to other car rental companies and even suggesting this feature as a marketing strategy will mean both the disclosure of the customer's secret (trade secret) and the disclosure of personal data; it is considered data processing incompatible with the legitimate interest criteria and unlawful done in line with the instructions of the car rental companies by the Board. This data transfer activity now means the use of personal data of the persons concerned by software companies.
In the practice seen, it is stated that the said transfer activity is made primarily to the software by the car rental companies, not directly to other companies; it has been evaluated that this situation causes a violation of the basic principles of data processing and then the general principles of data transfer since it is not possible to predict which companies can see the data shared by car rental companies. It has been stated by the Board that if software companies open this data to an unknown number and quality of users (other car rental companies), they will become data controllers. This will constitute a violation of the important principles in the processing of personal data (“compliance with the rules of law and good faith”, “processing for specific, clear, and legitimate purposes” and “being relevant, limited, and proportional to the purpose for which they are processed”).
In addition, it is stated that this situation will cause the data to be processed unlawfully by transferring the data to third parties without the explicit consent of the person whose data is being processed or even if one of the processing conditions regulated in the Law is not met. Based on all of these, it was decided that the companies producing, developing, and selling car rental software who is the subject of the complaint, it has been decided to act as the joint data controller with the car rental companies and instruct the data controllers to properly destroy the data processed.
You may access the Decision by this link.