The Board’s Decision dated 18.01.2022 and numbered 2022/31 on the processing of personal data for the purpose of sending commercial electronic messages without obtaining explicit consent from the data subject by the data controller operating in the health sector
The following issues were briefly mentioned in the complaint petition, which is the subject of the ‘Board’s Decision:
- A commercial message has been sent to the e-mail address of the data subject by the data controller operating in the health sector without prior explicit consent, and this situation constitutes a violation of the Law on the Regulation of Electronic Commerce;
- The data controller did not obtain the explicit consent of the data subject for the processing of the personal data of the data subject. However, there are no special conditions in the concrete case where explicit consent is not required for the processing of the personal data regulated in the Law;
- Since the data subject’s personal data is processed by sending a message to the e-mail address, the data controller has not taken all necessary technical and administrative measures to ensure the appropriate level of security to prevent the unlawful processing of personal data.
In this regard, it was requested by the Board to take necessary action.
In the letter sent by the data controller to the Board upon the complaint of the data subject, the following issues were addressed:
- The e-mail address of the data subject was obtained as a result of her/his application to the branch of the data controller, and this information was recorded in the Hospital Information Management System (HIMS) during the patient registration process;
- This data processing activity has been carried out on the condition that it is necessary to process the personal data of the parties to the contract due to the contract concluded between the data subject and the hospital and on the condition that the data processing is mandatory in order for the data controller to fulfill its legal obligations in accordance with the Specialty Hospitals Law and the Basic Law on Health Care;
- The e-mail address of the data subject was transferred to the Social Security Institution (SGK) systems via HIMS and the MEDULA software, which is the communication medium between hospitals;
- The e-mail sending in question resulted from the temporary lack of coordination between the units and was carried out inadvertently without the consent of the data subject;
- The e-mail address of the data subject has been removed from the list of persons who have approved the sending of commercial electronic messages upon her/his request, and it has been undertaken that no more e-mail will be sent to the data subject;
- Some additional measures have been taken, and now, it has been started to send SMS which includes approval code to the data subject who has registered the patient so that the HIMS registration of the persons can be completed and the information can be provided during the patient registration. The SMS content in question approval codes for the data subject who wants to approve. In case these codes are communicated to the personnel, a record is created on the HIMS indicating that explicit consent and approval have been obtained; In case the e-mail is processed afterward, only after clicking on an e-mail containing a verification link, the e-mail data of the relevant persons will be processed;
- It is stated that the data controller publishes the privacy notice regulating the processing of personal data of patients more comprehensively on the website and also issues a Guest Communication Explicit Consent Statement document in order to communicate with the relevant people for advertising purposes, and this document, especially the Personal Data Processing and Disposal Policy, has been regularly updated;
- A Personal Data Protection and Information Security Board has been established in hospitals affiliated with the data controller, and a particular assignment and undertaking document has been prepared for those elected to this Board;
As a result of the investigation carried out on the subject, the Board has stated that obtaining the contact information of the data subject or his/her companions during the patient registration does not constitute a violation of the Law and other legislation. However, in the concrete case, the contact information of the data subject was used for the purpose of carrying out a marketing activity, not to convey any medical information to him or his relatives. Therefore, the Board has decided that the content of the e-mail sent to the data subject is for informational and commercial purposes. In this regard, although the Board states that it is lawful for the data controller to obtain the contact information from the data subject during the patient registration, in the case mentioned above, it has decided that the relevant provision has been violated due to the fact that the personal data is processed by sending a commercial e-mail to the e-mail address without a connection for the purpose of obtaining them at the time they are provided. For this reason, it has been decided to impose an administrative fine of 100.000 TL on the data controller.
You may access the Decision by this link.
To see our other articles, you may follow the NSN Bulletin via the link.
Authors: Bilge Derinbay, Hande Ülker Pehlivan, Bengisu Çakırca