July 2022 – On 18 July 2022, The Turkish Personal Data Protection Authority (“Authority”) published its decision (“Decision”) on a data subject’s complaint alleging that an insurance company had processed their personal data without legal grounds. As a result of the examination, the Authority concluded that the insurance company processed the individual’s personal data to carry out the insurance policy executed between the data subject and the insurance company.
The most important matter in the Decision is that the Authority highlighted that data subjects are able to apply to data controllers via a lawyer without a power of attorney involving a special authority to apply to data controllers.
What happened before?
The data subject claimed that the insurance company unlawfully processed their bank information, as the data subject did not provide this personal data. In this respect, the data subject’s lawyer has applied to the insurance company and requested detailed information. However, the insurance company did not provide information on this matter, as the power of attorney did not involve a special authority to apply to data controllers under Turkish Personal Data Protection Law.
During the examination, the insurance company stated in its defence that:
What the Authority states in its Decision
As result of its examination, the Authority has stated that:
In conclusion, the Authority has made it clear with this Decision that data controllers cannot require a special power of attorney for data subjects' applications. In this respect, the Authority instructed the insurance company to remove the phrase requiring a special power of attorney from the application form and other relevant documents.
Follow this link for the full text of the Decision (only available in Turkish).