The Personel Data Protection Board's ("Board") Decision No. 2023/692 ("Decision") On A Private Healtcare Organization Was Published On The Authority's Website 21 August 2023

With the aforementioned Decision, the Board decided that the statement "I have read the clarification text regarding the processing of my personal data. I consent to the processing of my data in accordance with the Law on the Protection of Personal Data." expression creates the impression that the relevant persons give consent to the clarification text and that relying on this explicit consent processing condition will be deceptive and an abuse of right, and that the inability to complete the appointment process without explicit consent to the personal data processing activity cripples the element of "given with free will", which is one of the elements of explicit consent, and that this situation constitutes a violation of the principle of compliance with the law and honesty rules, and decided an administrative fine of 300,000 TRY.
 

• The mentioned application reveals that the appointment service, which constitutes a preliminary step for individuals to receive services, is subject to the explicit consent requirement for the introduction of the data controller. This is because the processing activity, which solely benefits the data controller through the promotion of their services and is not directly related to the healthcare service to be provided, mandates the necessity of obtaining explicit consent declarations. It is noted that requiring explicit consent declarations for this processing activity, where the elements of "specificity, informed consent, and free will" should be present, would impair the will of the relevant individuals. Considering that in the given scenario, the explicit consent that should meet these criteria has lost its qualities for the individuals concerned, this situation contradicts the principle of compliance with the law and fairness stipulated in Article 4 of the Law.
   

• As of the date of the notification, the completion of the appointment process without granting explicit consent for the processing of personal data within the context of the data controller's promotional activities, as stated on the appointment registration page, undermines the element of "free will" within the elements of explicit consent. This situation is contrary to the principle of compliance with the law and fairness stipulated in Article 4 of the Law.
   

• Furthermore, although it would be possible for the personal data processing conditions other than explicit consent processing conditions to be applicable to the personal data that need to be processed in the appointment application form within the scope of the services to be provided by the data controller, relying on the explicit consent processing condition stipulated in the first paragraph of Article 5 of the Law would be deceptive and constitute an abuse of rights. This situation is contrary to the principle of compliance with the law and fairness stipulated in Article 4 of the Law.
   

• Considering that the statement "I have read the clarification text regarding the processing of my personal data. I consent to the processing of my data in accordance with the Law on the Protection of Personal Data." creates the impression that the relevant persons give consent to the clarification text, the statement "I give my consent" should be removed from the text in question and a regulation should be made only by checking a box that the clarification text has been read in order to ensure that the data controller proves that the obligation to clarify has been fulfilled.
   

Based on these evaluations, it has been determined that the personal data processing activity carried out in the specific case is not in compliance with the law.