The Principal Decision on Blacklist Practices in the Car Rental Sector, adopted by the Personal Data Protection Board on 23.12.2021, was published in the Official Gazette dated 20.01.2022.
Upon notifications made to the Personal Data Protection Authority, the Personal Data Protection Board (“Board”), as a result of its investigations, determined that “blacklist” practices were applied in the car rental sector.
With the “blacklist” applications used in the car rental industry;
- It has been understood that car rental software developers and sellers offer car rental software which includes the “blacklist” feature to car rental companies or real persons engaged in car rental business.
- It is stated that car rental companies process personal data of real persons who rent a car, and that this data contains “blacklist” information, including the negative effects that occur during the use of the vehicles or the comments of the car rental company and it is understood that this information is processed to be used in the decision-making process for subsequent leases.
- ”Blacklist” software is a system that allows a car rental company to open the data entered by itself to other car rental companies, and with the software in question, it has been understood that the personal data of the persons renting a car are shared by creating a design that provides data sharing regarding the blacklist from one car rental company to other car rental companies.
- When the personal data processing is required within the scope of the rental agreement between the real person who rents the car and the car rental company, it is understood that personal data such as positive / negative situations experienced by the real person with the company, damage to the vehicle or problems in the payment process, etc. are shared with a large number of other users.
It is stipulated that processing of personal data in subparagraph (c) of paragraph 2 of Article 5 of the Law may be lawful if there is a contract concluded between the real person renting a car and the car rental company, and data processing is directly related to the conclusion or performance of a contract.
Data controllers collect the relevant personal data first-hand in the blacklist applications. However, since these data are shared with an unknown number of users, it has been evaluated that car rental companies and software companies will be deemed are the joint data controllers.
CONCLUSION: It has been decided that in case personal data processing within the scope of the blacklist application is in violation of the general principles, processing conditions and data transfer provisions regulated in the relevant articles of the Law, the car rental companies and software companies will be considered as joint data controllers, data controllers should take the necessary technical and administrative measures and administrative fines within the scope of article 18 of the Law will be imposed.