• NSN Law Bulletin

Recent Decision of Personal Data Protection Board on Unauthorized Access to Shareholder’s E-mails

The Personal Data Protection Board issued its decision dated 27.01.2020 and no. 2020/59 regarding the unauthorized and illegal access claim to the e-mail address used by the shareholder of the company. The decision was published on the website of the Personal Data Protection Board on 11.02.2021.

In the petition of complaint submitted to the Authority, it was stated that, within … Ltd.Şti. where the related person is a shareholder, personal e-mail account of the related person (initialandsurname), including personal data, was accessed unlawfully and without any permission and the access setting was changed. A request was made through a notary public to the data controller … Menkul Kıymetler A.Ş., the owner of the IP addresses of this e-mail account, for the deletion and removal of all personal data belonging to the e-mail account. However, it was stated that the request was rejected. In regards to the said issues, it has been requested that the necessary actions should be taken within the scope of the Personal Data Protection Law numbered 6698.

Within the framework of the investigation initiated on the subject in the Personal Data Protection Board, a defence has been requested from the data controller, the owner of the IP addresses where the e-mail account is located. The data controller stated the essential points as follows:

  • In order to follow the commercial affairs, the said e-mail address is assigned to the relevant person in the capacity of the manager of the company of which he is a partner. However, the relevant person does not give any information about the transactions and records made by him. Additionally, upon his failure to respond to the general assembly, the General Manager of the company looked at the correspondences of the corporate e-mail address,, from the company e-mail server in order to find the transactions and correspondences of the relevant person.

  • As a result of the comparison of e-mail and its attachment records, journal and invoice records with the bank records where the company's revenues were deposited, a lawsuit was filed before the Commercial Court of First Instance when it was determined that the relevant person had abused his manager position in previous years and transferred some of the company's revenues to various bank accounts.

  • Relevant person applied to the Prosecution on the grounds that the general manager of the data controller unlawfully seized the e-mail address and his personal data was unlawfully made public and shared with other persons. It has been decided by the Prosecution that there are no grounds for criminal proceeding regarding the complaint filed against the general manager of the company. The allegations that have been made concerning the relevant person’s e-mail account was seized without permission and all of the personal information in the said account was made public and shared with other persons, thus clearly violating the right of the relevant person under Law No. 6698, were dismissed.

  • The e-mail account, owned by the company of which the relevant person is a shareholder and whose invoice is paid by the company is allocated for following-up the transactions of the company, contract and payment transactions and is not a personal e-mail account.

  • It is determined by the decisions of both the Commercial Court of First Instance and the Prosecution that there is no illegal access to the e-mail address of the relevant person. The e-mails obtained from the “server backup” records are presented only to the Court as evidence in the cases filed for the dismissal of the relevant person from the directorate, the compensation of the damage caused by the company and the appointment of a commercial trustee.

  • The company that owns the IP address of the complained e-mail account does not have a crime or misdemeanor committed in accordance with the Personal Data Protection Law and the Turkish Penal Code. In accordance with Article 26/1 of the Turkish Penal Code, nobody can be punished; since the general manager of the complained company is also a shareholder and authorized manager of the company to which the relevant person is a partner, he is obliged to fulfill his duty as a manager in accordance with the provisions of Article 626 of the Turkish Commercial Code and to audit the company's contracts and customer correspondences in order to protect the interests of the company.

As a result of the complaint of the relevant person, the defense of the data controller and the examination of the legal provisions together, the Personal Data Protection Board issued the decision with the following evaluations:

  • The processing of personal data by any data controller will only be possible in the presence of an express consent or other situations other than express consent specified in the Personal Data Protection Law.

  • Pursuant to the provision of Article 5 of the Law, personal data cannot be processed without the express consent of the data subject, however; personal data can be processed without the explicit consent of the relevant person in the presence of the specified conditions in the article.

  • The personal data obtained from the server backup records of the said e-mail address are processed within the scope of the sub-clause (e) of paragraph (2) of Article 5 of the Personal Data Protection Law as “…(e) Data processing is mandatory for the establishment, use and protection of a right.

  • Since personal data processing activity is carried out due to the lawsuit filed before the Commercial Court, processing personal data is within the scope of sub-clause (d) of paragraph 1 of Article 28 of the Law.

Within the framework of these evaluations, it was decided that there was no action to be taken within the scope of the Personal Data Protection Law regarding the said complaint.

Authors: Bilge Derinbay, Aysu Eren

Article contact: Bilge Derinbay / E-mail: