The Personal Data Protection Board’s Decision On Crypto Assets Service Providers
Data Subject’s Complaint Letter to the Board:
The complaint submitted to the Personal Data Protection Board (“Board”) by the data subject against the crypto assets service provider includes the following allegations:
- On the platform belonging to the data controller, which is a crypto assets service provider, the data subject, who requested to increase his membership level, was asked for a photograph of himself and photographs of the front and back of his Turkish Republic ID,
- This processing carried out by the data controller is unnecessary and against the principle of proportionality.
Defense of the Crypto Assets Service Provider aka the Data Controller:
The defense letter of the data controller submitted to the Board includes the following statements:
- Regarding the personal data requested from the data subject:
- For users under the "Basic Level" membership, the personal data that are requested of users include their name, surname, Turkish identification number, or if they are foreign nationals, their foreign identification number and nationality, date of birth, email address, and mobile phone number.
- Under the "Advanced Level" membership, the personal data requested and processed include (i) an image of the user's identification card, driver's license, or passport, (ii) photos of the front and back of the identification card or driver's license, and (iii) a photograph of the applicant holding the front of the identification card or driver's license along with a piece of paper containing a specific expression and the date of that day, ensuring a clear view of the face.
- Regarding the legality and proportionality of the processing:
- The data controller stated that, in accordance with the Regulation on Measures Regarding the Prevention of Laundering of Crime Revenues and the Financing of Terrorism ("Regulation"), it is obliged to prevent money laundering and the financing of terrorism,
- Performing customer identity verification is a legal duty under the law, and the procedures for this are entirely conducted in accordance with Article 6 of the relevant Regulation,
- The principle of proportionality is being adhered to by having two distinct membership levels; with the transition to the "Advanced Level" membership, more detailed documents are requested in order to confirm transactions in compliance with the Regulation, since crypto transactions at this level may be conducted entirely anonymously. However, if no crypto withdrawal transactions are to be made, the processing of the mentioned data is unnecessary.
Board’s Review and Opinions:
- Regarding the legality of data processing activities:
- The crypto assets service provider, as the data controller, has obligations under Law No. 5549[1] and the Regulation, one of which is the recognition of the customer, and "identity verification" is considered a measure within the framework of these legal regulations. Therefore, the processing of these personal data is legal, given that it is explicitly required by laws.
- Regarding the detection of the processed personal data and compliance with the principle of proportionality:
- The Board stated that there is a real risk of money laundering activities within the scope of the crypto asset brokerage services provided by the data controller. Therefore, the processing of the personal data may be conducted based on the legal ground of "explicitly provided for by laws",
- The crypto assets service provider distinguishes memberships into two groups, namely "Basic Level" and "Advanced Level," and it is observed that the collection and processing of personal data differ depending on the membership group. Therefore, the Board concluded that the processed personal data is handled "when necessary," demonstrating compliance with the principle of proportionality.
- For these reasons, the Board stated that there is public interest in making the identities of users in the "Advanced Level" membership group identifiable, particularly due to the nature of the transactions involved.
- Regarding the data subject's complaint to the Board:
- The Board evaluated that the email address provided by the data subject to the data controller did not specifically address requests related to the protection of personal data. There was no request for the destruction of personal data, and the data subject's mentioned request was not considered an application under personal data protection legislation. Therefore, the Board concluded that the data subject has not exhausted the application procedure towards the data controller.
Board Sanctions Applied:
In light of the review, the Board decided that, with respect to the data subject's complaint, there is no action to be taken against the data controller under the personal data protection legislation.
[1] Law No: 5549 Date: 11.10.2006