The Recent Decisions of the Personal Data Protection Board
The Personal Data Protection Board (“the Board”) has published three recent decisions.
Decision No. 2021/426: A personal data violation occurred when a data controller e-commerce website has given one of its partner companies an excessive accession right to helpdesk data leading that the partner company to be able to access the personal data put in the helpdesk by third-party companies. The Board has conducted ex officio investigation upon it is notified by the partner-company, and, decided to;
- Impose data controller an administrative fine of 300.000 TL since it has not provided the necessary technical and administrative measures to ensure data security. The Board determined that the data breach affecting 950 people is caused by the negligence of the data controller,
- Impose an administrative fine of 100.000 TL, considering the data controller is at fault for not fulfilling the notification obligation within 72 hours,
- Instruct the data controllers to show the necessary care and attention in responding to the requests of the Board as both the public and private data controllers have not provided any answer upon the request for information/documentation.
Decision No. 2021/427: The Board initiated an ex officio investigation over a notification made by the partner company of an e-commerce site (the data controller) after accessing the information of third-party companies through the customer service panel on the e-commerce site. As a result of the examinations carried out by the Board,
- Regarding technical and administrative measures; a 600.000 TL administrative fine is imposed on the data controller as it has not taken the necessary technical and administrative measures to ensure data security.
- Regarding the notification made to the Board and related persons; a 200.000 TL administrative fine is imposed on the data controller since any notification has been made to the relevant persons affected by the data breach and no violation notification has been made to Board within 72 hours.
- It was decided to instruct the data controller to show maximum attention and care in compliance with the laws as the Board's information document request letter has not responded.
Decision No. 2021/470: An investigation was carried out by the Board over a complaint of the data subject as the data controller has not fulfilled the request for access to the personal data regarding the meal card account activities. In the defense, the data controller has stated that the data subject has requested its personal data to be sent to its e-mail address, so, the relevant data has been shared to the e-mail address as encrypted due to security reasons. The Board has investigated the complaint and decided that;
- It is a reasonable security measure to encrypt the data which is transferred by a foreign-based e-mail platform to prevent illegal accesses,
- The right to access personal data of the data subject has not been blocked and no action is necessary to be taken against the data controller as per Law No.6698, considering that the explanation regarding the security measure has made to the data subject and the data subject has been informed that the password of the encryption will be shared immediately via phone call.