1) FACEBOOK DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 18/09/2019
A total administrative fine of TRY 1.600.000 was imposed on Facebook by the decision of the Personal Data Protection Board dated 18/09/2019 and numbered 2019/269. The Board imposed an administrative fine of TRY 1.150.000 for the violation of Article 12/1 of the Law on Personal Data Protection and another administrative fine of TRY 450.000 for the violation of Article 12/5 of the same Law.
In accordance with Article 12/1 of the Personal Data Protection Law, the data controller shall take all necessary technical and organizational measures to provide an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and safeguard personal data. In accordance with paragraph 5 of the same Article, if the processed personal data is obtained by others by unlawful means, the data controller shall inform the data subject and the Board as soon as possible. The data breach is stated to have resulted from technical errors in three different Facebook features: “see from someone else’s eyes”, “birthday celebrator” and “video uploader”. The Board ruled that Facebook;
1- Was negligent in not taking the necessary technical and administrative measures, since such errors should have been detected and corrected during the testing phase,
2- Allowed the related negligence to continue for approximately 14 months, which is an indication that the necessary audits and controls had not been carried out,
3- Considering that the violation lasted 13 days due to the relevant negligence, did not intervene in a timely manner, so that Article 12 of the Law was violated.
The Board further found that paragraph 5 of Article 12 was violated on account of the failure to provide the necessary information. The decision states that a total of 280.959 users were affected by the breach; the basic profile information of 133.510 of these users was accessed, and for 143.974 users, in addition to basic profile information, data such as gender, relationship status, religion, hometown, location, educational background, birthday and recently reported places were accessed.
2) S ŞANS OYUNLARI A.Ş. DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 27/08/2019
A total administrative fine of TRY 180.000 was imposed on S Şans Oyunları A.Ş. by the decision of the Personal Data Protection Board dated 27/08/2019 and numbered 2019/254. The Board imposed an administrative fine of TRY 150.000 for the violation of Article 12/1 and an administrative fine of TRY 30.000 for the violation of Article 12/5.
In accordance with Article 12/1 of the Personal Data Protection Law, the data controller shall take all necessary technical and organizational measures to provide an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and safeguard personal data. In accordance with paragraph 5 of the same Article, if the processed personal data is obtained by others by unlawful means, the data controller shall inform the data subject and the Board as soon as possible.
In the notifications made by S Şans Oyunları A.Ş. to the Turkish Data Protection Authority, it was stated that the phone numbers of some members and an Excel list of member numbers sent by the SMS company for use in case members lose their password had been published on the Internet, that the date of the data breach was unknown, and that the number of people affected by the breach could not be determined.
The Board stated that;
1- The failure to determine the date of the breach is an indication that the data controller was not performing the necessary supervision, inspection and control,
2- It is a technical and administrative fault that it is not possible to determine when the data in the Excel list was transferred to the data processor,
3- Although the company declared that 90% of the members in the list had never entered the system, the fact that the number of people affected by the breach cannot be determined is an indication that technical and administrative measures had not been fully implemented,
4- The company has not been able to notify the data subjects about the data breach, and this is an indication that administrative measures had not been fully implemented.
The Board ruled to impose an administrative fine of TRY 150.000 on violation of Article 12/1 of The Law on Personal Data Protection and an administrative fine of TRY 30.000 on violation of Article 12/5 in accordance with Article 18/1, subclause (b).
3) A TOURISM COMPANY DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 27/08/2019
A total administrative fine of TRY 500.000 was imposed on a tourism company by the decision of the Personal Data Protection Board dated 27/08/2019 and numbered 2019/255.
In accordance with Article 12/1 of the Law, the data controller shall take all necessary technical and organizational measures to provide an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and safeguard personal data. In accordance with Article 12/3 of the Law, the data controller is obliged to carry out, or have carried out, the necessary inspections within its own institution and organization in order to ensure implementation of the provisions of the Law. In accordance with Article 12/5 of the Law, in case processed personal data is acquired by others through unlawful means, the data controller shall notify the data subject and the Board of the situation as soon as possible.
As a result of the examinations made by the authorized persons and IT experts, it was found that the data breach occurred through infiltration of the company’s network over the LAN. Employee data such as name, surname, TC identification number, date of birth, marital status, spouse’s employment information, number of children, mother’s name, father’s name, address, GSM number and bank account information were found to have been compromised. Customer data such as country/state, nationality, date of birth, name, surname, phone number, e-mail address, postal address, credit card number and expiration date, tax number, TC identification number, passport number and gender were found to have been compromised. No special categories of personal data were found among the affected data.
The Board stated that;
1- The access to an employee’s computer by unauthorized persons who are not employees of the company is an administrative imprudence,
2- Employee network connections with access to the servers were only closed after the breach arose, and this is a failure in server security,
3- The firewall was only renewed after the breach, and it is a technical deficiency that the firewall was not up to date,
4- The employees had not received any security training before, and this is indicative of an administrative deficiency,
5- It is a technical deficiency that the IT systems did not detect the infiltration of the information network,
6- The data on the server was irrevocably destroyed by the infringer,
7- The fact that the incident was reported to the IT Unit by employees of other units of the company is an indication that the IT Unit was not operating and functioning properly.
The Board ruled to impose an administrative fine of TRY 400.000 for the violation of paragraphs 1 and 3 of Article 12 of the Law and an administrative fine of TRY 100.000 for the violation of paragraph 5 of Article 12 of the Law in accordance with subclause (b) of paragraph 1 of Article 18.
4) REGISTRATION OBLIGATIONS OF BRANCHES AND REPRESENTATIVE OFFICES OF LEGAL PERSONS SEATED ABROAD DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 23/07/2019
The Personal Data Protection Board was requested to examine legal entities seated abroad and their branches and representative offices in Turkey in order to determine whether they are data controllers, whether they have a registration obligation, and the applicable exemption criteria.
According to the Law, a data controller may be a real or legal person. In determining the data controller, the following are taken into account: who identifies the purposes and means of processing personal data; who is responsible for the establishment and management of the data recording system; the purposes for which personal data will be processed and the methods of obtaining it; the types of personal data to be processed; whose personal data will be processed; how the data subject’s right of access and other rights are exercised; who decides whether or not the data will be shared; and how long the personal data will be stored.
a) In terms of branches in Turkey:
In accordance with the General Data Protection Regulation, it does not matter whether the branch in the European Union itself processes the data: a company established abroad is subject to the GDPR provisions if it processes data within the context of the activities of its branch in the EU. It is concluded that, where a clear link is found between the EU entity and a data controller outside the EU, the data controller will be subject to the GDPR provisions.
Although the obligation to register under the Law numbered 6698 requires being a data controller, namely a real person or legal entity, branches that act as a decentralized processor of personal data in Turkey will be considered as a data controller.
b) In terms of representative offices in Turkey of legal entities seated abroad:
After examination it was decided that;
1- Data controllers seated abroad must register if they operate in Turkey directly or through their branches,
2- Where a branch in Turkey of a legal person seated abroad itself determines the purposes and means of processing personal data and is responsible for the establishment and management of the data processing system, such a branch shall be considered a data controller separately from the legal entity seated abroad, and whether it is obliged to register will be decided after an evaluation,
3- Since representative offices are established for the purposes of communication, feasibility research, working in social and cultural fields, making preparations for mergers and acquisitions, following business opportunities in the country and informing the parent company, and are not branches, they are not obliged to register.
5) MINIMUM REQUIREMENTS THAT MUST BE INCLUDED IN THE DATA BREACH NOTIFICATION BY THE DATA CONTROLLER DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 18/09/2019
Article 12/1 of the Law numbered 6698 rules that the Data Controller shall;
a) Prevent unlawful processing of personal data,
b) Prevent unlawful access of personal data,
c) Safeguard personal data,
and paragraph 5 of the same Article states that the Data Controller shall notify the data subject and the Board within the shortest time. Where necessary, the Board may announce such a breach on its official website or through other methods it deems appropriate.
The decision of the Personal Data Protection Board (Board) dated 24.01.2019 and numbered 2019/10 states that, “following the identification of the persons affected by the data breach by the data controller, the data subjects shall be notified as soon as possible by direct means if the contact address of the data subject can be reached, and if not, by appropriate means such as publication on the data controller’s website”. In evaluating the data breach notifications delivered to the Authority, it was noted that the purpose of the data controller informing the Board and the affected persons, in the event that personal data is obtained by others by unlawful means, is to enable measures to be taken to prevent or minimize the negative consequences of such a breach. Considering this, it was necessary to clearly define which elements should be included in the data controller’s notifications to the data subjects regarding the breach.
In this context, by the decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271, it was decided that the breach notification to be made by the data controller to the data subject must be in clear and simple language and must include;
– When the breach occurred,
– Which categories of personal data are affected by the breach (distinguishing between personal data and sensitive personal data),
– The possible consequences of the personal data breach,
– The measures taken or proposed to mitigate the adverse effects of the data breach,
– The name and contact details of the persons who can provide information to those concerned about the data breach, or other means of contact such as the full address of the data controller’s web page or a call center.