09 Mar, 2022

KVKK Decision Summaries for February 2022

Summary of the Decision of the Personal Data Protection Board dated 06/01/2022 and numbered 2022/13 "on the sharing of the exam result document by a local news site without the explicit consent of the person concerned"

A complaint was made to the Authority on the grounds that the Higher Education Institutions Exam (YKS) result document, which contains the personal data of the person concerned, was shared by the local news site without that person's explicit consent.

In the news item on the website of the data controller at the time the complaint was examined, it was observed that the personal data of the person concerned, consisting of name, surname, photograph, higher education program and placement score, were processed.

The data controller was asked for its defense and for the information and documents forming the basis of that defense. No response was given to the Authority within the prescribed fifteen-day period, so the data controller did not exercise its right of defense against the claim that the personal data of the person concerned had been processed. It was therefore considered that the complaint should be concluded on the basis of the supporting documents submitted by the person concerned.

In the incident subject to the complaint, the data controller who published the news has freedom of the press, while the data subject has the right to demand the protection of personal data; freedom of the press has thus come up against the right to demand the protection of personal data.

It is stated that the personal data processing activity on the website of the data controller, which is the subject of the complaint, cannot be considered within the scope of freedom of expression regulated in paragraph (1) of Article 28 of the Law (KVKK). As of the date of the decision, the personal data of the person concerned has been processed in violation of subparagraph (a) of paragraph (1) of Article 12 of the Law. Considering the mitigating factor that the said personal data has been removed from the website of the data controller, it has been decided to impose an administrative fine of 30.000 TL on the data controller in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law.

Conclusion; 

Data Responsible

https://kvkk.gov.tr/Icerik/7179/2022-13

Summary of the Decision of the Personal Data Protection Board dated 23/12/2021 and numbered 2021/1324 “on the data breach notification of Yemek Sepeti Elektronik İletişim Perakende Gida Logistics Inc.”

Due to a vulnerability on a web application server belonging to the data controller, the server was accessed by installing an application and running a command.

  • 21.504.083 Yemeksepeti users were affected by the breach.
  • The affected personal data are username, address, phone number, e-mail address, password and IP information.
  • Considering the large number of people affected by the breach and the fact that almost the entire customer database was leaked, the breach was very large.
  • It was decided to impose an administrative fine of 1,900,000 TL.

Conclusion; 

Data controllers should check which software and services are running in their information networks and determine whether there is any infiltration, or any activity that should not occur, in those networks. If they work with third-party companies, they should put the necessary control mechanisms in place. Penetration tests are of great importance in preventing data breaches. In the relevant decision, a large-scale data breach was experienced due to the inability to perform the penetration test correctly. To be protected from different cyber threat actors, it is important that people affected by the breach immediately change their passwords on Yemek Sepeti and on any other applications they log in to with the same password. It is very valuable for institutions and organizations to take the necessary administrative and technical measures, to use security systems suitable for their working architecture, to have these systems kept under control by competent people, and to have penetration tests done, both to avoid administrative fines and to carry out the process correctly.

https://kvkk.gov.tr/Icerik/7168/2021-1324

