In summary, in the data breach notification notified to the Personal Data Protection Authority (“Authority”) by AstraZeneca İlaç Sanayi ve Ticaret Limited Şirketi, which has the title of data controller, and shared on the Agency’s website on 12 August 2022;
- "There has been a breach in the data processing system (Workday Limited) that enables employee candidates to apply for open positions in "AstraZeneca",
- In order for a candidate to submit a job application without logging into their own account, Workday uses a JavaScript variable to track data about the user session, this variable is included in the HTML source, the value of the variable examines the HTML source for the external career site, for example the browser's "View Source" feature becomes visible to users using it,
- Due to the aforementioned situation, employee candidates who apply for a job between July 13, 2022 at 23:53 (Istanbul time) and July 14, 2022 at 05:32 and/or between 22:06 on July 20, 2022 and 23:15 on August 1, 2022, are subject to personal data. data becomes accessible for a short time,
- The violation was detected on 31 July 2022,
- Where the group of people affected by the violation are employee candidates
- An estimated 981 people were affected by the breach
- Personal data affected by the breach; Country, name, e-mail, phone number, salary expectation, current salary information, previous employment relationship information with “AstraZeneca” if any, visa status, details of restrictive clauses regarding current or previous employer, in addition, employee It is stated that the candidates can voluntarily provide personal URL, work experience, education, language, abilities and CV data through the data processing system.
Conclusion:
As seen in the aforementioned data breach notification shared on the institution's website; The data controller company, which is one of the administrative measures that the data controller must fulfill, should pay attention to some important issues in the contract it has drawn up while receiving services from another company for data processing. The data controller should first check whether the necessary measures foreseen in the Law and secondary legislation regarding the protection of personal data are provided in the company where he will receive service. Then, in writing in the contract;
- It contains a provision that the data processor will act only in line with the instructions of the data controller, in accordance with the purpose and scope of data processing specified in the contract and in compliance with the personal data protection legislation, and the provision that it will act in accordance with the Personal Data Retention and Destruction Policy,
- The provision that the data processor will be subject to an indefinite confidentiality obligation regarding the personal data it processes,
- In the event of any data breach, it is important to include the provision that the data processor is obliged to immediately notify the data controller and all measures to be taken regarding data security.
The data controller should include the above-mentioned minimum provisions in the contract and ensure data security by periodically providing the necessary audits to ensure compliance with the contract and whether the data processor has taken full administrative and technical measures.
One of the important issues regarding data processing activity is the security of the physical/electronic place where the data is stored. In this context, it is clear that the data processing company in the aforementioned data breach notification could not provide all the necessary security on the website, which is the area where the data is kept. It is a very important issue for the data controller to convey all the necessary measures to ensure security to the data processor by revealing his knowledge and experience, and to reduce the victimization that may arise from data breaches. In addition, keeping the data kept in electronic media such as the website by masking or other techniques is undeniably important in minimizing the victimization for the natural person whose data is processed.
One of the basic principles to be considered while processing data is that the processed data should be related to the purpose for which they are processed, limited and measured. Within the framework of this principle, data controllers/processors should minimize the data they process.
You can reach the Data Breach Notification Decision via this link:
