30 Jul, 2021

July 2021 Precedent KVKK Decisions

Summary of the Decision of the Personal Data Protection Board dated 20/04/2021 and numbered 2021/407 “About a hospital's data breach notification”

In the data breach notification submitted to the Institution by a data controller hospital:

  • The data breach occurred when files belonging to the patients of a doctor working at the hospital were taken from the archive and removed from the hospital by some hospital staff on the doctor's own instruction,

  • The data breach was fully detected through an examination of the camera records 17 days after an employee was seen attempting to take the files out of the hospital,

  • 789 patients were affected by the violation,

  • The data affected by the violation include the identity, contact, health and genetic data in the patient card (T.R. ID number, name, surname, father's name, mother's name, social security number, private insurance, contracted institution, institution, nationality, date of birth, gender, marital status, blood type, profession, tax office, tax number, address, zip code, e-mail, home phone, work phone, mobile phone, last appointment mobile and home phone, insured status, whether retired, policy number, disability status, employee name, and information such as the treating doctors and branches) and the anamnesis content of the patient file (drugs used, habits, allergic history, family history, psychological state, findings, laboratory tests, pre-diagnosis, diagnosis, treatment and care plan, previous diseases, surgeries, etc.).

Board:

  • Although 789 patients were affected by the violation, only 54 patient files, identified according to the police station report, were recovered and delivered to the trustee, and the fate of the remaining files is not known; the loss of patient files could not be prevented, which shows that adequate measures were not taken to reduce the risk of losing the patient files in question,

  • The employees involved in the violation take part in the processing of a large number of special quality personal data, including health data and genetic data; it is understood that the personal data protection training defined for employees by the data controller was not completed, and that the former employee helped to move the documents in the archive room even though he had received training on the protection of personal data,

  • The fact that the violation was detected only after 17 days indicates that personal data security policies and procedures were not prepared or followed well by the data controller, and that the existing security measures could not be used effectively,

  • Although a Personal Data Protection and Information Security Board had been established, a Data Breach Response Plan prepared, and an algorithm created to meet demands from the relevant persons or institutions within the scope of KVKK before the breach occurred, it was determined after the breach that the patient files submitted to the trustee contain more data than the hospital archive,

In view of the above, an administrative fine of 450,000 TL was imposed on the data controller, who did not take the necessary measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law, taking into account the unfair content of the fault, the fault of the data controller and the economic situation of the data controller.

  • The violation was reported to the Authority 25 days after detection,

  • Except for one of the relevant persons, who came to the hospital, none of them were notified of the violation,

Considering these issues, together with the provisions of paragraph (5) of Article 12 of the Law and the interpretation of the expression 'as soon as possible' as 72 hours in the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10 on Personal Data Violation Notification Procedures and Principles, an administrative fine of 150.000 TL was imposed on the data controller, who did not fulfill the notification obligation within the framework of the Law, in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law, taking into account the unfair content of the fault, the fault of the data controller and the economic situation of the data controller.

It was thus decided to impose an administrative fine of 600.000 TL in total.

Institutions and organizations have very important duties in preventing data breaches. The Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 on "Adequate Precautions to be Taken by Data Controllers in the Processing of Special Quality Personal Data" states: "For employees involved in the processing of special quality personal data, a) regular training should be provided on the Law, the related regulations and special quality personal data security issues."

As seen in the relevant decision, institutions face such heavy sanctions because employees do not receive training on the protection of personal data and, even when they do, data controllers do not check the training the employees have received. Preventing data breaches is only possible if every employee in the institution or organization receives proper training and completes it seriously. In addition to training, institutions and organizations should take technical and administrative measures. Correct and consistent policies and procedures for personal data security should be defined and integrated in line with the work and operation of the data controller. When data controllers cannot prepare policies and procedures well and on time, cannot identify problem areas, or cannot use the existing security measures, an adequate level of personal data security cannot be provided. To prepare sound measures and use their existing security measures well, institutions and organizations should get the right support for the protection of personal data and foresee the risks, so that they are not exposed to heavy penalties.

Summary of the Decision of the Personal Data Protection Board dated 25.03.2021 and numbered 2021/311, “About a data breach notification of a cosmetic company”

In the data breach notification sent to our Institution by the data controller;

  • On 18.05.2020, a new campaign on the data controller's website drew heavy traffic to the site and the application servers proved insufficient,

  • While new application servers were being added by the data processor, copies of the current version of the site were made in case the site stopped working,

  • The intention in this operation was to make a copy of the static page of the site and to show that static copy to customers while the new application servers were being added,

  • During this process, because a function that is used to prevent DDoS attacks, in the service the data processor receives from a third party, did not work as defined, copies were created not only of the current interface but also of user profiles, and the information in randomly copied user profiles became visible to users who logged in as members,

  • The profiles displayed contain personal data such as name, surname and e-mail address, and no financial personal data such as credit card details,

  • The unusual behavior of the site was noticed in a short time by consumers and the central office team through the notifications sent to the data controller's call center; as a result of the efforts to fix it, the problems on the site were fixed at 17.00, the site was closed to access at 17.48, and it was restored to normal working order at 17.48,

  • During this 48-minute period, customers who logged in to the site may have seen, instead of their own personal data, the personal data in the copied profiles of consumers as they stood at the moment the copy was made,

  • However, since the copies taken in this process are not stored in any system, it is stated that a clear number cannot be given for how many people may have seen which members' profiles, and that the information of 24 people in total is expected to have been visible to different members.

Board:

  • It is not possible to give a clear number for how many people may have seen which members' profiles, and since the error occurred during the campaign, in high-traffic minutes, the personal data of these people may have been seen by a large number of people,

  • The data controller planned to take the "encryption and data masking" measures, which are also included in 4.1. Summary Table of Technical Measures of the Personal Data Security Guide (Technical and Administrative Measures), only after the breach,

  • Although the function was tested before being taken to the live environment, the test was conducted with a limited number of users; to avoid such violations, the operation should not have been carried out during the busy period but with the site closed at the lowest-traffic hours, and the data controller did not comply with this in the event that caused the violation,

Considering these points, an administrative fine of 200,000 TL was imposed on the data controller, who did not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law.

The data controller notified the Authority within the 72-hour period, starting from the learning of the data breach, determined by the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10.

Considering that the data controller sent an e-mail to the relevant persons to notify them of the data breach, and that this e-mail contains the minimum elements required by the Decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271, it was decided that there was no action to be taken at this stage under paragraph (5) of Article 12 of the Law.

Data controllers of companies that run a large number of campaigns, such as cosmetics and clothing companies, and whose websites are in demand by many users during campaign periods, must act within the framework of the risk-oriented approach stated under the heading 2.1. Identification of Existing Risks and Threats of the Personal Data Security Guide (Technical and Administrative Measures), "…the probability of the risks that may arise regarding the protection of this data and the losses to be caused in case of realization should be determined accurately and appropriate measures should be taken.", and must comply with the obligations of the data controller; encryption and data masking measures must be taken before large campaigns. Under the heading 3.5. Information Technology Systems Procurement, Development and Maintenance of the Personal Data Security Guide (Technical and Administrative Measures), it is stated: "Security requirements should be taken into account when determining the needs related to the procurement, development or improvement of existing systems by the data controller. Controls should be made to ensure that the inputs of the application systems are correct and appropriate, and control mechanisms should be placed in the applications to check whether the correctly entered information is corrupted as a result of an error during the process or intentionally. Applications should be designed in such a way as to minimize the likelihood that errors during processing will compromise data integrity." Anticipating risks and taking technical and administrative measures are of great importance for the storage and confidentiality of user data. Through tests carried out before campaigns, companies can prevent data breaches. By making the notification within 72 hours after a data breach, companies can avoid being punished more severely.
It is important that companies, especially those whose websites are heavily used, are sensitive to data protection.

Summary of the Decision of the Personal Data Protection Board dated 04.03.2021 and numbered 2021/190 “About the data breach notification of the data controller in the banking sector”

As a result of examining the data breach notification within the framework of the Authority's authority and duty; With the Decision of the Personal Data Protection Board dated 04.03.2021 and numbered 2021/190;

  • The Team Leader who is the subject of the incident was able to access the information of the person making the complaint and abuse his/her authority by taking advantage of his/her position, and despite the data privacy and security training provided by the data controller, the employee's awareness of his/her roles and responsibilities could not be ensured; this constitutes a violation of the provision under the heading Training and Awareness Studies of Employees in the Personal Data Security Guide (Technical and Administrative Measures), "The roles and responsibilities of everyone working for the data controller, regardless of their position, regarding personal data security should be determined in their job descriptions and it should be ensured that employees are aware of their roles and responsibilities in this regard.",

  • Before the data breach, personnel working as Team Leader in the Bank could view customer information with whatever frequency and number of inquiries they wished, and this situation may cause the personal data of customers to be breached by employees; the Personal Data Security Guide (Technical and Administrative Measures) published by our Institution states, under the heading Training of Employees and Awareness Studies, "... care should be taken to act in accordance with the principle of "Everything is Forbidden Unless Allowed", not the principle of "Everything is Free Unless Prohibited", while giving the right to access environments containing personal data or creating a corporate culture in this regard.",

  • No procedure for determining the number of records that can be queried, or a quota, for querying Risk Center data was in place before the data breach; an inquiry quota limit was established for employees only about two years after the said breach, and efforts are still being made to establish a quota for other customer inquiries,

  • Employees working as Call Center Team Leader within the body of the data controller can access customer information by making unlimited inquiries without the consent of the customers, and the necessary authorization is not given to the employees in question; this constitutes a violation of the measures stated under the heading Cyber Security in the Personal Data Security Guide (Technical and Administrative Measures) published by our Institution, "Access to systems containing personal data should also be limited. In this context, employees should be granted access to the extent necessary for their jobs and duties, as well as their powers and responsibilities, and … access to relevant systems should be provided.",

  • A warning system telling employees who want to query the information of another branch's customer that they can use the data they access within the scope of their business needs and in line with their job description was developed only after the data breach; no warning system was used before the data breach.

Considering the issues, it has been decided to impose an administrative fine of 100.000 TL on the data controller who does not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law.

Conclusion:
Especially in institutions such as banks, where personal data is used extensively, employees' access to data should be limited by the policies of the institution. It is of great importance that the number of records that can be queried is determined and that a quota is placed on querying Risk Center data before data breaches occur.
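The three controls this decision turns on (deny-by-default authorization, an inquiry quota, and a warning for other-branch customers) can sit in one gate in front of customer lookups. The following is an added example, not code from the decision or from the bank; the roles, quota values, the justification requirement and every name in it are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import date

# Hypothetical allow-list: (role, query type) -> records per employee per day.
# A pair that is not listed is denied ("Everything is Forbidden Unless Allowed").
DAILY_QUOTA = {
    ("call_center_agent", "customer_profile"): 40,
    ("call_center_team_leader", "customer_profile"): 60,
    ("call_center_team_leader", "risk_center"): 5,
}

CROSS_BRANCH_WARNING = (
    "This customer belongs to another branch. Data you access may be used "
    "only for a business need within your job description."
)


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    branch: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    warning: str = ""


@dataclass
class InquiryGate:
    quota: dict = field(default_factory=lambda: dict(DAILY_QUOTA))
    used: defaultdict = field(default_factory=lambda: defaultdict(int))
    audit_log: list = field(default_factory=list)

    def check(self, emp: Employee, query_type: str, customer_branch: str,
              day: date, justification: str = "") -> Decision:
        """Decide one lookup and record it, whether allowed or denied."""
        decision = self._decide(emp, query_type, customer_branch, day, justification)
        self.audit_log.append({
            "day": day.isoformat(),
            "emp_id": emp.emp_id,
            "role": emp.role,
            "query_type": query_type,
            "cross_branch": customer_branch != emp.branch,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def _decide(self, emp, query_type, customer_branch, day, justification):
        # 1. Deny by default: the role must be explicitly granted this query type.
        limit = self.quota.get((emp.role, query_type))
        if limit is None:
            return Decision(False, "not_permitted_for_role")
        # 2. Other-branch customer: show the warning and (an assumption of this
        #    example) require a stated business reason before proceeding.
        warning = ""
        if customer_branch != emp.branch:
            warning = CROSS_BRANCH_WARNING
            if not justification.strip():
                return Decision(False, "cross_branch_justification_required", warning)
        # 3. Quota: count records per employee, per query type, per day.
        key = (emp.emp_id, query_type, day)
        if self.used[key] >= limit:
            return Decision(False, "daily_quota_exceeded", warning)
        self.used[key] += 1
        return Decision(True, "ok", warning)

    def denied_by_employee(self) -> dict:
        """Denied attempts per employee, for periodic supervisory review."""
        return dict(Counter(e["emp_id"] for e in self.audit_log if not e["allowed"]))


if __name__ == "__main__":
    # Constructed sample: a team leader runs seven Risk Center queries in a day.
    gate = InquiryGate()
    leader = Employee("E1", "call_center_team_leader", "B01")
    today = date(2021, 3, 4)
    for n in range(1, 8):
        d = gate.check(leader, "risk_center", "B01", today)
        print(n, d.allowed, d.reason)
    print(gate.denied_by_employee())
```

Because denied attempts are logged alongside allowed ones, the same log supports the periodic review of access records that the Guide asks for.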

Summary of the Decision of the Personal Data Protection Board dated 04.03.2021 and numbered 2021/187 “About a data breach notification of an insurance company”

In the data breach notification submitted to the Authority by the data controller;

  • As to how the breach occurred:

  • Within the scope of a pension service, a "Report" regarding the employees included in the insurance service is sent to some companies that are customers of the data controller,

  • A systematic error occurred at the support service provider from which the data controller receives information systems service,

  • Within the scope of the system service, a technical error caused a problem in associating the "Report" with some companies that are customers of the data controller,

  • A "Report" file concerning the employees of 31 other customer companies included in the system was sent to 28 customer companies within the scope of the system service,

  • As a result of the erroneous operation of the query that selects the "report", the footer information of 681 real person customers, who are employees of 31 employer companies within the scope of the system, was sent systematically to 28 employer companies within the scope of the system,

  • The violation was identified when a customer company that received the report gave information about the issue by phone,

  • The company that had access to the relevant file and notified the data controller of the violation gave this information during a telephone call on 19.02.2020 at 09:55,

  • This company, as well as all the companies affected by the violation, was informed, and it was repeated that the information sent inadvertently should be deleted,

  • The software that caused the violation was tested before it went live,

  • It is stated that the personal data affected by the violation include the Turkish National ID / Blue Card Number, Name - Surname, Planned Suspension End Date and Contract Status.


As a result of examining the data breach notification within the framework of the Authority's authority and duty; With the Decision of the Personal Data Protection Board dated 04.03.2021 and numbered 2021/187;

  • The personal data of 681 data subjects, who are employees of 31 employer companies within the scope of the pension service, were sent to 28 employer companies that are customers within the scope of the pension service,

  • Since the system error that caused the data breach originates in the application software, such errors should have been corrected before the process went live, yet the error could not be detected before the event subject to the breach,

  • There is a delay of approximately 2 years between the date the infringing event occurred (18.01.2018) and the date it was detected (19.02.2020); in view of the statement under the heading Monitoring Personal Data Security in the Personal Data Security Guide (Technical and Administrative Measures), “…reports to be generated during the reporting process may be automatic reports to be generated by the system. These reports should be aggregated by the system administrator as soon as possible and submitted to the data controller. In addition, regular checking of security software messages, access control records and other reporting tools and taking action on warnings from these systems…”, this is an indication that the data controller does not perform the necessary controls and audits on time,

  • The breach was detected because the client company that received the report informed the data controller about the issue, and it could not be detected by the data controller itself through automated means; this is an indication of non-compliance with the statement "It is necessary to determine whether there is an infiltration in information networks or a movement that should not occur", which appears under the heading Monitoring Personal Data Security in the Personal Data Security Guide (Technical and Administrative Measures).

Considering these issues, it was decided to impose an administrative fine of 125,000 TL on the data controller, who does not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law, taking into account the unfair content of the fault, the fault of the data controller and the economic situation.

  • The error in the system that caused the breach occurred between 18.01.2018 and 19.02.2020; the company that had access to the relevant file informed the data controller of the breach on 19.02.2020; the data breach was notified to the Authority via e-mail on 21.02.2020 and the letter entered the Institution's records on 24.02.2020; in this respect, the notification condition is met within 72 hours starting from the learning of the data breach, as determined by the Board's Decision dated 24.01.2019 and numbered 2019/10,

  • It was stated that the relevant persons affected by the violation were notified via e-mail on 28.02.2020, that the persons for whom no e-mail information was available were called, and that the dates and times of the calls and a sample of the information text were sent to the Institution.

However, considering that this notification is deficient as to when the violation occurred, which personal data were affected by the violation on the basis of personal data categories (personal data / special quality personal data), the possible consequences of the personal data breach, and the measures taken or recommended to be taken to reduce the negative effects of the data breach, it has been decided to instruct the data controller to notify the relevant persons in accordance with the Decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271.

Conclusion:
Data controllers have great responsibilities for data protection and auditing. Under the heading 3.5. Information Technology Systems Procurement, Development and Maintenance of the Personal Data Security Guide (Technical and Administrative Measures) published by the Institution, it is stated: "Security requirements should be taken into account when determining the needs for the supply, development or improvement of existing systems by the data controller. Controls should be made to ensure that the inputs of the application systems are correct and appropriate, and control mechanisms should be placed in the applications to check whether the correctly entered information is corrupted as a result of an error during the process or on purpose." As the above decision shows, data breaches occur when data controllers do not perform the necessary controls.

Summary of the Decision of the Personal Data Protection Board dated 29.09.2020 and numbered 2020/744 "About a data breach notification of a bank"

In the data breach notification submitted to the Authority by the data controller;

  • The data breach was identified when the Bank's Data Leakage team began an investigation based on the notification sent to the Board of Inspectors,

  • An examination of the records of the e-mails sent to and from the e-mail address the employee used at the data controller showed that the employee had entered the information of 346 customers into a Word document and sent the document to a third party who, he claimed, was a friend working at an investment firm,

  • All of the said customers had made money transfers to an investment company,

  • The personal data categories affected by the breach are identity, communication, customer transaction and financial data,

  • It is stated that the customers whose data are shared are not the customers of the branch to which the employee who caused the violation is related, therefore there is no basis for the employee to collect and share the data.

As a result of examining the data breach notification within the framework of the Authority's authority and duty; With the Decision of the Personal Data Protection Board dated 29/09/2020 and numbered 2020/744,

  • The breach affected the branch number, account number, name-surname and mobile phone number of 346 Bank customers, and the amounts of the investment transactions these customers sent from their bank accounts to an investment firm account,

  • Although the personnel involved in the breach had completed the "Personal Data Protection Law" training on 09.10.2018, more than 1 year before the data breach occurred, the fact that he personally committed the breach after the said training creates doubts that the training provided is not sufficient and effective,

  • Although it is stated that there is a Data Leakage Detection/Prevention System for e-mails sent out of the bank, the DLP systems did not prevent the e-mail that caused the violation, and the employee who caused the violation was able to transfer the personal data; the Personal Data Security Guide (Technical and Administrative Measures) states, under the heading "Identification of Existing Risks and Threats", "In order to ensure the security of personal data, first of all, all personal data processed by the data controller, the probability of the risks that may arise regarding the protection of this data, and the losses to be caused in case of realization should be determined correctly and appropriate measures should be taken. While determining these risks; – Whether the personal data is sensitive personal data, – What degree of confidentiality is required due to its nature, – The nature and quantity of the damage that may arise in terms of the person concerned in case of a security breach should be taken into consideration. After defining and prioritizing these risks; control and solution alternatives to reduce or eliminate the said risks should be evaluated in line with the principles of cost, applicability and usefulness, and necessary technical and administrative measures should be planned and implemented.",

  • Despite the administrative and technical measures taken by the Bank, the Bank's personnel were able to transmit the personal data of 346 customers to third parties for a purpose other than the purpose of processing; in view of the statement in the resolution of the Personal Data Protection Board dated 31/05/2018 and numbered 2018/63, “…Since the processing of personal data and/or the sharing of this data with third parties, for personal purposes or reasons, by those who are authorized to access personal data within a data controller due to their position or duty, by exceeding and/or misusing their powers, would be contrary to paragraph (1) of Article 12 of the Law, all necessary technical and administrative measures should be taken by data controllers to ensure the appropriate level of security in order to prevent actions within this scope…”, this is an indication that the technical and administrative measures are insufficient.

Considering these issues, an administrative fine of 225,000 TL was imposed, within the scope of subparagraph (b), on the data controller, who did not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, taking into account the unfair content of the fault, the fault of the data controller and the economic situation of the data controller.

  • Necessary notifications are made to the relevant persons and the said notification samples are sent to the Institution,

  • However, the breach occurred on 31.10.2019, it was reported to the Board of Inspectors by the Bank's Technology Data Leakage team on 04.11.2019, and the data controller notified the Authority on 06.12.2019; the notification condition was therefore not met within the 72-hour period, starting from the learning of the data breach, determined by the Board's Decision dated 24.01.2019 and numbered 2019/10.

Considering this, since the data controller violated the obligation in paragraph (5) of Article 12 of the Law to notify as soon as possible (within the 72-hour period specified in the Board decision dated 24.01.2019 and numbered 2019/10), it has been decided to impose an administrative fine of 50,000 TL, in total 275,000 TL, pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law.

Conclusion;
While it is certain that employees must receive training on the Law on the Protection of Personal Data, institutions are also required to audit and check from time to time whether this training is being received properly. As seen in the decision, the personal data of many customers was shared with third parties by the employee, and at the same time, no notification was made to the institution after the data breach occurred. Institutions are required to make data breach notifications within the 72-hour period determined as the shortest time. Otherwise, they are subject to heavy sanctions by the Board. In this period when data breaches are increasing, it is very important for institutions and organizations to focus on data protection and, if needed, to get support so that they are not subject to heavy administrative fines.

Summary of the Decision of the Personal Data Protection Board dated 25.02.2021 and numbered 2021/154 on a data breach notification of an insurance company

As a result of examining the data breach notification within the framework of the Authority's authority and duty;

  • The violation was detected by the relevant units of the company where the former employee started to work after leaving his job and notified to the data controller,  

  • The identity, communication and vehicle plate number data of 544 customers were affected by the violation,

  • Although the e-mail that the data controller sent to some employees in 2017 stated that, with DLP systems, it is possible to prevent documents containing more than a certain number of personal data items such as T.C. Identity Number, credit card number, IBAN, phone number and e-mail address from being sent outside the institution by e-mail, and that the movement of TRN information, Credit Card information and IBAN information inside and outside the institution would be monitored and prevented, the DLP system of the data controller could not prevent the sending of the e-mails subject to the violation; contrary to the statement “…every software and hardware must be subjected to a set of installation and configuration processes.” under the heading "Cyber Security" of the "Personal Data Security Guide", this shows that the system was not configured correctly,

  • The fact that the last e-mail sent by the former employee to his personal e-mail address was not reflected in the DLP Report, because his account was closed when he left the job 1 month after this date, is inconsistent with the statement “It is necessary to keep the records of the transactions of the users on a regular basis” under the heading "Tracking of Personal Data Security" of the "Personal Data Security Guide",

  • Although the infringing e-mails were sent in November and December, they could not be detected until 24.12.2019, and the detection on that date was made by the company where the former employee had just started working, which reported it to the data controller; although the e-mail sent to some employees in 2017 stated that the DLP reports would be shared with the department managers and that they would be asked whether they had any information about the relevant data shares, the manager of the personnel was not notified about the e-mails containing the files in the two DLP reports of 2018, and controls were not carried out,

  • Although online personal data protection training was offered to the former employee involved in the violation, the employee left the job 2 months later without starting this training; an information link was also shared with the user group that included the former employee, and the second piece of information covered only the rights and obligations of the persons concerned. Contrary to the statement “… training of employees on issues such as not unlawfully disclosing and sharing personal data, carrying out awareness studies for employees and creating an environment where security risks can be determined are very important in terms of ensuring personal data security.”, the information given to the employee consists of some general provisions on the protection of personal data and does not even include the basic issues given as examples, such as the unlawful disclosure and sharing of personal data; this shows that the data controller does not attach sufficient importance to training on the protection of personal data.

Considering these issues, an administrative fine of 150.000 TL was imposed on the data controller, who does not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12, in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law, taking into account the unfair content of the fault, the fault of the data controller and the economic situation.

  • Considering that the violation was detected on 24.12.2019 and notified to our Institution on 27.12.2019, there is no action to be taken within the scope of the Law, since the notification condition is met within the 72-hour period, starting from the learning of the data breach, determined by the Board's Decision dated 24.01.2019 and numbered 2019/10,

  • On the other hand, it was decided to remind the data controller that the notifications to be made by the data controller from now on to the relevant persons should be made in accordance with the Decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271.
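The DLP rule described in the decision above (stop outbound e-mail that carries more than a certain number of T.C. Identity Numbers, card numbers or IBANs) can be sketched as follows. This is an added example, not the data controller's system or any product's code; the internal domain, the threshold of 3 and the sample message are constructed assumptions.

```python
import re

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domain
THRESHOLD = 3                        # assumption: the "certain number" of identifiers


def tckn_valid(s):
    """T.C. Identity Number: 11 digits, first digit non-zero, two check digits."""
    if not re.fullmatch(r"[1-9]\d{10}", s):
        return False
    d = [int(c) for c in s]
    d10 = (7 * sum(d[0:9:2]) - sum(d[1:8:2])) % 10
    return d[9] == d10 and d[10] == sum(d[:10]) % 10


def luhn_valid(s):
    """Payment card number check (Luhn)."""
    digits = [int(c) for c in s][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * x, 10)) for x in digits[1::2])
    return total % 10 == 0


def iban_valid(s):
    """Turkish IBAN: TR + 24 digits, ISO 13616 mod-97 check."""
    s = s.replace(" ", "").upper()
    if not re.fullmatch(r"TR\d{24}", s):
        return False
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1


PATTERNS = [  # order matters: longer identifiers are masked before shorter ones
    ("iban", r"\bTR\d{2}(?: ?\d{4}){5} ?\d{2}\b", iban_valid),
    ("card", r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)", luhn_valid),
    ("tckn", r"(?<!\d)[1-9]\d{10}(?!\d)", tckn_valid),
]


def find_identifiers(text):
    """Return checksum-validated identifiers found in text, grouped by kind."""
    found = {kind: [] for kind, _, _ in PATTERNS}
    for kind, pattern, check in PATTERNS:
        for m in list(re.finditer(pattern, text)):
            raw = re.sub(r"[ -]", "", m.group())
            if check(raw):
                found[kind].append(raw)
                # Mask the span so its digits are not counted again as another kind.
                text = text[:m.start()] + "#" * len(m.group()) + text[m.end():]
    return found


def evaluate(recipients, text):
    """Decide on one outbound message; the returned record is what gets logged."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    counts = {k: len(v) for k, v in find_identifiers(text).items()}
    over = sum(counts.values()) > THRESHOLD
    return {"action": "block" if external and over else "allow",
            "external": external, "counts": counts}


# Constructed test message: checksum-valid test numbers, no real persons.
SAMPLE = """Customer list (constructed test data)
Ayse Yilmaz, 10000000146, plate 34 ABC 123
Mehmet Kaya, 12345678950, tel 05321234567
Order ref 12345678901
Card 4111 1111 1111 1111
IBAN TR33 0006 1005 1978 6457 8413 26
Zeynep Demir, 11111111110
"""

if __name__ == "__main__":
    print(evaluate(["former.employee@mail.example"], SAMPLE))
```

Checksum validation keeps the order reference and the phone number in the sample from being counted, and the record returned for every message, allowed or blocked, is what would feed the regular DLP report the decision refers to.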

Summary of the Decision of the Personal Data Protection Board dated 12/03/2020 and numbered 2020/216 on a data breach notification of an IT company

In the data breach notification submitted to the Authority by the data controller;

  • Cyber-attacks were attempted on the systems of the data controller company in order to obtain the data in those systems,

  • In the application called Pilot, the debugging feature is turned on and the developers who make system development for the company use this feature to detect errors in the application and make improvements,

  • The person(s) trying to access the Pilot application over the internet with the cyber attack subject to the breach obtained the "PHPSESSID" value belonging to people who had logged in to the application before, and gained access to the Pilot application,

  • The reason why the debugging feature is turned on is to allow improvements to be made by accessing the system over the internet, but this allows access to the system by performing cyber attacks over the internet,

  • It is not possible to determine clearly which data in the system the attackers accessed, but considering all the data in the systems of the data controller, there are 65.993 people in the system, and these people only include people who have received offers, created memberships or received services in any way, whether active or inactive,

  • The records in the system regarding the relevant persons are 1259 contracts, 701 domain name application files (including the signature circular, tax plate and person ID photocopy records),

  • Information on fifty thousand credit cards is also included in the system, but it has been determined that most of this credit card information has passed its expiration date and cannot be used, and only eight thousand cards are active,

  • The categories of persons affected by the breach are customers and potential customers,

  • It cannot be determined which data the attackers have accessed; the data in the system are identity, communication, transaction security (username and password information) and payment information (credit card number),

  • The seized credit card information is the information transferred to the Data Controller Company before 2018; a project was initiated within the scope of improvement studies in payment services as of 2016, and credit card information is collected and stored by authorized payment service providers as of 2018,

  • Considering that there is no sensitive data directly affected by the data breach, but blood type and religion information are included in the photocopies of old identity cards attached to the signature circular of legal entity customers, and that the reverse side of the identity photocopy can be found in some signature circulars; for some customers, it may be possible for attackers to access this data,

  • All records in the system were examined and it was determined that there were 1,784 copies of old identity cards (including the photocopies of identity cards included in the signature circular) in the counting,

  • It was stated that all customers affected by the violation were notified by sending an e-mail, and some customers were informed by telephone as much as possible.

As a result of the examination of the said notification, with the Decision of the Personal Data Protection Board dated 12/03/2020 and numbered 2020/216;

  • The fact that the data accessed by the attackers in the system cannot be determined clearly is an indication that the control and warning mechanisms are not used effectively by the data controller to determine whether there is any infiltration or any anomaly,

  • The data controller cannot determine which personal data is affected, but there are 65.993 people in the systems; these people only include people who have received offers, created a membership or received any kind of service, whether active or inactive; 1.784 of these people have a photocopy of both sides of their old ID in the system, and the system contains fifty thousand credit card information,

  • Although the data controller has changed the payment system and, in this context, the credit card information held by the data controller has passed the expiry date and cannot be used, only eight thousand cards are active, and as of 2018 credit card information is collected and stored by authorized payment service providers, the data controller acted contrary to subparagraphs (b) and (ç) of paragraph (2) of Article 4 of the Law on the Protection of Personal Data (Law) numbered 6698 by not destroying the card information,

  • In the penetration test conducted on 29.01.2020 after the breach and sent to the Institution by the data controller, it was determined that the attackers connected to the system via SFTP and VPN, and that private user names and VPN passwords had been given to individuals for security purposes for access from outside the company. Considering that high and medium level vulnerabilities were detected in the applications, this is an indication that the necessary technical measures have not been taken by the data controller,

  • When the screens of the data controller where domain and hosting services are purchased at https://www.****.com.tr are examined, identity and contact information are requested during the purchasing processes but there is no clarification text, and it has been concluded that the data controller has not adequately fulfilled its obligations under the Law,

  • The fact that the technical measures to be taken by the data controller before the breach are put into use after the breach is an indication that the necessary technical and administrative measures have not been taken.

Based on the evaluations, an administrative fine of 450.000 TL will be imposed on the data controller who does not take the necessary technical measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, in accordance with sub-paragraph (b) of paragraph (1) of Article 18 of the Law,

  • Considering that the data breach occurred on 09.10.2019 at 14:04, it was detected by the data controller on 11.10.2019 at 14.04, and it was reported to the Board on 14.10.2019 within 72 hours, it was decided that there was no action to be taken in this regard.

Conclusion:
Thanks to the penetration test sent to the institution in the incident subject to the violation, high and medium level vulnerabilities of the data controller were detected. Performing penetration tests is of great importance in terms of preventing data breaches. Data controllers have to take administrative and technical measures such as activating two-factor authentication in systems that offer this feature, renewing the certificates used in VPN access, moving their employees' e-mail access to two-step authentication, timestamping log records so that they can be used as evidence in forensic events, and ensuring the correlation of the logs. In particular, IT companies need to be very careful about data breaches and use control and warning mechanisms.
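One form the control and warning mechanism mentioned in this decision could take is a check for a session identifier that reappears from a different client, sketched below as an added example that is not from the decision or the company's systems. The log format, the shortened session ids and the sample lines are constructed assumptions.

```python
import re

# Assumed access-log format (constructed): timestamp, client IP, session id,
# user agent, request path. In production the sid field should hold a hash of
# the PHPSESSID cookie, never the raw value.
LINE = re.compile(
    r'(?P<ts>\S+) ip=(?P<ip>\S+) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)" path=(?P<path>\S+)'
)


def detect_session_reuse(lines):
    """Flag a session id that is later used by a client other than its first user.

    Each alert also collects the paths requested by the new client, so that
    what was accessed can be established afterwards.
    """
    owner = {}   # sid -> (ip, user agent) of the first request seen
    alerts = {}  # (sid, ip, user agent) -> alert record, one per foreign client
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if m is None:
            continue  # unparsable line: skipped here, worth counting in practice
        sid, ip, ua = m["sid"], m["ip"], m["ua"]
        if sid not in owner:
            owner[sid] = (ip, ua)
            continue
        if (ip, ua) == owner[sid]:
            continue
        key = (sid, ip, ua)
        if key not in alerts:
            o_ip, o_ua = owner[sid]
            changed = [name for name, new, old in
                       (("ip", ip, o_ip), ("user_agent", ua, o_ua)) if new != old]
            alerts[key] = {
                "sid": sid,
                "first_seen": m["ts"],
                "ip": ip,
                "changed": changed,
                # An IP change alone is common (mobile networks); a change of
                # both IP and user agent on a live session is a stronger signal.
                "severity": "high" if len(changed) == 2 else "low",
                "paths": [],
            }
        alerts[key]["paths"].append(m["path"])
    return list(alerts.values())


# Constructed sample log; documentation IP ranges, no real traffic.
SAMPLE_LOG = """\
2020-01-15T09:00:01Z ip=192.0.2.10 sid=3f9a ua="Mozilla/5.0 (Windows NT 10.0) Firefox/72.0" path=/login.php
2020-01-15T09:00:05Z ip=192.0.2.10 sid=3f9a ua="Mozilla/5.0 (Windows NT 10.0) Firefox/72.0" path=/customers.php
2020-01-15T09:10:00Z ip=192.0.2.44 sid=77c1 ua="Mozilla/5.0 (X11; Linux) Chrome/79.0" path=/login.php
2020-01-15T09:12:30Z ip=198.51.100.23 sid=77c1 ua="Mozilla/5.0 (X11; Linux) Chrome/79.0" path=/invoices.php
2020-01-15T09:20:42Z ip=203.0.113.99 sid=3f9a ua="curl/7.68.0" path=/customers.php
2020-01-15T09:20:43Z ip=203.0.113.99 sid=3f9a ua="curl/7.68.0" path=/contracts.php
"""

if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_LOG.splitlines()):
        print(alert)
```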

Summary of the Decision of the Personal Data Protection Board dated 30.06.2020 and numbered 2020/511 on a data breach notification of an insurance company

As a result of the examination of the data breach notification within the framework of the Authority's authority and duty; With the Decision of the Personal Data Protection Board dated 30/06/2020 and numbered 2020/511,

  • The breach occurred when, as a result of changing the pharmacy provision screens of the data controller, the Excel file containing identity and drug usage information on a per-person basis became viewable by 11 insured persons while being transferred to the new system. Personal data such as identity and customer transaction information, and health information as special quality personal data, are affected,

  • The exposure continued from 25.04.2019 until 07.12.2019, and the data controller could not detect the vulnerability until the person providing access to the file was informed,

  • In addition, this is an indication that, contrary to what is stated under the title of "Security of Environments Containing Personal Data" in the Personal Data Security Guide, the data controller does not regularly perform vulnerability scans in order to prevent undesirable events such as violations of confidentiality and integrity, and that, although employees' access to the system network also increases the risk of security breaches, adequate security measures are not taken for them,

  • The data controller has not taken any technical and administrative measures to prevent the uploading to the document management system of Excel files which contain the personal data causing the breach and which became viewable by unauthorized persons. Contrary to what is stated under the heading of "Information Technologies Systems Supply, Development and Maintenance" of the Personal Data Security Guide, security requirements are not taken into account by the data controller when determining the needs for the development of the new system or the improvement of the existing systems, the controls on whether the inputs of the application systems are correct and appropriate are not made adequately and to the required extent, control mechanisms are not placed in the applications to check that correctly entered information is not corrupted intentionally or as a result of an error during the process, and an approval process is not operated while uploading the documents to the system,

  • The personal data affected by the breach includes health information as sensitive personal data, and the file subject to the violation also includes sensitive personal data. As stated in the Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 regarding "Adequate Precautions to be Taken by Data Controllers in the Processing of Special Quality Personal Data", for environments where sensitive personal data are processed, stored and/or accessed, if the environment is electronic media, the data must be kept by using cryptographic methods and cryptographic keys must be kept in secure and different environments; the data controller did not take into account that such data should be protected much more strictly than other personal data,

  • Even if the persons concerned have not suffered any significant damage in the incident subject to the violation, the data that may cause victimization about the persons concerned if learned are subject to the violation, therefore the violation carries a serious risk in terms of potential threat,

Considering this, it has been decided to impose an administrative fine of 100.000 TL on the data controller who does not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, in accordance with paragraph (1) (b) of Article 18 of the Law.

Conclusion:
As stated under the title of Determination of Personal Data Security Policies and Procedures of the Personal Data Security Guide, “…within the scope of the personal data security policies and procedures prepared by the data controller; it should fulfill its obligations such as making regular checks of the application, documenting the checks made, identifying the issues that need improvement and continuing the checks regularly after the necessary updates are made.” Determining a policy on the Protection of Personal Data will benefit institutions and organizations in terms of data processing, protection and access. Data controllers should not disrupt the controls for the improvement of the systems.

Summary of the Decision of the Personal Data Protection Board dated 16.06.2020 and numbered 2021/464 on a data breach notification of a highway operator

In the data breach notification submitted to the Authority by the data controller;

  • The violation occurred as follows: after the personal e-mail addresses that the employees had forwarded to the data controller in writing, signed, with their own consent and at their own request, were entered into the system, the payrolls sent to these accounts through the payroll program contained the payroll of other employees of the same company rather than that of the recipient, so that the name, surname, TR Identity Number and registration number belonging to someone else were displayed, while the salary information was displayed as the same generic information for everyone,

  • The violation occurred as a result of sending an incorrect e-mail due to a systemic error; this technical error was experienced because a device type for the Turkish language was not defined in the payroll system and because, instead of sending the payroll envelopes instantly, the program used the method of sending the payroll envelopes to the queue and sending the e-mails afterwards from the records there,

  • It is stated that the number of persons and records affected by the violation is 489.

As a result of examining the data breach notification within the framework of our Authority's authority and duty; With the Decision of the Personal Data Protection Board dated 25.03.2021 and numbered 2021/311;

  • During the review process, in the notification sent to the data controller pursuant to the Board's decision, it was stated that “…The personal e-mail addresses included in the written declaration petition submitted by the employees upon their consent and requests are entered into the system and these personal e-mails are used”, and information was requested as to why delivery was not made to the company e-mail address instead of the personal e-mails. In response to this request, the data controller replied, “Our company has an organizational structure where the majority of its employees are in the field. In this respect, considering that all our employees do not have an e-mail account defined by our company, and that the company has access to their e-mail accounts, it was considered that it would be more appropriate to make these notifications to the personal e-mail accounts of our employees.” This is not just a technical glitch as stated by the data controller: since employees do not have the ability to control whether accidentally sent payrolls are deleted from their personal e-mail accounts (because it includes many e-mail servers), and since corporate e-mail accounts were not opened for the said employees and payrolls were not sent through these accounts, the violation was also caused by administrative deficiencies,

  • Although it is stated under title 2.1, "Identification of Current Risks and Threats", that "In order to ensure the security of personal data, first of all, what all personal data processed by the data controller is, the probability of the risks that may arise regarding the protection of this data, and the losses to be caused in case of realization, must be correctly determined and appropriate measures must be taken...", the risk subject to the breach was not evaluated by the data controller,

  • Although it is stated that the e-mails are sent by the data controller in accordance with the obligation of disclosure and obtaining the explicit consent of the data subjects, it is seen that the text of the clarification is not a text that informs the relevant persons sufficiently about these issues and does not leave any other option to the persons,

  • As stated in the Board Decision dated 31.05.2019 and numbered 2019/157, in case the corporate e-mail service is procured from data controllers/processors abroad, the custody services should also be performed by the data controller in accordance with the provisions of Article 9 of the Law No. 6698. Using the personal e-mail accounts of the employees to send work-related e-mails, without using the corporate e-mail service, may result in the data being stored in different countries and cause loss of control over the data.

Considering these issues, regarding the data controller who does not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, and taking into account the unfair content of the fault, the fault of the data controller and the economic situation, it was decided to impose an administrative fine of 60.000 TL in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law.

Conclusion:
The biggest reason for a data breach is the use of employees' personal e-mails. Opening a corporate e-mail address for the employees and making all notifications and e-mails through these addresses provides a control mechanism for institutions and organizations in case of violations. Under the title of Monitoring Personal Data Security in article 3.2 of the Personal Data Security Guide (Technical and Administrative Measures), it is stated that “…A formal reporting procedure should be established for employees to report security weaknesses in systems and services or threats using them.” Thanks to the official reporting procedure to be established, it will be easier to inform the employees.

Summary of the Decision of the Personal Data Protection Board dated 16.06.2020 and numbered 2020/466 on a data breach in an insurance company's agency

As a result of examining the data breach notification within the framework of the Authority's authority and duty; With the Decision of the Personal Data Protection Board dated 16.06.2020 and numbered 2020/466;

  • The data breach occurred with unauthorized access to the systems of the data processor on 13.02.2020, the breach was detected by the data controller on 20.02.2020,

  • It is stated that the data controller insurance company does not supply the hardware to the data processing agency, the computer subject to the case belongs to the data processor himself, therefore, the data controller's own activity and user records on the computer are not managed by the data controller and penetration tests are not carried out,

Moreover, in the Agency Information Security Principles document, it is stated that, in order to ensure that the agencies comply with the information security policy, audits can be carried out by the Information Security or Risk Management and Internal Control units and that security and compliance tests and audits are carried out by external independent sources if necessary and periodically, although it is stated that the data processor does not; this is inconsistent with the statement “…data controllers must ensure that the security level provided by the data processors in question at least for personal data is provided while receiving services. Because, pursuant to the second paragraph of Article 12 of the Law, data processors are jointly responsible with the data controller for ensuring the security of personal data.” under the title of "Management of Relations with Data Processors" in article 2.5 of the Personal Data Security Guide (Technical and Administrative Measures-Guide) published by the Authority,

  • The data controller stated that, since the relevant computer was formatted immediately after the incident, no investigation could be made into whether any personal data had been accessed or not, and that the categories of identification information on the vehicle license and credit card information were selected based on the data processor's statement; this constitutes a violation of the statement “…in cases where personal data is damaged, destroyed, stolen or lost for any reason, the data controllers take action as soon as possible by using the backed up data…” in the article under the heading "Backup of Personal Data",

  • The agency officer received training on the protection of personal data after the data breach occurred,

  • The data processor uses the Windows 7 Professional x64 operating system. The announcement made on the official page of Windows states that, since the Windows 7 operating system no longer supports new Microsoft Security Essentials installations as of 14.01.2020, it is recommended that all customers switch to the best security option, Windows 10 and Windows Defender Antivirus; and in article 2.3 of the Guide, under the title of Determination of Personal Data Security Policies and Procedures, it is stated that “…almost every software and hardware needs to undergo some installation and configuration processes, but there are documented security vulnerabilities of some widely used software, especially old versions…”. That the operating system in question is already an old version as of 14.01.2020 shows that the necessary security measures are not fully taken by the data controller and the data processor,

  • Anti-virus software is not used at all by the data processor prior to the data breach,

  • Although the announcement made by the data controller on April 27, 2020 for the protection of agencies from cyber attacks, and the Agency Information Security Principles document dated 01.11.2019 and announced to the agents of the data controller on 21.01.2020, state that anti-virus software should be installed on all user computers and that agency users should not turn off anti-virus software or change its settings, the aforementioned security measures are not fulfilled by the data controller and data processor, and even the requirements of the documents prepared by the data controller himself are not met,

Considering these issues, regarding the data controller who does not take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law, and taking into account the unfair content of the fault, the fault of the data controller and the economic situation, an administrative fine of 172.000 TL is imposed in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law,

  • Of the 172 data subjects affected by the data breach, 95 people were not notified of the data breach,

  • Of the 77 people to whom the violation was reported, 33 were notified on 26.03.2020, 9 on 16.04.2020, 35 on 20.04.2020, therefore, there was more than 1 month between the date of detection of the violation and the date of notification.

Taking these into account, it has been decided to remind the data controller of the obligation to notify the relevant persons "as soon as possible", as stipulated in paragraph (5) of Article 12 of the Law, and that, as stated in the Decision, this notification can also be done in the form of "notifying through appropriate methods such as publishing on its own website".

Conclusion:
In article 3.2 of the Guide, under the title of “Ensuring Cyber Security”, it is stated that “…To be protected from malicious software, it is also necessary to use products such as antivirus and antispam that regularly scan the information system network and detect dangers. However, the installation of these products is not enough, it should be kept up to date and the necessary files should be scanned regularly.” The use of anti-virus is among the obligations of data controllers. Using anti-virus software, making regular improvements and keeping operating systems up to date are all important for preventing data breaches. It has been stated that audits can be carried out for agencies by the Information Security or Risk Management and Internal Control units, and that security and compliance tests and audits can be carried out by external independent sources, if necessary and periodically. Institutions and organizations can also receive support from various companies in order to provide security protection and control.
