26 Jun, 2021

June 2021 Equivalent KVKK Decisions

Summary of the Decision of the Personal Data Protection Board dated 06/05/2021 and numbered 2021/470 on "the claim that the data controller did not fulfill the request for access to the personal data of the person concerned about the meal card account activities"

In summary, in the complaint of the person concerned, submitted to the Institution; It is requested from the Company, which is the data controller, that the account movements of the meal card allocated to him by his employer are communicated to him, additional information is requested to verify the identity in order to provide the requested information in the response given by the data controller, upon which the petition and the identity image are sent to the data controller via e-mail, In the e-mail sent by the responsible company, it was stated that the relevant information was shared in the attachment, but that the mobile phone number in the e-mail should be called in order to access the attached document due to additional security measures, and that this additional security measure was unlawful and prevented from accessing personal data and account movements It is stated that it is not shared in accordance with the Law on the Protection of Personal Data (Law) No. 6698, and it is requested that necessary action be taken within the scope of the Law.

  • In line with the risk analysis made by the data controller, since the file containing the personal data regarding the account activities and loading information of the meal card used by the data subject will be sent via e-mail to the "gmail" account specified by the data subject and whose infrastructure is abroad, the file containing this data will be sent encrypted. It is stated that it is aimed to provide data security at a high level; As stated in the Board's Decision dated 31/05/2019 and numbered 2019/157, if the G-mail e-mail service infrastructure of Google company is used, the e-mails sent and received will be kept in data centers located in various parts of the world; In this regard, based on the evaluations that the additional security measure taken by the data controller, who is under the obligation to prevent unlawful access to personal data in accordance with subparagraph (b) of paragraph (1) of Article 12 of the Law, is not a violation of the Law as claimed by the person concerned, but the meticulous implementation of the Law;

  • Upon the request of the data subject to access the personal data processed by the data controller regarding the account activities of the meal card used in accordance with subparagraph (b) of paragraph (1) of Article 11 of the Law; Contrary to the claim of the person concerned, the encryption of the file containing the personal data sent by the data controller via e-mail to the "gmail" address specified by the person concerned, contrary to the claim of the person concerned, in accordance with subparagraph (b) of paragraph (1) of Article 12 of the Law, to unlawfully transfer personal data. It is a reasonable measure to fulfill the obligation to take all kinds of technical and administrative measures to ensure the appropriate level of security in order to prevent access, the necessary explanation regarding this security measure is given to the relevant person and when the phone number included in the e-mail is called, the password is immediately sent to the person concerned. Considering that it is stated that it will be shared, it has been decided that the right to access personal data is not prevented, and accordingly, there is no action to be taken against the data controller within the scope of the Law.

Conclusion

Within the scope of subparagraph (b) of paragraph (1) of Article 11 of the Law on the Protection of Personal Data No. 6698, the right of access to the data in question is protected, if the personal data about him/her has been processed. Data controller pursuant to paragraph (1) of article 12 of the Law

a) To prevent the unlawful processing of personal data,

b) To prevent unlawful access to personal data,

c) It has been stated that it has to take all necessary technical and administrative measures to ensure the appropriate level of security in order to ensure the protection of personal data.

In the case before the court, the data controller's request for the phone number of the data subject in a way that does not burden him is related to the obligation to fulfill the administrative measures that the person should take, rather than preventing the access of the person's personal data. Otherwise, bad results such as theft or destruction of the data of the person concerned could occur. Whereas ; As stated in the Board's Decision dated 31/05/2019 and numbered 2019/157, if the G-mail e-mail service infrastructure of Google company is used, the e-mails sent and received will be kept in data centers located in various parts of the world; In this regard, it has also been concluded that the additional security measure taken by the data controller, who is under the obligation to prevent unlawful access to personal data in accordance with subparagraph (b) of paragraph (1) of Article 12 of the Law, is not a violation of the Law as claimed by the person concerned, but a meticulous implementation of the Law. .

Summary of the Decision of the Personal Data Protection Board dated 27/04/2021 and numbered 2021/427 on the "ex-officio review of a data breach by an e-commerce site (data controller)"

An ex officio investigation has been initiated by the Personal Data Protection Board regarding the issue within the scope of a notice made by the partner company on an e-commerce site (data controller) after accessing the information of third party companies through the customer service panel on the e-commerce site.

The company officials, who are their suppliers by the data controller, have access to the personal data of third parties when they log into the system of the data controller and are not authorized in this regard as of the first date of access, in this sense, before the "Confidentiality Agreement" mentioned, "unauthorized personal data in the possession of the data controller" It is understood that access has been provided, and it is not legally possible to eliminate the data breach that has occurred retrospectively with the confidentiality agreement signed between the data controller and the individuals after the unlawful access has occurred,

It has been determined that the breach occurred as a result of the data controller giving the supplier group, including the company that is its supplier, the authority to "call in all notifications", that regular control regarding unauthorized access is not provided and that the authorization processes are not checked and the potential damages that may occur on the data subjects by the data controller before the data breach. Considering that it is an indication that the necessary measures are not taken in order to prevent it, the unfair content of the fault, the fault of the data controller and the economic situation of the data controller, who do not take the necessary technical and administrative measures to ensure data security within the scope of paragraph (1) of Article 12 of the Personal Data Protection Law no. taking into account the application of an administrative fine of 600.000 TL in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law,

B. Regarding the notification made to the Institution and related persons:

Due to the unlawful access to the personal data of the data controller, the act subject to the criminal investigation carried out by the Company and the obligation to notify the Board of the data breach due to the failure of the data controller to take all necessary technical measures to ensure data security are different acts, the violation was dated 22.10.2019. Although it happened and was detected on 22.10.2019

  • No notification has been made to the relevant persons affected by the data breach,
  • No violation notification has been made to the Personal Data Protection Board.

Regarding the data controller, who acts in violation of the obligation to notify within 72 hours, determined in the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10, within the scope of paragraph (5) of Article 12 of the Law (b). ), it was decided to impose an administrative fine of 200.000 TL in accordance with the subparagraph.

Conclusion

  • It is among the duties of data controllers to notify the data breaches on time, to notify the relevant persons, to use the data in accordance with the law and legitimately, and to take the necessary administrative and technical measures. Fulfilling their responsibilities meticulously by data controllers has a very important place in preventing data breaches.
  • Summary of the Decision of the Personal Data Protection Board dated 27/04/2021 and numbered 2021/426 on "ex-officio review of a data breach in a data controller providing help desk panel service"
  • As a result of the data breach that occurred when the partner company on an e-commerce site accessed the notifications opened on the help desk by other third-party companies as a result of incorrect authorization during the collective authorization work carried out in the help desk panel where the e-commerce site receives service, the partner company notified the KVK Institution. An ex officio investigation has been initiated by the KVK Board.

As a result of the examination carried out, the KVK Board;

  • The help desk panel is a platform where the data controllers receiving service from the software company log in with their usernames and passwords and submit their help requests, the software company has the title of data controller in terms of the services provided on the platform, 13 different data controllers from the data breach, more than 950 numbers The identity, communication and customer transaction data of the employee and customer are affected, the data breach is caused by the wrong authorization arrangement and the failure of the data controller to take adequate security measures due to negligence, a data controller carrying out information services is expected to be more careful in information systems security, software development processes 300.000 TL for the data controller who does not take the necessary technical and administrative measures to ensure data security on the grounds that the breach occurred due to the fact that the update in the database was made in the live environment when it should have been done on the test platform, and the data controller does not have effective application and control tools that mask personal data in case there are documents containing personal data in their systems. imposition of administrative fines,
  • An administrative fine of 100.000 TL is imposed on the data controller who does not fulfill the obligation to notify the KVK Board about the data breach within 72 hours, 2 data controllers who do not respond to the KVK Authority and do not provide explanatory information/documents,
  • It has decided that the KVK Board should be instructed to show the necessary attention and care in responding to the information document request.

Conclusion

The data breach was caused by unauthorized access.

The most important issue for the prevention of data breaches is to protect the places where people have access.

Data controllers should avoid negligence and authorization arrangements should be made in full. Periodic control tests need to be performed on the test platform.

Availability of audit tools is very important in preventing data breaches.

Data breaches cause personal data to be accessed, used, and their privacy violated, and companies not showing due diligence in this regard cause heavy penalties to companies.

Source:

kvkk.gov.tr/6982
kvkk.gov.tr/6980
kvkk.gov.tr/6981

To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.

Request a Quotation

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram

Related Articles