Summary of the Decision of the Personal Data Protection Board dated 20/04/2021 and numbered 2021/407 “About a hospital's data breach notification”
The event subject to the data breach notification;
It was realized that the bags containing the files containing the personal data/private personal data belonging to the patients of the physician working in the hospital were taken out of the hospital by some hospital staff upon his instruction,
It is an indication that the administrative measures to ensure the security of the physical environments are not adequately taken to ensure the data security of the issues where the camera records are not controlled, unauthorized persons can enter the archive room where the records of the patients are kept, and the files containing the personal data/private personal data of the patients can be removed from the archive without the permission of the chief physician. is,
Considering that 789 patients were affected by the violation, but 54 patient files, which were determined according to the police station report, were taken back and delivered to the trusteeship, and the fate of the remaining files is not known, the loss of patient files could not be prevented, and this shows that adequate measures were not taken to reduce the risks for the loss of the patient files in question,
Administrative fine of 450.000 TL pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law,
The institution was notified 25 days after the violation was detected, the reason for the late notification was that the hospital management was caught red-handed while the relevant files were being removed from the hospital,
Except for one of the relevant persons who came to the hospital, none of them were notified of the violation.
In accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law, it has been decided by the Personal Data Protection Authority to impose an administrative fine of 150,000 TL.
Conclusion;
In the concrete case, the hospital management did not take the administrative and technical measures, the training on the protection of personal data for the employees was not completed, From the violation; Although there are events that give rise to the suspicion of violation; The detection of the violation after 17 days is an indication that the personal data security policies and procedures are not well prepared or followed by the data controller, this is an indication of the fact that the current security measures taken cannot be used effectively, that the institution is notified late after the detection of the violation, and that the institution must have a data protection process. Personal data of 789 patients were violated as a result of not managing such The institution should notify the data breach within 72 hours at the latest. This decision is an indication of how important it is for institutions and organizations to take administrative and technical measures, and is an example of the very high penalties imposed on institutions that fail to take administrative and technical measures and are subject to data breach.
Summary of the Decision of the Personal Data Protection Board dated 20/04/2021 and numbered 2021/389 regarding the "notification by an insurance company about the condition of making the service subject to explicit consent"
In a notice sent to the Institution; It is understood that the notifying person has an individual pension contract (BES) from an insurance company (Company), that he has to consent to the processing of personal data by presenting a checkbox when he tries to access the policy information from the company's website, and that he cannot take any action if he does not tick this box, but It has been stated that it is against the law to have to give consent for the processing of personal data, and it has been requested that necessary action be taken within the scope of the Law on the Protection of Personal Data No. 6698 (Law).
Personal Data Protection Authority;
After examining the "Individual Pension Contract Offer Form" (Offer Form) on the website of the data controller, from the statements under the heading "Provisions Regarding the Services to be Provided on the Internet", the Service Agreement concluded between the data controller and the data controller and the data requested in the use of the application subject to notification. It can be seen as a method developed other than password in the services offered by the controller over the internet, in this case, it is necessary for the data controller to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract, which is included in the second paragraph of Article 5 of the Law. ” Since it is considered that it will be based on the data processing condition, it cannot be mentioned that the service is subject to the express consent condition, however, in the clarification text submitted for the use of the application in question in the case subject to the notification, explicit consent was also obtained for the processing of personal data, therefore, in the defense of the data controller, the concepts of explicit consent and clarification are intertwined. At this point, it should be underlined that it is the responsibility of the data controller to clearly express the legal reason for the personal data processing activity in question,
In addition, if the personal data processing activity in question is based on one of the conditions other than express consent in the Law, in this case, there is no need to obtain explicit consent from the data subject and it is possible to base the data processing activity on a basis other than express consent, in the form of deception and abuse of right. Based on the evaluations that this situation would be contrary to the principle of "compliance with the law and good faith" regulated in subparagraph (a) of the second paragraph of Article 4 of the Law,
Considering that obtaining the explicit consent of the persons concerned while there are other processing conditions in Article 5 of the Law is contrary to the principle of "compliance with the law and honesty rules" in Article 4 of the Law, those who do not fulfill their obligations in paragraph (1) of Article 12 of the Law about the data controller, pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law, that the application in question may have a negative impact on many people other than the whistleblower, that the data controller has a large customer base in terms of the service provided, the company's fault, economic situation and injustice It was decided to impose an administrative fine of 250,000 TL, taking into account the issues such as its content.
Conclusion;
In paragraph (a) of the first paragraph of Article 3 of the Personal Data Protection Law No. 6698 titled “Definitions”, express consent is defined as “consent related to a certain subject, based on information and expressed with free will”. In this respect, it should be clearly stated on which subject the express consent statement is requested by the data controller, in other words, the express consent statement should not be of a general nature, it should be specific to a specific subject and limited to that subject. However, since the explicit consent is a declaration of will, the person must know what he/she consented to in order to consent freely, and the person is expected to have full knowledge not only on the subject but also on the consequences of his consent, For this reason, information should be provided in a clear and understandable manner on all matters related to data processing. Institutions and organizations should pay attention to the fact that the concepts of explicit consent and disclosure are not the same and explain them separately. The intertwining of concepts can deceive people and does not comply with the rule of legal honesty.
Summary of the Decision of the Personal Data Protection Board dated 25/02/2021 and numbered 2021/140 regarding "internet services offered by municipalities"
In various notices sent to the Personal Data Protection Authority, it was stated that accessing the real estate information of the citizens by entering only the TR ID number on the real estate tax or declaration information inquiry pages on the internet constitutes a problem in terms of the protection of personal data, and the subject was requested to be examined within the scope of the Law on the Protection of Personal Data (Law) No. 6698. .
As a result of the examinations, only one information was found in the quick inquiry or debt payment applications offered by some municipalities, that the tax payment services provided by some municipalities are carried out by logging into the system via membership and password or double verification, and that these applications are in compliance with the Law. it is possible to access the debt information of individuals by entering; Considering that although it is not possible to access information about the name or property of the person, it is understood that information about the debt can be accessed, and this situation is contrary to the provision in subparagraph (b) of paragraph 1 of Article 12 of the Law;
To inform the Ministry of Environment and Urbanization and the Union of Municipalities of Turkey on the subject due to the illegal practices of some municipalities in this regard,
On the other hand, instead of applications for providing access to debt or real estate information of individuals by entering only a single information (for example, TR ID number, tax number), it is necessary to increase data security in inquiry pages regarding real estate tax, declaration information or similar services offered by municipalities. taking administrative and technical measures, in this context, for example, entering the TR Identity number or tax number so that double-layer verification is possible, as well as requesting different personal data from individuals, choosing methods such as verification via SMS, membership, and in this respect, the personalization of the service delivery methods of the municipalities. It was decided to instruct the Municipalities to take the necessary measures by re-evaluating them within the framework of the data protection legislation.
Conclusion;
The obligations of the data controller are included in Article 12 of the Personal Data Protection Law No. 6698. In the first paragraph of the relevant article; Data controllers are obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to ensure the protection of personal data. Municipalities that are data controllers in accordance with this provision must also fulfill their obligations to citizens. Public institutions, as well as the private sector, have great responsibilities in protecting personal data. Necessary administrative and technical measures should be taken to increase data security in public institutions, access should be limited, and two-stage authentication control should be implemented.
Summary of the Decision of the Personal Data Protection Board dated 13/04/2021 and numbered 2021/359 on the "unlawful sharing of the personal data of the data subject with a mobile application by the data controller company providing the site management service"
In summary, in the complaint of the person concerned, submitted to the Institution; It was stated that the company responsible for the management of the site he resides shared his phone number with a mobile application used within the scope of management services without his consent, and an information message was sent to him from the relevant application, and the necessary sanctions were requested within the scope of the Law on the Protection of Personal Data No. 6698 (Law).
By The Board;
The Management Services Company provides management services on the site where the relevant person resides within the scope of the contract concluded with the Site Representatives Board; Considering that the Provider Company has concluded a service contract with the application/second application to which the personal data is alleged to have been transferred, and it is stated in the KVKK Protocol, which is an annex to this contract, that the Management Service Provider Company has the title of data controller in the service contract, carries the title of data controller as the person who determines the purpose and method of processing personal data within the scope of the contract,
The Company Providing the Application Service, on the other hand, has the title of data processor performing data processing on its behalf within the scope of the authorization given by the Company Offering the Management Service,
In the article titled "Protocol Conditions" of the Protocol concluded between the Data Controller Company and the Data Processing Application Service Provider;
The Company Providing Management Services will share information, documents and data with the application in writing, electronically or in other ways, using the application within the scope of the service contract,
It will accept, declare and undertake that all kinds of data to be shared with the application by the Management Service Company are transferred to the application within the scope of the contractual relationship and, if deemed necessary in terms of PDPL, the Protocol is an express consent for all kinds of personal data to be shared,
If it is necessary for the persons concerned to give express consent within the scope of KVKK, it is stated that they accept, declare and undertake that they have obtained express consent from the relevant persons regarding the sharing of their data with the application,
Participation in the application where the personal data is allegedly transferred is optional and serves a separate purpose from the site management works, the processing of personal data in order to ensure the participation of the persons concerned in this application cannot be based on the processing conditions in paragraph (2) of Article 5 of the Law, but the explicit consent of the person concerned It has been concluded that personal data is processed unlawfully, taking into account the fact that the explicit consent of the person concerned is not obtained. It has been decided to impose an administrative fine of 100.000 TL in accordance with sub-paragraph (b) of paragraph no.
Conclusion;
The company that provides the Management Service, which has the title of data controller, must obtain the express consent of the relevant persons at points where it is not based on paragraph 2 of Article 5 of the KVKK No. 6698. Data controllers; They have obligations such as taking all necessary technical and administrative measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, to ensure the appropriate level of security in order to ensure the preservation of personal data.
