Principle Decision of the Personal Data Protection Board dated 21/12/2017 and numbered 2017/61 on the protection of personal data in websites/applications providing guidance services
The decision is within the scope of notices and complaints submitted to the Personal Data Protection Authority regarding websites and applications that provide guidance in the form of questioning names from phone numbers or phone numbers without the express consent of the persons concerned.
As a result of the evaluation;
In clause (e) of paragraph (1) of Article 3 of the Law, it is stated that “obtaining, recording, storing, preserving, changing, rearranging personal data completely or partially automatically or non-automatically provided that it is a part of any data recording system, Any kind of operation performed on data such as disclosure, transfer, acquisition, making available, classification or prevention of use” is regulated as the processing of personal data. Other obligations stipulated by the law must be fulfilled.
The data processing activity carried out by websites and mobile applications that share the contact information of the persons concerned without any basis in the law and the relevant legislation should be stopped immediately,
It has been concluded that if information is obtained that the websites/applications engaged in such activities have not ceased their activities, an application will be made to the authorized institutions in order to take necessary action to prevent access to these websites/applications.
Conclusion;
The relevant policy decision was published in the Official Gazette, taking into account the fact that personal data may have been obtained unlawfully, the Turkish Penal Code No. 5237 entitled "Unlawful Giving or Seizing Data" It is also stated that within the framework of Article 136, necessary legal actions will be taken regarding the relevant websites/applications. The data in these applications must be obtained in accordance with the KVKK numbered 6698. Obtaining the explicit consent of individuals is of great importance in order not to initiate legal sanctions on practices. In such applications, when collecting personal data, it is necessary to pay attention to the situations in which it is possible to process personal data without seeking the explicit consent of the person concerned, and the processing conditions of sensitive personal data in Article 6 of the law.
Policy Decision of the Personal Data Protection Board dated 21/12/2017 and numbered 2017/62 on the protection of personal data in service areas such as counters, counters and desks.
The principle decision of the Board; It is within the scope of notifications submitted to the Personal Data Protection Authority regarding personal data security violations in areas where services are provided to citizens such as counters, counters and desks.
As a result of the evaluation;
The 'post and cargo services, tourism agencies, customer service departments of chain stores, various subscription services, serving together with more than one employee, especially in the banking and health sectors. Personal institutions and organizations' , Personal Data Protection Law No. 6698 (KVKK) In accordance with Article 12 of the Data Protection Law (Law), regarding the protection of personal data; It has been decided to take the necessary technical and administrative measures to prevent unauthorized persons from taking part in sections such as counters / counters / desks, and to prevent service recipients who are close to each other from hearing, seeing, learning or seizing personal data of each other at the same time.
Conclusion;
Especially 'institutions and organizations serving adjacent order' must take greater care to avoid data breaches. Hearing, seeing and capturing personal data by unauthorized persons is one of the most common data breaches recently. It is very important for these institutions and organizations to take the necessary technical and administrative measures, to attach importance to data security in their corporate policies, and to organize awareness trainings for employees, especially on the protection of personal data, in order not to impose administrative sanctions by the institution.
To reach all relevant policy decisions;
7a2f2dc1-b656-4325-9249-73e350c3ea57.pdf (kvkk.gov.tr)
To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.