In summary, in the data breach notification notified to the Personal Data Protection Authority (“Institution”) by Surtaş Otomotiv ve Servis Hizmetleri Sanayi Ticaret Limited Şirketi, which has the title of data controller, and shared on the Authority's website on July 21, 2022;
- “The violation occurred on 16.07.2022 and was detected on the same day,
- The violation occurred by taking control of the data controller's online transactions system and subsequently an instant communication application on the employee's phone, upon the notification of the SMS confirmation code sent to the employee of the data controller to the person who introduced him/her as authorized,
- The relevant person groups affected by the violation are employees, customers and potential customers,
- the personal data categories affected by the breach are identity (name-surname), contact (phone number), audio-visual records (profile photo),
- It is stated that the estimated number of people affected by the violation is 1200”.
Conclusion:
As seen in the aforementioned data breach notification shared on the institution's website; Personal Data Protection training should be given to the employees, which is one of the administrative measures that the data controller must fulfill, and the staff should be informed about this issue. The training provided to the personnel should be repeated at regular intervals and the knowledge of the personnel should be fresh and up-to-date. One of the basic principles to be considered while processing data is that the processed data should be related to the purpose for which they are processed, limited and measured. Within the framework of this principle, data controllers should minimize the data they process.
Taking the administrative and technical measures to be taken by the data controller in accordance with the standards determined by the Institution is of great importance in minimizing the potential data breach risk. Attention should be paid to issues such as controlling and updating the administrative and technical measures taken, and minimizing and masking the processed data, as these issues will reduce the size of victimization experienced both on behalf of the data subject and on behalf of the data controller in potential data breaches.
You can reach the Data Breach Notification Decision via this link:
