In summary, the data breach notification submitted to the Personal Data Protection Authority ("Authority") by Tofisa Tekstil Sanayi ve Ticaret Limited Şirketi, in its capacity as data controller, and published on the Authority's website on 29 June 2022, includes the following information:
- Customers calling the data controller's call center reported that they had received messages and calls from various law firms stating that enforcement proceedings would be started over charges for cargo that they had not received,
- Checks established that the callers were persons whose data had been shared with the data processor (Dolunay Cargo Logistics Automotive Construction Industry and Trade Limited Company),
- The data controller tried to contact the data processor but was unsuccessful,
- The names, surnames, phone numbers, numbers, e-mail addresses of the data subjects were shared with the data processor by the data controller, and the names, surnames and telephone numbers of the persons concerned were used unlawfully,
- The groups of data subjects affected by the breach are customers and potential customers,
- The number of people affected by the breach is 42,373, which is the number of people recorded in the data processor's records as having undelivered cargo.
Conclusion:
As the data breach notification published on the Authority's website shows, where a data controller authorizes, or will authorize, data processing on its behalf, or shares the personal data it processes, the companies or persons acting as data processor should also take care to provide the necessary administrative and technical measures. As part of the administrative measures to be taken by the data controller, the contracts made with the persons to be authorized need to include specific provisions, such as that the contract be made in writing and that the processor act only in accordance with the instructions of the data controller and within the purpose and scope of data processing specified in the contract. In addition, the data controller should pay close attention to the compliance of the data destruction and storage policies of the data processor it authorizes, and to the confidentiality commitments regarding the shared or processed data.
Apart from the administrative measures described above, the data controller must ensure that the other necessary technical and administrative measures have been taken with respect to the data processor to be authorized. This is important for minimizing the risk of data breaches and preventing possible grievances.
You can reach the Data Breach Notification Decision via this link: