Personal Data Protection Board Decisions

Under the Law on the Protection of Personal Data, the sanctions imposed by the Board on data controllers who establish and manage a personal data recording system, who are obliged to process this data in accordance with the law, and who fail to comply with their obligations or act unlawfully, are published on the Authority's website in the form of Board decisions. In this article we examine some of the decisions made by the Board.

  • Summary of the Decision of the Personal Data Protection Board dated 27/04/2021 and numbered 2021/426 on “ex officio review of a data breach in a data controller providing help desk panel service”

Abstract: A personal data breach occurred when the partner company of an e-commerce site accessed notifications (tickets) opened by third-party companies on the help desk, as a result of incorrect authorization granted during bulk authorization work carried out in the help desk panel from which the e-commerce site receives service. The breach was notified to the Authority by the partner company, and an ex officio investigation was initiated by the Personal Data Protection Board.

It was assessed that the help desk panel is a platform established and managed by the data controller to provide maintenance and support services for its software services; other data controllers have only limited access to it and cannot make direct changes on it. With the Board Decision dated 22.04.2020 and numbered 2020/311, it was decided to initiate an ex officio investigation against the 10 data controllers that had not notified the Authority of the personal data breach, which had been reported by 3 data controllers, and information and documents were requested from those data controllers. As a result of the examination, and taking into account the degree of unfairness of the act, the fault of the data controller and its economic situation, it was decided to impose an administrative fine of 300,000 TL under subparagraph (b) of paragraph (1) of Article 18 of the Law on the data controller that had failed to take the necessary technical and administrative measures to ensure data security within the framework of paragraph (1) of Article 12 of the Personal Data Protection Law No. 6698, since more than one person was affected and the breach was caused by the negligence of the data controller.

In addition, since no notification regarding the data breach was made to the Board, the data controller failed to fulfil the 72-hour notification obligation set out in the Decision of the Personal Data Protection Board dated 24/01/2019 and numbered 2019/10, within the scope of paragraph (5) of Article 12 of the Law. Taking into account the degree of unfairness of the act, the fault of the data controller and its economic situation, it was decided to impose an administrative fine of 100,000 TL under subparagraph (b) of paragraph (1) of Article 18 of the Law.

  • Summary of the Decision of the Personal Data Protection Board dated 27/04/2021 and numbered 2021/427 on “ex officio review of a data breach by an e-commerce site (data controller)”

Abstract: An ex officio investigation was initiated by the Personal Data Protection Board following a notification made by the partner company of an e-commerce site (the data controller) after it had accessed the information of third-party companies through the customer service panel of the e-commerce site. Upon examination of the notification made by the partner company and the letters of the data controller, with the Decision of the Personal Data Protection Board dated 27/04/2021 and numbered 2021/427, and taking into account the degree of unfairness of the act, the fault of the data controller and its economic situation, it was decided to impose an administrative fine of 600,000 TL under subparagraph (b) of paragraph (1) of Article 18 of the Law on the data controller that had failed to take the necessary technical and administrative measures to ensure data security within the scope of paragraph (1) of Article 12 of the Law on the Protection of Personal Data No. 6698.

In addition, the unlawful access to personal data held by the data controller, which is the subject of the criminal investigation carried out by the Company, and the failure of the data controller to take all necessary technical measures to ensure data security, which gives rise to the obligation to report the data breach to the Board, are separate acts. Although the breach occurred on 22.10.2019 and was detected on 22.10.2019:

  • no notification was made to the relevant persons affected by the data breach,
  • no breach notification was made to the Personal Data Protection Board.

Consequently, it was decided to impose an administrative fine of 200,000 TL under subparagraph (b) of paragraph (1) of Article 18 of the Law on the data controller, which acted in breach of the 72-hour notification obligation set out in the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10, within the scope of paragraph (5) of Article 12 of the Law.

  • Summary of the Decision of the Personal Data Protection Board dated 20/04/2021 and numbered 2021/407 on “a hospital’s data breach notification”

Abstract: According to the data breach notification submitted to the Authority by a hospital acting as data controller, the breach occurred when files belonging to the patients of a doctor working at the hospital were removed from the archive and taken out of the hospital by some hospital staff on his instruction. The breach was fully established through the examination of camera recordings 17 days after an employee was seen attempting to take files out of the hospital. It was determined that 789 patients were affected by the breach and that 54 files were recovered and handed over to a custodian. As a result of the examination, and taking into account the degree of unfairness of the act, the fault of the data controller and its economic situation, it was decided to impose an administrative fine of 450,000 TL under subparagraph (b) of paragraph (1) of Article 18 of the Law on the data controller that had failed to take the necessary measures to ensure data security within the framework of paragraph (1) of Article 12 of the Law.

The notification was made 25 days after the breach was detected. As the reason for the late notification, it was taken into account that the hospital management caught the persons concerned red-handed while the files were being taken out of the hospital, the police were called immediately, the files were returned to the hospital under police supervision, the breach was contained by preventing the data from being taken out, a crisis desk was set up, and it was decided to deepen the investigation; to this end, statements of defence were taken from the doctor and his team, the files handled by the doctor were scanned, the camera recordings of various areas of the hospital, in particular the archive, the outpatient clinic and the car park, were examined, and finally, as a result of these examinations and investigations, a criminal complaint was filed with the prosecutor's office and a notification was made to the Authority.

Considering these issues, and in light of paragraph (5) of Article 12 of the Law and the Board's Decision on the Procedures and Principles of Notification of Personal Data Breaches dated 24.01.2019 and numbered 2019/10, under which the expression 'as soon as possible' is to be interpreted as 72 hours, the data controller did not, on the basis of its own statements, fulfil the notification obligation within that period. Taking into account the degree of unfairness of the act, the fault of the data controller and its economic situation, it was decided to impose an administrative fine of 150,000 TL under subparagraph (b) of paragraph (1) of Article 18 of the Law.

© 2019 Barlas Law Firm. All Rights Reserved.