The important matters regarding the decisions taken within the scope of the Personal Data Protection Law No. 6698 (“Law”) and published on the official website of the Personal Data Protection Board (“Board”) in February 2022 are listed below.

1. Summary of the Board’s Decision No. 2022/13 on the sharing of the exam result document by a local news website without the explicit consent of the person concerned

In the incident subject to the complaint, it was stated that the Higher Education Institutions Exam (YKS) exam result document, which contains the personal data of the data subject, was shared by the local news site without the explicit consent of the data subject and a request was made to the data controller regarding this data processing activity, but this request was left unanswered.

The Board states that while freedom of the press is in question for the data controller who published the news in the aforementioned incident, the right to demand the protection of personal data is also in question for the person concerned, therefore, freedom of the press is against the right to demand the protection of personal data.

The Board concluded that the event in the news did not prompt the public to think about the issue, and therefore there was no public interest. The Board decided that the personal data processing activity carried out in the aforementioned news is against the Law and an administrative fine is imposed on the data controller. It was stated that the removal of the news subject to the complaint from the website as of the date of the decision was a mitigating factor in the punishment imposed on the data controller.

You can access the full text of the decision (in Turkish) from the link below:

https://kvkk.gov.tr/Icerik/7179/2022-13

2. Summary of the Board’s Decision Number 2021/1324 on the Yemek Sepeti data breach

In the complaint submitted to the Board, it was stated that a web application server belonging to the data controller was accessed by the person(s) who could not be identified, that the perpetrator(s) tried to collect data via different tools by creating a user on the server they accessed, and that they sent traffic to remote servers. In addition, it is stated that the person/individuals forwarded the data they obtained to an IP address/server in France and that this transmitted traffic had traces on the firewall, and 21,504,083 Yemeksepeti users were affected by the breach and that the personal data affected by the breach are username, address, phone number, e-mail address, user password, and IP information.

The Board states that the data controller is at fault since the installation and operation of malicious software on the system could not be noticed by the data controller for 8 days. At the same time, it has been concluded that the data controller does not have an effective control mechanism over the third-party companies that it receives service from and that it has deficiencies in the follow-up of security software and the use of security procedures.

In addition, it was stated that security controls and data security monitoring were not carried out properly by the data controller and leak tests were not implemented effectively.

For these reasons, it has been decided to impose an administrative fine on the data controller who does not take the necessary technical and administrative measures to ensure data security, under Articles 12 and 18 of the Law.

The full text of the decision (in Turkish) can be accessed from the link below:

https://kvkk.gov.tr/Icerik/7168/2021-1324

3. Principle Decisions Booklet published by the Board

You can find detailed information about the Principle Decisions Booklet published by the Board from our bulletin from the link below:

https://bener.com/information-note-on-the-principal-decisions-of-the-turkish-personal-data-protection-board/

Batuhan Şahmay
Behiç Ateş Gülenç
Associate | ates.gulenc@bener.com