The Turkish Watchdog KVKK continues to impose penalties
Last updated: 4 Jul 2019
Summary of the Personal Data Protection Board's Decision dated 14/02/2019 and numbered 2019/23
The data controller, a company providing mobile phone technical services, gives customers a form number when a new device is registered for service so that they can check the status of their phone while it is being repaired. Because the form number is not assigned by a random number generator but issued sequentially, it is possible to reach other customers' personal data simply by changing the last two digits of one's own number to the previous or next values. As a result of the Board's investigation of the notice in question,
· The Board ascertained that other customers' personal data could be viewed by changing the last two digits of any form number, and that personal data such as name, surname, address and the IMEI number of the phone in service could be reached by following the links revealed by that lookup. Therefore, the Board decided that,
the company failed to comply with the obligation under Article 12/1 of the Law on the Protection of Personal Data to take all necessary technical and administrative measures to provide a sufficient level of security for personal data, and was required to pay an administrative fine of 150,000 TL under Article 18 of the Law;
the company was instructed to remedy the identified unlawful infringements, and use of the aforementioned links was suspended until documentation showing that the infringements had been remedied in accordance with Article 15/7 was delivered to the Board.
After the decision numbered 2019/23 was notified to the company, the Board examined the related system at several different times, again by changing the last two digits of a form number, to check whether the company had complied with the instructions. Following that examination, the Board issued a further decision dated 05/03/2019 and numbered 2019/52 regarding non-fulfilment of the Board's decision.
As a result of the examination, the Board concluded that:
It is still possible to search for and access other devices' information, and no additional security measures have been taken,
The search result page contains people's names, IMEI numbers and the shipping address of the device (masked except for the first and last letters). IMEI numbers are masked on the result page, but when the "Click for Device Records" link is clicked, the IMEI number of the device is plainly visible on the page that opens,
On that page there is no identifying information about the person the IMEI number belongs to, but when the "Click to View Your Shipping Information" link is clicked, the page redirects to the courier company's shipment tracking page. On that page the name of the person to whom the shipment was delivered is plainly visible, so the IMEI number can be matched to the recipient's name.
As a result of the examination, the Board decided, pursuant to Article 18 and for violation of Article 15 of the Law on the Protection of Personal Data, that the company is required to pay an administrative fine of 50,000 TL because the instructions to immediately remedy the violation and to suspend use of the links on the relevant websites were not carried out. In addition, as the remedy for the underlying security breach, the company was instructed to change the system that allows devices to be tracked and to prevent access to the lookup system, given that the access can still be obtained by changing the last two digits of a customer's examination/form number.
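The two decisions above describe one underlying flaw: service-form numbers issued in sequence, with nothing but the number required to view a record, and a detail page that undid the masking applied on the result page. The Python below is an added illustration, not the company's code and not part of the Board's decision. It places a minimal vulnerable lookup, together with the Board's own check of varying the last two digits of a known number, beside a hardened version that issues random tokens and enforces ownership on both the summary and the detail view. The class and function names, the owner identifiers and the sample customers, addresses and IMEIs are all constructed for the example.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ServiceRecord:
    customer: str  # name and surname
    address: str   # shipping address
    imei: str      # 15-digit IMEI of the phone in service


# Constructed sample records: fictional customers, addresses and IMEIs.
SAMPLE_RECORDS = [
    ServiceRecord("Ayse Yilmaz", "Kadikoy, Istanbul", "356938035643809"),
    ServiceRecord("Mehmet Demir", "Cankaya, Ankara", "490154203237518"),
    ServiceRecord("Elif Kaya", "Konak, Izmir", "352099001761481"),
    ServiceRecord("Burak Celik", "Nilufer, Bursa", "353226073000106"),
]


def mask(value: str, keep: int = 1) -> str:
    """Mask everything except the first and last `keep` characters."""
    if len(value) <= 2 * keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - 2 * keep) + value[-keep:]


class VulnerableServiceDesk:
    """Form numbers are handed out sequentially and the lookup checks nothing else."""

    def __init__(self) -> None:
        self._forms: dict[str, ServiceRecord] = {}
        self._next = 100000  # assumed starting counter

    def register(self, record: ServiceRecord) -> str:
        form_number = str(self._next)
        self._next += 1
        self._forms[form_number] = record
        return form_number

    def lookup(self, form_number: str) -> Optional[ServiceRecord]:
        # Knowing one form number is enough to read every neighbouring record.
        return self._forms.get(form_number)


class HardenedServiceDesk:
    """Random, unguessable form tokens plus an ownership check on every view."""

    def __init__(self) -> None:
        self._forms: dict[str, tuple[str, ServiceRecord]] = {}

    def register(self, owner_id: str, record: ServiceRecord) -> str:
        token = secrets.token_urlsafe(16)  # 128 random bits; neighbours are unrelated
        self._forms[token] = (owner_id, record)
        return token

    def _authorised(self, owner_id: str, token: str) -> Optional[ServiceRecord]:
        entry = self._forms.get(token)
        if entry is None or not hmac.compare_digest(entry[0], owner_id):
            return None
        return entry[1]

    def summary(self, owner_id: str, token: str) -> Optional[dict]:
        """Result page: only masked fields, and only for the owner."""
        rec = self._authorised(owner_id, token)
        if rec is None:
            return None
        return {"customer": mask(rec.customer), "address": mask(rec.address),
                "imei": mask(rec.imei, 2)}

    def device_records(self, owner_id: str, token: str) -> Optional[dict]:
        """Detail page: gated by the same check, so the plain IMEI is never
        reachable from a guessed identifier (the gap the 2019/52 decision found)."""
        rec = self._authorised(owner_id, token)
        if rec is None:
            return None
        return {"imei": rec.imei}


def enumerate_neighbours(desk: VulnerableServiceDesk, known_form: str) -> list[str]:
    """Reproduce the Board's check: vary only the last two digits of a known form number."""
    prefix = known_form[:-2]
    hits = []
    for suffix in range(100):
        candidate = f"{prefix}{suffix:02d}"
        if candidate != known_form and desk.lookup(candidate) is not None:
            hits.append(candidate)
    return hits


def demo() -> tuple[list[str], Optional[dict], Optional[dict]]:
    vuln = VulnerableServiceDesk()
    forms = [vuln.register(r) for r in SAMPLE_RECORDS]
    leaked = enumerate_neighbours(vuln, forms[0])  # every other customer's form

    hard = HardenedServiceDesk()
    tokens = [hard.register(f"cust-{i}", r) for i, r in enumerate(SAMPLE_RECORDS)]
    own = hard.summary("cust-0", tokens[0])     # masked view of one's own record
    cross = hard.summary("cust-0", tokens[1])   # another customer's token: refused
    return leaked, own, cross


if __name__ == "__main__":
    print(demo())
```

The random token is not a substitute for the ownership check: a token that leaks through a shared link or a courier tracking page would otherwise still open the record. Both controls together are what the Board's second decision was effectively asking for, since masking on one page is worthless if a linked page shows the same data unmasked.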
Summary of the Personal Data Protection Board's Decision dated 01/03/2019 and numbered 2019/47
A complaint was filed against a person for allegedly transferring personal data about the complainant and his family, obtained by unlawful means, to judicial authorities and to third parties without his consent. The Board found that:
i. The personal data was shared through petitions written to various authorities, and in this respect there was no processing of personal data carried out wholly or partly by automatic means, or by non-automatic means as part of a filing system.
ii. In this context, the complainee cannot be qualified as a data controller,
iii. The claim that the personal data of the applicant and his family were unlawfully obtained by the complainee concerns an offence under the Turkish Criminal Code, and there is no action to be taken under the Turkish Law on the Protection of Personal Data.
iv. The data subject's claim that the complainee accessed his personal data through the Enforcement Directorates was based on personal opinion, and, since no concrete information or document had been provided, it was decided that there is no need for the Board to take action on that claim.
Summary of the Personal Data Protection Board's Decision dated 25/03/2019 and numbered 2019/82
Each subject of complaint or notification is followed by the Authority's decision on it.
The complaint alleges that consent is being demanded as a precondition for the services, since the website states that customers must consent to the processing of their personal data in order to benefit from the advantages of the Loyalty Card Program.
The Authority decided that the Loyalty Card Program is not a precondition for customers to benefit from the services of the grocery chain, since consent is a precondition only for the benefits of the program and not for the chain's services; therefore there is no need for action.
It was notified to the Board that the grocery chain charges customers 0.01 TL under the name "Procedure of Obtaining Consent" when obtaining consent for the Loyalty Card Program.
The Authority decided that there is no need for action, since the 0.01 TL charge was the result of a system bug and the grocery chain refunded the amount to customers' Loyalty Cards as a discount.
The "Privacy Notice" and the "Card Membership and Consent Notice" were reviewed on the question of whether these documents contain unspecific statements.
The Board found that the "Privacy Notice" contains unspecific statements; that there are contradictions between the "Privacy Notice" and the "Card Membership and Consent Notice" as to which personal data are processed and to which parties they are transferred; that personal data are transferred to social media sites without consent; and that special categories of personal data are processed.
The Board decided that this processing does not comply with the general principles. Its reasoning was that processing of special categories of personal data is not relevant, limited and proportionate to the purposes for which the data are processed, given that the data controller is a grocery chain and the purpose of the Loyalty Card Program is marketing.
For these reasons, the Board ruled to instruct the grocery chain to cure the contradictions between the "Privacy Notice" and the "Card Membership and Consent Notice" and to revise its privacy notice in accordance with the legislation.
· The grocery chain claimed that it transfers anonymised personal data to social media sites. Since marketing activities cannot be performed with anonymous data, the Board decided to instruct the grocery chain to anonymise personal data in accordance with the definition of anonymisation in the Turkish Personal Data Protection Law.
· The Board decided that there is no need for action, since the grocery chain's reason for obtaining customers' consent was not to create a legal basis for personal data already obtained and processed, but to renew damaged physical copies of consents and to bring the consents into compliance with the Turkish Personal Data Protection Law.
Summary of the Personal Data Protection Board's Decision dated 02/05/2019 and numbered 2019/122
Pursuant to the Personal Data Protection Board's decision dated 2 May 2019 and numbered 2019/122 regarding T.C. Ziraat Bankası A.Ş. (the "Bank", the "Data Controller"), which did not reply to the data subject's application and whose information notice published on its website does not have the qualifications required by the legislation:
The data subject applied to the Bank via Registered Electronic Mail with an application containing the requests set forth in Article 11 of the Turkish Personal Data Protection Law No. 6698 (the "Law").
The application was not replied to within the 30 days set forth in the Law, and the data subject filed a complaint on the grounds that:
The application was not replied to within 30 days,
The information notice published on the Bank's website did not include the requirements set forth in the legislation.
It was decided that:
Since the Authority's notice received no reply, the Board's letter to the Bank shall be delivered in the form of "delivery to the supervisor at the workplace", and in this context action shall be taken under the disciplinary provisions against the persons responsible for the violation and the persons liable for taking the necessary measures and carrying out the examination.
The Bank shall reply to the data subject's application for the implementation of the Law. In addition, the Bank shall be instructed to exercise maximum care and attention in complying with the provisions of the legislation.
In the information notice on the Bank's website, the Bank's purposes for processing personal data are listed without clearly specifying the legal basis, that is, which of the conditions for processing personal data in Articles 5 and 6 of the Law the data subject's personal data are processed under; the statement that data are "processed within the scope of such purposes" can be read as allowing processing for other purposes that may arise; and the notice was therefore not prepared in accordance with subparagraphs (g) and (h) of Article 5(1) of the Communiqué on the Obligation to Inform. The Bank shall be instructed to review the information notice on its website and align it with the provisions of the Communiqué.