The Personal Data Protection Board [“KVKK”] published two more decisions on its website in which two different companies were fined for failing to take adequate administrative and technical measures to protect personal data. Since the regulations on the protection of personal data are relatively new in Turkish law, the decisions issued by the KVKK during the compliance period with the new regulations were largely of a warning and advisory nature. However, the recent decisions of the KVKK, including these two, show that the authority no longer makes concessions on the protection of personal data. A summary of the decisions can be found below.
In the first decision, the KVKK fined a company 300.000,00 TL for the data controller’s failure to take administrative and technical precautions, and 150.000,00 TL for the company’s failure to perform its obligation to inform the data subjects (the persons whose data were affected by the breach) of the data breach. In the reasoning of this decision:
- In its notification to the KVKK, the company stated that the time of the breach could not be determined. The KVKK regarded this acknowledgement as an indicator of the company’s failure to take the necessary supervision, inspection and control measures.
- The uncertainty as to when the data subject to the breach was stolen and when the data had been transferred to the data processor was regarded by the KVKK as an omission of the data controller in taking administrative and technical measures.
- The uncertainty as to which persons’ data were stolen was found by the KVKK to be another indicator of the inadequacy of the technical and administrative measures.
- The company’s failure to notify the data subjects of the data breach was regarded by the KVKK as a further indicator that the administrative measures were insufficient or ineffective.
For further information: https://kvkk.gov.tr/Icerik/5535/2019-254
Another company was fined 400.000,00 TL for inadequate technical and administrative measures to ensure the security of personal data, and 100.000,00 TL for the company’s failure to perform its obligation to inform the data subjects of the breach. In the reasoning of this decision:
- A third party’s access to an employee’s computer within the company was regarded as one of the indicators of the company’s administrative imprudence;
- The internal network connections to the servers were shut down only after the breach, which the KVKK considered evidence of a vulnerability in the servers’ security;
- According to the KVKK, the renewal of the firewall after the breach proves that the firewall was outdated before the breach, which is an indicator of a lack of technical precautions;
- According to the KVKK, the staff were untrained in cyber security awareness, and the staff’s unawareness regarding the breach is an indicator of a lack of technical precautions;
- The company’s IT department was informed of the breach by a member of staff. The KVKK regarded this fact as incompetence on the part of the IT department.
For further information: https://kvkk.gov.tr/Icerik/5537/2019-255