The following are summaries of five recent decisions of the Personal Data Protection Board (“Board”).
- Decision No. 2021/470: The data subject requested transaction list regarding a meal pass provided by her employer. The data controller company sent the transaction list in an encoded document via e-mail and requested data subject to call the data controller company in order to provide her with the password. According to the data subject, this restricts the data subject’s right to be informed as to the data processing. On the other hand, the Board decided that such action should be regarded as required security measure under the Personal Data Protection Law numbered 6698 (“DP Law”).
- Decision No. 2021/427: Decision was given upon a previous data breach. A partner company accessed CRM system of an e-commerce platform provider. The access was notified to the platform provider. Although a confidentiality and service agreement was signed between the parties for discovery of system weaknesses, as the partner was not authorized to do so at the time of the breach, the Board decided that such agreement does not eliminate the unlawfulness of the breach. The Board imposed an administrative fine of total TRY 800,000.
- Decision No. 2021/426: Decision was given upon a previous data breach. E-commerce platform provider data controller provided excessive access authorization to a partner company by mistake. According to the Board the mistake has been arisen from the lack of required security measures. The Board imposed an administrative fine of total TRY 400,000.
- Decision No. 2021/571: Previously, associations, foundations and unions were exempted from registration to data controllers’ registry (“VERBİS”). For the sake of clarification, the Board decided to limit the exemption to associations, foundations and unions that do not conduct a business to accomplish their purposes. Accordingly, associations, foundations and unions which conduct a business must register with VERBİS limited to the activities of the business conducted.
- Decision No. 2021/569: Upon information requests from the Board regarding VERBİS registration of partnerships such as consortiums, business partnership or ordinary partnerships, the Board decided that the partners that are already under the obligation to register with the VERBİS must also enter data that are processed under the activities of the partnership to the VERBİS.