The Data Protection Board (“Board”) has rendered 2 (two) important decisions regarding “data controller’s obligation to prevent unlawful access to personal data” and “processing and transferring of health data”, both of which are announced at the Board’s web site on the date of 18 February 2019 (“Decisions”). On the other hand, with respect to data breach notifications to be made to the Board by data controllers, the Authority has made an announcement at its web site for disclosing its decision dated 24 January 2019 and numbered 2019/10 (“Announcement”) about when and how such notification will be made.
- The First Decision:
Among the Decisions, the first decision dated 26 July 2018 and numbered 2018/91 with respect to “data controller’s obligation to prevent unlawful access to personal data”, is a concrete example of administrative monetary fine imposed by the Board to a company, operating in a ready wear clothing sector, due to violation of Article 12 of the Data Protection Law with no 6698 (“Law”) outlining obligations of the data controller regarding data security. In this decision, upon complaint of the customer making online shopping from the relevant company’s web site, the Board has resolved that such company should be imposed to an administrative monetary fine as per Article 18 of the Law, due to not taking necessary technical and administrative precautions for the purpose of preservation of personal data and unlawful access to personal data as prescribed under Article 12 of the Law.
Through such decision, the Board has also has imposed the company to delete, erase the customer’s any kind of personal data from the company’s systems, make it unreachable and to submit evidencing documents in this respect to the complaining customer within 30 days following receipt of the decision, in line with Article 15/5 of the Law.
- Second Decision:
The second of the Decisions dated 5 December 2018 and dated 2018/143 in a nutshell acknowledges that sensitive personal data of the person (e.g. health data), having medicine under the control of a doctor, can only be processed in accordance with conditions under Article 6 of the Law and cannot be shared with third parties by pharmacy, unless the conditions defined under Article 8 are met. In this regard, upon complaint application of relevant person, the Board has sanctioned the pharmacy with an administrative monetary fine due to violation of Article 12 /4 of the Law.
- Announcement:
Apart from the Decisions, the Board also made a recent Announcement at its website about data breach notifications to be made by the data controllers in the event of data breach. In summary, the Board has clarified in its Announcement that:
(i) data breach notification to the Board should be made to the Board within 72 hours and to the data subject at the earliest reasonable period,
(ii) if such notification cannot be made to the Board within 72 hours due to valid reasons, such valid reasons should be communicated to the Board together with the data breach notification, and
(iii) standard data breach notification form of the Board in its web site should be used for these notifications.
Please let us know if you have any queries.