The Board initiates an investigation against WhatsApp
Principle decision on the personal data of third parties illegally provided by data subjects
A principle decision regarding the personal data of third parties illegally provided by data subjects (the "Principle Decision"), published by the Board on 22 December 2020, was also published in the Official Gazette on 15 January 2021. We analyse the Principle Decision in detail here.
The Principle Decision concerns contact details such as phone numbers and e-mail addresses that data subjects unlawfully supply to data controllers, at the controller's request, when those details in fact belong to third parties. The Board notes two consequences: the contact information held by the controller is inaccurate, and, because the data subject has given a third party's contact details, documents containing the data subject's own personal data end up being sent to that third party without a lawful basis.
In its Principle Decision the Board requires data controllers to take the necessary administrative and technical measures to confirm the accuracy of the contact information provided by data subjects, for example by sending a confirmation code to the phone number or e-mail address given and treating the contact detail as confirmed only once the code is returned. In addition to the confirmation mechanism, the Board has stated that data controllers must always keep channels open for data subjects to update and correct their personal data.
In case of a data breach, the Board may not always impose an administrative fine
The Board announced a decision, dated 9 October 2020, regarding its investigation against a company operating in the health industry, in which it did not impose an administrative fine. The company, as the data controller, had notified the Board of a data breach, which started on 30 September 2020 and ended on 5 October 2020. Within the scope of the data breach notification, the company stated that it had informed the data subjects affected by the data breach within three days following notification to the Board. In addition, the company demonstrated the technical and administrative measures it took before and after the data breach.
At the end of its investigation the Board underlined that the data breach did not arise from a lack of precaution by the data controller: the breach had been caused by an application widely used worldwide, and the controller could not reasonably have been expected to intervene. It also stated that the data controller had reacted quickly and had taken reasonable technical and administrative measures. For this reason, the Board concluded that no further action, such as an administrative fine or instructions, was required beyond ensuring that the company notified the data subjects affected by the breach. In conclusion, data controllers may avoid administrative fines if they take the necessary administrative and technical measures and act quickly to notify both the Board and any affected data subjects following a data breach.
The Board announced the following data breach notification in January
In January, the Board announced only one data breach notification. The breach occurred on the website of Özyegin University. Özyegin University, as the data controller, notified the Board on 5 January 2021 that the University's website had been attacked; the data controller had become aware of the breach on Monday, 28 December 2020. Several data categories of 1,665 data subjects were affected. Consequently, the Board has initiated an investigation regarding this data breach.