Legal AlertPersonal Data Protection Board Rendered a Decision numbered 2020/787 on the Data Breach Notification of a Company Operating in the Healthcare Sector.

9 February 2021

Personal Data Protection Board (“Board”) rendered a decision (“Decision”) dated 09.10.2020 and numbered 2020/787 regarding the data breach notification made by a data controller (“Data Controller”) operating in the healthcare sector.

It is stated in the Decision that the Data Controller submitted a data breach notification indicating that (i) the data breach which started on 30.09.2020 was a result of a vulnerability of an application used worldwide; (ii) the data breach was detected and ended on 05.10.2020; (iii) the supporting documents regarding the employee trainings organized within the last year of the data breach, and the technical and administrative measures taken before and after the data breach were submitted to the Authority; (iv) a notification would be made to the data subjects who are affected by the data breach, within 3 days of the notification submitted to the Board.

The Board made the following determinations regarding the data breach notification submitted by the Data Controller:

  • The data breach has occurred due to a vulnerability in a commonly used application, thus it cannot be expected from the Data Controller to interfere in this situation;
  • The Data Controller has detected the breach in a short period of time;
  • The personal data affected by the data breach is easily accessible, since such data is provided on the private company stamps and at the public sources;
  • It has been stated by the Data Controller that the data subjects would be notified in up to three days after the data breach notification was submitted to the Board;
  • The possibility of an adverse outcome due to the data breach is low in terms of the data subjects;
  • The Data Controller has taken reasonable administrative and technical measures.

In light of its assessments, the Board decided not to impose any additional sanctions on the Data Controller in accordance with Article 12 of the Personal Data Protection Law numbered 6698, provided that the supporting documents regarding the data breach notification made to the data subjects are submitted to the Board.

You may reach the full Turkish version of the Decision via the link below.