The Personal Data Protection Board (“Board”) rendered a decision dated 20.04.2021 and numbered 2021/407 (“Decision”) regarding the data breach notice of a data controller hospital (“Data Controller”).
In the Decision, within the scope of the data breach notice submitted by the Data Controller, it was stated that (i) the breach was carried out with the instruction of the physician working in the hospital, by removing the files of the patients out of the hospital by the hospital staff; (ii) the employee who attempted to extract the file was detected 17 days after it was videotaped; (iii) all but one of the employees involved in the breach was given a training on protection of personal data prior to occurrence of the data breach; (iv) the Personal Data Protection Authority (“Authority”) was notified to the Board 25 days after the breach occurred, due to the reasons included in the breach notification regarding late notification.
The Board detected the following after evaluating the breach notice submitted by the Data Controller:
- The data breach occurred when the bags containing the personal data and special categories of personal data belonging to the patients of the physician working in the hospital were taken out of the hospital by some hospital staff, upon the physician’s instruction;
- Sufficient administrative measures have not been taken to ensure data security, since unauthorized persons could enter the archive room where patients’ records were kept, and those persons could remove personal data and special categories of personal data of patients from the archive without permission;
- Of the 789 lost patient files, only 54 were retrieved and the fate of the others were unknown, indicating that the measures to reduce the risks for the loss of files were not sufficient;
- Employees were not given any or adequate training on the protection of personal data;
- The fact that the breach was detected 17 days after its occurrence showed that the Data Controller did not prepare or follow the personal data security policies and procedures well, and also failed to use the existing security measures in the hospital effectively;
- The breach was reported to the Authority 25 days after its detection;
- The breach was not reported to any of the data subjects, except for one person who visited the hospital.
In the light of the detections it has made, the Board imposed an administrative fine of TRY 450,000,- on the Data Controller on the grounds that the Data Controller did not take the measures to ensure the data security stipulated in Article 12, paragraph 1 of the Personal Data Protection Law numbered 6698 (“PDPL”); again, considering that the Data Controller has not fulfilled the 72-hour notification obligation specified in Article 12, paragraph 5 of the PDPL and the decision of the Board numbered 2019/10 on the Personal Data Breach Notification Procedures and Principles, and bearing in mind the unfair content of the misdemeanours committed by the Data Controller, the fault of the data controller and its economic situation, the Board decided to impose a further administrative fine of TRY 150.000,- on the Data Controller.
You may reach the full Turkish version of the Decision via the link below.