sonerkenaroglu

About an administrative fine issued based on the violation of personal data due to a digital algorithm fault.

SUMMARY OF THE DECISION OF THE TURKISH DATA PROTECTION BOARD CONCERNING THE VIOLATION CAUSED BY DISPLAYING THE PERSONAL DATA OF A THIRD PARTY INSTEAD OF THE USER'S OWN PERSONAL DATA WHILE LOGGING INTO THE WEBSITE.

In the case subject to the decision of the Turkish Personal Data Protection Board (the "Board") dated 24.08.2023 and numbered 2023/1465 (the "Decision"), the applicant alleges that:

  • When he logged in to the website of a car rental company (the "Data Controller") with his own username and the e-mail address registered in the system, he was redirected to another person's account,

  • As a result of the misdirection, he accessed a third party's personal data including address, telephone number, Turkish ID number and driver's license information,

  • He notified the call center of the Data Controller regarding the issue,

  • The information in the system was later corrected, but the Data Controller did not respond to the questions in his request.

In the defense submitted by the Data Controller, the following statements were made in summary:

  • All necessary technical and administrative measures are taken in accordance with the Law on the Protection of Personal Data (“the Law”) and other relevant legislation to ensure the security of personal data,

  • The user's information was altered as a result of an algorithmic error, and the applicant thus accessed the personal data of a third party,

  • When making a reservation, an incorrect e-mail address was entered manually on the reservation screen of the Data Controller, and entering this incorrect information disrupted the algorithm used to update customer information,

  • According to subparagraph (e) of Article 3 of the Law, making personal data accessible is a personal data processing activity, and the personal data of a total of four individuals became accessible to other users due to the incorrect operation of the algorithm used to update customer information in the data collection system of the Data Controller,

  • The algorithm, which malfunctioned due to an incorrect e-mail entry, exposed the personal data of individuals using the Data Controller's services to unauthorized access,

  • In accordance with the principle of "pertinence, limitation and proportionality to the purposes for which they are processed", as stated in Article 4, paragraph 2, sub-paragraph (ç) of the Law, the data processed should be adequate for the realization of the purposes specified, and the processing of personal data that are not relevant or not necessary for the realization of those purposes should be avoided,

  • Considering that, due to the incorrect operation of the algorithm in the data recording system of the Data Controller, unlawful access to the personal data of different users occurred when users of the car rental platform tried to log in to the system, it was decided, pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law, to impose an administrative fine of 200,000 TRL on the data controller, which failed to fulfil its data security obligations under Article 12 of the Law.

04.01.2024
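The failure mode described in the defense, a customer-information update step keyed on an e-mail address typed manually into a reservation form, is shown here as an added Python example; it is not the Data Controller's code, and the record layout, the exact matching logic and the sample customers are assumptions. The hardened variant writes only to the record of the authenticated session, so a mistyped e-mail cannot alter, or expose, another customer's data.

```python
from dataclasses import dataclass, field

@dataclass
class Customer:
    customer_id: int
    email: str
    profile: dict = field(default_factory=dict)  # name, phone, ID no., licence ...

def make_db():
    # Constructed sample records with fictitious values (assumption, not real data).
    return {
        1: Customer(1, "alice@example.com", {"name": "Alice A.", "phone": "+90-000-0001"}),
        2: Customer(2, "bob@example.com", {"name": "Bob B.", "phone": "+90-000-0002"}),
    }

def weak_upsert_from_reservation(db, typed_email, profile):
    """Assumed weak pattern: the unverified e-mail typed on the reservation screen
    selects which record to update. A typo matching another customer's e-mail
    overwrites that customer's profile, who then sees someone else's data at login."""
    for c in db.values():
        if c.email.lower() == typed_email.strip().lower():
            c.profile.update(profile)  # writes into the wrong account
            return c.customer_id
    new_id = max(db) + 1
    db[new_id] = Customer(new_id, typed_email, dict(profile))
    return new_id

def safe_update_profile(db, session_customer_id, profile):
    """Hardened pattern: identity fields change only on the record owned by the
    authenticated session; a form-typed e-mail is never used as the key that picks
    the record to modify (it can be stored as reservation contact data instead)."""
    c = db[session_customer_id]
    c.profile.update(profile)
    return c.customer_id

def simulate(use_email_as_key):
    """Bob (id 2) makes a reservation but mistypes Alice's e-mail address.
    Returns the name Alice (id 1) is shown on her next login."""
    db = make_db()
    bob_details = {"name": "Bob B.", "phone": "+90-000-0002", "id_no": "<constructed>"}
    if use_email_as_key:
        weak_upsert_from_reservation(db, "alice@example.com", bob_details)
    else:
        safe_update_profile(db, 2, bob_details)
    return db[1].profile["name"]
```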

Kind Regards,

Kenaroğlu|Legal
