
Turkish Personal Data Protection Board Fines an Internet Service Provider for Credit Card Exposure

16 May, 2020

The Turkish Personal Data Protection Board (“Board”), with its decision numbered 2020/213 and dated March 12, 2020 (“Decision No. 2020/213”), has fined an internet service provider, acting as data controller, for failing to take the technical and administrative measures necessary to ensure data security under Article 12(1) of the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”). The decision followed the internet service provider’s notification of a personal data breach to the Board.


According to the Board’s summary of the data controller’s breach notification, customers’ credit card information was exposed to third parties due to a security breach that occurred during an attempt to fix an online transaction failure in the invoice payment system of the Online Transaction Center, which the data controller operates for customers to conduct subscription transactions. The main cause of the breach was stated to be a change made to the application in order to fix the failure via “debug”, which added features that create logs. As a result, the credit card information of 69 customers was viewed by third parties.


The Board explained that: (i) implementing a verbally conveyed failure-fix request directly on the live platform rather than in a test environment indicates that the procedures for applying application changes to the live platform were not followed, which constitutes a lack of technical and administrative measures; (ii) the inadequacy of the testing procedures indicates that technical and administrative measures regarding application security had not been taken; (iii) even though the data controller claimed that personal data is either not displayed or is masked in the system interface, customers’ personal data (identity and financial) was exposed due to an error, which indicates technical inadequacy; and (iv) even though the data controller has a data security policy, its effective date is subsequent to the date of the breach. The Board therefore decided to impose an administrative fine of TRY 300,000.00 on the data controller pursuant to Article 18(1)(b) of Law No. 6698.


Simge Kılıç 
