The Turkish Personal Data Protection Authority (the "Authority") has published its decision dated 20/01/2020 and numbered 2020/50 concerning the personal data breach notification of a retail clothing company. The decision concerns a breach that was detected late because of insufficient testing during the design phase of the company's web page.
In its breach notification to the Authority, the data controller stated that personal data of some customers who had opened new accounts were transmitted to certain third-party vendors/providers via a URL. The breach was identified during the data controller's own routine review.
The Board reached the following conclusions in its decision:
· The data breaches occurred on 01.08.2018 and 21.10.2018 but were not detected until 02.07.2019, roughly a year later. This indicates that the company's monitoring and alerting systems were not effective and that the company did not carry out the necessary controls.
· The fact that personal data could be seen by third-party vendors/providers via the URL indicates that the tests performed during the web page design phase were insufficient, or that the necessary tests were not performed at all.
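The decision does not say how the URL carried the data, only that third parties could see it. The most common way this happens on a sign-up flow is personal data placed in a query string, which is then sent to analytics or tag vendors directly or copied into the Referer header of every third-party resource the page loads. The following is an added example of the kind of pre-release check the Board found missing; it is not code from the company or the decision. The hosts, parameter names and captured requests are constructed for illustration, as a test harness might record them from a headless browser during a sign-up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hosts the application itself serves. Assumed value for this example.
FIRST_PARTY_HOSTS = {"www.example-retail.test"}

# Constructed sample of the requests a sign-up page fires. The vendor hosts
# are invented; the decision does not name the third parties involved.
SAMPLE_REQUESTS = [
    "https://www.example-retail.test/account/welcome?uid=8841",
    "https://www.example-retail.test/signup/done?name=Ayse&phone=%2B905551234567",
    "https://analytics.vendor-a.test/collect?ev=signup&email=ayse%40example.test",
    "https://tags.vendor-b.test/px?ref=https%3A%2F%2Fwww.example-retail.test"
    "%2Fsignup%2Fdone%3Fname%3DAyse%26phone%3D%252B905551234567",
    "https://cdn.vendor-c.test/lib.js?v=1.4.2",
]

# Parameter names that should never travel in a URL. Assumed starting list;
# extend it from your own data model.
PII_PARAM_NAMES = {
    "email", "e-mail", "mail", "name", "firstname", "lastname", "surname",
    "phone", "tel", "msisdn", "tckn", "address", "dob", "birthdate",
}

# Value-based detection for cases where the parameter name is innocuous.
EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[a-z]{2,}", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s()-]{8,}\d")


def find_pii_in_url(url, depth=0):
    """Return a list of findings for personal data carried in a URL's query string.

    A value that is itself a URL (a referrer or landing page passed to a tag)
    is scanned recursively, since that is how form data on a first-party page
    typically ends up inside a third-party request.
    """
    findings = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in PII_PARAM_NAMES:
            findings.append(f"parameter '{key}' is a PII field")
        if value.lower().startswith(("http://", "https://")):
            if depth < 2:
                findings.extend(
                    f"nested in '{key}': {f}"
                    for f in find_pii_in_url(value, depth + 1)
                )
            continue
        if EMAIL_RE.search(value):
            findings.append(f"email-like value in '{key}'")
        elif PHONE_RE.search(value):
            findings.append(f"phone-like value in '{key}'")
    return findings


def audit_requests(urls, first_party_hosts=FIRST_PARTY_HOSTS):
    """Group findings by destination.

    Third-party hits are direct disclosures. First-party hits matter too:
    a first-party URL with PII in its query string is copied into the Referer
    header of every third-party resource that page loads, and into web server
    and proxy logs.
    """
    report = {"third_party": {}, "first_party": {}}
    for url in urls:
        findings = find_pii_in_url(url)
        if not findings:
            continue
        host = urlsplit(url).hostname or ""
        if host in first_party_hosts:
            report["first_party"][url] = findings
        else:
            report["third_party"].setdefault(host, []).extend(findings)
    return report


if __name__ == "__main__":
    result = audit_requests(SAMPLE_REQUESTS)
    for host, found in result["third_party"].items():
        print(f"THIRD PARTY {host}: {found}")
    for url, found in result["first_party"].items():
        print(f"FIRST PARTY {url}: {found}")
    # A release gate would fail the build on any third-party finding.
```

Run against a capture of every request the sign-up page makes; any entry under `third_party` is a release blocker, and entries under `first_party` should be fixed by moving the data out of the URL (POST body, session) or, at minimum, by setting a strict `Referrer-Policy`. The same scan run continuously against production request logs is the monitoring control whose absence the Board pointed to in its first finding.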
For the reasons above, the Board found that the data controller had failed to take the technical and administrative measures necessary to ensure data security under Article 12(1) of the Personal Data Protection Law No. 6698 (the "Law"), and decided to impose an administrative fine of 50,000 TL under Article 18(1)(b) of the Law.
Author: Melis Karadeniz