Summary of the Decision of the Personal Data Protection Board dated 01.10.2020 and numbered 2020/763 "About the data breach notification of the data controller providing online grocery shopping service"
Decision Date: 01/10/2020
Decision No: 2020/763
Subject Summary: About the data breach notification of the data controller providing online grocery shopping service
The data breach notification that the data controller sent to our Institution included the following statements:
- When sending an e-mail to a group of 400 recipients, all recipients are added to the BCC field of the bulk e-mail in order to protect the confidentiality of the recipients' e-mail addresses,
- During the process in question, the employee who sent the e-mail mistakenly added the e-mail addresses of 43 customers to the subject line of the e-mail; as a result, the e-mail addresses of those 43 recipients were shared with the recipient group of 400 people,
- As soon as the e-mail was sent, the employee noticed the mistaken transmission described above and contacted the people responsible for the Technology Department so that immediate action could be taken, but it was learned that it would not be possible to retrieve the e-mail,
- Customer e-mail address information was affected by the breach; since e-mail addresses may also include the name and surname of the person, identity and contact data were affected by the breach,
- The 43 relevant persons were informed about the said sharing, and it was ensured that their level of exposure from the violation was minimized,
- As soon as possible following the violation (within 48 hours), the relevant persons were contacted directly via their e-mail addresses, and the notification was made on 29.09.2020.
As a result of examining the data breach notification, the Personal Data Protection Board, with its Decision dated 01/10/2020 and numbered 2020/763, considered that:
- 43 relevant persons have been affected by the violation,
- The personal data affected by the breach is limited to the name and surname information in the e-mail and the e-mail addresses of the customers,
- The relevant persons were notified of the violation on 29.09.2020 and the supporting documents have been submitted to our Institution,
- The risk of negative consequences for the relevant persons affected by the violation is low,
- The 400 customers to whom the erroneous e-mail was sent were asked to destroy it,
- The data controller has fulfilled its obligation to notify our Institution of the data breach “as soon as possible” (within the 72-hour period specified in the Board decision dated 24.01.2019 and numbered 2019/10).

In view of these points, it was decided that, at this stage, there is no action to be taken against the data controller within the scope of Article 12 of the Law.
Ünal § Partners Legal Team