The principle decision of the Personal Data Protection Board dated 21.04.2022 and numbered 2022/388 on the payment and debt inquiry services of the municipalities was published in the Official Gazette on 29.04.2022.
A notice was given to the Authority on the grounds that access to individuals' real estate information by entering the Turkish Identification Number on the real estate tax payment/fast payment or debt inquiry pages that municipalities offer online creates a problem for the protection of personal data.
Within the scope of the Law on Protection of Personal Data No. 6698, data controllers are required to take technical and administrative measures during the processing of personal data. The “Personal Data Security Guide” has been prepared by the Personal Data Protection Board in order to provide clarity in practice on this subject. In this guide, the implementation of two-factor authentication control when remote access to personal data is provided is among the measures to be taken in order to ensure security. Therefore, when remote access to personal data is provided, a system consisting of two factors should be used so that third parties cannot easily access it. Examples of two-factor authentication control are access with a password created specifically for the person or with an SMS code sent to the person’s phone number, in addition to the Turkish Identification Number.
In the Personal Data Security Guide, it is stated that the data controller should determine the risks that may arise in order to ensure the security of personal data and take appropriate technical and administrative measures. Accordingly, two-factor authentication control, which will reduce or eliminate the risk, should be used instead of single-factor authentication, which carries the risk of easy access to personal data.
In line with this information, for the real estate tax payment/fast payment, debt inquiry and similar services offered by municipalities online, in order to fulfill the necessary obligations in accordance with Article 12 of the Law and to prevent data breaches, the first authentication of the two-factor authentication should be done with data such as the Turkish Identification Number, name and surname, or tax and registration number. The second authentication must be completely personal, such as the SMS code sent to the phone or the password sent to the e-mail.
In its evaluation, the Personal Data Protection Board decided:
- That municipalities should take technical and administrative measures in accordance with Article 12 of the Law by using membership and password or two-factor authentication in real estate tax payment/fast payment and debt inquiry services,
- To inform the public that action will be taken against the relevant municipality in accordance with Article 18 of the Law, in line with the complaints to be sent about the municipalities that do not take these measures,
- To take a Principle Decision on the use of two-factor authentication in accordance with Article 12 of the Law in real estate tax payment/fast payment and debt inquiry services of municipalities and to publish this decision in the Official Gazette and on the website of the Authority.