A shopping mall, which is the data controller, obtained e-Government passwords from the relevant persons for promissory note purchases, and T.C. identification numbers for creating a membership on its website. Regarding this, the Summary of Decision of the Personal Data Protection Board dated 17.02.2022 and numbered 2022/137 on the unlawful processing of personal data has been published on the website of the Personal Data Protection Agency.
In the notice submitted to the Authority, it was requested that the necessary action be taken, since e-Government passwords are requested from the relevant persons during the application for purchasing a promissory note and a telephone on the website of a shopping mall, which is the data controller, and since this situation constitutes a violation of the Law on Protection of Personal Data No. 6698. In addition, the notice stated that the page under the “Go to the Cash” tab on the website of the data controller carries the text “Enter your e-Government password in the field below if you want your approval process to be completed successfully. When the 'I confirm the order' button is pressed, the confirmation will be made automatically.” Screenshots of this information are included.
Thereupon, the data controller claimed that it did not ask for the e-Government password from the relevant persons, that the area in the screenshot is part of another image, and that there is a field to be filled and that it is in jpg format. However, it did not provide any supporting document for this, and it even declared that the screenshot subject to the report was removed immediately after being noticed by the parties. The Board pointed out that this situation revealed that the data controller could not control the possible personal data processing activities to be carried out on its own website and therefore did not take the necessary technical and administrative measures. In addition, it stated that, when customers provide their e-Government passwords in promissory note purchases, the relevant persons face the danger that the data controller can access all kinds of information about them on the e-Government portal.
On the website of the data controller, providing the e-Government password is obligatory for purchases with promissory notes, and providing the identification number is obligatory in order to create a membership. Upon this, the Board emphasized in its examination that the said personal data processing activities were carried out without relying on any of the data processing conditions in the second paragraph of Article 5 of the Personal Data Protection Law. In addition, the fact that the T.R. ID numbers and e-Government passwords of the persons concerned are shared with the data controller by those who want to shop with promissory notes seems to be within the scope of explicit consent. However, this does not meet the elements of the concept of explicit consent defined in subparagraph (a) of the first paragraph of Article 3 of the Law: an individual who gives consent to provide this information in order to benefit from the services has no other option for forming a membership and benefiting from the services provided afterwards, and is not presented with a real right to choose. It has therefore been determined that they were compelled to share the said data. In addition, a security vulnerability has emerged on the page related to the membership application on the website of the data controller, as a result of the fact that the personal data of people who have previously registered on the website by entering their T.C. ID number can be viewed by third parties.
As a result of these evaluations, the Board decided as follows:
- The data controller has not fulfilled its obligation to take the necessary technical and administrative measures to ensure data security in the processing of personal data in accordance with the first paragraph of Article 12 of the Law. Therefore, the Board decided to impose an administrative fine of 300.000 TL in accordance with subparagraph (b) of the first paragraph of Article 18 of the Law.
- In addition to this penalty, the Board decided that the e-Government passwords and identification numbers obtained from individuals be destroyed in accordance with Article 7 of the Law and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and that the Board be informed, together with documents (such as log records) proving that the destruction processes have been carried out.
- The Board instructed that the security vulnerability on the account creation page of the website, which caused the personal data of people who had previously been members of the system to be displayed, be resolved promptly, that the system be updated so that membership can be created without providing an ID number, and that the Board be informed about these transactions within thirty days at the latest.