Administrative Fine Imposed Due to Display of Third-Party Personal Data During User Login on Car Rental Website
Universal Hukuk, 3 Mar 2025

It was stated that the data subject, while logging into the car rental company's website using their own username and email address, was mistakenly directed to another user's account, and as a result of this incorrect redirection, gained access to a third party's personal data such as address, phone number, Turkish ID number, and driver's license information. The incident was reported to the relevant call center, and although the information in the system was later corrected, no response was provided to the questions asked in the application made to the data controller. Therefore, action was requested under the Law on the Protection of Personal Data No. 6698 (“the Law”).

The Personal Data Protection Board (“the Board”) requested a defense from the data controller, the car rental company, and in its responses, the company stated, in summary, that:

  • The issue of incorrect data display arose due to the manual entry of incorrect email information on the reservation screen during the processing of a reservation made through the company’s central office, and the problem was promptly resolved by updating the system,
  • A database scan was conducted to determine whether the issue affected other users as well, and it was found that, in addition to the data subject, three other individuals experienced the same problem,
  • There was no data breach caused by the algorithm malfunction, and only a very limited amount of data was displayed within the system.

In its decision dated 24/08/2023 and numbered 2023/1465 [1], the Board ruled that:

  • Under Article 3(e) of the Law, making personal data accessible constitutes a personal data processing activity, and due to a malfunction in the algorithm used by the data controller, the personal data of a total of four individuals was exposed to unauthorized access;
  • An administrative fine of 000 TL shall be imposed on the data controller for failing to fulfill its data security obligations under the relevant article of the Law;
  • The data controller shall be informed that, in order for a violation notified by a data subject to be examined, it is not necessary for the data subject’s own personal data to have been affected by the breach;
  • The data controller shall be reminded of its obligations regarding data breach notifications, since unauthorized access to the personal data of data subjects by third parties constitutes a data breach under the Law.

In summary, data controllers engaged in personal data processing must:

  • Review their current data security measures and eliminate any administrative and technical vulnerabilities,
  • Notify the Board in a timely and accurate manner in cases where personal data is exposed to unauthorized access,
  • In the event of a breach, promptly inform the affected individuals and refrain from avoiding their inquiries.

[1] For more information, see: https://www.kvkk.gov.tr/Icerik/7784/2023-1465
