Personal Data Protection Authority Decision to impose an Administrative Fine to Yemek Sepeti for Failing to Take Technical and Administrative Measures to Ensure Data Security
Following a data breach which occurred within the company’s web application server, the Personal Data Protection Authority (‘‘Authority’’) published a summary of its Decision No. 2021/1324, which was issued on 23 December 2021, in which it imposed a fine of TRY 1.9 million (approximately €122,130) on Yemek Sepeti Elektronik İletişim Perakende Gida Lojistik A.Ş. (‘‘Yemek Sepeti’’) for violations of Article 12(1)(a) of the Law on Protection of Personal Data No.6698 (‘‘Law’’).
In the data breach notification submitted to the Authority by the data controller it is stated that:
· The web application server of Yemek Sepeti was accessed by (an) unidentified person(s) on 18 March 2021,
· The system which is provided by an equipment to signal/prevent unauthorized access under normal conditions, failed to function properly and as a consequence of such malfunction the unauthorized access(es) could not be instantly noticed.
· When the alarms received on 25 March 2021 were examined, it was determined that there was suspicious behavior,