The Turkish Personal Data Protection Board (“Board”) decided, by its decision dated 18.09.2019 and numbered 2019/269, to impose an administrative fine of TRL 1.600.000 on Facebook for failing to take the necessary technical and administrative measures to prevent personal data breaches and for failing to notify the Board of such breaches as required by the Personal Data Protection Law numbered 6698 (“Law”), which was published in the Official Gazette on 07.04.2016.

Facebook notified the Board by e-mail on 25 September 2018 of a data breach caused by the complex interaction of multiple bugs in different Facebook features, namely “View As”, “Video Upload tool” and “Happy Birthday Videos”. However, this notification was not made in accordance with the procedure and principles set out in the Law. The Board therefore initiated an ex officio investigation against Facebook pursuant to article 15/1 of the Law.

As a result of this investigation, the Board determined more than one personal data violation, as follows:

  • Between 14 September 2018 and 28 September 2018, attackers were able to access users’ personal data through access tokens generated by the interaction of multiple bugs in three different Facebook features, “View As”, “Video Upload tool” and “Happy Birthday Videos”. This situation had persisted for a period of 14 months, which shows that Facebook had not taken the necessary measures,
  • Facebook was late in fixing the software failure and in removing the “View As” feature,
  • Access was provided to the personal data of 280,959 Turkish-language Facebook users, including profile information, religion data, location data, search histories and followed accounts,
  • Furthermore, the Board noted that the personal data accessed by the attackers could be used to profile the data subjects, and that such profiling could have a negative effect on them.

The Board had previously, by its decision dated 11.04.2019 and numbered 2019/104, published on 10.05.2019, imposed another administrative fine on Facebook amounting to 1.650.000 TL, due to unlawful access by third parties to data available through Facebook’s “Photo API” services.

Consequently, data controllers must comply with the Board’s decision dated 24.01.2019 and numbered 2019/10 on the Principles and Procedures of Personal Data Violation Notification in order to avoid similar sanctions. Such notifications must be made through the Data Violation Notification Form available on the website of the Personal Data Protection Institution “without any delay and at the latest within 72 hours from the date of learning”.