Turkey: KVKK issues TRY 600,000 fine to hospital for security and data breach notification violations
The Personal Data Protection Authority ('KVKK') announced, on 18 May 2021, that it had issued a decision in which it had fined a hospital a total of TRY 600,000 (approx. €58,720) for data security and breach notification failures under the Law on Protection of Personal Data No. 6698 ('the Law'). In particular, the decision concerns a data breach that had resulted from the gross misconduct of a physician, who was found to be removing patient files from the hospital. In addition, the decision notes that the breach affected the data of 789 patients, including, among other things, identity, contact details, health information, and social security numbers.
Moreover, the decision notes that the hospital had violated Article 12(1) of the Law in that it had failed to take all necessary technical and administrative measures to provide a sufficient level of security, and that this violation had been sanctioned with a fine of TRY 450,000 (approx. €44,040). Lastly, the decision notes that, in relation to breach notification, the hospital had failed to notify the KVKK of the breach within 72 hours, as required by Article 12(5) of the Law, resulting in a further fine of TRY 150,000 (approx. €14,650).
You can read the decision, only available in Turkish, here.