Turkish Data Protection Board ("Board") fined Facebook for 256.222 EUR with its decision of September 18, 2019.

The breach is due to a system deficit causing an attacker reaching profile data of a third party if the "View As" mode is used with a video uploader.

Several important points in the decision are below:

Board decided that;

  • System weakness existed for 14 months, which shows that necessary tests and controls were not made.
  • The intervention was late as the patch was made 2 days later and Facebook was disabled the "View As" feature 3 days later.
  • The features should have been tested before opening it to the public. Insufficient tests are a breach of data security obligation (taking administrative and technical measures to avoid data breaches)
  • As accessed data included special categories of data, the data controller should have taken the measures determined by the Board for processing of special categories of data
  • The breach could harm data subjects as they may be used for profiling.
  • Facebook should also pay a fine for avoiding breach notification to the Board.

Another interesting point is that the Board limited the scope of its evaluation to data subjects using Facebook in Turkish but not to Facebook users in Turkey.

We will publish our more detailed review later.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.