In various notices sent to the Personal Data Protection Authority, it was stated that accessing the real estate information of the citizens by entering only the TR ID number on the real estate tax payment / fast payment or debt inquiry pages presented online by the municipalities constitutes a problem in terms of the protection of personal data and it was requested that the subject be examined within the scope of the Personal Data Protection Law No. 6698 (Law).

As it is known, pursuant to Article 12(1) of the Law, “the data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of: a) preventing unlawful processing of personal data, b) preventing unlawful access to personal data, c) ensuring protection of personal data.” Furthermore, Article 12(4) rules that “the data controllers and data processors shall not disclose the personal data that they have learned to anyone contrary to the provisions of this Law, neither shall they use such data for purposes other than that for which the personal data have been processed.” And Article 12(5) states that “in case the data processed are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through in any other way it deems appropriate.”

In this context, The Guideline on Data Security (Technical and Organisational Measures), prepared by the Board to provide clarification in practice about the technical and organisational measures that data controllers should take during their processing activities and to set good practice examples, counts the implementation of two-step verification system in case of remote access to personal data when necessary as one of the measures to be taken in order to ensure security. In this respect, in case the data are accessed remotely, it is necessary to use a two-step query system so that third parties cannot easily access. For instance, systems that allow access by querying the person's TR ID no and birthday information are determined as one-step verification, while systems that can be accessed with a password created specifically for the person in addition to the person's TR ID no or an SMS code sent to the phone number that the person has previously notified are called two-step verification. 

In Article 2.1 of the Guideline on Personal Data Security, titled "Technical and Organisational Measures, Determination of Existing Risks and Threats", it is stated that “In order to ensure data security, it is necessary to accurately determine what personal data are processed by the data controller, the probability of the risks that may arise regarding the protection of this data, and the losses to be caused by these risks if they occur and take appropriate measures accordingly. While determining these risks; it should be taken into account whether the personal data is sensitive personal data, what degree of confidentiality it requires due to its nature, and the quality and quantity of the damage that may arise in the case of a security breach. After identifying these risks and determining their priority, control and solution alternatives to mitigate or eliminate these risks should be evaluated in line with the principles of cost, applicability and usefulness, then necessary technical and organizational measures should be planned and implemented.” Accordingly, it is important to ensure that inquiries are made with two-step verification methods, which will significantly mitigate or eliminate this risk, instead of single-stage verification systems that carry the risk of easy access to personal information.

In this context, within the scope of the services offered by the municipalities through online pages such as real estate tax payment / fast payment or debt inquiry; it is evaluated that, in order to fulfil the obligations stipulated in Article 12 of the Law and to prevent any data breach, such services should be offered through two-factor verification system, where the first verification should be done with data such as TR identity number, name and surname, tax number, registration number, and the secondary verification should be carried out with a system such as a personalized SMS or a password sent to e-mail, and for a secondary level, systems exclusively tailored for the person and systems which request only the information the person have access to, or membership system, should be used instead of systems requesting information such as phone number, date of birth, parent's name, registration number belonging to person.

In the light of these evaluations, the Board unanimously decides that;

• Municipalities shall take the necessary technical and organisational measures within the scope of Article 12 of the Law by using membership and password or two-factor verification method in real estate tax payment/fast payment and debt inquiry services,
• The public will be informed that an action will be taken pursuant to Article 18 of the Law against the municipalities that fail to take the aforementioned in line with the complaints/notifications to be sent about the,
• Pursuant to Article 15(6) of the Law, a Resolution shall be adopted and published in the Official Gazette and on the Authority’s website, regarding that municipalities must use “membership and password” method or “two-factor verification” system in their real estate tax payment/fast payment and debt inquiry services as per Article 12 of the Law.