PERSONAL DATA PROTECTION LAW
The Law on the Protection of Personal Data and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board and to keep them up-to-date.
In August 2023, two Board decision summaries and twelve data breach notifications were published by the Board, and among the companies published, there are companies that are industry leaders.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In August 2023, twelve data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
Atatürk University
In the data breach notification submitted to the Board by Atatürk University, which has the title of data controller, in summary;
It was stated that it was noticed by the data controller that there was excessive traffic in the transaction logs on 09.08.2023, and it was thought that it was determined that unauthorised access to personal data was provided and student and employee information was viewed by using the user name and password of the personnel with administrative duties.
It was stated that the personal data subject to the breach included the Turkish ID number, name, surname, date of birth, place of birth, family sequence number, registry sequence number, volume sequence number, physical contact address registered in the system, e-mail address, mobile phone number, unit of study, and that the number of persons affected by the breach, both employees and students, was approximately 12,000.
Diler Holding A.Ş. and Group Companies:
Diler Holding and its group companies that have the title of data controller:
Atlas Enerji Üretim A.Ş.
Bodova Turizm Yatçılık San. ve Tic. A.Ş.
Diler Demir Çelik Endüstri ve Ticaret A.Ş. Diler Denizcilik ve Tic. A.Ş.
Diler Elektrik Üretim A.Ş. Diler Dış Ticaret A.Ş.
Esm Shipping and Trade Inc.
Eti Toprak Endüstrisi ve Ticaret A.Ş.
Renar Bitkisel Üretim Sanayi ve Ticaret A.Ş. Resa Demir Sanayi ve Ticaret A.Ş.
Yazıcı Demir Çelik San. ve Turizm Tic. A.Ş.
in the data breach notification submitted to the Board by Yazıcı Demir Çelik San. ve Turizm Tic. A.Ş;
It has been reported that the data controller systems were infiltrated by exploiting the firewall vulnerability and user accounts were compromised with a password attack, ransomware was installed with the compromised accounts, the breach started on 06.08.2023 and was detected as a result of the interruption of access to virtual servers on the same day.
It was stated that the relevant groups of people affected by the breach are employees and users, the data categories are identity, communication, personal, legal transaction, customer transaction, physical space security, transaction security, risk management, finance, professional experience, marketing and audio-visual records, and the number of people affected by the breach is 1200.
Vodatech Bilişim Proje Danışmanlık Sanayi ve Dış Ticaret A.Ş.
In the data breach notification submitted to the Board by Vodatech Bilişim Proje Danışmanlık Sanayi ve Dış Ticaret AŞ (“Vodatech”), which has the title of data controller
It was stated that the data breach occurred as a result of a cyber-attack on the servers of the data controller by encrypting the data in the storage devices and making them inaccessible.
It is stated that the relevant group of persons affected by the data breach are employees, family relatives of employees, suppliers, business partners, customer employees and employee candidates and the data affected by the breach; Identity, Contact, Personal, Finance, Professional Experience data in total 9746 people are affected.
Data Breach Notifications of Data Controllers Working with Data Processing Vodatech Business Partner When the data of the data controllers affected by the breach were examined with the cyber attack on the data servers within Vodatech:
Data Breach Notifications of Data Controllers Working with Data Processing Vodatech Business Partner
Dagi Giyim Sanayi ve Ticaret A.Ş. customers’ “identity, communication, customer transaction information and visual and audio recordings” data are affected, Beşiktaş Sportif Ürünleri Sanayi ve Ticaret A.Ş. customers and potential customers’ “identity, communication, customer transaction, visual and audio data are affected, records”
“Identity, communication, customer transaction, visual and auditory records” data of Beşiktaş Sportif Ürünleri Sanayi ve Ticaret A.Ş. customers and potential customers are affected,
Gulf Sigorta A.Ş. employees and customers’ “identity (name, surname), communication (e-mail, telephone number), visual and audio recording (audio, e-mail correspondence)” data were affected,
“Identity (name and surname), contact (telephone number), customer transaction, visual and audio records” data of YOYO Bilgi Teknolojileri ve Turizm Ticaret A.Ş. customers are affected,
“Identity (name, surname), contact (telephone number), customer transaction, visual and audio records” data of Oto Plan Operational Vehicle Rental Ticaret A.Ş. customers are affected,
Derimod Deri Konfeksiyon Pazarlama Sanayi ve Ticaret A.Ş. customers’ “identity, communication, customer transaction, visual and auditory records” data were affected and the number of people and records has not yet been determined,
AgeSA Hayat ve Emeklilik A.Ş. customers’ “identity, communication, customer transaction, visual and auditory records” data were affected and the number of people and records has not yet been determined,
UPS Hızlı Kargo Taşımacılığı A.Ş. customers’ “identity, communication, customer transaction, visual and audio records” data were affected and the number of people and records has not yet been determined,
It has been stated that the relevant group of persons, categories of personal data and the number of persons and records affected by the breach within Puma Spor Giyim Sanayi ve Ticaret A.Ş. have not yet been determined.
BOARD DECISION SUMMARIES
In order to keep up with the pace of the data world, the most important source has been the Board’s Principle Decisions and Summaries of Decisions for administrative sanctions. The legislation has been shaped in line with these decisions, and many procedures and principles as well as adjectives and expressions familiar from the European General Data Protection Regulation (“GDPR”) are included here. The duties and powers of the Board are listed in Article 22 of the KVKK and the binding nature of the summaries of the Decision is based on this provision.
Service cannot be conditional on explicit consent!
It has been stated that during filling out the form to make an appointment on the website of the health institution, it is obligatory to give consent to the processing of the applicants’ data and contacting the applicants for this purpose in order to be informed about the services and announcements of the health institution, and that the appointment process is not completed unless the consent is given to the promotion box, and thus, the service is conditioned on explicit consent by the data controller.
In the Board’s examination on the subject; it has been determined that although the name, surname, Turkish ID number, date of birth and mobile phone number information of the persons are requested on the form page filled out for appointment purposes on the website of the data controller, at the bottom of the same page, there is a box next to the phrase “… I allow my personal information to be used and contacted in order to be informed about the services and announcements of the Health Group”.
It is understood that the “next” button does not work unless the relevant box is ticked, therefore, the application in question reveals that the appointment service, which constitutes a preliminary step for the relevant persons to receive services, is conditional on explicit consent for the promotion of the data controller, It was decided to impose an administrative fine of 300. 000 TL on the grounds that requiring the explicit consent declaration would cripple the free will of the data subjects in this regard and that it would be deceptive and an abuse of right to rely on the explicit consent processing condition regulated in paragraph 1 of Article 5 of the Law, while it is possible to rely on processing conditions other than the explicit consent processing condition of the personal data to be processed in the appointment application form within the scope of the service to be provided by the data controller. 000 TL administrative fine was decided to be imposed.
Processing of Health Data with Explicit Consent within the Scope of Advertisement and Promotion Activities is Unlawful!
In the notification received by the Authority, it was stated that the consent forms signed by the patients requested explicit consent from the patients to share the images and videos of the patient with the media organs contracted by the hospital for advertising and promotional purposes, and that the fact that the patient signed the consent forms would not make the explicit consent lawful.
In the Board’s examination on the subject, it was stated that pursuant to the provision in Article 60 of the Private Hospitals Regulation, it is regulated that private hospitals cannot make promotions in the form of advertisements to create demand, and that the Advertisement Board’s 20.08. 2019 dated 20.08. 2019 and file number 2019/2602, it was decided to impose an administrative fine of 250.000 TL on the data controller on the grounds that the information and promotions regarding the statements that the treatment of the health problem experienced by the patient has been successfully concluded, giving a commercial appearance to the activities of the institution, creating demand and causing unfair competition against other health institutions.
GRC LEGAL COMMENT
Although the above-mentioned Board decisions stand out as two important decisions regarding the health sector, it is an indisputable fact that they are guiding all sectors with personal data contact. As a matter of fact; considering that the law is a whole, it is of great importance to ensure compliance with the LPPD with a holistic perspective.
In this context, the relevant provisions of the legislation with personal data contact and the decisions of the regulatory administrative authorities should be evaluated in KVKK compliance studies. Because, trying to circumvent the provisions of the legislation and the decisions of the regulatory administrative authorities by obtaining explicit consent from the data subjects within the scope of the process and activity will cause a violation of the law and good faith, which is one of the basic principles of the KVKK.