The Law on the Protection of Personal Data and its secondary legislation have been updated frequently from the date the Law entered into force to the present day. Many procedures and principles relating to data protection are determined not only by the Law, the Regulations and the Communiqués, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform those concerned about the practices of the Personal Data Protection Board and to keep them up to date.
In December 2023, the Personal Data Protection Board (“Board”) published 31 decision summaries and 3 data breach notifications. In this month’s bulletin we cover the 10 decisions and data breach notifications that we consider to be of the highest importance among them.
DATA BREACH NOTIFICATIONS
Article 12/5 of the Law on the Protection of Personal Data (“LPPD”) titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
Union of Chambers of Agriculture of Turkey
In summary, the data breach notification submitted to the Board by the Union of Chambers of Agriculture of Turkey, in its capacity as data controller, states that the breach occurred on 20.11.2023 and was detected one day later; that it was carried out through Central Population Administration System (“MERNIS”) web service queries after the account credentials of a user registered in the Agricultural Chambers Information System (“ZOBIS”) were obtained; that 162,000 people, whose data subject group could not be determined, were affected by the breach; and that the affected personal data category was identity data.
Kaymek Kayseri Vocational Education and Culture Inc.
In summary, the data breach notification submitted to the Board by Kaymek Kayseri Vocational Education and Culture Inc. states that the breach was carried out by means of a link received via e-mail being clicked, that 7,186 students were affected, and that the categories of personal data affected are identity, contact, location and personal-information data, together with race and ethnic origin information from the category of sensitive personal data.
MongoDB Limited
In summary, the data breach notification submitted to the Board by MongoDB Limited, as data controller, states that the breach detected on 20.12.2023 was carried out by compromising the accounts of a limited number of the data controller’s employees in its customer relationship management (“CRM”) application and customer support application; that personal data of the users of some services were accessed and downloaded; and that 130,000 to 160,000 users from Turkey were affected by the breach.
The categories of personal data affected by the breach are: name, surname, title, company name, address, account number, telephone number (main, mobile, fax), e-mail address, sales representative name and surname, username (e-mail address), last successful authentication time, last authentication method used, the identifier and the alphabetic code for the user’s preferred time zone, the user’s registration date, the user’s first and last name, unique user ID, whether the user has been invited but has not yet accepted the invitation, whether the user has limited permissions, the last time a page was viewed by the user, the number of times the user has logged in, whether the user was automatically or manually blocked, whether and when the user was deleted, the date of e-mail verification, whether e-mail verification was required, alternative e-mail address, whether multi-factor authentication (“MFA”) was enabled, and the following fields relating to the deprecated MFA: the phone number and its extension, the alternative phone number and its extension, whether an authenticator device was used, and whether the user wishes to receive voice calls.
BOARD DECISION SUMMARIES
The Board’s Principle Decisions and the summaries of its decisions imposing administrative sanctions have been the most important source for keeping pace with the data world. The legislation has been shaped to a large extent in line with these decisions, and many procedures and principles, as well as concepts and expressions familiar from the European General Data Protection Regulation (“GDPR”), are found here. The duties and powers of the Board are listed in Article 22 of the LPPD, and the binding nature of the decision summaries rests on this provision.
CREDIT/DEBIT CARD REGISTRATION SHOULD NOT BE MANDATORY IN ONLINE SHOPPING!
In summary, the data subject complained that while shopping on an e-commerce site he/she was asked on the payment screen to save his/her credit/debit card information; that saving the card information was required in order to shop on the site; that there is no valid data processing condition under the Law for the data controller to store credit/debit card information; that the data subject had not given explicit consent to the data controller; and that the data subject was not informed about this processing.
In its defence statement the data controller stated that billing address and credit/debit card information are processed in order to complete payment transactions; that customers can remove their cards at any time from their account settings; that customers who prefer not to remove their card information can easily make subsequent purchases without re-entering the same information; that the Company clearly fulfilled its obligation to inform data subjects about its data processing activities; and that the Company carries out its personal data processing activities in compliance with the Law.
In its final review, the Board found that the purchase could not be completed without saving the card information in the system and that the card information remained registered in the wallet section after the purchase was completed. Given the data controller’s own statement that data subjects who add a payment instrument can easily make subsequent purchases, a new data processing purpose had emerged. Under the principles of “being connected, limited and proportionate to the purpose” and “processing for specific, explicit and legitimate purposes” set out in the Law, when the purpose changes the data processing condition must also be determined in line with the new purpose, and the continued processing of card information after the current purchase is completed can only be carried out on the basis of the data subjects’ explicit consent obtained in accordance with the Law. The Board decided to impose an administrative fine of 500,000 TL on the data controller.
UNLAWFUL ACCESS TO DATA IN THE E-NABIZ SYSTEM
In summary, the data subject complained that his/her health data had been viewed through the e-Nabız system by a physician working at the data controller Medical Centre; that the data subject had never received health services from the data controller, had no health problem that would require them, and had no relationship or acquaintance with the physician; that the fact that his/her e-Nabız privacy setting was “All Physicians Affiliated to the Ministry of Health See My Data” does not mean that he/she allows his/her health data to be viewed by a hospital or physician from which he/she has not received treatment and with which he/she has no connection; and that any processing of special categories of personal data depends on compliance with a legitimate purpose.
In its defence the data controller stated that the e-Nabız record of the data subject had been queried by the secretary of the physician working at the data controller, without the knowledge or consent of the physician or the hospital; that physicians can log in to the e-Nabız system with the e-signature defined in their name; that the weakest of the e-Nabız privacy and sharing settings, which every citizen can change at any time, namely “All Physicians Affiliated to the Ministry of Health See My Data”, had been selected by the data subject, so that physicians could access the health data without the data subject’s consent; and that it therefore cannot be concluded that the data controller failed to comply with the data security provisions.
In its assessment the Board stated that the data subject to the processing activity are health data, which fall within the special categories of personal data; that a person’s authorisation of access to his/her own records does not give other healthcare personnel or physicians the right to process those data for purposes other than the intended purpose; and that the necessary care was not shown, since the physician shared with assistant healthcare personnel the credentials for accessing the e-Nabız system that are provided only to physicians. The Board concluded that the data controller had not taken reasonable measures to prevent unlawful access to personal data and decided to impose an administrative fine of 200,000 TL on the data controller.
MARRIED COUPLE’S HEALTH DATA PUBLISHED IN THE NEWSPAPER!
In summary, the data subjects complained that they received health services from a private hospital; that, because of the problems experienced during treatment, they complained about the doctor to the Ministry of Health and the Chief Public Prosecutor’s Office and sent a notarised notice to the hospital; that their sensitive personal data were processed in a news item published in the newspaper two months after the treatment date; that, in their view, the notice they sent to the hospital was used as a source for the news item; and that the data controller gave no explanation of how the notarised notice containing sensitive personal data had been obtained.
In summary, the data controller stated in its defence that the transaction was a lawful data processing activity carried out within the scope of journalism, freedom of the press and freedom of expression; that the news item was created by including the allegations in the notice sent to the hospital by the data subjects and the responses of the person on the other side of the incident to those allegations; that the processing activity falls within the exception in Article 28/1(c) of the Law; that the exceptions make no distinction between “personal data” and “sensitive personal data”; and that the publication of the news item therefore does not constitute a violation of the Law even though it contains sensitive personal data.
In its assessment the Board stated that, for personal data processing to fall fully within the exception for freedom of expression, it must not violate the confidentiality of private life and must not constitute a crime; that the news item contained details that violate the confidentiality of private life; that there was no public interest in making those details known; that the personal rights of the data subjects were harmed as a result of the violation of their right to the protection of personal data; and that the fact that the personal data in the news item are sensitive data shows that the balance between substance and form was not struck. In this context, Article 28/1(c) of the Law could not be relied upon, and the Board decided to impose an administrative fine of 100,000 TL on the data controller newspaper.
CAN BANK NOTIFICATIONS BE MADE FROM A NUMBER NOT PROVIDED AS A CONTACT NUMBER?
In summary, the data subject complained that he became a customer of the data controller Bank online via his mobile phone number and applied for a personal loan on the same day, and that on the same day text messages with differing content were sent both to the phone number he had given to the Bank and to a phone number registered in his name that he did not use in his transactions with the Bank.
In summary, the data controller Bank stated in its defence that it is a member of Kredi Kayıt Bürosu A.Ş. (“KKB”); that under Article 73/4 of the Banking Law No. 5411 (“Banking Law”) the financial institutions that are members of KKB share their customers’ credit information with each other in a manner limited to and proportionate with the purpose; and that, pursuant to Article 36/1 and 36/2 of the Regulation on Information Systems and Electronic Banking Services of Banks (“Regulation”), monitoring mechanisms have been established to detect and prevent unusual or fraudulent transactions.
When risky transactions are detected, customers are warned as soon as possible by appropriate means such as telephone or text message, and the Bank stated that this is mandatory for it to fulfil its legal obligation.
In its assessment the Board stated that, pursuant to Article 5 of the Law, personal data may be processed without the explicit consent of the data subject where this is expressly provided for by law and where it is mandatory for the data controller to fulfil its legal obligation; that in the present case the contact information declared by the applicant during the loan application was not found in the KKB records; that this was treated as an early warning signal of a potential fraudulent transaction and the applicant was contacted through the most up-to-date contact information registered for him in KKB; and that these transactions were carried out in accordance with the Banking Law and the Regulation. The Board decided that there was no action to be taken under the Law.
THE PHARMACY SHARED THE REPORT AND MEDICATION RECORDS WITH THE EX-WIFE OF THE PERSON CONCERNED!
The data subject complained that he/she had divorced his/her spouse, that a custody case was pending between the data subject and the former spouse, and that it was understood from the case file that the data subject’s hospital report and medication records had been retrieved from the Medula system by the pharmacist and given to the former spouse.
In summary, the data controller stated in its defence that the former spouse of the data subject came to the pharmacy and requested printouts of the reports on the grounds that the data subject’s medication reports had been renewed; that the pharmacy employee, who did not know there was a dispute between the parties, gave the reports to the person he knew as the data subject’s spouse in order to be of help to the data subject; that during 2018, 2019, 2020 and 2021 the medications prescribed on the basis of the report had been handed over to the same person; that for four years the data subject consented each time to the purchase of medicines from the pharmacy by his/her spouse, to his/her spouse submitting his/her prescriptions to the pharmacy and to prescription transactions being carried out on his/her behalf; and that the pharmacist had never been notified or told that the data subject did not consent to this.
In its evaluation the Board stated that the pharmacist, as with his other obligations, must exercise the objective care required under the Turkish Code of Obligations in selecting, informing, supervising and instructing the personnel he employs and for whom he is responsible, and/or provide information and documents proving that he could not have prevented the damage from arising.
However, the Board stated that the pharmacist did not fulfil the obligation to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, and shared the data of the data subject with a third party without relying on any of the data processing conditions. In this context, it was decided to impose an administrative fine of 50,000 TL on the data controller.
FINDEKS REPORT QUERY IN CAR HIRE!
The data subject complained that he/she rented a car through the official website of the Platform, which provides online bus, flight, car rental and accommodation search services to users, and paid by credit card; that at the stage of collecting the vehicle an SMS was sent to him/her requesting access to his/her Findeks report; that he/she was told the car rental would not go ahead unless he/she gave explicit consent to the processing of the information in the Findeks report; and that the vehicle was not delivered.
In its defence, the data controller car rental company stated that the data of the data subject were processed by the intermediary Platform; that there was a confidentiality agreement between it and the Platform; that the company only dealt with the customer at the vehicle delivery stage; that no Findeks query was made; and that the vehicle was not delivered because the data subject did not pay the deposit.
In its response letter, the intermediary Platform stated that it only provides the environment for the services offered on its website as an intermediary service provider, and that it is not responsible for the content offered by the service provider or for unlawful matters relating to the goods or services that are the subject of that content.
In its assessment with regard to the Platform, the Board stated that the Platform does not provide car rental services, only receives reservation requests and does not collect fees, and that its responsibility as data controller extends only to services such as ticket listing, flight display, ticket sales, car rental and vehicle listing, hotel listing and hotel reservation. Since the Platform is not the party that determines the purposes and means of processing the data processed within the framework of the car rental service, the Board emphasised that it cannot be regarded as the data controller in the present case.
In its evaluation with regard to the car hire company, which it determined to be the data controller, the Board stated that although the data controller claims that no Findeks query is performed, the Decision Support Score Query based on Findeks is mentioned under the heading of rental conditions on its website, and whether or not to enter into a rental transaction is decided on the basis of the score generated there. The Board stated that explicit consent had been made a condition of the service, since the data subject who did not give explicit consent regarding the Findeks report was refused the rental, and decided to impose an administrative fine of 100,000 TL on the data controller for failing to fulfil its obligations regarding data security.
ATTENTION TO CHECK-IN PROCEDURES!
In the complaint submitted to the Authority, the data subject stated that he/she purchased a tour from a travel agency with his/her family; that when he/she logged in to check in via the airline’s mobile application, he/she was able to access the personal data of people he/she did not know, and all the information of these unknown people appeared in both the departure and the return transactions; and that he/she asked to be informed about the breach and about the possibility that his/her own personal data held by the airline had been disclosed or published to people he/she did not know, and asked for the existing breach to be remedied.
In its defence, the data controller stated that travel agencies make the reservation and ticketing transactions of all passengers in the same package tour collectively, so that the travel agency can track all its customers through a single Group PNR within the scope of the group reservation; that the company has implemented additional measures regarding access to these Group PNRs and the display of personal data; that, unlike general practice, after a person successfully logs in with the combination of PNR + surname, he/she cannot view all passengers in the PNR but only the records in the PNR whose surname matches; that joint viewing is intended to enable families travelling together to carry out their transactions together; and that this practice exists in line with requests received from passengers, especially regarding the allocation of adjacent seats for family members.
The data controller’s defence also included further explanations: that the surnames of the other passengers the applicant saw during check-in were the same as the applicant’s surname, but it was understood that these persons were not the applicant’s family members; that this showed that a control step which should have been carried out by the travel agency had not been carried out; that the travel agency that created the record in the system was obliged not to combine different persons with the same surname in a single Group PNR; and that no fault could therefore be attributed to the data controller on this point.
In its assessment the Board stated that, despite the explanations that the transaction complained of relates to the package tour agreement between the data subject and the travel agency, the surnames of the persons appearing on the screen after entry of the PNR information, as shown in the screenshots submitted by the data subject, differ from the data subject’s own surname. Contrary to the data controller’s claim, therefore, the data of persons with different surnames can be seen on the same PNR even when the login is performed with the PNR + surname combination, and this shows that the data controller had not taken the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful access to personal data and to ensure their preservation.
On the other hand, even if the issuance of a joint PNR is understood to be intended to facilitate the travel of family members who book together, and even if this can be evaluated within the scope of Article 40 of the Turkish Civil Aviation Law No. 2920, PNR information should be accessible only on a matching surname combination. The Board emphasised that in the present case access to the data of persons who share the same surname but do not belong to the same group or family and are not travelling together may constitute a data breach, and that no notification of this data breach had been made to the Board. It was decided to impose an administrative fine of 300,000 TL on the data controller.
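The check-in lookup discussed above, as an added example that is not part of the bulletin and not code from any airline’s system: it places the “general practice” lookup (PNR + surname unlocks the whole booking) and the surname-filtered lookup the data controller describes beside a variant that authenticates the individual passenger and authorises on a booking-time party rather than on surname equality. The passenger records, names, ticket numbers, the `party_id` field and all function names are constructed assumptions.

```python
"""Check-in record lookup by PNR + surname: the weak variants beside a hardened one.

Added example. The data model, names, ticket numbers and the party_id field are
constructed and hypothetical; they are not taken from the Board decision or from
any airline system.
"""
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Passenger:
    pnr: str            # group booking reference shared by the whole tour
    party_id: str       # assumption: id of the order/family the passenger booked with
    surname: str
    given_name: str
    ticket_number: str  # assumption: per-passenger e-ticket number
    seat: str


def normalize_surname(s: str) -> str:
    """Case-fold and strip diacritics so 'YILMAZ', 'Yilmaz' and 'Yılmaz' compare equal."""
    folded = s.casefold().replace("ı", "i")
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


# Constructed group PNR: a family (party P1), an unrelated passenger who happens to
# share their surname (P2) and was put in the same group booking by the agency,
# and a fourth passenger with a different surname (P3).
GROUP_PNR = [
    Passenger("ABC123", "P1", "Yılmaz", "Ayşe", "235-1000000001", "12A"),
    Passenger("ABC123", "P1", "Yılmaz", "Mehmet", "235-1000000002", "12B"),
    Passenger("ABC123", "P2", "Yilmaz", "Can", "235-1000000003", "20C"),
    Passenger("ABC123", "P3", "Kaya", "Elif", "235-1000000004", "21D"),
]


def weak_lookup(db, pnr, surname):
    """'General practice' described in the defence: PNR + any surname present in the
    booking unlocks every record in it, including passengers with other surnames."""
    key = normalize_surname(surname)
    if not any(p.pnr == pnr and normalize_surname(p.surname) == key for p in db):
        return []
    return [p for p in db if p.pnr == pnr]


def surname_filtered_lookup(db, pnr, surname):
    """The additional measure the airline said it applied: return only rows whose
    surname matches. Still discloses unrelated passengers who share the surname."""
    key = normalize_surname(surname)
    return [p for p in db if p.pnr == pnr and normalize_surname(p.surname) == key]


def party_lookup(db, pnr, surname, ticket_number):
    """Hardened variant (our assumption of a reasonable design): authenticate the
    individual with PNR + surname + own ticket number, then authorise on the party
    fixed at booking time, so a shared PNR and a shared surname unlock nothing."""
    key = normalize_surname(surname)
    me = next(
        (p for p in db
         if p.pnr == pnr and p.ticket_number == ticket_number
         and normalize_surname(p.surname) == key),
        None,
    )
    if me is None:
        return []
    return [p for p in db if p.pnr == pnr and p.party_id == me.party_id]


def strangers_disclosed(records, party_id):
    """Records returned to a user of `party_id` that belong to other parties."""
    return [p for p in records if p.party_id != party_id]


if __name__ == "__main__":
    for name, rows in [
        ("weak", weak_lookup(GROUP_PNR, "ABC123", "YILMAZ")),
        ("surname-filtered", surname_filtered_lookup(GROUP_PNR, "ABC123", "YILMAZ")),
        ("party-bound", party_lookup(GROUP_PNR, "ABC123", "YILMAZ", "235-1000000001")),
    ]:
        leaked = strangers_disclosed(rows, "P1")
        print(f"{name}: {len(rows)} rows shown, {len(leaked)} belong to strangers")
```

The point the Board’s finding turns on is visible in the second variant: a filter on surname equality is an authorisation rule built on a non-unique attribute, so it cannot distinguish a family from a stranger the agency placed in the same group booking. Binding the session to something only the individual holds (here the ticket number) and authorising on a relationship recorded at booking time removes both failure modes.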
FINE FOR HOTEL USING HOUSEKEEPING TASK SHEET!
In the complaint received by the Authority, the data subject stated that a document containing information about his/her stay at the hotel belonging to the data controller was sent to him/her via social media; that when he/she asked the sender how the document had reached him, the sender said he had asked an acquaintance working at the hotel to send it; that the data subject’s name and accommodation information on the document had thus fallen into the hands of third parties; and that the data controller had not fulfilled its disclosure obligation.
In its response letter the data controller stated that the printed document named Housekeeping Task Sheet, which is prepared by the housekeeping staff, contains the name, surname and room number of the guests; that guests are addressed by surname so that they feel personally attended to and special, in line with the standards of a hotel offering luxury service; and that housekeeping staff need to know the guests’ names and surnames in order to call a person in an emergency, to confirm that they have the right person and to prepare an emergency response report.
In addition, it was stated that the relevant documents are destroyed periodically every 3 months and that the document in question was destroyed after the data subject wrote about it on social media. It was also stated that the Housekeeping Task Sheet attached to the data subject’s complaint could not be read because of scribbles on it, and that the outcome of the Prosecutor’s Office investigation should be awaited, since it would be decisive in determining whether the document is genuine and whether the social media user exists.
In its final review the Board stated that, since the main activity of housekeeping staff is maintenance and cleaning, they have no need to know the names of guests; that under the principle of data minimisation the purpose of making guests feel special is not an interest that outweighs privacy; and that the Housekeeping Task Sheet practice should therefore be abolished.
The document is shared only with the data controller’s personnel, so the processing of personal data that took place when a third party obtained it in the present case can only have resulted from the data controller’s failure to take administrative and technical measures.
The Board further noted that the “Non-Responsibility Record” on the Registration Card / Accommodation Document states that persons who sign the accommodation document also accept the sending of commercial electronic messages such as advertisements and promotions to their contact details, whereas the same wording does not appear in the English part of the text.
Considering that guests are obliged to sign this document because the issuance of the accommodation document is mandatory under the legislation, stating that signing it also means consenting to the sending of commercial electronic messages undermines the element of free will. The Board decided to impose an administrative fine of 500,000 TL on the data controller for failing to fulfil its obligation to prevent unlawful access to personal data and to take all necessary technical and administrative measures to ensure the appropriate level of security for the protection of personal data.
EMPLOYERS WITH PLACES OF WORSHIP IN THE WORKPLACE, BEWARE!
The data subject complained that, after he, as a former employee, filed a lawsuit for reinstatement, the employer submitted footage of him in the place of worship recorded by the cameras positioned within the company.
In summary, the data controller stated in its defence that there is a camera system in the workplace because the workplace is classified as “very dangerous” in terms of occupational health and safety on account of its production activities, and that the employee was captured on camera in the place of worship because the place of worship is not a separate section but is located within the production area.
In its final examination the Board stated that the data controller’s processing of camera footage of the place of worship is processing related to the religious belief of the data subject and therefore falls within the special categories of personal data; that employees have a reasonable expectation of privacy in changing rooms, toilets, showers, the masjid, rest rooms and breastfeeding rooms; and that there is nothing about the place of worship within the data controller’s work area that would require it to be monitored. The Board found that the processing activity was contrary to the principles of “processing for specific, explicit and legitimate purposes” and “being connected, limited and proportionate to the purpose for which they are processed”, and decided to impose an administrative fine of 300,000 TL on the data controller.
SANCTION OF 750,000 TL FOR COOKIE PRACTICES!
In summary, the data subject complained that the data controller is the sole authorised distributor in Turkey of a widely played online game, is the company that carries out all transactions on behalf of the game for users in Turkey and receives all commercial revenues, and that the texts on its websites do not comply with the personal data protection legislation.
In its defence statement the data controller stated that only cookies that are strictly necessary for the operation of the website are used; that no cookies are used for marketing or similar purposes beyond these; that the cookie policy appears as a pop-up when the website is visited; and that, because the disclosure text and privacy policy on the website were prepared before the Law entered into force, a new compliance process had been started to update them and bring them into line with current data processing activities.
Since no definite conclusion on the data subject’s various complaints could be drawn from this response, the Board conducted an on-site inspection at the office of the data controller and at the headquarters of another company from which it receives services.
In its on-site examination the Board found that, beneath the cookie pop-up published on the data controller’s website, two options are offered, “use only necessary cookies” and “allow all cookies”, and that with the “allow all cookies” option a single blanket explicit consent is obtained for every type of cookie other than the necessary category, so that data subjects are not given the opportunity to choose per category.
The cookie table in the Cookie Declaration and Cookie Policy texts states that various cookies supplied by third-party cookie providers are used in the “necessary cookies” category, and the third-party cookie provider is a company located abroad. In the personal data processing activity carried out by the data controller through cookies on the website on the basis of explicit consent, the explicit consent is invalidated because the elements of “relating to a specific subject” and “given of free will”, which are among the elements of explicit consent, are not met, and a lawful personal data processing activity is therefore not being carried out.
The Board further concluded that the processing activity carried out by transferring personal data abroad through third-party cookies, whose providers are companies located abroad and which are placed in the category of necessary cookies, is unlawful because it is not based on the conditions for transferring data abroad, and decided to impose an administrative fine of 750,000 TL on the data controller.
GRC LEGAL Comment
In 2023 the Board was largely silent for most of the year and published few decisions, but it broke this silence at the end of the year. Looking at the published decision summaries as a whole, we observe that data controllers from many sectors are the subject of the decisions.
However, considering the issues addressed in the decisions and treated as the main points of evaluation in imposing administrative fines, it can be said that awareness of the data protection legislation in our country is still not at a sufficient level as the Law enters its eighth year in force, and the ideal of full compliance has not yet been realised for data controllers.