PDPL BULLETIN – December 2024

The Law on the Protection of Personal Data (‘Law’) and its secondary legislation form a living body of rules that has been updated frequently since the Law entered into force. Many procedures and principles relating to data protection are set not only by the Law and the secondary regulations enacted under it, but also by the Personal Data Protection Board (‘Board’) Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform the relevant parties about the Board’s practice and to keep them up to date.

In December 2024, two data breach notifications, one Board Decision Summary, ‘Information Note on the Application of Misdemeanours in Terms of Time’ and ‘Information Note on the Activities of the Personal Data Protection Authority in 2024’ were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr. In addition, one Board decision was published on Anadolu Agency’s website www.aa.com.tr in December.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD titled ‘Obligations regarding data security’ states that ‘In the event that the processed personal data is unlawfully obtained by others, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.’

Anıl Private Health Services Tourism Trade Limited Company (Private Hisar Medical Centre)

In the data breach notification submitted to the Board by Anıl Özel Sağlık Hizmetleri Turizm Ticaret Limited Şirketi, acting as data controller, it was stated that the breach occurred between 22.11.2024 and 24.11.2024 and was detected on 02.12.2024; that the breach occurred as a result of a cyber attack, although no detailed information on the subject is available; and that the data controller cannot currently access the data subject to the breach. It is stated that the number of persons and records affected by the breach is not yet known, that the affected groups of persons are employees and patients, that health information and identity data are affected by the breach (again with no detailed information available yet), and that the relevant persons can obtain information about the data breach through the data controller’s website and physical desks.

Karadeniz Holding Anonim Şirketi

In the personal data breach notification submitted to the Board by Karadeniz Holding Anonim Şirketi, acting as data controller, it is stated that the breach is thought to have occurred due to a cyber attack, and that studies and research are continuing since detailed information on the subject has not yet been established. It is stated that the start and end dates of the breach are uncertain and that the breach was detected on 10.12.2024 as a result of the routine security check performed after the internet outage on that date; that no determination has yet been made regarding the categories of personal data affected by the breach; and that work to determine the number of persons and records affected by the breach is ongoing, with no determination made yet.

GRC LEGAL Comment: This month’s data breach notifications were both attributed to cyber-attacks. In both cases, however, detailed information about the breach could not be obtained and the effects of the breach could not be fully determined. This shows that data controllers need to make their detection and response processes for data breaches more effective.

Beyond the technical measures to be taken against cyber-attacks, these cases reveal the importance of establishing administrative measures and breach response plans, and of informing the relevant persons more effectively. It is important for data controllers to develop awareness not only of strengthening security measures within the company, but also of managing crisis processes effectively.

BOARD DECISION SUMMARIES

In order to keep up with the pace of the data world and current developments, the most important source at the national level on administrative sanctions has been the Board Decisions and Decision Summaries. The legislation has been shaped in line with these decisions, and many procedures and principles, as well as concepts and expressions familiar from the European General Data Protection Regulation (‘GDPR’), are found in them. The duties and powers of the Board are listed in Article 22 of the KVKK, and the binding nature of the decision summaries rests on this provision.

  1. Personal Data Protection Authority to Fine Meta for ‘Child Accounts’

The Personal Data Protection Authority (‘Authority’) initiated an ex officio investigation upon allegations that the privacy of child users was violated by converting their private Instagram accounts into business accounts and making their personal data public. As a result of the investigation, it was determined that, because the e-mail and telephone information in children’s business accounts was included in Instagram’s HTML source code, this information became accessible to everyone and children were left vulnerable to online risks.

The Authority decided to impose an administrative fine of TL 2,500,000 on the grounds that Meta did not take the necessary technical and administrative measures to ensure data security and did not fulfil its legal notification obligations, and TL 9,000,000 for converting children’s accounts into business accounts without checking the age criterion and without providing parental control in this process, totalling TL 11,500,000.

GRC LEGAL Comment: This decision emphasises the need for social media platforms to take more responsibility for ensuring the safety of children in particular. The inclusion of child users’ information in Instagram’s HTML source code not only indicates a security weakness of the platform, but also a lack of adequate protection against online risks. For lasting effect, such penalties should lead platforms to develop more effective security measures and stricter rules for child users. Meta’s experience should serve as a warning to other technology companies, and the protection of children’s digital privacy should be seen not only as a legal but also as an ethical obligation.

In addition, the fact that the Board has not published its decisions on its website for a long time can be considered a serious lack of transparency. This creates legal uncertainty for practitioners and data subjects and is contrary to the transparency principle of data protection law. The fact that the Board’s recent decisions can only be accessed through third-party sources such as Anadolu Agency causes uncertainty for all concerned, especially legal practitioners. Indeed, binding Board decisions form the basis of the compliance activities carried out by data controllers and shape those operations. For the process of harmonisation with the personal data protection legislation to be carried out effectively, the Board needs to publish its decisions on its website as a reliable source of information and to make them accessible first-hand.

  2. Summary of the Board’s Decision dated 08/08/2024 and numbered 2024/1385 on the Data Breach Notification Submitted to the Board by an E-Commerce Platform

In the Board’s decision dated 08/08/2024, an administrative fine of TL 3,250,000 was imposed on the data controller due to a data breach on the seller portal of an e-commerce platform. In this breach, some seller accounts were accessed after unauthorised persons obtained the username and password information the sellers used on other platforms and tried it on this platform. The data breach took place between 2 and 6 February 2024, and the data controller was only able to detect it on 6 February 2024 through complaints from customers and sellers.

As a result of the breach, 673 sellers were affected and malicious transactions (such as IBAN changes, product listings and price reductions) were performed on 107 of these accounts. In addition, the personal data of 7,202 customers were downloaded by unauthorised persons and suspicious orders were created in the accounts of 1,213 customers. The affected data included identity, contact, financial and customer transaction data. It was determined that the breach occurred due to a vulnerability in the data controller’s systems and insufficient technical measures. It was stated that security measures such as blocking bot traffic and two-factor authentication had not been taken before the breach, and that abnormal login activity was not recognised in time to detect it. It was emphasised that the measures taken after the breach should have been implemented earlier, and it was concluded that the data controller had not fulfilled its obligations under Article 12 of the Law.

GRC LEGAL Comment: This decision clearly emphasises the data security obligations the Law imposes on data controllers. The data controller’s failure to implement proactive security measures such as two-factor authentication, bot traffic prevention and anomaly detection[1] in a timely manner allowed the breach to occur and its effects to grow. Today it is important for companies whose main business is e-commerce, and which process personal data intensively because of their contact with end users, to take account of the frequency of cyber-attacks and to prevent them as far as possible.
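The detection gap the Board describes (reused credentials tried account by account, with no recognition of the abnormal login pattern) can be illustrated with a small log-based check. The following is an added example, not code from the bulletin or from the platform concerned; the log format, IP addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of seller-portal login events (format, IPs and names are made up).
# 203.0.113.7 walks through many seller accounts with passwords reused from elsewhere
# and gets into two of them; 198.51.100.4 is one seller mistyping before logging in.
LOGIN_LOG = """\
2024-02-03T10:00:01Z ip=203.0.113.7 user=seller0412 result=fail
2024-02-03T10:00:02Z ip=203.0.113.7 user=seller0419 result=fail
2024-02-03T10:00:03Z ip=203.0.113.7 user=seller0583 result=success
2024-02-03T10:00:04Z ip=203.0.113.7 user=seller0601 result=fail
2024-02-03T10:00:05Z ip=203.0.113.7 user=seller0777 result=fail
2024-02-03T10:00:06Z ip=203.0.113.7 user=seller0802 result=success
2024-02-03T10:00:07Z ip=203.0.113.7 user=seller0911 result=fail
2024-02-03T10:05:00Z ip=198.51.100.4 user=seller0150 result=fail
2024-02-03T10:05:20Z ip=198.51.100.4 user=seller0150 result=fail
2024-02-03T10:05:41Z ip=198.51.100.4 user=seller0150 result=success
"""

def parse_events(text):
    """Turn 'ts ip=.. user=.. result=..' lines into (datetime, ip, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, kv["ip"], kv["user"], kv["result"]))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that touch at least `min_users` distinct accounts inside `window`
    with a failure ratio of at least `min_fail_ratio`. One try per account, across many
    accounts, mostly failing, is the signature of reused-credential testing rather than
    of a user mistyping a password. Returns {ip: sorted accounts that logged in
    successfully from that IP}, i.e. the accounts to lock and re-verify first."""
    per_ip = defaultdict(list)
    for ev in sorted(events):
        per_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in per_ip.items():
        span = evs[-1][0] - evs[0][0]
        users = {u for _, _, u, _ in evs}
        fails = sum(1 for *_, r in evs if r == "fail")
        if span <= window and len(users) >= min_users and fails / len(evs) >= min_fail_ratio:
            flagged[ip] = sorted(u for _, _, u, r in evs if r == "success")
    return flagged

if __name__ == "__main__":
    for ip, hits in detect_credential_stuffing(parse_events(LOGIN_LOG)).items():
        print(f"{ip}: credential stuffing suspected; accounts to lock: {hits}")
```

The same per-IP, distinct-account view is what a bot-traffic filter or rate limit in front of the login endpoint would key on; the successful logins it surfaces are the accounts on which the IBAN and listing changes described above would otherwise go unnoticed.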

INFORMATION NOTES

  1. Application of Misdemeanours in terms of Time Information Note

Purpose of the Information Note

The Law on the Amendment of the Code of Criminal Procedure and Certain Laws, published in the Official Gazette on 12.03.2024, made important amendments to the Law and brought with it uncertainties regarding the application of misdemeanours in terms of time. These amendments were mainly made to Article 6 titled ‘Processing of Special Categories of Personal Data’ and Article 9 titled ‘Transfer of Personal Data Abroad’, and they entered into force on 01.06.2024. However, the new regulation provides that the first paragraph of Article 9 will continue to be applied until 01.09.2024. The information note published by the Board aims to explain the applicability of the Law in terms of time within the framework of these amendments.

Applicability in terms of Time

The provisions on applicability in terms of time should be evaluated within the framework of Article 5, titled ‘Application in terms of time’, of the Law No. 5326 on Misdemeanours. That article states that the relevant provisions of the Turkish Criminal Code No. 5237 (‘TCC’) also apply to misdemeanours. Accordingly, the provisions of the TCC will be taken into consideration when interpreting the Law on Misdemeanours.

Status | Complaint Time | Status of the Act | Applicable Law
The act was committed and finished before the amendment. | The complaint was filed before or after the amendment. | Instantaneous act / interrupted continuous act (completed). | The favourable law applies.
The act started before the amendment of the Law and continues. | The complaint* was filed before or after the amendment. | Continuous act (ongoing). | If the act was interrupted before the change of law, the favourable law applies. If the act was interrupted after the change of law or is still continuing, the new law applies.
The act took place after the change in the law. | | | The new law applies.

  2. Information Note on the Activities of the Personal Data Protection Authority in 2024

  • General Statistics

In 2024, the Authority finalised 6,958 out of 8,186 notices, complaints and applications, and publicised 63 out of 281 data breach notifications. As a result of the examinations, administrative fines totalling 552 million 668 thousand TL were imposed and 3 commitments regarding data transfer abroad were approved. In addition, 1,345 standard contracts were notified to the Authority.

  • Secondary Legislation and Guides & Publications

Following the amendments to the Law in 2024, the Authority published the ‘Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad’. In addition, it regulated four standard contracts and binding corporate rules envisaged as appropriate safeguards for the transfer of personal data abroad. In order to facilitate the notification of standard contracts to the Authority, an online Standard Contract Notification Module was established.

Sectoral guidelines such as the ‘Guidelines on the Processing of Turkish Republic Identity Numbers’ and the ‘Guidelines on the Protection of Personal Data in Election Activities’ were also published. In addition to these, the ‘Deepfake Information Note’, ‘Information Note on the Personal Data Processing Condition Stipulated in the Laws’, ‘Information Note on the Application of Misdemeanours in Terms of Time within the Scope of Law No. 6698’, ‘Information Note on Chat Robots (ChatGPT Example)’ and ‘Common Mistakes in Complaints and Notifications Submitted to the Board’ were published.

  • Awareness and Training Activities

The Authority organised seminars, summits, conferences and events to raise awareness of personal data. Digital privacy awareness was raised among children and young people with the ‘KVKK at School Project’, and the comic book series ‘I Learn Personal Data with Verican’ was published. The ‘Personal Data Protection Volunteers Training Project’ was carried out with law faculty students.

  • National and International Collaborations

The Authority carried out many collaborations at national and international level. In this context, protocols were signed with the TRNC Personal Data Protection Board, the Kyrgyzstan Data Protection Authority and the Ministry of Trade. In addition, the ‘Consultation Meeting of Data Protection Authorities’ was organised in Istanbul, and events such as the ‘Global Privacy Assembly’ were attended.

  • General Conclusions and Future Goals

Through its legislative work, the Authority has secured the rights of individuals and guided the compliance processes of institutions. For 2025, new guidelines and projects relating to artificial intelligence are planned.

[1] Anomaly detection is a technique for identifying unexpected events or patterns in data.