PDPL BULLETIN – FEBRUARY 2025
The Law on the Protection of Personal Data (‘Law’) and its secondary legislation have been subject to frequent updates since their entry into force. Not only the Law and the secondary regulations enacted in accordance with the Law, but also the Decisions of the Personal Data Protection Board (‘Board’), the Principles Decisions, and the Summaries of Board Decisions establish numerous procedures and principles related to data protection. Therefore, our monthly bulletins aim to keep stakeholders informed about Board practices and ensure up-to-date information.
In February 2025, the Personal Data Protection Authority (‘Authority’) published on its website www.kvkk.gov.tr three data breach notifications, a Public Announcement on Matters to Be Considered in Standard Contracts for the Transfer of Personal Data Abroad (‘Announcement’), and the ‘Guidelines on the Processing of Special Category Personal Data.’
Additionally, in February, Anadolu Agency’s website, www.aa.com.tr, published statements by the Authority’s President, Faruk Bilir, regarding the prior notification of citizens whose phone numbers are requested at the checkout during shopping.
DATA BREACH NOTIFICATIONS
Under the heading ‘Obligations regarding data security,’ Article 12/5 of the KVKK states: ‘If personal data processed is obtained by others through unlawful means, the data controller shall notify the relevant parties and the Board as soon as possible. The Board may, if necessary, announce this situation on its website or through other appropriate means.’
Organic Communication Technologies Information Industry Trade Limited Company
According to the data breach notification submitted to the Board by Organic Communication Technologies Information Industry Trade Limited Company, which acts as the data controller, the breach began on 1 February 2025 and ended on the same day. The data controller detected the breach on the same day through a message sent by an unknown person to its WhatsApp line, stating that the data had been compromised.
The message demanded payment in exchange for the return of the data. The third party supported their claim by sharing sample data belonging to the data controller through the WhatsApp line.
As a result of the investigations, it was determined that the relevant groups of individuals affected by the breach were subscribers and members. The personal data affected by the breach were identified as username, first name, last name, and contact information. A total of 1,090 individuals’ personal data were affected by this breach.
Afyon Kocatepe University
According to the data breach notification submitted to the Board by Afyon Kocatepe University, which is the data controller, the breach occurred as a result of unauthorised access to data in the distance education system through the use of the password of the user account named ‘system_admin’ belonging to the data processor. The breach began on 20 January 2025 and was detected and resolved on the same day. The breach was discovered through an announcement made by the unauthorised third party via the distance learning system.
The personal data affected by the breach are believed to include users’ Turkish ID numbers, institution registration numbers, email addresses of trainees registered at the continuing education centre, and visual and audio recordings used for distance learning purposes. The relevant groups of individuals include employees, users, students, and customers. It is estimated that approximately 26,438 individuals were affected by this breach.
Asilkar Hızlı Kargo Taşımacılık Ticaret Anonim Şirketi
According to the data breach notification submitted to the Board by Asilkar Hızlı Kargo Taşımacılık Ticaret Anonim Şirketi, which holds the status of data controller, unauthorised individuals gained access to the terminal servers of Ajannet Bilişim Hizmetleri Sanayi Ticaret Ltd. Şti., the service provider, after obtaining the usernames and passwords of system users through unauthorised means.
The breach began on 30 January 2025 and was detected on 3 February 2025 via a message sent on WhatsApp. As a result of this attack, unauthorised access was gained to the first and last names of 16 employees/users, which were used solely as file names. Ajannet Bilişim Hizmetleri Sanayi Ticaret Ltd. Şti. has informed the data controller that ‘the data received may contain the names, surnames, addresses, and shipment contents of the cargo recipients…’
GRC LEGAL COMMENT
The relevant data breach notifications are important examples demonstrating how personal data security is violated across different sectors in Turkey and how companies respond to such breaches. The breaches occurred in the telecommunications, education, and logistics sectors, affecting more than 27,000 individuals in total, and once again highlight how sensitive and exposed personal data is.
Unauthorised access using valid credentials is the common thread in all three breaches: an administrator account in the distance education system, system user accounts on a service provider’s terminal servers, and, in the first case, data later offered back for payment. This is a reminder that companies need to enforce strong password policies, use multi-factor authentication, and regularly review access logs. The security of administrator accounts, in particular, plays a critical role in preventing such breaches; a generically named account such as ‘system_admin’ that is shared with a data processor also makes it harder to determine who actually used the credentials. It is also notable that two of the three breaches were detected only because the attacker announced them, via a WhatsApp message and via an announcement posted on the system itself, rather than through the organisations’ own monitoring.
Examining these breaches also makes clear that not only data controllers but also data processors play an important role in this process. In the Asilkar Hızlı Kargo Taşımacılık incident, the compromise of the terminal servers of Ajannet Bilişim Hizmetleri Sanayi Ticaret Ltd. Şti., the service provider, shows that data controllers are exposed when data processors fail to implement adequate security measures.
Similarly, the unauthorised access to the distance education system of Afyon Kocatepe University was carried out through the administrator account belonging to the data processor. At this point, the joint responsibility of data controllers and data processors for data security measures (Article 12/2 of the KVKK) should not be overlooked. Data processors are not merely technical service providers; they are parties subject to the obligation to comply with the KVKK in terms of ensuring data security.
To prevent such violations, it is not sufficient for data controllers to establish their own security policies. Technical and administrative measures must be set out in detail in contracts with data processors, regular security audits must be conducted, and the allocation of liability between the parties in the event of a violation must be clearly defined. Otherwise, any security breach originating from a data processor may also affect the data controller legally and financially.
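The comment above recommends reviewing access logs and protecting administrator accounts, which is how a breach such as the Afyon Kocatepe University one could be noticed internally rather than learned from the attacker’s announcement. The following is an added example, not code from the bulletin or from any of the organisations named in it: a minimal check over an authentication log that flags successful logins by a privileged account from a source address not previously seen for that account, and logins outside business hours. The log format, the account name ‘system_admin’ (taken from the notification), the business-hours window and all log lines are assumptions constructed for illustration.

```python
"""Added example (not from the GRC Legal bulletin): flag first-seen source
addresses and off-hours logins for privileged accounts in an auth log.

The log format, the business-hours policy and the sample lines below are
constructed for illustration; 'system_admin' is only the account name
quoted in the Afyon Kocatepe University notification.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line:
#   "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2025-01-13T09:02:11 OK user=system_admin src=10.20.0.5
2025-01-14T10:15:40 OK user=system_admin src=10.20.0.5
2025-01-15T08:47:03 OK user=lecturer01 src=10.20.1.44
2025-01-19T23:58:12 FAIL user=system_admin src=185.0.0.10
2025-01-20T00:01:27 OK user=system_admin src=185.0.0.10
2025-01-20T00:03:55 OK user=system_admin src=185.0.0.10
"""

# Accounts whose logins deserve per-event scrutiny (assumed list).
PRIVILEGED = {"system_admin"}
# Assumed policy: interactive admin logins are expected 07:00-19:59 local time.
BUSINESS_HOURS = range(7, 20)


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on malformed input."""
    ts, result, user_field, src_field = line.split()
    if result not in ("OK", "FAIL"):
        raise ValueError(f"unexpected result field: {result!r}")
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def detect_privileged_anomalies(log_text, privileged=PRIVILEGED,
                                known_sources=None):
    """Return a list of alerts for successful privileged logins that come
    from a source address not seen before for that account, or that occur
    outside business hours.

    known_sources: optional {account: {ip, ...}} allowlist. If omitted, the
    first successful login of each account seeds its baseline, which means
    the very first event is trusted; in practice seed it from the processor's
    documented addresses instead.
    """
    seen_src = defaultdict(set)
    for account, ips in (known_sources or {}).items():
        seen_src[account].update(ips)

    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event["user"] not in privileged or not event["ok"]:
            continue  # only successful privileged logins are scored here

        reasons = []
        baseline = seen_src[event["user"]]
        if baseline and event["src"] not in baseline:
            reasons.append("new source address")
        if event["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        baseline.add(event["src"])

        if reasons:
            alerts.append({
                "ts": event["ts"].isoformat(),
                "user": event["user"],
                "src": event["src"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_anomalies(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the first two logins of ‘system_admin’ form the baseline and raise nothing; the successful login from 185.0.0.10 just after midnight is flagged for both a new source address and off-hours activity, and the following login from the same address is still flagged for the hour. A baseline seeded from the first observed login trusts whatever it sees first, so for a real deployment pass the data processor’s documented addresses in `known_sources` and treat any successful login outside that list as an incident to verify with the processor.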
PUBLIC ANNOUNCEMENT
Public Announcement on Matters to Be Considered in Standard Contracts to Be Used in the Transfer of Personal Data Abroad
Pursuant to Article 9 of the KVKK, standard contracts to be used for the transfer of personal data abroad must be notified to the Authority within five business days of their signing. The Authority has identified the matters to be considered as a result of its review of the standard contracts and has shared them with the public:
- Firstly, for the contract to be valid, it must be signed by the parties to the transfer or by persons authorised to represent them. If any signature is missing, the contract will be deemed invalid. Additionally, the signatures must comply with the Turkish Code of Obligations. If the contract is prepared in a foreign language, signatures must be included in both the Turkish text and the foreign-language text. Even in two-column contracts, signatures must be present in the column containing the Turkish text.
- Documents proving the authority of the persons signing the standard contracts to represent the parties must be submitted to the Authority together with the contract. If the names of the signatories are not included in these documents, the contract shall be deemed to have been signed by unauthorised persons and shall be invalid. Additionally, the names of the parties must be complete and consistent with the names in the supporting documents.
- Standard contracts must be notified to the Authority within five business days of the completion of the signatures, either physically, via registered electronic mail (KEP) address, or using the Standard Contract Notification Module. To allow the Authority to determine whether the notification was made within the specified timeframe, both parties must indicate their signing dates on the contract text. Additionally, all pages must be included in full so that no documents are missing when submitted to the Authority.
- Official documents issued in a foreign country must be apostilled or certified by the relevant Turkish consulate in that country to be valid in Turkey. If the documents are in a foreign language, they must be submitted along with notarised Turkish translations.
- In standard contracts, even if the signatures of the parties are completed at a later date, no provision should be included stating that the contract will take effect retroactively. Additionally, changes may only be made to clauses containing optional or alternative provisions. Any additions, deletions, or changes outside of this scope will jeopardise the validity of the contract.
GRC LEGAL COMMENT
The Announcement specifies the procedures to be followed in the standard contract process used for the transfer of personal data abroad. Despite the ongoing uncertainties regarding the standard contract process in practice, the recently published Guide on the Transfer of Personal Data Abroad (‘Guide’) and this Announcement aim to clarify the Authority’s expectations for the preparation of standard contracts.
Within the scope of this Announcement, which covers similar ground to the Guide, data controllers and data processors must exercise due diligence in the preparation and signing of standard contracts.
At this point, the validity of the signatures in the standard contract, the correct submission of the parties’ authorisation documents, and the consistency of all information in the standard contract are critical steps in preventing potential legal issues and ensuring the validity of standard contracts.
In particular, keeping track of details such as signature dates and the notification period for standard contracts helps ensure that the process proceeds correctly and that the standard contracts are accepted by the Authority.
The amendments to the KVKK entered into force in June 2024; however, the secondary regulations aimed at clarifying the process were published only in recent months. It is therefore likely that many standard contracts prepared by data controllers and/or data processors in the meantime do not comply with the conditions specified in the Guide and the Announcement, and whether the standard contracts notified to the Authority to date will be accepted remains a matter of concern.
AGENDA NEWS
Authority President Faruk Bilir: ‘Information must be provided to customers before requesting their phone numbers during shopping!’
The Authority’s President, Faruk Bilir, who made important assessments regarding personal data violations at the Turkish Grand National Assembly’s Artificial Intelligence Research Commission, stated that requesting phone numbers during shopping is one of the most frequent subjects of complaints submitted to the Authority.
He emphasised that when requesting phone numbers from citizens during shopping, the purpose of use must be clearly and explicitly stated to consumers. Bilir noted that the processing of personal data is subject to eight conditions established by law and that data processing not based on one of these conditions is unlawful.
Additionally, in line with the Authority’s established case law, it was reiterated that biometric data processing practices such as fingerprint, retina, eye, or palm scans in businesses like sports centres are excessive and should be avoided.
GRC LEGAL COMMENT
The statements made by the Authority’s President, Faruk Bilir, are of great importance in raising awareness regarding personal data requests frequently encountered in daily life. The warnings regarding the request for phone numbers during shopping are a topic frequently emphasised in the Authority’s previously published guidelines, public announcements, and Board decisions.
As is known, data controllers must inform the relevant person before commencing personal data processing activities and base such activities on one of the processing conditions set out in the legislation, or obtain explicit consent where necessary. In this context, while the data controllers’ obligation to inform remains, the legal basis to be relied upon for each activity will vary depending on the purposes for which the phone number requested during the transaction will be used.
As emphasised by the President of the Authority, while individuals must be informed about processes that continue as an extension of the transaction, their explicit consent must also be obtained in addition to this information in order to send commercial electronic communications to customers. Conducting the process without informing the relevant individuals about advertising messages and assuming that the provision of the phone number constitutes explicit consent would constitute a violation of the law. Indeed, it should not be forgotten that explicit consent is a concept based on information and the free will of the relevant individuals.
In connection with this news, the ‘Public Announcement on the Processing of Personal Data by Sending Verification Codes via SMS to Relevant Persons During Shopping in Stores’ published by the Authority may be recalled.
In that announcement, the Authority noted that during cash register transactions in stores, verification codes are sent to data subjects via SMS and customers are asked to read the code to the cashier for the completion of payment, issuance of invoices, and similar purposes, whereas in fact, according to the complaints received, the code was being used to record consent, and commercial electronic communications related to the store’s activities were subsequently sent to the individuals concerned. The Board has therefore repeatedly emphasised that sending commercial electronic communications on the basis of such misleading practices, without consent meeting the elements of explicit consent, is unlawful.