PERSONAL DATA PROTECTION LAW
The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation form a living body of law that has been updated frequently since it entered into force. Many procedures and principles related to data protection are determined not only by the Law, the Regulation and the Communiqué, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up to date.
On 28 January 1981, the “Convention No. 108 on the Protection of Individuals with regard to Automatic Processing of Personal Data” was opened for signature and Turkey was among the first countries to sign this convention. In 2006, 28 January was declared as the European Data Protection Day by the Council of Europe and it has been celebrated as Data Protection Day in Turkey since 2016.
The aim of Data Protection Day is to raise awareness on the protection of personal data and to encourage improvement steps to be taken.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In January 2023, three data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
Okko Sağlık Turizm İnşaat San. ve Tic. A.Ş.
In the data breach notification submitted to the Board by the data controller, in summary: the programme used by the data controller for personnel and accounting transactions was subjected to a cyber-attack because a port was opened for a short time during installation of the programme at one of the data controller's branches; the data held in the programme was deleted as a result of the attack; the groups of persons affected by the breach are employees and patients; the affected personal data are the name and surname, T.C. identity number, address, photograph, professional information and blood group of employees, and the name and surname in the billing information of patients; the programme has been used since 2012 and contains an estimated 10,000 records; and the relevant persons can obtain information from the telephone number 0226-811-22-44 and the e-mail address info@oyh.com.tr.
Reon Health Services Construction. Tur. San and Tic. A.Ş. (Private Aktif Hospital)
In the personal data breach notification sent to the Authority by the data controller, in summary: the programme used by the data controller for personnel and accounting transactions was subjected to a cyber-attack because a port was opened for a short time during installation of the programme at one of the data controller's branches; the data held in the programme was deleted as a result of the attack; the groups of persons affected by the breach are employees and patients; the affected personal data are the name and surname, T.C. identity number, address, photograph, professional information and blood group of employees, and the name and surname in the invoice information of patients; the programme has been used since 2012 and contains an estimated 2,000,000 records; and the relevant persons can obtain information from the telephone number 0226-811-22-44 and the e-mail address info@oyh.com.tr.
Yalova Uzmanlar Sağlık Hizmetleri San. Paz. Tic. A.Ş.
In the personal data breach notification sent by the data controller to the Authority, in summary: the programme used by the data controller for personnel and accounting transactions was subjected to a cyber-attack because a port was opened for a short time during installation of the programme at one of the data controller's branches; the data held in the programme was deleted as a result of the attack; the groups of persons affected by the breach are employees and patients; the affected personal data are the name and surname, T.C. identity number, address, photograph, professional information and blood group of employees, and the name and surname in the invoice information of patients; the programme has been used since 2012 and contains an estimated 2,000,000 records; and the relevant persons can obtain information from the telephone number 0226-811-22-44 and the e-mail address info@oyh.com.tr.
This month’s data breach notifications, in which we saw a single breach affecting more than one company, stem from a service provider's programme used within the companies. In order to determine liability for breaches involving such programmes, it will be important to establish the parties' roles. Where the parties hold the roles of data processor and data controller, their responsibilities and obligations differ.
What are the Differences Between Data Controller and Data Processor?
Any natural or legal person can be both a data controller and a data processor at the same time. The activities of the data processor are limited to more technical parts of data processing. The authority to take decisions regarding the processing of personal data belongs to the data controller. The data controller is the person who determines the purpose and method of processing personal data and the answers to the “why” and “how” questions.
How to Determine?
In order to identify the data controller, it should be considered who decides on matters such as whether personal data is collected, the collection method and purposes, the data types, the groups of persons whose data is collected, the transfer channels and the retention periods. The data controller may delegate decision-making authority on some matters to the data processor through a personal data processing agreement.
Why is the distinction between data controller and data processor important?
The data controller is responsible for taking measures to comply with the legislation on the protection of personal data, supervising the data processor and ensuring that the data subjects can exercise their rights. The data controller is a natural or legal person who does not receive orders and instructions from anyone, but rather gives orders and instructions to another person in case of data processing, and has the authority to make decisions freely at every moment of the data processing processes.
If authorised by the controller, the data processor may have a significant degree of autonomy during the data processing activities and, accordingly, may define the non-essential elements of the processing. Where personal data is processed on its behalf by another natural or legal person acting as data processor, the data controller is jointly responsible with that person for the technical and administrative measures to be taken.
Due to this joint liability, it is the obligation of the data controller to make a data breach notification, even if the breach occurs at the data processor.
What can be done?
In addition to the main contract for the service received, a protocol governing data transfers between the data controller and the data processor can be signed. In this protocol, the data processor can undertake to act within certain limits and the data controller can be granted supervisory authority. As part of that supervisory authority, the level of KVKK compliance can be measured against reference criteria, and business partner awareness and audit forms can be used for this purpose.
Examples of Questions that can be included in the form
Have you established a “personal data storage and destruction policy” and an “adequate measures policy for the processing of special categories of personal data”, which are mandatory under the Law?
If you have subcontractors, has a KVKK confidentiality agreement or additional protocol been concluded with them?
Do your subcontractors also undertake to comply with the obligations set out in the LPPD, its secondary legislation and the Board’s Decisions?
Have there been any data breaches to date? If so, have you informed the relevant persons and the Board? How long after the breach occurred, and how long after the breach was discovered?
What is your procedure or practice for responding to data subject applications?
If the data controller can prove that it took care to implement all measures that could be taken, its responsibility for the breach can be interpreted as lesser, and the Board may settle for an instruction rather than an administrative fine as the sanction.