The Law on the Protection of Personal Data and its secondary legislation form a living body of law that has been frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board and to keep them up-to-date.

In January 2024, in addition to one data breach notification, the Board published a Public Announcement on “Requests of Turkish Citizens Living Abroad Not to Transfer Financial Account Data Abroad” and “Announcement on Application for Letter of Undertaking”. In addition, the Board published “Guideline on the Processing of Republic of Turkey Identity Numbers”, “Guideline on the Protection of Personal Data in Election Activities” and “Deepfake Information Note”, aiming to guide the relevant parties on the aforementioned issues this month.

DATA BREACH NOTIFICATION

Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In January 2024, one data breach notification was published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

Dirk Rossmann Mağazacılık Ltd. Şti.

In summary, the data breach notifications submitted to the Board by Dirk Rossmann Mağazacılık Ltd. Şti., which has the title of data controller, stated that the breach occurred through the capture of the data of the site users who shopped on the website of the data controller between 27.12.2023 and 09.01.2024, that the breach occurred as a result of the capture of the password of the third-party technology company official who manages the site panel, and that the breach was detected during routine security checks carried out by the data controller.

It is stated that the number of persons and records affected by the breach has not yet been determined, the categories of personal data affected by the breach have not yet been determined, and that the data subjects can receive information about the personal data breach from the data controller via e-mail and call centre.

GRC LEGAL Comment

It appears that the data breach within the data controller occurred because the necessary technical and administrative measures were not taken within the third-party technology company. Under the legislation on the protection of personal data, each actor needs to be evaluated and legally characterised on a case-by-case basis; nevertheless, it can be said that the relevant technology company is, with high probability, a data processor.

However, regardless of the legal nature of the business partner from which the service is received, it is important for data controllers to ensure that such data processors/data controllers provide at least the security level provided by them regarding personal data in accordance with Article 12/1, 2 of the LPPD.

GUIDELINES

Guideline on the Processing of Republic of Turkey Identity Numbers has been published!

The Personal Data Protection Authority (“Authority”) has published the “Guideline on the Processing of Republic of Turkey Identity Numbers”, which includes the issues to be considered within the scope of the Law in the processing of Turkish Republic identification numbers.

Although the Turkish Republic ID number is not among the special categories of personal data, the Guideline states that data controllers frequently prefer to process it because of the official, unique and unchangeable nature of this data type and the ease of access it provides to other personal data of the data subjects, but that these data processing activities must also comply with the Law.

It is seen that the allegations in the notifications and complaints submitted to the Authority are related to the failure to observe the “principle of being connected, limited and proportionate to the purpose for which they are processed”, which is one of the general principles in Article 4 of the Law.

Within the scope of the principle of proportionality, if the desired result can be approached with personal data processing, it is accepted that the processing is appropriate. In order to meet the criterion of necessity, where more than one tool allows the same purpose to be achieved, the one that is less restrictive to the right should be preferred. The proportionality criterion, on the other hand, refers to the existence of a proportion between the means and the purpose to be achieved.

For example, although processing the Turkish ID number is a convenient way to verify the identity of a person in a mobile application, the processing in question cannot be said to be necessary and proportionate, since verifying with the Turkish ID number when verification can be made with the phone number would be an intervention that further limits the right to protection of personal data.

Within the scope of the above information, it is necessary to consider whether methods that interfere less with the right to protection of personal data of the data subjects are possible in the processing of the Turkish ID number. As a result of this assessment, if there is another method that interferes less with personal data, it is important that these methods are preferred and necessary technical and administrative measures are taken by data controllers to carry out personal data processing activities in accordance with the Law.

In addition, in this Guideline, in general, the situations where the processing of the Turkish ID number is foreseen in the relevant legislation are specified. In this context, in the vast majority of cases, the processing of the T.R. identification number may be carried out based on the legal reason that it is expressly stipulated in the laws pursuant to Article 5/2 of the Law.

For example, the issuance of invoices for the purchase of goods or services within the scope of the Tax Procedure Law and the processing of the T.R. identification number of real persons in the certification issued in the registration of a commercial enterprise to the registry within the scope of the Trade Registry Regulation are within this scope.

Guideline on the Protection of Personal Data in Election Activities has been published!

The Authority published the “Guideline on the Protection of Personal Data in Election Activities”, which concerns the various personal data processed in these activities, in order to remind public administrations, political parties, candidates and voters who are involved in election activities such as organising, updating, suspending the voter register, candidate nomination, nomination, announcement of final candidate lists, election propaganda, public opinion surveys, voting, etc. of their obligations or rights under the Law.

Within the scope of the relevant Guideline, it is stated that the SBE is not obliged to register with the Data Controllers Registry in accordance with the exceptions of the Law, and political parties are not obliged to register with the Data Controllers Registry in accordance with the Board decision dated 02.04.2018 and numbered 2018/32. In addition, although it is stated that the SBE is exempt from the regulation in Article 11 of the Law, except for the right to “claim compensation for damages”, it is emphasised that the relevant persons may request corrections and updates within the scope of their information in the voter registers in accordance with Law No. 298.

Deepfake Information Note Published!

The Authority has prepared the “Deepfake Information Note” to promote a better understanding of “Deepfake” (deep fiction or deep fake) technology, a term formed from the words deep learning and fake. The information note covers the definition of Deepfake, the purposes for which it is used, the threats it poses, how it can be detected, what individuals and organisations can do and the measures that can be taken at this point.

Considering that the risks posed by deepfake technology will increase with the increase in the use of artificial intelligence today, it can be said that the information note published in order to make the public aware of the application in question is an important step.

In the information note, it is emphasised that real persons have important responsibilities to prevent the spread of deepfake content and misinformation. Especially when it is considered that deepfake videos are usually created using facial and voice data, it is emphasised that care should be taken when sharing personal data on social media and similar platforms. The information note states that the intended use of many deepfake applications should be checked and suggestions are provided for organisations to strengthen their cyber security operations and internal communication channels.

PUBLIC ANNOUNCEMENTS

Public Announcement on “Requests of Turkish Citizens Living Abroad Regarding the Non-Transfer of Financial Account Data Abroad”

Citizens of the Republic of Turkey residing abroad have made many applications to the Authority regarding the non-sharing of their personal data, especially financial account data, with the institutions and organisations of other countries, especially European Union member states.

The petitions received by the Authority stated that applications requesting information had been made within the scope of the Law to the Republic of Turkey Revenue Administration and to the banks where the account information is located, but that the relevant data controllers had not responded to them sufficiently, and requested that the necessary action be taken within the scope of the Law.

It has been stated that financial account data are transferred abroad within the framework of the “Convention on Mutual Administrative Assistance in Tax Matters” signed by the member countries of the Organisation for Economic Co-operation and Development, including Turkey, on 3 November 2011 and approved by the Law dated 03.05.2017 and numbered 7018, and the Multilateral Competent Authority Agreement on Automatic Exchange of Financial Account Information (“Agreement”) signed in 2017 within the scope of this agreement and published in the Official Gazette dated 31.12.2019 and numbered 30995. Within the scope of the Agreement, the Revenue Administration is the competent authority in Turkey to collect and share information for automatic exchange of information.

The current situation was evaluated by the Board and clarified with the decision dated 28/12/2023 and numbered 2023/2199:

Article 90 of the Constitution states that “International agreements duly put into force shall have the force of law. In case of disputes that may arise due to the fact that international agreements on fundamental rights and freedoms duly put into force and laws contain different provisions on the same subject, the provisions of the international agreement shall prevail.”

Article 9/5 of the Law stipulates that “Without prejudice to the provisions of international conventions, personal data may be transferred abroad in cases where the interests of Turkey or the person concerned would be seriously harmed, only with the permission of the Board after obtaining the opinion of the relevant public institution or organisation” and Article 9/6 stipulates that “The provisions of other laws regarding the transfer of personal data abroad are reserved.”

Pursuant to the aforementioned articles, it has been decided that there is no action to be taken within the scope of the Law, taking into account that the personal data transfers to be made abroad within the scope of the Agreement will not constitute a violation of the Law and that, in accordance with Article 28/2/ç of the Law, Article 10 regulating the disclosure obligation of the data controller and Article 11 regarding the rights of the data subject, except for the right to claim compensation for damage, will not be applied if personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.

The Authority Approved a New Letter of Undertaking Application Regarding the Transfer of Personal Data Abroad!

According to the announcement made by the Authority on 29.01.2024, the application of “Celltrion Healthcare İlaç Sanayi ve Limited Şirketi” for a Letter of Undertaking regarding the transfer of personal data abroad was evaluated by the Board within the scope of Article 9/2/b of the Law and the said data transfer was approved on 25.01.2024. Thus, the number of undertakings approved for the transfer of personal data from Turkey to abroad under the Law has increased to 8 so far.