PDPL BULLETIN - JANUARY 2025

The Law on the Protection of Personal Data (‘KVKK’) and its secondary legislation form a living body of law that has been frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the LPPD and secondary regulations enacted under the LPPD, but also by the Personal Data Protection Board (‘Board’) Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform the relevant parties about the Board’s practices and to keep them up to date.

In January 2025, one data breach notification, the ‘Guideline on Transfer of Personal Data Abroad’ and the ‘Banking Sector Good Practices Guide on Protection of Personal Data’ (‘Guide’) were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

The Guide, prepared in cooperation with the Board and the Banks Association of Turkey, has been updated within the scope of the KVKK reforms that entered into force on 1 June 2024. The Guide, which was published to guide banks in complying with the LPPD and related regulations, provides detailed practical information on data processing processes within the legal framework, as well as good practice examples to raise sectoral standards. With this Guide, the Board aims to support compliance standards by clarifying banks’ obligations.

DATA BREACH NOTIFICATION

Article 12/5 of the LPPD, titled ‘Obligations regarding data security’: ‘In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.’

Trabzon University Rectorate

In the data breach notification submitted to the Board by the Rectorate of Trabzon University, which has the title of data controller, it was stated that some data belonging to the staff and students of the data controller were offered for sale on illegal platforms on the internet by cyber attackers. The data categories affected by the breach are: name, surname, TR ID number, date of birth, parents’ name and place of birth, belonging to the identity data category; e-mail address and telephone number, belonging to the communication data category; and corporate registration number, title and location data, belonging to the personal data category. The notification stated that the breach started on 01.01.2025 and was detected on 06.01.2025, that the number of records affected by the breach was 25,357, and that the relevant person group was data controller staff and students.

GRC LEGAL Comment: Data breaches resulting from cyber-attacks once again demonstrate the necessity of taking all kinds of technical and administrative measures in the protection of personal data. Especially considering that cyber-attackers offer this data for sale on illegal platforms, the idea that data is seen as a new currency today is strengthened. This situation shows that data security is of critical importance not only in terms of protecting the privacy of individuals, but also in terms of preventing economic and social risks.

PUBLIC ANNOUNCEMENT

Public Announcement Regarding the Fulfilment of the Disclosure Obligation within the Scope of Mediation Activities

The announcement published by the Board on 13.01.2025 addressed the obligations of mediators regarding the fulfilment of the disclosure obligation in mediation processes within the scope of the Law No. 6325 on Mediation in Civil Disputes (‘Mediation Law’) and the KVKK.

Pursuant to the Mediation Law, mediators have the obligation to inform the parties about the process before starting the mediation process. However, this obligation covers only the principles of the mediation activity and does not include any information regarding personal data processing processes.

At this point, the LPPD imposes an obligation on mediators, who have the title of data controller, to inform the relevant persons during the processing of personal data. Within the scope of the LPPD, mediators should inform the parties about the purposes for which personal data are processed, to whom and for what purposes the data can be transferred, the method and legal basis of data collection, and the rights of the relevant persons. This information should be provided at the time of obtaining personal data, or at the latest when processing of the data begins, in order to ensure that the data processing process is carried out in a transparent manner.

Since the responsibility of proving that the obligation to inform has been fulfilled will belong to the mediators as data controllers, it is of great importance that mediators carry out their personal data processing activities in full compliance with the KVKK.

As a result, mediators are required to fulfil their information obligations under the Mediation Law and the LPPD separately. In order to preserve the environment of trust and transparency that the mediation process provides to the parties, it is essential to provide the necessary information about both the principles of mediation and the processing of personal data in an accurate and complete manner.

GRC LEGAL Review: In the public announcement published by the Board, it is stated that mediators must fulfil not only the information obligation arising from the Mediation Law but also the disclosure obligation under the LPPD. In this context, it is clearly seen that the Board characterises mediators as data controllers.

Within the framework of the relevant announcement, firstly, the quality of the disclosure text will be of critical importance. Since the personal data of both the parties and their lawyers will be involved in the process, it will be necessary to correctly determine the relevant group of persons addressed, and the personal data processed will need to be organised specifically for the process and the parties. Therefore, mediators should prepare a text in line with the scope and basic principles outlined by the legislation, and revise their texts to be specific to each process, rather than relying on a single draft text. This means a serious workload for mediators in practice.

Similarly, the way in which the disclosure obligation will be fulfilled in mediation meetings held by online methods such as teleconferencing may also raise questions. In such cases, the mediator will be required to communicate the disclosure text prepared in accordance with the legislation to the parties by other means, and to keep a record in order to discharge the burden of proving that the disclosure has been communicated. Although it is obvious that channels such as e-mail, SMS, etc. will serve the process and purpose in terms of notification and burden of proof, it is thought that when a data processing activity that requires explicit consent is on the agenda, the stage of obtaining consent may proceed more slowly in online processes. As an extension of all these processes, it seems inevitable that mediators may face many applications from data subjects.

As a result, it has become an obligation to inform the parties in mediation processes in accordance with the Mediation Law and, at the same time, to provide the necessary information within the scope of the KVKK. Mediators who act otherwise may face administrative fines for failure to fulfil the disclosure obligation and/or data security obligations.