PERSONAL DATA PROTECTION LAW

The Law on the Protection of Personal Data and its secondary legislation form a living body of law that has been updated frequently since its entry into force. Many procedures and principles of data protection are determined not only by the Law, the Regulation and the Communiqué, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform those concerned about the practice of the Personal Data Protection Board and to keep them up to date.

In July 2023, the Board published one public announcement regarding the obligation to register with the Data Controllers Registry (VERBIS) and nine data breach notifications; among the companies that submitted breach notifications are industry leaders.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In July 2023, nine data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

Oden İnşaat Turizm ve Tic. AŞ

The data breach notification submitted to the Board by Oden İnşaat Turizm ve Tic. AŞ (Çeşme Ilıca Hotel SPA&Wellness Resort), as the data controller, is summarised as follows:

The breach occurred as a result of a phishing attack carried out against the data controller by e-mail. The attackers gained access to the data controller's booking.com reservation extranet screen, which contains the name, surname, reservation date, telephone number and e-mail address of the data controller's customers. From that screen, the attackers sent e-mails to the data controller's customers in an attempt to obtain their credit card details. The number of data subjects affected by the breach was 155.

GRC LEGAL Comment:

When the data breach notification is analysed, it can readily be said that attackers are targeting tourism businesses, especially during the summer period we are in.

Given the manner in which the breach occurred, it is of utmost importance that employees are warned to perform the necessary checks before clicking on links in incoming e-mails, and that their awareness of data security is raised. In addition, considering that the attackers operated through the booking.com extranet, it is necessary to follow the KVKK compliance processes of the business partners we work with for transactions such as reservations and to ensure that the controls needed for data security are in place. Since the phishing gave the attackers access to an account on a third-party platform, protecting such accounts (for example with multi-factor authentication) and watching for unusual messages sent from them to customers is part of those controls.

-LPPD Article 12/2-

Before moving on to the other eight data breach notifications published by the Board, we believe it is useful to mention Article 12/2 of the LPPD. Pursuant to that provision, where personal data are processed on behalf of the data controller by another natural or legal person, the data controller is jointly responsible with that person for taking the measures specified in the first paragraph of the Article.

The common point of all of the data breach notifications detailed below is that these companies work with the data processor Mivento Bilişim Hizmetleri ve Ticaret A.Ş., from which they purchase an infrastructure service for managing gift/promotion applications for dealer employees, and that some personal data were affected as a result of a cyber attack on that company's servers.

The published breach notifications are a concrete reflection of this provision: in breaches caused by a data processor, the data controller remains obliged to notify the breach regardless of the identity or fault of the processor. The open publication of the data controllers' names on the Board's website once again shows the reputational loss that such a breach may bring.

When the data breach notifications of the data controllers affected by the cyber attack on the servers of Mivento Bilişim Hizmetleri ve Ticaret Anonim Şirketi are analysed:

Vestel Ticaret Anonim Şirketi: “Turkish ID number, name, surname, e-mail and telephone number” data of employees were affected,

Anadolu Isuzu Otomotiv Sanayi Ticaret Anonim Şirketi: “Turkish ID number, name, surname and telephone” data of employees were affected,

Çelik Motor Ticaret Anonim Şirketi: “Turkish ID number, name, surname and e-mail” data of employees were affected,

Geberit Tesisat Sistemleri Ticaret Limited Şirketi: “name, surname, e-mail, telephone, gender, date of birth” data of employees were affected,

Mais Motorlu Araçlar İmal ve Satış Anonim Şirketi: “Turkish ID number, name, surname, e-mail and telephone” data of employees were affected,

Schneider Elektrik Sanayi ve Ticaret Anonim Şirketi: “Turkish ID number, name, surname, e-mail and telephone” data of employees were affected,

Toyota Turkey Pazarlama ve Satış Anonim Şirketi: “name, surname and telephone” data of employees were affected,

Vodafone Dağıtım Servis ve İçerik Hizmetleri Anonim Şirketi: “encrypted Turkish ID number, name, surname and start date” data of employees were affected.

In this context, signing a Data Processor Protocol in addition to the agreements concluded with the data processors cooperated with, checking that already signed protocols are kept up to date, and conducting a data security maturity assessment with tools such as a Business Partner Awareness Form for each new data processor supplier will minimise the risk of processor-related breaches and ensure that measures are in place which, when necessary, even allow recourse against the processor.

When the breach notifications made by the data controllers are analysed, it is seen that the leaked data belong to personnel working within the companies. As clearly regulated in Article 75/2 of the Labour Law No. 4857, “The employer is obliged to use the information obtained about the employee in accordance with the rules of honesty and law and not to disclose the information that the employee has a legitimate interest in keeping confidential”, and the employer must take all necessary technical and administrative measures to protect this information. In this context, data controllers should audit and evaluate the channels through which employee data are transferred, and it is important to carry out the relevant form and protocol processes.

PUBLIC ANNOUNCEMENT

Public Announcement on the Amendment to the Exception Criteria Regarding the Obligation to Register with the Data Controllers Registry

With the Decision of the Personal Data Protection Board (“Decision”) published in the Official Gazette dated 25.07.2023, the exemption criteria regarding the obligation to register with the Data Controllers Registry (“VERBIS”) have been amended following a re-evaluation of the economic conditions in our country. Within this framework, the expression “natural or legal person data controllers with fewer than 50 employees and an annual financial balance sheet total of less than 25 million Turkish Liras whose main activity is not processing special categories of personal data” has been amended to “natural or legal person data controllers with fewer than 50 employees and an annual financial balance sheet total of less than 100 million Turkish Liras whose main activity is not processing special categories of personal data”, and such data controllers are exempt from the obligation to register with VERBIS.

With the publication of the Decision, natural or legal person data controllers will assess the criterion on the basis of the completed financial year 2023, since the annual balance sheet calculation requires a completed year. If the balance sheet total in the corporate tax return to be filed by April 2024 is below 100 million Turkish Liras and the other criteria are not met, they will not be obliged to register with VERBIS.

Under the new situation created by the Decision, which entered into force on 25.07.2023, companies with an annual financial balance sheet total above 25 million Turkish Liras but below 100 million Turkish Liras, which were obliged to register with VERBIS solely because of the balance sheet criterion, will be able either to keep their VERBIS records or to have them deactivated.