PERSONAL DATA PROTECTION LAW

The Law on the Protection of Personal Data (LPPD) and its secondary legislation form a living body of law that has been updated frequently since it entered into force. Many procedures and principles of data protection are determined not only by the Law, the Regulation and the Communiqué, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform interested parties about the practice of the Personal Data Protection Board and to keep them up to date.

In June 2023, the Board published four data breach notifications, and the data controllers named include industry leaders.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD, titled "Obligations regarding data security", states: "In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the data subject and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate."

In June 2023, four data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr. They are summarised below.

OSDS Su Arıtma Sistemleri San. Tic. Ltd. Şti.

In the data breach notification submitted to the Board by OSDS Su Arıtma Sistemleri San. Tic. Ltd. Şti., as data controller, the following was stated in summary:

Customers of the data controller were sent an SMS containing a link believed to be fraudulent. The messages were sent on 26-27 May 2023 through MAS GSM Haberleşme A.Ş., which acts as the data controller's data processor. A total of 45,228 SMS were sent by unauthorised persons, and most of the recipient numbers belong to customers of the data controller.

The categories of personal data affected by the breach are communication, location, legal transaction, customer transaction, transaction security, risk management, marketing, and criminal conviction and security measures. The groups of data subjects affected by the breach are customers and potential customers.

Bilge Adam Yazılım ve Teknoloji A.Ş.

“A chain is as strong as its weakest link”

As a result of a phishing attack against the data controller, the computers of three employees were accessed and then encrypted with ransomware. Data belonging to employees and job applicants was stored on the computers that were accessed without authorisation. The personal data affected by the breach are name, surname, Turkish identity number and workplace registration number. The number of data subjects and records affected has not yet been determined, and data subjects can obtain information about the breach through the call centre and by e-mail.

Tıp Evi Sağlık Hizmetleri Ticaret Limited Şirketi

In the personal data breach notification sent to the Authority by Tıp Evi Sağlık Hizmetleri Ticaret Limited Şirketi, as data controller, it was stated in summary that the breach occurred as a result of a cyber attack on a company contracted by the data controller.

It was further stated that the data became inaccessible as a result of the cyber attack, that the number of data subjects affected is not known exactly, that the groups of data subjects affected are not yet known, and that the affected data include personal data and health data, the latter being a special category of personal data.

Arçelik A.Ş.

It was stated that unauthorised access to personal data resulted from a security weakness detected in the supplier systems hosting the data controller's Arçelik Bizbize mobile application and website. The code and ownership of those systems rest with the data processor; the data controller receives the service under a model in which it only has the right to use the systems. Unauthorised persons gained access to the admin panel, and it was determined that personal data was transferred to an IP address in Germany.

The groups of data subjects affected by the breach are dealers and authorised service employees. The personal data affected are identity, contact, transaction security code and other data (within the scope of the system: points earned and spent by dealers and authorised service employees; expertise; education; date of commencement of employment; and the code, name and address of the dealer or store where the data subject works, although the latter is not personal information of the data subject). The number of data subjects affected is estimated at 30,373, and data subjects can obtain information from the data controller's application panel.

GRC LEGAL Comment

This month's notifications include one that reflects the importance of keeping documents containing health information separate from the rest of the personnel file.