PDPL Bulletin – June 2024

The Law on the Protection of Personal Data (“Law”) and its secondary legislation form a living body of law that has been updated frequently since its effective date. Many procedures and principles regarding data protection are determined not only by the Law and the secondary regulations enacted under it, but also by the Decisions, Principle Decisions and Decision Summaries of the Personal Data Protection Board (“Board”). Our monthly bulletins therefore aim to inform the relevant parties about the Board’s practices and to keep them up to date.

In July 2024, in addition to data breach notifications, the Board published a study on “Common Mistakes in Complaints and Notifications Submitted to the Board”. The study discusses the reasons why 89% of the complaint and notification applications submitted to the Personal Data Protection Authority (“Authority”) were found invalid. The most common mistakes it lists are filing a complaint with the Board before first exhausting the remedy of applying to the data controller, and not using the e-mail address that was previously notified to the data controller and registered in its system.

In addition, the “Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad” (“Regulation”) entered into force after being published in the Official Gazette numbered 32598 on 10.07.2024. On the same date, the Authority published the Public Announcement on Documents Regarding Standard Contracts and Binding Corporate Rules and the Auxiliary Guidelines on Standard Contracts, Binding Corporate Rules Application Form and Basic Issues to be included in Binding Corporate Rules.

With the entry into force of the Regulation and the documents and guidelines published alongside it, the Authority has taken concrete steps towards the tiered overseas transfer procedure regulated in Article 9 of the Law. Data controllers must nevertheless complete their compliance process under that article, which sets out the principles for the transfer of personal data abroad, by 01.09.2024.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is unlawfully obtained by others, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In July 2024, five data breach notifications were published on the Board’s website, kvkk.gov.tr.

Adnan Özen İnşaat Taahhüt Enerji Turizm Ticaret ve Sanayi Anonim Şirketi

In the data breach notification submitted to the Board by Adnan Özen İnşaat Taahhüt Enerji Turizm Ticaret ve Sanayi Anonim Şirketi, which has the title of data controller, in summary; the breach occurred through a leakage on the Application Programming Interface (API) of the website where the data controller receives car rental reservations, the breach was detected through an e-mail sent by the cyber attacker to company personnel on 26 June 2024, the relevant groups of people affected by the breach are customers and potential customers, the categories of personal data affected by the breach are identity (name, surname, Turkish ID number), contact (address, telephone number, e-mail address) and customer transaction (reservation date, rental period and rental price) information, the number of data subjects affected by the breach is 185, the database contains the personal data of approximately 12,000 customers, and technical investigations regarding the breach are ongoing.

Creditwest Faktoring Anonim Şirketi

In the personal data breach notification sent to the Authority by Creditwest Faktoring Anonim Şirketi, which has the title of data controller, in summary; the breach occurred as a result of an attack on the servers of the data controller, the technical analysis process regarding the breach is ongoing, the breach was detected as a result of a SOC monitoring alert, the number of people affected by the breach has not yet been determined, the breach started on 27.06.2024 and ended on the same date, the personal data categories affected by the breach are identity, contact, location, personal and customer transaction information, the groups of people affected by the breach are employees and customers, and the relevant persons can obtain information via www.creditwest.com.tr, the data controller’s phone lines and e-mail.

Uber Technologies Incorporated

In the data breach notification submitted to the Board by Uber Technologies Incorporated, which has the title of data controller, in summary; on July 2, 2024, the data controller received an e-mail from a person revealing the intention to make personal data that may originate from Uber publicly available, it has not yet been determined when the data breach occurred or what its source is, Uber users (passengers and/or people who order food) and/or drivers and/or people who make deliveries are affected by the breach, and regarding the data affected by the breach, the screenshots concerning the data of Uber users (passengers and/or people who order food) are expected to contain name, e-mail address, phone number, profile photo, registration date and score information, while the data expected to be affected in respect of drivers and/or delivery persons on the Uber platform are the data contained in documents such as driver’s licence, insurance, identity card, vehicle registration and the duty-of-care checks shown in the screenshots; however, the affected personal data is not known exactly at the moment and the number of people affected by the breach has not yet been determined.

Güneş Ekspres Havacılık Anonim Şirketi (SunExpress)

In the data breach notification submitted to the Board by SunExpress, the data controller, in summary; a cyber attacker gained unauthorized access to the campaign management platform used by the data controller by obtaining the login credentials of an administrator account and sent phishing e-mails through this account, the breach occurred on 15.07.2024 and was detected on the same day, the cyber attacker sent a total of 1,986,293 e-mails, the relevant groups of people affected by the breach are employees, customers and potential customers, the category of personal data affected by the breach is contact (e-mail) information, of the 596,659 e-mail addresses to which the cyber attacker sent e-mails, 86 belong to employees (current and former), 249,668 belong to customers and 346,905 are of unknown origin, being e-mail addresses uploaded to the system by the cyber attacker during the attack, and data subjects can obtain information about the data breach through the form on the data controller’s website.

Ann & Robert H. Lurie Children’s Hospital of Chicago

In the data breach notification submitted to the Board by Ann & Robert H. Lurie Children’s Hospital of Chicago, as the data controller, in summary; it was determined that cyber criminals gained access to the data controller’s systems between January 26-31, 2024 as a result of a cyber attack, that the personal data of approximately 791,784 individuals worldwide was affected, that this information relates to patients and patient relatives, current and former Lurie Children’s team members and their family members, and current and former contractors, that the affected data varies from person to person and may include contact information, identification information, or information related to a patient’s health or medical care, that there is no clear information regarding the number of individuals affected by the breach in Turkey, and that detailed information about the breach is available on Lurie Children’s website “www.luriechildrens.org” via the ‘Cybersecurity Matter’ link at the top of the page.

GRC LEGAL Comment

An analysis of the data breach notifications published in July reveals that these breaches were caused by cyber attacks on the servers of data controllers exploiting security vulnerabilities, and by data leakage. In the SunExpress breach in particular, unauthorized access was gained to the e-mail addresses of almost 600,000 people, and the extent of that breach illustrates what can follow when data controllers fail to take all necessary technical and administrative measures.

In this context, data controllers should act with the awareness that they are obliged under the Law to take all necessary technical and administrative measures to ensure data security, keep security measures constantly updated and use monitoring systems effectively, and prevent possible data breaches by raising awareness through user training.