PDPL Bulletin – June 2024

The Law on the Protection of Personal Data (“Law”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles are determined not only by the Law and the secondary regulations enacted under the Law, but also by the Personal Data Protection Board (“Board”) Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the Board’s practices and to keep them up-to-date.

DATA BREACH NOTIFICATIONS

Only 1 data breach notification was issued by the Board in June. The data controller is Karakaya Kuruyemiş Gıda Tarım Ürünleri İnş. Taah. Turz. Teks. Industry and Trade Limited Company, it was stated that the breach occurred as a result of the data controller being exposed to a cyber-attack, the number of people affected by the breach was 200 and the personal data affected were; identity, communication, location, personal, customer transaction, transaction security, risk management, finance, marketing, visual and audio recordings, race and ethnic origin, health information, criminal conviction and security measure data.

VERBIS REGISTRATION AND NOTIFICATION OBLIGATION WITHIN THE SCOPE OF 2023 ACTIVITY REPORT

When the 2023 Annual Report published by the Board is examined; it is seen that the Board, which has imposed administrative fines on data controllers for breaching the obligation to register and notify to the Data Controllers Registry Information System (“VERBIS”) since 2022, imposed a total fine of 150,710,000 TL on data controllers for breaching the VERBIS registration and notification obligation only in 2023. In this context, companies that meet the VERBIS registration obligation criteria should complete the relevant registrations immediately. The fact that the majority of the total administrative fines of TRY 241,082,000 imposed in 2023 were due to violations of the VERBIS registration and notification obligation indicates that the Board has recently strictly supervised these registration obligations.