PERSONAL DATA PROTECTION LAW
The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation form a living body of law that has been updated frequently since it came into effect. Many procedures and principles related to data protection are determined not only by the Law, the Regulation and the Communiqué, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform those concerned about the practice of the Personal Data Protection Board (“Board”) and to keep them up to date.
In March 2023, the Board published public announcements and data breach notifications; among the companies named are some of the most popular start-ups of recent times and sector leaders. In addition, a new entry was added to the Board’s Decision Summaries, which had not been updated for a long time.
In the March 2023 issue of our KVKK Bulletin, the details of the Constitutional Court Decision published in the Official Gazette dated 30.03.2023 in relation to the personal data protection legislation are also included.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In March 2023, five data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
Akbank T.A.Ş.
It was reported that the breach occurred because an e-mail address variable was written statically (hard-coded) when it should have been set dynamically in the code of a project created for the account-opening transactions of the data controller’s legal-entity customers. As a result, the electronic passbooks of some customers whose accounts were opened between 27.08.2022 and 18.10.2022 were mistakenly sent to 20 other legal-entity customers of the Bank (each receiving a different number of passbooks) instead of to the customers themselves. 5,847 bank customers were affected by the breach.
The personal data affected by the breach fall within the identity, customer transaction and finance categories: name and surname, Turkish ID number, customer number, tax office, individual banking service contract number and date, account number, branch name, foreign currency code, IBAN, product name, interest rate, opening and maturity date, and account opening amount. Data subjects can obtain information from the akbank.com website and the 4442525 telephone number.
Marifet Saatçilik Kuyum. Teks. Tur. Food İnş. Taah. San. and Tic. Ltd. Şti.
It was reported that the breach started on 07.03.2023 and ended on 08.03.2023, and that it occurred through SMS messages sent to 1,513,947 people after unauthorised persons obtained the information of the application used by the data controller to send messages to its customers.
It is stated that the data controller has 66,000 customers registered in the application; for this reason, it is thought that the phone numbers to which SMS messages were sent were uploaded to the system by the persons who hijacked the application. The breach was detected through feedback from customers, contact information was affected, and data subjects can obtain information from the www.marifetkuyumcu.com address and the 444 9 778 number.
Sahibinden Bilgi Teknolojileri ve Paz. ve Tic.
It was stated that the breach occurred as a result of a cyber-attack against the data controller, that it was determined on 27.03.2023 that the personal data affected by the breach had been shared on the internet, and that the start date of the breach has not yet been determined.
In the investigation conducted, it was understood that Sahibinden store data (data other than e-mail addresses) was obtained by copying the content of the web service that serves the interfaces of Sahibinden’s website and mobile application, and that the e-mail address data of corporate users was obtained by malicious third parties from the output of the password renewal service after they triggered password renewal messages to users.
It is stated that the personal data affected by the breach are, in general, Sahibinden store information and the e-mail addresses of corporate users: user ID, user name, surname, store name, phone number, e-mail address, account registration date, location, user type, store number, package category, package status, package period, store product type, registration period, opening date and store commitment start date. The data controller’s corporate users, including private companies, are affected by the breach; the estimated number of affected data subjects is 71,422; and data subjects can obtain information via the yaziliiletisim@sahibinden.com e-mail address or the call centre.
Destek Bilgisayar ve İletişim Hizmetleri Tic. A.Ş.
It was stated that the breach took the form of encrypting and deleting the data on the server, storage units and some user machines used by the data controller, exfiltrating the data stored in the system and demanding a ransom in return; the data breach started on 23.03.2023 and was detected on the same date.
It has been stated that the number of people affected by the breach has not yet been determined due to the encryption and blockage; that the affected categories of personal data are finance, marketing, professional experience, and audio-visual records; that the affected groups are employees, customers and potential customers; and that data subjects can obtain information via the www.destek.as, info@destek.as, kvk@destek.as and callcenter@destek.as addresses (help desk), the customer service number 0312 473 51 00 and the call centre number 444 37 85.
Getir Perakende Lojistik A.Ş. and Bitaksi Mobil Teknoloji A.Ş.
In summary of the data breach notification and follow-up notification submitted by the data controllers Getir Perakende Lojistik A.Ş. (“Getir”) and Bitaksi Mobil Teknoloji A.Ş. (“BiTaksi”): in an e-mail received by Getir’s senior management on 11.03.2023, a malicious third party claimed to hold some personal data belonging to users of BiTaksi (a technology company founded by the founder of Getir) and shared some data rows as an example; on 23.03.2023 to a Getir official and on 25.03.2023 to Getir’s corporate e-mail address, the malicious third party alleged on the dark web that personal data held by Getir had been breached and shared links containing personal data allegedly belonging to Getir customers.
It was stated that the dark web content was examined by Getir’s internal response team; it was determined that the data in one of the software systems to which log records were transferred overlapped with the data in the relevant dark web posts, that the data did not overlap with the data in BiTaksi’s systems, and that the personal data of BiTaksi users were not breached.
It is stated that the personal data affected by the breach are, for Getir users: identity (name, surname, TR ID number, gender), contact (GSM number, e-mail address, delivery address), account (Getir customer number and account creation date), customer transaction (date and number of the last order placed from the Getir application, Getir vertical [Getir, Getir Big, Getir Food, etc.], order content, number of cancelled orders and total number of orders) and other information (date and location of the last login to the Getir application, communication permissions given to Getir); and, for couriers serving Getir dealers: identity (name, surname), contact (GSM number), visual and audio records (profile photo) and other information (instant location information and Getir employee number). The estimated number of affected persons is 5098, although not every affected data category applies to every data subject. Data subjects can obtain information regarding the breach at the kisiselveriler@getir.com e-mail address or at Etiler Mah. Tanburi Ali Efendi Sok. Maya Residences Sitesi, T Blok, No:13 Interior Door NO:334 Beşiktaş/İstanbul.
PUBLIC ANNOUNCEMENTS
Public Announcement on Personal Data Processed by Political Parties and Independent Candidates within the Scope of Election Activities
With the Presidential Decree No. 2023/121 published in the Repeated Official Gazette dated 10 March 2023 and numbered 32128, it has been decided to renew the general election of the Grand National Assembly of Turkey and the Presidential election in accordance with Article 116 of the Constitution of the Republic of Turkey, and the process of organising the elections has officially started in accordance with the relevant Presidential Decree.
Various personal data are processed within the scope of election activities. The data controller is defined in Article 3 of the LPPD, and in this context political parties process personal data in the course of their establishment, membership, candidate nomination in elections, election of their authorised bodies and notification of these to the relevant authorities, etc., in accordance with the relevant laws, especially Law No. 2820. Political parties are therefore data controllers within the scope of the LPPD in respect of the personal data they process in the course of their activities.
In their personal data processing activities, political parties and independent candidates are required to process personal data based on the data processing conditions specified in Article 5 of the LPPD titled conditions for processing personal data and Article 6 titled conditions for processing special categories of personal data, depending on the nature of the personal data to be processed. In this regard, an information note has been prepared by the Authority and it is important to act in accordance with the said issues in personal data processing activities during the election processes.
Public Announcement Regarding Electronic Submission of Proxy Complaints to the Authority
Article 15 of the LPPD stipulates that “The Board, upon a complaint or ex officio upon learning of an alleged violation, shall carry out the necessary examination on matters within its jurisdiction.” In this context, the complaints submitted to the Authority are finalised by the Board. Currently, complaint petitions can be submitted to the Board by hand, mail or courier, as well as electronically through the “Complaint Module” available at www.kvkk.gov.tr.
In this context, the “Complaint Module” system was updated as of 27.03.2023 so that lawyers can also submit complaints filed by proxy, in order to ensure that such complaints can be submitted to the Board and followed up in a faster and more effective manner; the complaint module can be accessed from the internet link.
The announcements detailed above were made public by the Board on 23 March and 27 March.
BOARD DECISION SUMMARIES
In order to keep up with the pace of the data world, the most important source has been the Board’s Principle Decisions and its Decision Summaries on administrative sanctions. The legislation has been shaped in line with these decisions, and many procedures and principles, as well as concepts and expressions familiar from the European General Data Protection Regulation, are found here. The duties and powers of the Board are listed in Article 22 of the LPPD, and the binding nature of the decision summaries rests on this provision.
Summary of Decision No. 2023/134 of the Personal Data Protection Board on TikTok Pte. Ltd.
Regarding the TikTok application, an ex officio review was initiated pursuant to Article 15/1 of the LPPD based on complaints that explicit consent was not duly obtained within the scope of the LPPD, that there were illegalities in the acquisition and storage of personal data, and that the software contained many security vulnerabilities.
It was stated that, prior to the update of TikTok’s privacy policy in January 2021, the public display of profiles by default and the lack of restrictions on interaction posed a risk of access to the data of users in the sensitive age group; in addition, sufficient measures were not taken to identify and mitigate the risks to users, the personal information of children under the age of 13 using the application was displayed, and data was collected about children without appropriate parental consent, so there was a risk of negative consequences for children who used the application.
In the Privacy Policy on the TikTok website, all of the processing conditions in Article 5 of the LPPD are listed, but no clear information is given about which personal data are processed for which purpose and on the basis of which processing condition; it is stated that the data controller thereby acts against the principles of “processing for specific, explicit and legitimate purposes” and “being relevant, limited and proportionate to the purpose for which they are processed” in Article 4 of the LPPD.
When obtaining approval from users who create TikTok accounts in the Terms of Service section, the relevant text had not yet been translated into Turkish and the content is not presented to users in an easy-to-understand format, so users may accept the terms of use without fully understanding them. No explicit consent is obtained when an account is created on the platform or while the account is actively used; TikTok’s Privacy Policy is essentially a text prepared to fulfil the obligation to inform, but it is also used in place of an explicit consent text. Since it was understood that no explicit consent was obtained from data subjects for the processing activity carried out by TikTok using cookies for profiling purposes, and that the personal data processing activity carried out within this scope was not in accordance with the law, it was decided, in accordance with Art. 5/1-f of the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform, to impose an administrative fine of 1,750,000 TL and to instruct the data controller to provide the Turkish translation within 1 month and to bring the Privacy Policy into compliance within 3 months.
CONSTITUTIONAL COURT DECISION
In the Constitutional Court Decision numbered 2020/67 E. and 2022/139 K., published in the Official Gazette dated 30.03.2023 and numbered 32148 (“Constitutional Court Decision”), some evaluations were made regarding the personal data that the Competition Board may access within the scope of its on-site examination authority. In the Constitutional Court Decision, contrary to the legislation on the protection of personal data, it is stated that the data of undertakings that are legal entities will also fall within the scope of the right to request the protection of personal data; and the authorisation of the Competition Board, introduced in June 2020, to obtain copies and physical samples of all kinds of data and documents of undertakings was found, by a majority of votes, to be in compliance with the legislation on the protection of personal data.
The Constitutional Court ruled on the annulment case filed on the grounds that certain provisions of Law No. 7246 amending Law No. 4054 on the Protection of Competition (“LPC”) are unconstitutional. The contested provisions were the section of Art. 9/1 regulating structural and behavioural measures, Article 15/1/a regulating on-site examination, Article 34 regulating the status of the personnel of the Competition Authority, and Provisional Article 6 regulating the status of the personnel of the Competition Authority.
The main grounds for requesting the annulment of the relevant section of Article 15/1/a of the LPC are, in summary, that the provision allows the copying and sampling of all kinds of documents of undertakings without any limitation; that there is no requirement that a representative of the relevant undertaking be present during this process; and that the rule authorising access to data on undertakings’ trade secrets and customer base includes no assurance regarding the acquisition and processing of personal data, which is incompatible with the principle of certainty and is not proportionate.
Article 15/1/a of the LPC provides for the taking of copies and physical samples of books, documents, records and data that constitute evidence, in order to detect anti-competitive behaviour or transactions in the market. The Court held that this rule is not unconstitutional, on the grounds that it does not cause a disproportionate intervention and does not impose an unreasonable restriction on the right to request the protection of personal data, considering that it is subject to the provisions of the LPPD and the safeguards regarding the protection of personal data, such as the right to information, the right of access, the right to learn whether the data is used for its purpose, and the right to have data security ensured; in this respect, the rule does not impose an excessive burden on undertakings and associations of undertakings.
The reasons for the dissenting votes on this issue contain important observations.
It is stated that Article 15/1/a of the LPC authorises the taking of copies and physical samples of personal data, which makes the existence of safeguards against the arbitrary use of this authorisation all the more important; yet there is no regulation on how the information and documents in the nature of personal data subject to inspection will be used, how long they will be kept, whether data subjects have the opportunity to object to the information in question, whether the information will be deleted in due time and what procedure will be followed, or what kind of supervision will be carried out to prevent abuse of the authorisation.