As GRC LEGAL, we present for your benefit the information article and our evaluations we have prepared in order to convey the innovations and updates in March 2024 in the field of Data Protection Law, which is one of our professional areas of expertise.

It is seen that only 2 data breach notifications were published by the Personal Data Protection Board (“Board”) in March. In the data breach notification submitted by Allianz Sigorta A.Ş., the data controller, in summary; it was stated that it was determined by the National Cyber Incidents Response Centre that some information belonging to the data controller was offered for sale on the internet by cyber attackers, and as a result of the investigations made, unauthorised access was provided by cyber attackers to the platform named “Service Desk” where the data controller’s agents submit their requests and complaints to the data controller. Another data breach notification published by the Board was realised as a result of a ransomware attack within the data controller and it was determined that special categories of personal data were among the personal data categories affected by the breach.

Although it is seen that even the structures where the most effective and efficient technical measures are taken with the developing technology are exposed to cyber-attacks, it is necessary to underline the necessity of taking technical measures such as checking which software and services are running on administrative and information networks, checking whether there is an infiltration, keeping a record of transaction movements, and detecting vulnerabilities within the scope of the obligation of ‘taking all kinds of technical and administrative measures’ imposed on data controllers.

Among the agendas of the last month, it is possible to point to the local elections held in our country on 31 March 2024 as a process that touches personal data. Due to the local elections, political parties and candidates contacted many citizens through SMS and calls in the form of commercial electronic messages. It can be said that the fact that citizens who are not members of any political party are constantly exposed to such communications without their consent and that political parties carry out the process without any reservations in this regard is a clear indication that the Law on the Protection of Personal Data (“Law”) is not applied to the relevant legal entities.

Due to the new amendments to the Law, which will enter into force in the near future, it is thought that the Board is taking action on some guiding guides, Standard Contractual Clauses, etc. regarding the new adaptation process that data controllers and data processors will enter into, and it would not be wrong to assume that the passive attitude of this month is due to the adaptation processes.