PERSONAL DATA PROTECTION LAW

The Law on the Protection of Personal Data and its secondary legislation constitute a living body of law that has been updated frequently since it entered into force. Many procedures and principles relating to data protection are determined not only by the Law, the Regulation and the Communiqué, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform those concerned about the practice of the Personal Data Protection Board and to keep them up to date.

In May 2023, the Board published two data breach notifications, and the companies concerned include industry leaders.

In addition to the data breach notifications, our May 2023 issue reviews four of the Board’s decision summaries published on 24 April 2023, together with the decision of the Irish data protection authority that set a new upper record for fines imposed under the European Union General Data Protection Regulation (“GDPR”).

HISTORICAL PENALTY TO META FROM EUROPEAN DATA PROTECTION AUTHORITY

The largest fine ever imposed under the GDPR was imposed on META Ireland in May 2023, after a three-year wait for the Irish Data Protection Authority’s decision. The €1.2 billion fine for META is the highest ever imposed on any company for breaching the GDPR; the previous record was the €746 million fine imposed on the e-commerce giant Amazon for breaching the GDPR in 2021.

In the decision, it was stated that META breached Article 46(1) of the GDPR by continuing to transfer personal data from the European Union/European Economic Area to the United States following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.

Having assessed META’s defences to these allegations, the authority concluded that META had not addressed the risks to the fundamental rights and freedoms of data subjects. META was ordered to pay an administrative fine of EUR 1.2 billion, to suspend the transfer of personal data to the USA for a period of five months, to cease the unlawful processing, including storage in the USA, of personal data of EU/EEA users transferred in violation of the GDPR, and to bring its processing activities into compliance with the GDPR within six months of notification of the decision.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In May 2023, two data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

Trabzonspor Sportif Yatırım ve Futbol İşletmeciliği Ticaret A.Ş.

In summary, the data breach notification submitted to the Board by Trabzonspor Sportif Yatırım ve Futbol İşletmeciliği Ticaret A.Ş., in its capacity as data controller, states the following:

The servers of the data controller were encrypted as a result of a cyber-attack; the breach occurred on 19.05.2023 and was detected on the same day. The attack also affected Trabzonspor Ticari Ürünler ve Turizm İşletmeciliği Ticaret A.Ş., Trabzonspor Futbol İşletmeciliği Ticaret A.Ş., Trabzonspor Telekomünikasyon Danışmanlık ve Servis Hizmetleri Ticaret A.Ş., Bordo Mavi Futbol Yatırımlar Ticaret A.Ş., Trabzonspor Club Association and Trabzonspor Bordo Mavi Enerji Elektrik Üretim A.Ş. Because the files kept on the encrypted servers could not be accessed, the number of persons and records affected by the breach could not be determined. The groups of persons affected are employees, users, students, customers and potential customers; the data categories affected are identity, contact, personal, customer transaction, finance, professional experience, marketing, and audio and visual records, together with other data categories. Data subjects can obtain information about the breach through the call centre.

Boyner Büyük Mağazacılık A.Ş.

In summary, the data breach notification submitted to the Board by Boyner Büyük Mağazacılık Anonim Şirketi, in its capacity as data controller, states the following:

The data controller uses a messaging service to send bulk SMS and MMS messages, both to provide information on matters permitted and/or required by legislation and to send commercial electronic messages to customers who have given permission for commercial electronic communication. This messaging service is operated through an SMS Submission Panel hosted on a website owned by the data processor. During checks it was established that a series of suspicious logins to the SMS Submission Panel had been made using the username and password of one of the accounts used to access the services offered through the panel. Since no incorrect password attempts were observed in these logins, it was concluded that the persons accessing the system possessed the correct username and password combination; however, how this username and password information was obtained has not yet been determined.

The breach is stated to have started on 28.04.2023 and to have been detected on 06.05.2023, with an estimated 3,055,907 persons affected. The contact data (mobile phone number) and customer transaction data (which marketing SMSs were sent to the customer and whether those SMSs reached the customer) of a total of 2,313,962 customers registered in the SMS Submission Panel were accessed. Of these, 534,605 persons were sent fake SMSs imitating the “www.mediamarkt.com.tr” website operated by Media Markt Turkey Ticaret Ltd. Şti.; the fake website was aimed at collecting users’ identity, contact and financial information and at inducing them to send money to an account in an application that allows money to be sent, received, loaded and withdrawn without a bank account. A further 741,945 customers registered in the SMS Submission Panel were sent SMSs again, with the content of SMSs previously sent from the panel altered, without any data of these customers being accessed.
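The Boyner notification above records one detection clue: a run of successful logins with no failed password attempts, which points to possession of valid credentials rather than guessing. As an added example (not part of the bulletin, of the Board’s notification or of Boyner’s systems), the Python script below applies that heuristic to constructed SMS-panel login log lines, using a constructed baseline of the source addresses each account normally logs in from; the log format, account names and IP addresses are assumptions.

```python
"""Login-pattern triage for a bulk-SMS submission panel (added example).

Flags the pattern described in the Boyner breach notification: a burst of
*successful* logins from unfamiliar sources with zero failed attempts, which
suggests stolen credentials, and contrasts it with ordinary brute force.
Log format, accounts, addresses and the baseline below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <source_ip> <result>"
SAMPLE_LOG = """\
2023-04-28T09:01:10 retail_ops 203.0.113.10 success
2023-04-28T09:03:42 retail_ops 203.0.113.10 success
2023-04-28T22:14:05 retail_ops 198.51.100.7 success
2023-04-28T22:15:31 retail_ops 198.51.100.7 success
2023-04-28T22:40:12 retail_ops 192.0.2.77 success
2023-04-28T23:02:48 retail_ops 192.0.2.78 success
2023-04-28T23:05:00 retail_ops 192.0.2.79 success
2023-04-29T08:00:00 marketing 203.0.113.20 fail
2023-04-29T08:00:03 marketing 203.0.113.20 fail
2023-04-29T08:00:06 marketing 203.0.113.20 fail
2023-04-29T08:00:09 marketing 203.0.113.20 fail
2023-04-29T08:00:12 marketing 203.0.113.20 fail
2023-04-29T08:00:15 marketing 203.0.113.20 success
2023-04-29T10:00:00 finance 203.0.113.30 success
"""

# Constructed baseline: addresses each account is normally used from.
KNOWN_SOURCES = {
    "retail_ops": {"203.0.113.10"},
    "marketing": {"203.0.113.20"},
    "finance": {"203.0.113.30"},
}


def parse_log(text):
    """Parse log lines into (timestamp, account, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def classify_logins(events, known_sources, window=timedelta(hours=2),
                    min_success=3, min_fail=5):
    """Return {account: verdict} using a sliding window per account.

    'valid_credential_abuse': >= min_success successes inside `window` from
        >= 2 unknown sources and no failures at all (the notification's
        "no incorrect password attempts" pattern).
    'brute_force': >= min_fail failures from a single source inside `window`.
    'normal': nothing matched.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    verdicts = {}
    for user, evs in by_user.items():
        verdict = "normal"
        for i, (t0, _, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            fails = [e for e in win if e[3] == "fail"]
            succ = [e for e in win if e[3] == "success"]
            new_ips = {e[2] for e in succ} - known_sources.get(user, set())
            if not fails and len(succ) >= min_success and len(new_ips) >= 2:
                verdict = "valid_credential_abuse"
                break
            if len(fails) >= min_fail and len({e[2] for e in fails}) == 1:
                verdict = "brute_force"
                break
        verdicts[user] = verdict
    return verdicts


if __name__ == "__main__":
    for user, verdict in classify_logins(parse_log(SAMPLE_LOG), KNOWN_SOURCES).items():
        print(f"{user}: {verdict}")
```

The credential-abuse verdict never fires on failed attempts, so it complements rather than replaces the usual lockout-based brute-force alert.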

GRC LEGAL Comment: Considering that, within the scope of the marketing activities carried out by BOYNER, permissions may have been obtained through subscription to the HOPI application in order to benefit from campaigns and discounts, the question of whether the permissions of the persons affected by the breach were given of their own free will may arise, and the concept of the “illusion of free will” may once again come to mind.

BOARD DECISION SUMMARIES

To keep pace with the data world, the most important source has been the Board’s Principle Decisions and its Summaries of Decisions on administrative sanctions. The legislation has been shaped in line with these decisions, and many procedures and principles, as well as terms and expressions familiar from the European General Data Protection Regulation, appear in them. The duties and powers of the Board are listed in Article 22 of the LPPD, and the binding nature of the Decision Summaries rests on this provision.

THE DATA CONTROLLER SHOULD NOT MAKE IT DIFFICULT FOR DATA SUBJECT APPLICATIONS TO BE MADE TO HIM/HER!

In their complaints, the data subjects (a debtor and his son) stated, in summary, that in connection with execution proceedings initiated against the debtor, the phone number belonging to the son was repeatedly called by the data controller lawyer and information about the debt was given; that the legal transaction and financial information of the debtor was shared, without his explicit consent, with his son, who is a third party; that, on the other hand, the phone number of the debtor’s son, with whom the debt information was shared, was obtained and used unlawfully; and that the application made by the data subjects to the data controller lawyer was not answered although it reached the data controller. They requested that the necessary action be taken within the scope of the KVKK.

The data controller stated, in summary, that following the execution proceedings finalised against the debtor father, a lawyer working in the law office went to the address designated as the place of seizure on the date determined for the seizure in order to carry out the seizure and preservation procedures; that the reason for the visit was explained by the seizure officer to the debtor and his son, who were present at the address, and that this was also recorded in the seizure minutes; that the debtor’s son declared “I am the official of the debtor company, the debtor came as my guest, the debtor has nothing to do with the company, the seized goods belong to the company”, that the seized goods were left in his custody as trustee and that the seizure report was signed; that the personal data of the debtor’s son were therefore processed by the bailiff on the date of the seizure; that, contrary to what is claimed, the son was not informed of the debtor’s debt by the data controller, as both parties were already aware of the matter; that the data subjects did not make a proper application to the data controller, since the power of attorney attached to the debtor’s application did not contain a special provision with the explicit consent required to apply to the data controller within the framework of personal data protection; and that the application of the debtor’s son was irregular, since the attorney named in the application and the attorney named in the power of attorney were different.

As a result of the evaluation, it was found that the available information and documents do not prove that the data controller processed the phone number of the debtor’s son unlawfully, so there is no action to be taken within the scope of the KVKK regarding that claim. The documents submitted by the data controller to the Board show that the debtor’s son was present at the scene of the seizure during the collection of the debt and signed the Seizure Report, so he already had knowledge of his father’s debt, and the records of the calls subject to the complaint date from the day after the Seizure Report was issued. For these reasons, it was decided that there is no action to be taken within the scope of the KVKK regarding the debtor’s complaint that “the information that he is a debtor, which is also his personal data, was transmitted to his son by the data controller”. It was further decided that the data controller’s practice of requesting “special authorisation regarding personal data” from data subjects who apply through their attorneys, although there is no legal obligation to do so, makes it difficult for data subjects to apply to the data controller.

Caution in Distributing Brochures for Marketing Purposes!

The petition received by the Board states, in summary, that a promotional brochure for a product of a marketing company was sent by letter by a free entrepreneur to an 8-year-old child (the data subject); that the parent then telephoned the real person whose phone number appeared in the letter and asked how he had obtained the personal data of his 8-year-old daughter, but was given no information in that conversation and no action was taken regarding the daughter’s personal data; that the parent then applied to the marketing company asking how the child’s personal data, such as her name and home address, had been obtained, and again received no information; that the parent had given no consent to the processing of the child’s personal data; and that the child’s personal data had been processed without explicit consent for the purpose of commercial promotion. It was requested that the necessary action be taken within the scope of the KVKK.

In summary, the reply letter received from the marketing company stated that the company is a direct sales company selling products such as health and beauty products; that there is a contractual relationship between the sales person and the company which gives the option to buy and sell company products; that the sales person acts as an independent business owner (free entrepreneur) and is independent of the company; that persons who wish to sell company products can become free entrepreneurs by applying to the company and do so solely in their own interest; that free entrepreneurs act as sole and independent data controllers in respect of the personal data they obtain from the customers they serve, including for direct marketing purposes; that in the present case the brochure was not sent by the marketing company and the free entrepreneur was not instructed by the company to send it; that the brochure was sent by the free entrepreneur using personal data he had previously collected independently of the company; that the company did not process any personal data of the data subject and did not transfer such data to the free entrepreneur; that the company, although not the data controller in respect of the personal data processed by free entrepreneurs, supervises them and imposes sanctions under the contract in case of breaches of the rules; and that the investigation conducted upon the complaint showed that the free entrepreneur had sent brochures to customers to whom he had sold online in the past and had made a mistake because he did not know that the purchaser was an 8-year-old child.

In summary, the reply letter received from the entrepreneur stated that the personal data of the data subject were obtained during the period when he was selling company products on his own behalf and account through an e-commerce site; that the parent of the data subject had the invoice issued in his daughter’s name; that the parent, who voluntarily shared his own address and contact information with him through the e-commerce site, gave his own address and telephone details but placed the order in his child’s name; that the brochure was sent in connection with this order; and that the processing in question should therefore be regarded as an exception and the matter arose from a misunderstanding.

As a result of the examination, it was found that the real person who sent the brochure to the data subject is a free entrepreneur under the terms of the contract signed with the company and acts independently of the company, and therefore holds the title of data controller independently of the company when processing the personal data of his customers. It was decided that there is no action to be taken against the company within the scope of the KVKK, since the company has no involvement in the personal data processing activity under examination. However, the processing of the data subject’s name and contact information by sending a promotional brochure by letter in the data subject’s name has no connection with the order covered by the invoice submitted by the data controller: the brochure was not sent together with the order specified in the invoice, and its sending alone was not based on any of the processing conditions defined in the KVKK. Considering the unfairness of the misdemeanour committed, together with the fault and economic situation of the data controller, it was decided to impose an administrative fine of 30,000 TL.

Legal Basis for the Authorisation Certificate Allocated to the Lawyer Acting for a Public Legal Entity

In his complaint, the data subject, who is a lawyer, stated that during negotiations on the termination of the legal consultancy and advocacy contract between himself and the Union, which has public legal personality, a lawyer who introduced himself as the Union’s representative called him and asked him to terminate the contract; that, because this lawyer spoke in a manner contrary to the ethics of the legal profession while the negotiations were continuing, the data subject complained to the Bar Association so that a disciplinary investigation would be conducted against the lawyer in question; and that the lawyer complained of thereupon attached to the defence petition he submitted to the Bar Association Presidency photocopies of the self-employment receipt and withholding tax payment list containing the data subject’s personal data, the originals of which were held only by the Union within the scope of the consultancy contract and had been issued to the Union.

As a result of the Board’s examination, the Board stated that the Decree Law on the Execution of Legal Services in Public Administrations within the Scope of the General Budget and Special Budget Administrations stipulates that “…services may be purchased from self-employed lawyers or law partnerships through direct procurement in order to carry out accountancy services.”, the Regulation on the Procedures and Principles Regarding the Procurement of Services from Independent Lawyers states that “Administrations may procure services from their own legal departments, … or from independent lawyers in cases where the service requires special expertise and is determined with the approval of the relevant minister.”, and the Law on Attorneys states that “Lawyers or attorney partnerships may give another lawyer or attorney partnership a certificate of authorisation replacing a power of attorney to cover all their powers of attorney in which they have the authority to delegate others. This authorisation document shall have the effect of a power of attorney.”, and the Regulation on the Attorneyship Law stipulates that “Attorneys or attorney partnerships may appoint another attorney or attorney partnership as an attorney on behalf of their clients by issuing a special authorisation document…covering all powers of attorney in which they have the authority to delegate others. This authorisation document, which has the effect of a power of attorney, has the function and effect of a power of attorney for all judicial authorities and public and private persons, institutions and organisations.”

Within this framework, after the termination of the legal counselling contract between the data subject and the Union, the lawyer complained of became the Union’s attorney under the authorisation certificate issued by the lawyer contracted by the Union.

The Union holds the title of data controller in respect of sharing the documents containing the data subject’s personal data with the lawyer complained of, from whom it received legal counselling services, since it determined the purpose and means of processing the personal data. As an institution with public legal personality, the Union procures external legal services in the course of fulfilling the duties assigned to it, and in this case sharing the documents containing the data subject’s personal data with the lawyer in question can be assessed under the processing condition that “data processing is mandatory for the establishment, exercise or protection of a right”. It was therefore stated that there is no action to be taken within the scope of the Law regarding the data subject’s complaint against the Union.

The lawyer complained of obtained the documents containing the data subject’s personal data as a requirement of the work performed under the contract concluded with the Union, and then, after the dispute with the data subject, transmitted those documents to the Bar Association; by determining the purpose and method of processing the personal data in this way, he holds the title of data controller in the present case. Since the transfer of the documents containing the data subject’s personal data to the Bar Association as evidence within the scope of the investigation is in accordance with Article 8 of the KVKK, it was decided that there is no action to be taken within the scope of the Law regarding the data subject’s complaint about the lawyer in question.

‘Distribution Service Provider’ Status of Cargo Companies

The headphones delivered by the relevant person to the shopping centre branch of the electronics retail chain for a repair were delivered to the cargo company by the store authorities to be forwarded to the distributor company; however, the cargo company delivered the relevant product to an unrelated third party instead of the distributor company.

In the defence submitted by the cargo company to the Authority, it was stated in summary that the cargo company holds an ISO/IEC 27001 certificate for information security management, protection of personal data and compliance with the relevant legislation; that it performs its services through its agencies, with the information and clarification obligations regarding the protection of personal data fulfilled by the cargo company in the annex to the agency agreement concluded with the agency, and the security of personal data addressed in the service contract concluded by the agency; that all cargo company employees and supplier/agency employees have been given pre-service training on the confidentiality of personal data and information security; and that the content of a shipment is not recorded, so the parties had no knowledge that the data subject’s personal information was included in the shipment.

In the final examination of the Board, it was decided that the personal data processing/transfer activity, which consists of sending the documents containing some personal data of the data subject to the distributor company by the data controller, which are stated to be placed in the cargo package so that the headphones of the data subject can be repaired by the distributor company, is based on the legal conditions of “It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract” and “It is mandatory for the data controller to fulfil its legal obligation”, and therefore there is no action to be taken under the Law.

It was decided that the personal data of the person concerned in the documents sent by the data controller to the distributor company in order to carry out a repair operation is in accordance with the ordinary course of life and that no clear violation of the general principles specified in Article 4 of the KVKK could be detected, however, it was decided to warn the data controller to take the necessary measures to ensure that minimum personal data is shared in the forms in the cargo packages that may be sent to the repair companies by the data controller for product repair in the future and that the shared personal data is masked as much as possible.

In the cargo shipment process subject to the complaint, the legal entity data controller has the title of “sender”, the legal entity distributor company has the title of “receiver”, and the data subject is not a party to the shipment. Since the cargo company, which cannot be expected to know the content of the cargo in the present case, did not directly carry out any personal data processing activity concerning the data subject in the capacity of data controller or data processor, there is no action that can be taken against the cargo company under the provisions of the Law. The Guideline titled “Data Controller and Data Processor” published on the official website of the Authority states: “… However, although the courier company physically holds the credit cards, it is not possible to access the information related to the credit card in question. In this case, the courier company, which serves as a delivery service provider, is neither a data controller nor a data processor. Therefore, it is only obliged to ensure the security of the physical goods it carries, and there is no obligation to comply with the processing of personal data.”

GRC LEGAL Comment

We are of the opinion that the decision summaries published by the Board frequently refer to fundamental principles, and the reason for this reference is to draw attention to compliance with the general principles listed in Article 4, even if the processing conditions in the LPPD are relied upon.

In the world of personal data protection, it is easy to come to the conclusion that the goal is to establish a culture before the management of documentation such as clarification texts and data transfer undertakings, that terms such as proportionality and data minimisation should be brought up more frequently, and that companies should be encouraged to think about which data items they can give up in their life cycles before stepping into a KVKK compliance project.

Another point to note in the set of decision summaries examined is that the economic situation of the data controller is taken into account in the fines imposed for infringements; the size of the data controller is assessed independently of the violation and the complaint, and it can be said that it is used as a criterion in determining the amount of the fine.