PDPL BULLETIN – MAY 2024
The Law on the Protection of Personal Data (“Law”) and its secondary legislation form a living body of rules that has been updated frequently since the Law took effect. Many of the procedures and principles governing data protection are set not only by the Law and the secondary regulations issued under it, but also by the decisions, principle decisions and decision summaries of the Personal Data Protection Board (“Board”). Our monthly bulletins therefore aim to keep the relevant parties informed of, and up to date with, the Board’s practice.
In May 2024, in addition to data breach notifications, the Board published announcements on the letter of undertaking applications of Bosch Termoteknik Isıtma ve Klima Sanayi ve Ticaret Anonim Şirketi and Huawei Telekomünikasyon Dış Ticaret Limited Şirketi. In addition, the Personal Data Protection Authority (“Authority”) prepared the “Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad” under the new articles of the Law, which will enter into force on September 1, and submitted it for public consultation. Subsequently, by Board Decision dated 16/5/2024 and numbered 2024/763, draft documents on the Standard Contract and Binding Corporate Rules, which are envisaged as appropriate safeguards for the transfer of personal data abroad under Article 9/4 of the Law, were published.
DATA BREACH NOTIFICATIONS
Article 12/5 of the Law, titled “Obligations regarding data security”, provides: “In the event that the processed personal data is unlawfully obtained by others, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In May 2024, thirty-seven data breach notifications were published on the Board’s website kvkk.gov.tr.
Alexion İlaç Ticaret Limited Şirketi
In the data breach notification submitted to the Board by the data controller Alexion İlaç Ticaret Limited Şirketi, it was stated, in summary, that the breach took place between 13.02.2024 and 21.02.2024 and was detected on 05.05.2024; that a cyber attack was carried out on the systems of eClinical Solutions LLC (data processor), from which the data controller receives clinical research services; and that data stored on the data processor’s SFTP server was found to have been exfiltrated by unauthorized person(s). The groups of persons affected by the breach were stated to be principal investigators, research center staff, persons assigned to the research study and clinical trial participants/volunteers; a total of 607 persons were affected, 150 of whom were clinical trial participants/volunteers. The personal data affected by the breach were as follows. For clinical trial participants/volunteers (all of it “pseudonymized/coded”): participant ID (key-coded identifier), study name, status, date of explicit consent, date of screen failure, randomized date, arm/cohort/specification, date of first dose, date of current dose, date of last dose, date of last visit, number of rescreenings, previous participant ID, age, gender, race, ethnicity, randomized end of period, reason for stopping treatment, date treatment was stopped, reason for stopping the study, date the study was stopped, completed study, study completion date, date of death, SDVTier, participant ID, year of birth, laboratory results, value within range, laboratory date, medications used and medical history information. For principal investigators, research center staff and persons assigned to the research study: field personnel information, UserOID, login name, screen name, full name, user role, country and institutional contact information (address, e-mail, fax, telephone, license number).
Pınar Tekstil Tuh. İnş. ve Paz. Tic. Limited Şirketi
In the data breach notification submitted to the Board by the data controller Pınar Tekstil Tuh. İnş. ve Paz. Tic. Ltd. Şti., it was stated, in summary, that the breach took place between 23.04.2024 and 25.04.2024 and was detected on 24.04.2024, and that a cyber attacker who had obtained the credentials of an admin account accessed the system used by the data controller. The personal data categories affected by the breach are identity (name, surname), contact (mobile phone number, e-mail address) and customer transaction (shopping history of natural and legal persons) information. It was reported that 36,956 persons were affected, that the affected group of persons is customers, and that data subjects can obtain information about the breach via the data controller’s website (b2b.pinartekstil.com.tr) and the telephone number 0850 241 76 70.
Abi International Dış Ticaret Limited Şirketi, Hamra Global Dış Ticaret ve Sanayi Limited Şirketi, Titiz Bebek ve Sağlık Ürünleri Anonim Şirketi, Akıl Plastik Sanayi ve Ticaret Limited Şirketi, Titiz Gayrimenkul Yatırım ve İnşaat Sanayi Ticaret Anonim Şirketi, Karcam Plastik ve Cam Sanayi Ticaret Limited Şirketi
In the data breach notifications submitted to the Board by the above companies acting as data controllers, it was stated that the breach resulted from a cyber attack in which some of the company data was encrypted and a ransom was demanded from the data controllers, and that the breach began on 13.04.2024 and was detected on 22.04.2024. The personal data categories stated to be affected are identity, contact, location, personal, legal transaction, customer transaction, physical space security, transaction security, risk management, finance, professional experience, marketing, audio-visual records, appearance and dress, health information, biometric data, and criminal conviction and security measures data. The number of persons and records affected could not be determined, and the affected groups of persons are employees, customers and potential customers.
Data Breach Notifications of Data Controllers Receiving Service from Data Processor Tekrom Teknoloji Anonim Şirketi
Data Controller Name | Estimated Number of People Affected
--- | ---
Agadigital Elektronik Mağazacılık ve Tic. A.Ş. | 4,235
Kervan Tekstil San. ve Dış Tic. A.Ş. | 3 (13,873 records)
Sezer Plastik Kalıpsan. ve Tic. Ltd. Şti. | 5,000
Tesbihci Baba Değerli Taşlar Ltd. Şti. | 65,536
Ser Dayanıklı Tüketim Malları İç ve Dış Tic. San. A.Ş. | 9,300
Tepe Home Mobilya ve Dekorasyon Ürünleri San. Tic. A.Ş. | 39,973
Acar Züccaciye Dış Tic. Ltd. Şti. | 17,330
Alkan Kardeşler Elektrik Sanayi ve Tic. A.Ş. | 800
AYS Ayshan Moda Tekstil Sanayi ve Dış Tic. Ltd. Şti. | 50,000-100,000
Aytek Giyim San. ve Tic. Ltd. Şti. | 1,404
Dayne Sağlık Ürünleri Ltd. Şti. | 40,770
Dermo Grup İnt. Mağ. San. ve Tic. A.Ş. | Unknown
Hacı Şerif Gıda İth. İhr. San. ve Tic. Ltd. Şti. | Unknown
Hedef Dağıtım Kozmetik Tic. A.Ş. | Unknown
Hobiyün İplik San. Tic. Paz. Ltd. Şti. | Unknown
Mib Mağazacılık Tic. A.Ş. | 77,310
Novastore Hazır Giyim ve Mağazacılık A.Ş. | 8,694
Robolink Teknoloji Elektronik Medikal Mühendislik İnşaat Danışmanlık Yazılım Sanayi ve Tic. Ltd. Şti. | 90,000
Sarar Büyük Mağazacılık Ticaret A.Ş. | Unknown
Setre Konfeksiyon Tekstil Kuyumculuk Sağlık Ürünleri Sanayi ve Ticaret A.Ş. | 29,997
GIZIA Moda Tekstil Sanayi ve Dış Ticaret Ltd. Şti. | Unknown
Age Mutfak Eşyaları Ticaret A.Ş. | 298,906
Aslan Ticaret Dayanıklı Tüketim Malları Ltd. Şti. | Unknown
BYM Fashion Tekstil Sanayi Ticaret Ltd. Şti. | 11,177
Express Sanal Mağazacılık Anonim Şirketi | Unknown
It was stated that the data of these data controllers was captured by infiltrating the management panel provided to them by the data processor Tekrom Teknoloji Anonim Şirketi (“T-Soft”): the cyber attacker obtained a username and password registered in the data controllers’ systems and used it to capture the data of the users registered there. The data controllers receive e-commerce infrastructure services from T-Soft. Although each data controller detected the breach on a different date, the notifications received show that the breach was generally detected after April 20, 2024. The groups of persons affected differ from one data controller to another and include employees, users, subscribers and customers; the group common to all of them is customers.
Aker Mağazacılık Tekstil Ticaret ve Sanayi Anonim Şirketi
In the data breach notification submitted to the Board by the data controller Aker Mağazacılık Tekstil Ticaret ve Sanayi Anonim Şirketi, it was stated, in summary, that the start date of the breach is unknown, that it ended on 24.04.2024, and that the data controller has been receiving services through the T-Soft (data processor) application software since 2021. A cyber attacker sent the data controller a message claiming to have captured the data (including e-mail addresses/passwords) of the members registered in the T-Soft application used by the data controller, and the breach was detected on 24.04.2024 when an employee of the data controller saw this message. The affected groups of persons are employees and customers; approximately 25,735 persons were affected, 8 of whom are employees. The personal data categories affected are identity (name, surname) and contact (e-mail address, mobile phone number) for employees, and identity (name, surname, TR ID number), contact (e-mail address, mobile phone number), transaction security and customer transaction information for customers. Data subjects can obtain information via the data controller’s website (www.aker.com.tr), the Aker Mağazacılık call center (444 25 37) and the data controller’s e-mail address (destek@aker.com.tr).
Lizay Kuyumculuk Ticaret Anonim Şirketi
In the data breach notification submitted to the Board by the data controller Lizay Kuyumculuk Ticaret Anonim Şirketi, it was stated, in summary, that the breach started on 20.04.2024 and was detected on the same day; that the data controller receives e-commerce infrastructure services from T-Soft; that the data controller’s data was compromised by infiltrating the management panel provided by T-Soft, the attacker having obtained a username and password registered in the data controller’s systems and then the data of the other users registered in the system; and that the breach was detected through an e-mail the cyber attacker sent to the data controller. The affected groups of persons are subscribers/members, customers and potential customers; 34,602 persons were affected; and the affected personal data categories are identity, contact and location.
Asimetrik Ses Işık ve Görüntü Sistemleri Anonim Şirketi
In the data breach notification submitted to the Board by the data controller Asimetrik Ses Işık ve Görüntü Sistemleri A.Ş., it was stated, in summary, that the breach started on 23.04.2024 and was detected on the same day, that the data was obtained by infiltrating the management panel provided by the data processor T-Soft, and that the breach is thought to have occurred when the cyber attacker obtained a username and password registered in the data controller’s system and then the data of the other users registered there. 26,968 persons were affected; the affected groups of persons are customers and potential customers; and the affected personal data are name, surname, address, Turkish ID number (where entered correctly), telephone numbers, date of birth (where shared by customers), e-mail address and customers’ last order information.
Announcements about the Letter of Undertaking Application
The Letter of Undertaking application for the transfer of personal data abroad submitted to the Authority by Bosch Termoteknik Isıtma ve Klima Sanayi ve Ticaret Anonim Şirketi on 15.02.2024 was evaluated by the Board under Article 9/2-b of the Law and found to have neither procedural nor substantive deficiencies. On 02.05.2024, the Board authorized the said data transfer.
The Letter of Undertaking application for the transfer of personal data abroad submitted to the Authority by Huawei Telekomünikasyon Dış Ticaret Limited Şirketi was evaluated by the Board under Article 9/2-b of the Law and found to have neither procedural nor substantive deficiencies; the Board authorized the data transfer on 28.05.2024.
Thus, as of the eighth effective year of the Law, the number of companies approved to transfer personal data from Turkey to abroad increased to 10.
GRC LEGAL Comment: A review of the data breach notifications published in May shows that most of the breaches resulted from cyber attacks exploiting security weaknesses on the data processor’s side. In particular, many data controllers suffered breaches through the service they received from the software company T-Soft, and their names were announced on the Board’s website. A single compromise of a shared processor platform thus affected every data controller using it, and these companies’ customers, together with several other groups of data subjects, were affected by the breaches.
Under the Law, data controllers are obliged to take all necessary technical and administrative measures to ensure an appropriate level of data security. Given that even well-known and well-resourced companies are exposed to cyber attacks, it is important for data controllers to keep pace with constantly evolving technology and to build their infrastructure securely in order to prevent possible data breaches. It is also essential to take certain additional contractual steps so that the recourse relationship arising from the joint liability imposed on data controllers and data processors can be enforced.