PERSONAL DATA PROTECTION LAW

The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation form a living body of law that has been frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up to date.

In November, Data Breach Notifications were published by the Personal Data Protection Board.

The publication “Personal Data Protection Authority in its 5th Year”, which compiles the institutional activities carried out by the Board from January 2017, when it started its activities, until April 2022, under general headings, was presented to the public.

Consisting of 222 pages, the publication “Personal Data Protection Authority in its 5th Year” includes the institutional development process, legislation and secondary regulations, public announcements made so far, awareness meetings held on a provincial basis, congresses, workshops, panels and seminars, cooperation protocols, projects and competitions, social media and press activities.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In November 2022, six data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

Baykar Motorlu Araçlar A.Ş.

In summary, the data breach notification submitted to the Board by Baykar Motorlu Araçlar Anonim Şirketi reported that the data breach occurred as a result of the cyber attack on 14.10.2022, that the use of the systems was blocked, and that the groups of persons affected by the breach were employees, users and customers/potential customers.

In addition, the breach notification states that the personal data categories affected by the breach are identity, communication, personal, legal transaction, customer transaction, transaction security, finance, professional experience, marketing and audio-visual records, as well as health and criminal conviction and security measures among the special categories of personal data, and that the number of persons affected has not yet been determined.

Aktif İnşaat Taşımacılık Pazarlama Sanayi ve Ticaret A.Ş.

It was reported that Aktif İnşaat Taşımacılık Pazarlama San. ve Tic. A.Ş., as the data controller, was subjected to a cyber-attack on 28.10.2022, that the breach was detected on the same day due to the failure of the software within the data controller, and that the data and programmes regarding accounting, human resources and customer records on the servers were deleted.

It is stated that the categories of personal data affected by the breach are identity, contact, personal, legal transaction, customer transaction, transaction security, finance, professional experience, marketing, health information, criminal conviction and security measures, while the groups of persons affected by the breach are employees, customers, children and some real person suppliers, and the number of affected persons has not yet been determined.

AES Otelcilik Turizm ve Ticaret A.Ş.

In summary, the data breach notification submitted to the Board by AES Otelcilik Turizm ve Ticaret Anonim Şirketi, which has the title of data controller, stated that the breach occurred through a cyber attack on 28.10.2022, that it was detected on the same day as a result of the examination made after the software within the data controller did not work, and that the data and programmes related to accounting, human resources and customer records on the server were deleted.

It has been reported that the categories of personal data affected by the breach are identity, contact, personal, legal transaction, customer transaction, transaction security, finance, professional experience, marketing, health information, criminal conviction and security measures, and that, although the number of people affected by the breach has not yet been determined, the groups of people affected are employees, customers, children and some real person suppliers.

Aliza Otelcilik Turizm ve Ticaret A.Ş.

In summary, the data breach notification submitted to the Board by Aliza Otelcilik Turizm ve Ticaret Anonim Şirketi, which has the title of data controller, stated that due to the cyber attack on 28.10.2022, the data and programmes related to accounting, human resources and customer records on the server were deleted, that the breach was detected on the same day as a result of the examination made after the software within the data controller did not work, and that the number of people affected by the breach is not yet known.

The breach notification reports that the categories of personal data affected by the breach are identity, contact, personal, legal transaction, customer transaction, transaction security, finance, professional experience, marketing, health information, criminal conviction and security measures, and that the groups of persons affected are employees, customers, children and some real person suppliers.

Pamukkale Municipality

In summary, the data breach notification submitted to the Board by Pamukkale Municipality, which has the title of data controller, stated that on 18.11.2022 a SQL (Structured Query Language) attack was made on the website of the data controller; that, within the scope of threat intelligence activities carried out within USOM (National Cyber Incidents Response Centre), it was determined that some information considered to belong to the data controller had been published by the attackers on various forum sites on the internet; and that the breach was notified through the warning and information message transmitted by SOME (Cyber Incidents Response Teams).

*SQL, which stands for Structured Query Language, is the name given to the database management system that can host data of different sizes and functions.

Due to the breach, it is suspected that the Turkish ID number, address, contact information, and first and last name data of students and tradesmen held in the scholarship and tradesmen assistance tables of the website database may have been leaked, and the number of people affected by the breach is 11,000.

Shanghai Moonton Technology Co. Ltd.

In the data breach notification submitted to the Board about Shanghai Moonton Technology Co. Ltd., also known as Moonton Games, which has the title of data controller, it was reported that a data breach occurred as a result of the data of users who are members of the discussion forum site for the game Mobile Legends, operated by the data controller, being shared on a website, and that the breach started on 12.09.2022, ended on 15.09.2022 and was detected on 03.11.2022.

The notification stated that the data of 3,375 users and forum site members in the categories of identity, contact (e-mail) and transaction security, as well as other personal data such as user ID, user name, domain visits, gender, domain used, points, reputation, assets, contribution points, registration date, last visit time, IP used during registration, last visit IP and last activity time, were affected by the data breach.