The Law on the Protection of Personal Data and its secondary legislation constitute a living body of law that has been updated frequently since its effective date. Only the Law, Regulation and
Many procedures and principles related to data protection are determined not only by the Communiqué, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform those concerned about the practices of the Personal Data Protection Board and to keep them up to date.
In November 2023, the Board published three data breach notifications and a “Public Announcement Regarding the Processing of Personal Data by Sending Verification Code via SMS to the Data Subjects during Shopping in Stores”.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In November 2023, three data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
BS Bizim Personnel Consultancy Services Inc.
In the data breach notification submitted to the Board by BS Bizim Personel Danışmanlık Hizmetleri A.Ş., in its capacity as data controller, it was stated in summary that the breach occurred on 26.10.2023 as a result of a ransomware attack and that the groups of people affected by the breach are employees, customers and potential customers.
It was stated that unauthorised access was gained to the data of the persons affected by the breach in the categories of identity, personal, legal proceedings, transaction security, union membership, and criminal conviction and security measures, and that the number of people affected has not yet been determined, with the investigation ongoing.
Demirkol Otel İşletmeciliği Turizm ve Ticaret Anonim Şirketi
In the data breach notification submitted to the Board by Demirkol Otel İşletmeciliği Turizm ve Ticaret Anonim Şirketi, in its capacity as data controller, it was stated that the breach occurred as a result of a ransomware attack on 04.11.2023, that the number of people affected by the breach was 5 and that the number of records affected was 300,000.
It was stated that the personal data categories affected by the breach are identity, contact, location, personal, legal transaction, customer transaction, transaction security, risk management, finance, professional experience, marketing, visual and audio records, and race and ethnicity information. In addition, the relevant persons were directed to the website address in order to obtain information about the breach.
Vava Cars Turkey Otomotiv Anonim Şirketi
In the data breach notification submitted to the Board by Vava Cars Turkey Otomotiv Anonim Şirketi, in its capacity as data controller, it was stated in summary that the breach, which occurred on 31.10.2023 and was detected on the same day, resulted from the identity information of an internal user being obtained and then used to access application data, and that 32,589 people, including employees, users, subscribers/members, customers and potential customers, were affected by the breach.
The categories of personal data affected by the breach are as follows: customer information provided when purchasing a car (name, address, phone number, e-mail address, IBAN, bank account information, price, VIN, licence plate number and vehicle information); customer information provided for appointments (name, address, phone number, e-mail address, appointment date, centre name and licence plate number); dealer data (name, e-mail address, phone number, address and contact name); customer data (customer name, e-mail address and telephone number); warehouse data (name, address, e-mail address, city and manager name); and tender details (starting price, reserve price, buy now price, total cost and vehicle details). Data subjects can obtain information about the data breach from the data controller via e-mail and the call centre.
GRC LEGAL Comment
An analysis of the data breach notifications published in November shows that two of the three breaches were carried out by cyber-attackers through ransomware attacks. As in many other data breaches, breaches therefore continue to occur because data controllers fail to act on all kinds of technical measures that should be taken.
Although technical measures are exemplified in the Personal Data Security Guide published by the Board, the expression "all kinds of technical and administrative measures" in Article 12 of the Law imposes a very broad obligation on data controllers. In this sense, while it can be said that there is no end to the measures that could be taken, considering the ordinary flow of commercial life it does not seem reasonable to expect data controllers to act on every conceivable technical measure.
Nevertheless, taking basic measures at a minimum, increasing efforts in this direction, and strengthening companies' technical infrastructure by making as much use as possible of developing technology will make it easier to prevent possible data breaches.
PUBLIC ANNOUNCEMENT
Public Announcement Regarding the Processing of Personal Data by Sending a Verification Code via SMS to Data Subjects during Shopping in Stores
The Personal Data Protection Authority stated that it conducted an examination after receiving many notifications and complaints alleging that "a verification code is sent to the relevant persons via SMS on the grounds that it is necessary for completing their payments, creating an invoice, forwarding the invoice to the contact address or updating their information within the scope of cash register transactions during shopping in stores, but after the said transaction, commercial electronic messages related to the store activities in question are sent to the relevant persons."
As a result of the Board's examination, it was determined that the data controller did not inform the relevant persons, either in the content of the SMS or before the verification code was sent during the cash register transaction, and/or that the verification code was requested on the claim that it was necessary for completing the cash register transaction or updating the information, and that the relevant persons were thereby misled in order to obtain explicit consent for the sending of commercial electronic messages.
As a result of the evaluation made in this context, the issues that the data controller should pay attention to are as follows:
As a requirement of layered disclosure, the purpose of the SMS to be sent to the phones of the relevant persons during the cashier transaction following the shopping in the store, and the consequences that may arise if the code transmitted by SMS is shared, should be conveyed clearly and understandably to the relevant persons by the persons authorised by the data controller in the stores, and the necessary information channels should be provided in the SMS content in order to fulfil the disclosure obligation.
The practice of carrying out different processing activities during payment transactions, such as approval of the membership agreement, obtaining permission to process personal data, or obtaining commercial electronic message approval, by sending a verification code via SMS to the relevant persons should be terminated, and explicit consent should be obtained separately by offering options for each processing activity that requires explicit consent.
Data controllers are required to carry out the procedures of obtaining explicit consent and fulfilling the disclosure obligation separately.
Where an SMS verification code is used in order to obtain explicit consent for sending commercial electronic messages, the explicit consent obtained in the relevant transaction must cover all the elements specified in the Law.
Explicit consent to the processing of personal data for the purpose of sending commercial messages should not be presented to data subjects as a mandatory element for completing the shopping. These practices should be carried out in accordance with the Law, as presenting consent as a mandatory element undermines the elements of explicit consent of being 'based on information and disclosed with free will'.
Explicit consent for the processing of personal data for the purpose of sending commercial electronic messages should be requested after the shopping has been completed. This will prevent the explicit consent for commercial electronic message authorisation from being perceived as a necessary element of the shopping.
GRC LEGAL Comment
Although a public announcement had already been made on 17.12.2021 in order to ensure the lawfulness of the personal data processing activities in question, the Board, prompted by the increase in notifications and complaints that followed the growing awareness of the persons exposed to these activities, has issued an updated public announcement that expands the scope of the issues data controllers should pay attention to.
These assessments stand out in that they include legal and operational guidelines on data controllers' obligations to provide disclosure and obtain explicit consent and on the sending of commercial electronic messages within the scope of the LPPD, and in that they impose certain responsibilities on store officials in accordance with Articles 1 and 6 within the scope of sending commercial electronic messages. In this context, informing all employees of their roles and responsibilities and raising their awareness in line with the LPPD and the rules on sending commercial electronic messages is an important administrative measure, especially for data controllers conducting retail sales.