PDPL BULLETIN – NOVEMBER 2024

The Law on the Protection of Personal Data (‘Law’) and its secondary legislation form a living body of law that has been frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law and the secondary regulations enacted under it, but also by the Personal Data Protection Board (‘Board’) Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform the relevant parties about the Board’s practices and to keep them up to date.

In November 2024, one data breach notification and the ‘Information Note on Chat Robots’ were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

In addition, according to recent statements by the Chairman of the Board, only 1,039 Standard Contract notifications have been made to the Board. Considering that most companies operating in our country use e-mail infrastructure services such as Microsoft 365 and G-Suite, this number is quite low. We are of the opinion that this is caused by difficulties arising from uncertainty in implementation, especially as companies adapt to the amendments to the Law and take steps to move forward with data recipients located abroad.

DATA BREACH NOTIFICATION

Article 12/5 of the LPPD titled ‘Obligations regarding data security’ states that ‘In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.’

Zello Inc.

In the personal data breach notification submitted to the Board by the data controller Zello Inc., it is stated that the breach occurred through a ransomware attack as a result of a threat actor gaining access to personal data held by the data controller; that the breach was detected when the threat actor contacted the data controller; that the groups of people affected by the breach are users, subscribers/members, customers and potential customers; that the personal data affected by the breach are the username, hashed password (encrypted with the MD5 algorithm), e-mail address and phone number provided by users when creating a Zello account; and that the number of people affected by the breach is 494,746.

GRC LEGAL Comment: In accordance with the obligation imposed on data controllers to ‘take all kinds of technical and administrative measures’, it should be emphasised once again that it is essential to take administrative measures such as increasing the awareness of employees, and technical measures such as checking which software and services are running on information networks.

INFORMATION NOTE

Information Note on Chatbots

A guidance note was published by the Board on 08.11.2024. It discusses the need to consider privacy from the outset, and to apply privacy-by-default approaches, at every stage of the development of chatbots.

GRC LEGAL Commentary: Chatbots have become a central part of our daily lives and a tool that we all use. Considering the personal data they come into contact with and how little work there is on this subject, it is expected that a more comprehensive guide on chatbots will be prepared for users and for organisations operating in the field of artificial intelligence, so that this information note can fully serve today’s needs.