The Law on the Protection of Personal Data and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board and to keep them up-to-date.

In October 2023, the Board published three data breach notifications and a “Guideline on Matters to be Considered in the Processing of Genetic Data”, which takes into account the international personal data protection legislation by addressing the processing and principles of genetic data and genetic data security, as well as the concepts of Privacy-Based Design and Data Protection Impact Assessment specified in the European Union General Data Protection Regulation. You can access our summary study containing our evaluations on the relevant guide via our LinkedIn account.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In October 2023, three data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

Havaist Taşımacılık Sanayi ve Ticaret A.Ş.

In the personal data breach notification sent to the Board by Havaist Taşımacılık Sanayi ve Ticaret A.Ş., which has the title of data controller, in summary; it was stated that the data controller attacked the systems of the data processor from which the service was received for sending text messages and that the breach occurred by providing unauthorised access to the information of the relevant persons, that text messages were sent to the relevant persons in order to carry out a phishing attack, that the mobile phone data of 77,000 people were affected by the breach, and that the group of people affected by the breach is not yet known.

Tokat Gaziosmanpaşa University

In the personal data breach notification submitted to the Board by Tokat Gaziosmanpaşa University, which has the title of data controller, in summary; It was stated that the data controller was notified on 03.10.2023 that the student information, which was evaluated to belong to Reşadiye Vocational School within the scope of threat intelligence activities carried out by the National Cyber Incidents Response Centre (USOM), was sold or attempted to be sold on various forum sites on the internet by attackers.

In the examinations carried out, it was determined that it was determined that the data controller systems were logged in as an authorised user from foreign IP addresses, the relevant group of people affected by the breach were students, the data affected by the breach; identity, communication, audio and visual recording data, the number of people affected by the breach is estimated to be 741.

Johnson Controls Klima ve Servis Soğutma San. ve Tic. Ltd. Şti.

Johnson Controls Klima ve Servis Soğutma San. ve Tic. Ltd. Şti. which has the title of data controller, in summary; it was stated that the breach occurred as a result of the data controller being exposed to a ransomware attack on 24.09.2023, some information technology assets that may contain personal data were also affected by this attack and cannot be used, the categories of personal data affected by the breach are not known at this stage, and the number and groups of persons affected by the breach are not yet known.

When the data breach notifications published in October are analysed, it is observed that the relevant breaches occurred as a result of phishing and ransomware attacks. It can be said that these data controllers faced a data breach as a result of inadequate or no measures taken within the scope of their obligations to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the protection of personal data.

In this context, it is of great importance to integrate the administrative and technical measures exemplified by the Personal Data Security Guide published by the Board into the Company’s business and processes and to create a corporate culture within the scope of the notion of personal data and privacy. In particular, certain measures such as conducting periodic awareness trainings for employees, strengthening technological infrastructures and making external access to the information assets of companies difficult will prevent many data breaches today.

COOPERATION PROTOCOL SIGNED BETWEEN THE PERSONAL DATA PROTECTION AUTHORITY AND THE COMPETITION AUTHORITY!

A cooperation protocol was signed between the Personal Data Protection Authority and the Competition Authority due to the development of a large number and variety of products and services that support the digital economy with data-based technologies, and the fact that the fields of competition and personal data protection have become closely intertwined.

In this context, the two authorities concretely;

Carrying out joint studies in developing areas that fall within the jurisdiction of both authorities and that may cause irreparable damage if not intervened quickly and effectively,

To publish reports with the cooperation of both institutions in order to raise awareness among users in terms of the protection of personal data and competition, especially in digital markets, and to convey a common message to undertakings in terms of practices concerning both areas of law,

Organising joint presentation and discussion programmes within the scope of the traditional “Wednesday Seminars” of the Personal Data Protection Authority and/or “Thursday Conferences” of the Competition Authority,

Organising trainings in which the relevant authorities share their expertise and experience in their areas of responsibility with each other,

To consult on common issues in national and/or international events organised and/or attended by the relevant authorities, and to support these events on issues within the authorities’ own fields,

It has been agreed to apply for active co-operation activities such as.