KVKK BULLETIN – OCTOBER 2024

The Law on the Protection of Personal Data (‘Law’) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law and the secondary regulations enacted under the Law, but also by the Personal Data Protection Board (‘Board’) Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform the relevant parties about the Board’s practices and to keep them up-to-date.

In October 2024, three data breach notifications and ‘Public Announcement on Standard Contract Notification Module’ were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD titled ‘Obligations regarding data security’ states that ‘In the event that the processed personal data is unlawfully obtained by others, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.’

Kilis 7 December University

In the data breach notification submitted to the Board by Kilis 7 Aralık University, which has the title of data controller; It was stated that the source of the breach and how it occurred have not yet been determined. Data confidentiality has been breached as a result of unauthorised access, and although the start date of the breach is unknown, it was reported to have ended on 25.09.2024. The breach was detected upon notification made by the National Cyber Incident Response Centre (USOM) on 24.09.2024. It has been stated that students, customers and potential customers are among the groups of people affected by the breach, and the personal data affected by the breach are T.R. ID number, first name, surname, address and telephone number in the Transfer Table, T.R. ID number, first name, surname and telephone number in the Health Culture and Sports Registration Table, first name, surname, e-mail and telephone number in the Astroturf Field Reservation Table, and T.R. ID number, first name, surname and telephone number in the Formation Tables. It is stated that the tables subject to the breach contain data of 2,747 people in total.

Atılım University

In the data breach notification submitted to the Board by Atılım University, which is the data controller, it was stated that cyber attackers gained unauthorised access tothe systems ofthe data controller and queried the education information of some individuals through the Higher Education Information System (‘YÖKSİS’) of the Council of Higher Education through a service in these systems. It has been reported that the violation started on 09.05.2024 and ended on 05.06.2024, only the YÖKSİS education information (with T.C. ID number) of active (studying) students can be queried through the service subject to the violation, but the number of people affected by the violation cannot be clearly determined.

Lokman Hekim University

In the data breach notification submitted to the Board by Lokman Hekim University, which has the title of data controller; It was stated that the data controller received hosting services from the company named Natro, and that the breach occurred as a result of the login information of the natro.com customer account used by the data controller was captured by cyber attackers and unauthorised access to the account. It was stated that the breach started on 05.10.2024 and ended on 06.10.2024. Students and employees are among the groups of people affected by the breach, and the personal data affected are name, surname, Turkish ID number, address, telephone number, e-mail address and encrypted (MD5) website login passwords. The number of persons affected by the breach is stated to be 2,308 and the data subjects can get information about the breach via the data controller’s e-mail address and call centre.

GRC LEGAL Comment: Looking at the data breach notifications for October, it is seen that unauthorised access to the information systems of Kilis 7 December and Atılım University occurred as a result of external interventions and these accesses led to data breaches. Within the scope of the obligation to take all kinds of technical and administrative measures imposed on data controllers pursuant to the Law, it is vital to take effective measures especially against external attacks on information systems.

Data controllers are required to regularly check the software used in information systems, conduct periodic penetration tests to ensure network security and make necessary improvements according to the results of these tests. In addition, it should not be neglected to take administrative measures such as making all software and hardware updates on time to ensure the security of the systems, and organising training and information activities to increase awareness of personal data and cyber security.

When the data breach notification made by Lokman Hekim University is examined, it is seen that the breach was caused by a cyber-attack that occurred within the business partner working in hosting processes. It is essential for data controllers to bind the management of their relations with data processors to a strict legal framework. In this context, one of the other important actions to be taken as an administrative measure is to sign a Data Processor Protocol in addition to the contracts to be concluded with business partners who have the title of data processor and to conduct data security maturity assessment with suppliers through tools such as the Business Partner Awareness Form . In this way, a recourse relationship may be brought to the agenda within the scope of the joint liability imposed on data controllers and data processors by Article 12 of the Law.

Effective implementation of such technical and administrative measures will contribute to the prevention of possible data breaches. Thus, both the protection of personal data will be ensured and the obligations under the Law will be fulfilled.

Public Announcement on Standard Contract Notification Module

As it is known, within the scope of the Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws, with the amendment made to Article 9 of the Law on the transfer of personal data abroad, standard contracts are envisaged as an appropriate assurance method that data controllers and data processors may apply in the transfer of personal data abroad. The aforementioned article also imposes an obligation on the data transferor or the relevant party to be determined according to the preference of the parties to notify the Personal Data Protection Authority within five business days following the signing of the standard agreements.

The Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad regulates that notifications can be made physically, by registered electronic mail (REM) address or by other methods determined by the Board. Within this framework, with the Board’s decision dated 17 October 2024 and numbered 2024/1793, the Standard Contract Notification Module (‘Module’) was put into use in order to enable data controllers and data processors to fulfil their notification obligations more quickly and effectively over the internet.

A Standard Contract Notification Guide has been published together with the Module and a guidance on how to perform standard contract notifications has been provided. In order to make these notifications, data controllers and data processors must appoint an authorised person. Likewise, the entry of an authorised person is a prerequisite for contract addition, contract modification and other activities to be carried out within the framework of the Module.

GRC LEGAL Comment: The introduction of the Module will both accelerate business processes and reduce the operational difficulties that companies may experience in fulfilling their obligations. The module aims to make processes easier for organisations. In this sense, it will be healthy for data controllers, especially those who transfer personal data abroad, to master this new Module as soon as possible and perform contract notifications through this system.