PERSONAL DATA PROTECTION LAW

The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation form a living body of law that has been updated frequently since it entered into force. Many procedures and principles related to data protection are determined not only by the Law, the Regulation and the Communiqué, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up to date.

In September, Data Breach Notifications were published by the Personal Data Protection Board.

In the announcement made by the Board on 17 September 2022, it was stated that the 1st National Symposium on the Protection of Personal Data in Audiovisual Media will be held in Ankara on 4 October 2022, and that questions and suggestions regarding the programme details can be sent to gorselisitselmedyadakvk@rtuk.gov.tr.

DATA BREACH NOTIFICATIONS

Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In September 2022, six data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.

Postal and Telegraph Organisation Savings and Relief Fund

In the data breach notification submitted to the Board by the Postal and Telegraph Organisation Savings and Relief Fund, in summary, it was stated that the breach occurred between 29.08.2022 and 30.08.2022 and was detected on 30.08.2022; that unauthorised access to the system containing the members' information was obtained by means of malicious software; that unauthorised persons claimed to have obtained personal data of PTT employees, such as mother's maiden name and identity card volume (cilt) serial number, together with a 3.2 GB database backup and all files of the website; that the personal data affected by the breach were information regarding identity and membership transactions; that approximately 38,000 records were affected by the breach; and that work on the breach is ongoing.

Biblos Alaçatı Turizm Yatırımları A.Ş.

In the data breach notification submitted to the Board by Biblos Alaçatı Turizm Yatırımları A.Ş., which has the title of data controller, in summary, it was reported that the source of the breach was a ransomware attack and a password attack, that it started on 19.08.2022, and that the cyber attack was detected on the same date through messages sent to the data controller's business phones and e-mails sent to its personnel.

It is seen that the categories of personal data affected by the breach are identity, communication, customer transaction, finance, marketing, and visual and audio-visual records, and that the categories of sensitive personal data are health information and biometric data. It is further stated that personnel payroll records, guest data and the company's financial data may have been exposed to the breach through the programmes used in the human resources, front office and finance departments, and that there are data items that have not yet been identified.

It was stated that the groups of persons affected by the breach are employees, customers and potential customers, that the estimated number of persons is 450, and that the inventory study of the cyber-attacked programmes and data is ongoing. It was also stated that no notification could be made to the relevant persons because their data were deleted as a result of the cyber attack.

Fuudy Elektronik İletişim Perakende Gıda Lojistik A.Ş.

In the data breach notification submitted to the Board by Fuudy Elektronik İletişim Perakende Gıda Lojistik Anonim Şirketi, which has the title of data controller, in summary, it was stated that the date on which the breach started has not yet been determined; that the breach was detected by the data controller on 12.09.2022, when an e-mail regarding the alleged breach was sent to the data controller's corporate e-mail address and the records in the e-mail were found to match the records held by Fuudy; that it has not yet been determined how the person or persons who committed the breach obtained this information or by which method the breach was carried out; and that the investigation into how the breach occurred continues.

It is stated that the personal data affected by the breach are the name, surname, e-mail address, mobile phone number and address ID held in the test part of the system; that the address ID among these personal data is not up to date; that the estimated number of persons affected by the breach is approximately 81,452; and that work to determine the exact number of persons is ongoing.

Marmara University

In the data breach notifications submitted to the Board by Marmara University, which has the title of data controller, in summary, it was stated that on 15.09.2022 the breach occurred when an unauthorised person obtained the authorised user account of the SMS sending service in the data controller's Information Management System (IMS) and sent SMS messages; that, since the account has the authority to define new user accounts, it was also determined that 3 new user accounts had been defined; that “bulk sms sending” can be performed through the dynamic reporting screen that was subject to unauthorised access, as can access to the identity, contact and personal information of the academic and administrative staff working at the university; that the number of persons affected by the breach is 5698; and that the groups of persons are employees and users. The telephone number and e-mail address where the relevant persons can obtain information about the breach are stated.

Özel Keystone Eğitim ve Eğitim Dan. A.Ş.

In the data breach notification submitted to the Board by Özel Keystone Eğitim ve Eğitim Dan. A.Ş., which has the title of data controller, in summary, it was stated that the breach occurred on 22.09.2022 and was detected on the same day, and that it was carried out by opening the closed e-mail address of a former teacher who had worked for the data controller and sending e-mails containing the school's accounting records, the wage scale information held on Drive, and parent and student names to all school parents and staff.

It is stated that the personal data affected by the breach fall into the identity, communication, personal, legal proceedings, transaction security, risk management, financial information and other categories; that the number of persons and records has not yet been determined; and that the relevant groups of persons are employees, users, subscribers/members, students and customers/potential customers.

Flo Mağazacılık ve Pazarlama A.Ş.

In the evaluation made as a result of the notification submitted to our Institution regarding Flo Mağazacılık ve Pazarlama A.Ş., which has the title of data controller, it was determined that the personal data of the users of the data controller's instreet.com.tr website had been published on a publicly accessible website; that the personal data affected by the breach are the name, surname, user name and user password, the first 4 and last 4 digits of the credit cards belonging to 380 of these users, and the information showing which bank these credit cards belong to; and that the number of relevant persons affected by the breach may be approximately 3500.

It has been decided to apply to the Criminal Judge of Peace in order to stop the personal data processing activities on the website where user information is published.