KVKK BULLETIN – SEPTEMBER 2024

The Law on the Protection of Personal Data (“Law”) and its secondary legislation form a living body of law that has been frequently updated since its effective date. Many procedures and principles regarding data protection are determined not only by the Law and the secondary regulations enacted under it, but also by the Personal Data Protection Board (“Board”) Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform the relevant parties about the Board’s practices and to keep them up to date.

In September 2024, in addition to the data breach notifications issued by the Board, the Medium Term Program (“MTP”) for the years 2025-2027 was published by the Presidential Strategy and Budget Directorate on 05.09.2024. In the MTP, in line with the European Union (“EU”) digital economy regulations affecting the export of goods and services, it was stated that the harmonization process of the Law with the EU acquis, particularly the EU General Data Protection Regulation (“GDPR”), will be completed by the 4th quarter of 2025.

DATA BREACH NOTIFICATIONS

Article 12/5 of the KVKK, titled “Obligations regarding data security”, provides: “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In September 2024, two data breach notifications were published on the Board’s website, kvkk.gov.tr.

İncirli Sağlık ve Sosyal Tesisler Anonim Şirketi

In the data breach notification submitted to the Board by İncirli Sağlık ve Sosyal Tesisler Anonim Şirketi, which has the title of data controller, it was stated that the breach occurred in the form of an external intervention into the data controller’s information system, in which all data, including all registered applications, was deleted and destroyed together with its backups; that the breach started on 14.08.2024 and ended on 04.09.2024; that the groups of persons affected by the breach are employees and patients; and that the personal data categories affected by the breach are identity, communication, location, personal, legal transaction, customer transaction, physical space security, health information, sexual life, biometric data and genetic data. Due to the deletion of all records, it is not possible to know the number of outpatients and inpatients, or of all personnel who have ever worked at the data controller, but the number of people affected by the breach is estimated to be 1000 or more, and the relevant persons can obtain information from the data controller’s internet address and call center.

Kentaş Gıda Pazarlama ve Dağıtım Ticaret Limited Company

In the data breach notification submitted to the Board by Kentaş Gıda Pazarlama ve Dağıtım Ticaret Limited Şirketi, which has the title of data controller, it was stated that the data controller was subjected to a ransomware attack on 12.09.2024 and its files were encrypted; that the information belonging to the accounting program was affected by the breach, and therefore it is estimated that the invoice information related to accounting, the official books of the data controller, debit/credit accounts and the addresses and identification numbers of the personnel registered in the system were accessed; that the groups of persons affected by the breach are employees, users, customers and potential customers; that an estimated 1000 people were affected by the breach; and that the categories of personal data affected by the breach are identity, contact, location, customer transaction, transaction security, finance and marketing.

GRC LEGAL Comment

When the data breach notifications published in September are analyzed, it is seen that the data breaches occurred due to an external intervention into the information system of İncirli Sağlık ve Sosyal Tesisler Anonim Şirketi and due to the ransomware cyber attack on Kentaş Gıda Pazarlama ve Dağıtım Ticaret Limited Şirketi.

It is critical that data controllers, who are obliged under the Law to take all kinds of technical and administrative measures, take measures to prevent any external intervention into their information systems. In this context, administrative and technical measures that data controllers can take, such as checking the software running on their information networks, performing penetration tests at regular intervals, applying system updates, and increasing personal data and cyber security awareness, can close technical vulnerabilities and prevent data breaches from occurring as far as possible.