Data Protection Newsletter – September 2021 – Privacy – Turkey – Mondaq News Alerts


We share with you the important decisions and announcements
published by the Personal Data Protection Authority
("Authority"), together with other notable developments in
data privacy, for this month.

In August, the Authority published an announcement regarding the
transfer of personal data owned by Turkish citizens, a decision
regarding attorneys' unauthorized access to personal data
located in execution files, and its decisions as to data breach
notifications. We set out summaries of such announcement and
decisions below.

Announcement – Public announcement on requests of Turkish
citizens living abroad not to transfer their personal data
abroad

Following the applications before the Authority by Turkish
citizens living abroad requesting the Authority not to share their
personal data with institutions and organizations of foreign
countries, the Personal Data Protection Board ("Board")
has concluded the following within its decision of No. 693 dated 7
July 2021:

  1. The Board will not be able to review these applications as such
    applications do not meet the criteria under Articles 13 and 14 of
    the Law on Protection of Personal Data No. 6698 ("Law")
    governing applications addressed to data controllers, since they
    are of abstract nature and the data controllers are unknown.
  2. Automatic data sharing is subject to the "Multilateral
    Competent Authority Agreement on the Automatic Exchange of
    Financial Account Information," whereby the competent
    authority for implementation is the Turkish Revenue Administration
    under the Ministry of Treasury and Finance. Accordingly, the Board
    has not taken further actions as per the Law, stating that
    applications as to automatic data sharing must be made before the
    Ministry of Treasury and Finance.

The public announcement dated 9 August 2021 is available online
here (in Turkish).

Decision – Decision on unauthorized access to execution
files by attorneys

The Board evaluated complaints as to unauthorized access of
attorneys to execution files without having a power of attorney and
illegal transfer of such data by personnel of the Ministry of
Justice.

The Board emphasized that debtors' properties, rights or
receivables can be inquired as per Articles 8/a and 78 of the Law on
Enforcement and Bankruptcy. In addition, the Board underlined that,
in order to collect the receivables of their clients, attorneys are
allowed to examine litigation and execution files without presenting
a power of attorney, as per Article 46 of the Attorneys' Act No.
1136. Accordingly, the Board found that such data processing
activity can be conducted, upon the legal basis "explicitly
stipulated under the laws" as per Article 5/2(a) of the Law.
As a result, the Board found such processing in line with the Law
and did not impose any sanctions.

Decision No. 2020/511-512-513 dated 20 May 2021 is available
online here (in Turkish).

Decision – Decision on the data breach notification of a
data controller operating in the energy sector

In the data breach notification submitted to the Board, the data
controller stated that user passwords along with identifiers such
as usernames, names and email addresses were publicly available in
the in-house archive platform, and two data subjects were affected
by the data breach.

The Board's assessment is as follows:

  • Two data subjects were affected by the data breach, and eight
    people who were suspected to have had access to the files were
    questioned to confirm whether they were under confidentiality
    obligation.
  • The data, by its nature, is unlikely to cause negative
    consequences due to the breach.
  • The passwords were masked and the file was promptly removed by
    the data controller following the breach.

In light of the foregoing, the Board decided not to impose any
sanctions as per Article 12/1 of the Law. The Board also excused
the data controller's delay in notifying the breach (failing
to comply with the 72-hour time period), considering that the data
controller is a multinational company.

Decision No. 2020/934 dated 8 December 2020 is available online
here (in Turkish).

Decision – Decision on the data breach notification of a
data controller providing online grocery shopping services

In the data breach notification submitted to the Board, the data
controller stated that the data of 43 data subjects were shared by
mistake in an email addressed to a group of 400 recipients.

The Board's assessment is as follows:

  • Forty-three data subjects were affected by the data
    breach.
  • Affected data include mere names, surnames and email
    addresses.
  • Data subjects were notified about the breach within 48
    hours.
  • The breach is unlikely to have negative consequences.
  • Four hundred recipients were requested to delete the infringing
    email.

In light of the foregoing, the Board decided not to impose any
sanctions as per Article 12/1 of the Law, considering that the data
controller fulfilled its obligation to report the data breach
"as soon as possible" (within the 72-hour period
specified in the decision of the Board No. 2019/10 dated 24 January
2019).

Decision No. 2020/763 dated 1 October 2020 is available online
here (in Turkish).

Decision – Decision on the data breach notification of a
data controller operating in the self-care industry

The data controller stated in the data breach notification that
third parties, using credentials obtained from external sources
(with no leakage from the controller's databases), tried over
500,000 email/password combinations from over 14,000 IP addresses
and thereby verified the passwords of 2,092 accounts.

Further to its assessment, the Board determined that the data
controller's failure to detect such a large number of breach
attempts, even though most of them were unsuccessful, implies its
failure to set up an IT monitoring system. The Board decided to
impose an administrative fine of TRY 210,000 against the data
controller for failure to take appropriate technical and
organizational measures.
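The monitoring gap the Board points to is visible in ordinary authentication logs: a credential-stuffing run shows up as a short window holding many failures, from many distinct source IPs, against many distinct accounts. The following Python detector is an added example written for this newsletter, not code from the Board or from the controller concerned; the log line format, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the decision): a 10-minute window is flagged
# when it holds many failures, from many distinct IPs, at a high failure ratio.
WINDOW_MINUTES = 10
MIN_FAILURES = 50
MIN_DISTINCT_IPS = 20
MIN_FAIL_RATIO = 0.8

def parse_line(line):
    """Parse an assumed '<iso-timestamp> <email> <ip> <ok|fail>' log line."""
    ts, email, ip, result = line.split()
    return datetime.fromisoformat(ts), email, ip, result == "ok"

def detect_stuffing(lines):
    """Bucket login events into fixed windows; return one alert per window
    that matches the many-failures / many-IPs / many-accounts pattern."""
    buckets = defaultdict(list)
    for line in lines:
        ts, email, ip, ok = parse_line(line)
        # floor the timestamp to the start of its 10-minute window
        start = ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES,
                           second=0, microsecond=0)
        buckets[start].append((email, ip, ok))
    alerts = []
    for start in sorted(buckets):
        events = buckets[start]
        failures = sum(1 for _, _, ok in events if not ok)
        ratio = failures / len(events)
        ips = {ip for _, ip, _ in events}
        accounts = {email for email, _, _ in events}
        if (failures >= MIN_FAILURES and len(ips) >= MIN_DISTINCT_IPS
                and ratio >= MIN_FAIL_RATIO):
            alerts.append({"window_start": start, "attempts": len(events),
                           "failures": failures, "distinct_ips": len(ips),
                           "distinct_accounts": len(accounts),
                           # successes inside the burst are the accounts whose
                           # reused password was just confirmed by the attacker
                           "verified_accounts": sorted(e for e, _, ok in events if ok)})
    return alerts

def build_sample_log():
    """Constructed sample: 20 ordinary logins, then a burst of 200 guesses from
    200 IPs against 200 accounts in which 3 guesses succeed."""
    t0 = datetime(2020, 1, 15, 2, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=i)).isoformat()} user{i}@example.com 10.0.0.{i} ok"
             for i in range(20)]
    t1 = datetime(2020, 1, 15, 3, 0, 0)
    for i in range(200):
        result = "ok" if i in (7, 42, 113) else "fail"
        lines.append(f"{(t1 + timedelta(seconds=i)).isoformat()} "
                     f"victim{i}@example.com 203.0.113.{i} {result}")
    return lines
```

Running `detect_stuffing(build_sample_log())` leaves the ordinary traffic unflagged and raises a single alert for the burst window, listing the three accounts whose passwords were verified; those are the accounts to force a password reset on.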

Decision No. 2020/421 dated 22 May 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a
bank

The bank notified the Board of a data breach that occurred by
means of multiple Credit Bureau ("KKB") inquiries
conducted by a former employee, wherein 5,695 data subjects were
affected. The bank prepared an inspection report stating that
the former employee examined KKB records, took physical notes and
photographed them.

The Board's assessment is as follows:

  • The data controller failed to regularly monitor the security of
    personal data in accordance with the Guidance on Personal Data
    Security; it thus failed to take appropriate technical and
    organizational measures.
  • The data controller did not provide required trainings to some
    of its employees.
  • The breach resulted from the absence of a quota limitation to
    the inquiries.

The Board imposed an administrative fine of TRY 400,000 against
the data controller for the abovementioned reasons and imposed another
fine of TRY 50,000 on the grounds that the data controller failed
to: (i) notify the breach to the Board in due time without a valid
reason; (ii) show reasonable efforts to notify all data subjects;
and (iii) provide necessary information requested by the Board.

Decision No. 2020/359 dated 7 May 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a
data controller operating in the field of computer games

In the data breach notification submitted to the Board, the data
controller stated that a former employee (a web developer) uploaded
to a website a folder containing source code and data files.
Further to the investigation initiated by the data controller, it
was determined that 62 data subjects were affected and that the
affected data included date of birth, email address and location
information.

The Board determined that the data controller did not implement
appropriate technical and organizational measures and underlined
that the principle of "Everything is Forbidden Unless
Permitted" rather than "Everything is Free Unless
Prohibited" shall be adopted when giving access to media
containing personal data or when creating a related corporate
culture.

In this context, the Board decided to impose an administrative
fine of TRY 100,000 on the grounds that the breach was detected two
years after its occurrence and the data controller failed to raise
awareness among its employees. Another fine of TRY 30,000 was also
imposed for violation of the obligation to notify the Board
"as soon as possible."

Decision No. 2020/345 dated 5 May 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a
pharmaceutical company

In the data breach notification submitted to the Board, the data
controller stated that as a result of a systematic error, the
payrolls of 337 employees were sent to wrong recipients.

The Board's assessment is as follows:

  • The breach was detected 13 minutes after its occurrence and
    terminated within two hours.
  • The breach occurred in the course of a transition into a new
    server, aiming to increase data security levels.
  • The breach is unlikely to have negative consequences.
  • Emails that caused the breach were deleted and relevant
    recipients were warned accordingly.
  • Appropriate technical and organizational security measures were
    taken following the breach.

The Board decided not to impose any sanctions as per Article
12/1 of the Law. However, considering that the violation was not
reported to the Board within 72 hours of detection, the Board
decided to: (i) warn the data controller to give due importance
to notifying the Board and data subjects at the earliest, in
accordance with Article 12/5 of the Law and the decision of the
Board No. 2019/271 dated 18 September 2019; and (ii) request the
data controller to submit documents showing that the data subjects
were duly notified and that the recipients of the emails were
requested to delete such data.

Decision No. 2020/957 dated 15 December 2020 is available online
here (in Turkish).

Decision – Decision on the data breach notification of an
e-commerce company

In the data breach notification submitted to the Board, the data
controller stated that the breach resulted from its e-commerce
website being hacked, whereby a maximum of 257,000 data subjects
were suspected to have been affected.

The Board's assessment is as follows:

  • The system was accessible without any restrictions from public
    connections and was vulnerable to unauthorized access prior to the
    breach.
  • Data leak tests were carried out only after the breach.
  • Traffic of the mobile application could easily be monitored.
  • A data breach response plan was prepared only after the
    breach.
  • Corporate training and awareness activities were not organized
    beforehand.

The Board decided to impose an administrative fine of TRY
200,000 against the controller, considering the abovementioned
points as well as the fact that the breach was detected only when
the attacker contacted the controller itself.

Decision No. 2020/113 dated 11 February 2020 is available online
here (in Turkish).

Decision – Decision on the data breach notification of a
clothing company

In the notification submitted to the Board, the data controller
stated that the breach whereby 44 data subjects were affected
occurred due to an accidental transfer of personal data to internal
systems of the controller and third-party vendors while creating a
new account on the data controller's website.

The Board decided to impose an administrative fine of TRY 50,000
on the grounds that the breach: (i) occurred due to the failure of
the data controller to conduct necessary tests; and (ii) was detected
one year after its occurrence, indicating the absence of regular
controls. The Board excused the controller and did not impose any
further fine due to delayed notification to the Board (i.e., eight
days after detection of the breach), as that eight-day period was
found reasonable for a foreign controller to determine whether or
not data subjects located in Turkey were affected by the
breach.

Decision No. 2019/170 dated 18 June 2019 is available online here (in Turkish).

Other decisions published by the Board in August are as
follows:

  • In the decision regarding data breach notification of an
    insurance company, the Board decided to impose an administrative
    fine of TRY 30,000 on the grounds that the controller failed to
    comply with the Guidance on Personal Data Security and did not
    implement appropriate technical and organizational measures. The
    fine amount was kept at a lower range, considering the financials
    of the controller and also because the error that caused the breach
    was exceptional. Decision No. 2020/532 dated 9 July 2020 is
    available online here (in Turkish).
  • In the decision regarding the data breach notification of a
    data controller providing software services, the Board decided to
    impose administrative fines of: (i) TRY 75,000 for violation of the
    Guidance on Personal Data Security and not taking appropriate
    technical and organizational measures; and (ii) TRY 50,000 for a
    delay of 55 days in notifying the Board. Decision No. 2020/465
    dated 16 June 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a
    data controller operating in the pharmaceutical industry, the Board
    decided to impose an administrative fine of TRY 125,000 after
    determining that the controller did not take appropriate technical
    and organizational measures and violated the Guidance on Personal
    Data Security. Decision No. 2020/463 dated 16 June 2020 is
    available online here (in Turkish).
  • In the decision regarding the data breach notification of an
    insurance company, although affected data was health data, the
    Board refrained from imposing any sanctions as the controller
    promptly notified the breach and only two data subjects were
    affected. Decision No. 2020/935 dated 8 December 2020 is available
    online here (in Turkish).
  • In the decision regarding the data breach notification of a
    technology company, the Board refrained from imposing any sanctions
    as the breach, where one data subject was affected, was unlikely to
    have negative consequences and was promptly responded to by the
    data controller. Decision No. 2020/816 dated 22 October 2020 is
    available online here (in Turkish).
  • In the decision regarding the data breach notification of an
    e-commerce company, the Board decided to impose an administrative
    fine of TRY 165,000 on the grounds that the data controller failed
    to take appropriate technical and organizational measures for the
    protection of personal data that carries a higher risk. Decision
    No. 2020/715 dated 17 September 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a toy
    company, the Board decided to impose an administrative fine of TRY
    75,000 on the grounds that the data controller failed to take
    appropriate technical measures. The Board refrained from imposing
    further sanctions due to delayed notification (i.e., delay of one
    day), as the delay was caused by the COVID-19 pandemic. Decision
    No. 2020/567 dated 22 July 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a
    bank, the Board decided to impose an administrative fine of TRY
    200,000 for failure to take appropriate technical and
    organizational measures on the grounds that prior to the breach,
    the controller: (i) did not limit the KKB inquiries of its
    personnel; (ii) did not carry out adequate supervision and
    surveillance thereof; and (iii) failed to provide necessary
    training to its employees. Decision No. 2020/530 dated 9 July 2020
    is available online here (in Turkish).
  • In the decision regarding the data breach notification of an
    insurance company, the Board decided to impose an administrative
    fine of TRY 90,000 after determining that the data controller
    failed to take appropriate technical measures to ensure data
    security. Decision No. 2020/357 dated 7 May 2020 is available
    online here (in Turkish).
  • In the decision regarding the data breach notification of a
    bank, the Board decided to impose an administrative fine of TRY
    75,000 due to the failure to take appropriate technical and
    organizational measures as per Article 12/1 of the Law and
    emphasized that: (i) the control mechanisms were insufficient; and
    (ii) the errors causing the breach must have been detected in the
    testing phase and corrected prior to release. Decision No. 2020/201
    dated 3 March 2020 is available online here (in Turkish).

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
