We share with you important decisions and announcements published by the Personal Data Protection Authority ("Authority") and other important developments about data privacy as of this month.

In August, the Authority published an announcement regarding the transfer of personal data owned by Turkish citizens, a decision regarding attorneys' unauthorized access to personal data located in execution files, and its decisions as to data breach notifications. We set out summaries of such announcement and decisions below.

Announcement – Public announcement on requests of Turkish citizens living abroad not to transfer their personal data abroad

Following the applications before the Authority by Turkish citizens living abroad requesting the Authority not to share their personal data with institutions and organizations of foreign countries, the Personal Data Protection Board ("Board") has concluded the following within its decision of No. 693 dated 7 July 2021:

  1. The Board will not be able to review these applications as such applications do not meet the criteria under Articles 13 and 14 of the Law on Protection of Personal Data No. 6698 ("Law") governing applications addressed to data controllers, since they are of abstract nature and the data controllers are unknown.
  2. Automatic data sharing is subject to the "Multilateral Competent Authority Agreement on the Automatic Exchange of Financial Account Information," whereby the competent authority for implementation is the Turkish Revenue Administration under the Ministry of Treasury and Finance. Accordingly, the Board has not taken further actions as per the Law, stating that applications as to automatic data sharing must be made before the Ministry of Treasury and Finance.

The public announcement dated 9 August 2021 is available online here (in Turkish).

Decision – Decision on unauthorized access to execution files by attorneys

The Board evaluated complaints as to unauthorized access of attorneys to execution files without having a power of attorney and illegal transfer of such data by personnel of the Ministry of Justice.

The Board emphasized that debtors' properties, rights or receivables can be inquired as per Articles 8/a and 78 of the Law on Enforcement and Bankruptcy. In addition, the Board underlined that, in order to collect their clients' receivables, attorneys are allowed to examine litigation and execution files without presenting a power of attorney, as per Article 46 of the Attorneys' Act No. 1136. Accordingly, the Board found that such data processing activity can be conducted on the legal basis of being "explicitly stipulated under the laws" as per Article 5/2(a) of the Law. As a result, the Board found such processing in line with the Law and did not impose any sanctions.

Decision No. 2020/511-512-513 dated 20 May 2021 is available online here (in Turkish).

Decision – Decision on the data breach notification of a data controller operating in the energy sector

In the data breach notification submitted to the Board, the data controller stated that user passwords along with identifiers such as usernames, names and email addresses were publicly available in the in-house archive platform, and two data subjects were affected by the data breach.

The Board's assessment is as follows:

  • Two data subjects were affected by the data breach, and eight people who were suspected to have had access to the files were questioned to confirm whether they were under confidentiality obligation.
  • Given the nature of the data, the breach is unlikely to have negative consequences.
  • The passwords were masked and the file was promptly removed by the data controller following the breach.

In light of the foregoing, the Board decided not to impose any sanctions as per Article 12/1 of the Law. The Board also excused the data controller's delay in notifying the breach (failing to comply with the 72-hour time period), considering that the data controller is a multinational company.

Decision No. 2020/934 dated 8 December 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a data controller providing online grocery shopping services

In the data breach notification submitted to the Board, the data controller stated that the data of 43 data subjects were shared by mistake in an email addressed to a group of 400 recipients.

The Board's assessment is as follows:

  • Forty-three data subjects were affected by the data breach.
  • Affected data include mere names, surnames and email addresses.
  • Data subjects were notified about the breach within 48 hours.
  • The breach is unlikely to have negative consequences.
  • Four hundred recipients were requested to delete the infringing email.

In light of the foregoing, the Board decided not to impose any sanctions as per Article 12/1 of the Law, considering that the data controller fulfilled its obligation to report the data breach "as soon as possible" (within the 72-hour period specified in the decision of the Board No. 2019/10 dated 24 January 2019).

Decision No. 2020/763 dated 1 October 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a data controller operating in the self-care industry

The data controller stated in the data breach notification that third parties, using credentials obtained from external sources (with no leakage from the controller's own databases), verified the passwords of 2,092 accounts by trying over 500,000 email/password combinations from over 14,000 IP addresses.

Further to its assessment, the Board determined that the data controller's failure to detect such a large number of breach attempts, even though the attempts were largely unsuccessful, implies its failure to establish an IT monitoring system. The Board decided to impose an administrative fine of TRY 210,000 against the data controller for failure to take appropriate technical and organizational measures.
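The monitoring gap the Board describes is a distributed credential-stuffing pattern: when 500,000 attempts are spread over 14,000 sources, each IP and each account sees only a handful of failures, so per-IP or per-account lockouts never trip and only an aggregate view reveals the attack. The following is an added example, not code from the newsletter or from the controller in the decision. It assumes a constructed log line format of `<ISO-8601 timestamp> <source ip> <account> <SUCCESS|FAIL>`, and the window size and thresholds are illustrative assumptions. It counts failures, distinct failing sources and targeted accounts per fixed window, and lists accounts that logged in successfully from a source that was also failing in that window, which is the "verified password" outcome the decision refers to.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 600    # assumed 10-minute detection window
MAX_FAILURES = 50       # assumed site-wide failed-login threshold per window
MAX_FAILING_IPS = 20    # assumed: many distinct failing sources is the stuffing signature


def build_sample_log():
    """Constructed sample log (not real data). Format per line:
    "<ISO-8601 timestamp> <source ip> <account> <SUCCESS|FAIL>"."""
    lines = [
        # Benign: one user mistypes twice, then logs in, all from one address.
        "2020-01-15T09:00:01+00:00 198.51.100.7 ayse@example.com FAIL",
        "2020-01-15T09:00:20+00:00 198.51.100.7 ayse@example.com FAIL",
        "2020-01-15T09:00:45+00:00 198.51.100.7 ayse@example.com SUCCESS",
    ]
    # Distributed stuffing: 60 failures, one per source IP, spread over 30 accounts,
    # so no single IP or account ever exceeds a per-entity lockout threshold.
    start = datetime(2020, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    for i in range(60):
        ts = (start + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.{i + 1} user{i % 30}@example.com FAIL")
    # Two accounts whose leaked password was correct: successes from stuffing sources.
    lines.append("2020-01-15T12:04:58+00:00 203.0.113.3 user2@example.com SUCCESS")
    lines.append("2020-01-15T12:04:59+00:00 203.0.113.9 user8@example.com SUCCESS")
    return lines


def parse_line(line):
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome == "SUCCESS"


def detect_credential_stuffing(lines, window=WINDOW_SECONDS,
                               max_failures=MAX_FAILURES, max_ips=MAX_FAILING_IPS):
    """Aggregate failed logins per fixed window; alert when either the total
    failure count or the number of distinct failing sources is high, regardless
    of how few failures any single IP or account produced."""
    buckets = defaultdict(lambda: {"failures": 0, "ips": defaultdict(int),
                                   "accounts": set(), "successes": []})
    for ts, ip, account, ok in map(parse_line, lines):
        epoch = int(ts.timestamp())
        b = buckets[epoch - epoch % window]      # floor to window start
        if ok:
            b["successes"].append((ip, account))
        else:
            b["failures"] += 1
            b["ips"][ip] += 1
            b["accounts"].add(account)

    alerts = []
    for start, b in sorted(buckets.items()):
        if b["failures"] < max_failures and len(b["ips"]) < max_ips:
            continue
        failing_ips = set(b["ips"])
        # Successful logins from a source that was also failing in this window are
        # the accounts whose stuffed password was correct and need forced resets.
        validated = sorted(acct for ip, acct in b["successes"] if ip in failing_ips)
        alerts.append({
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "failures": b["failures"],
            "distinct_ips": len(b["ips"]),
            "distinct_accounts": len(b["accounts"]),
            "max_failures_per_ip": max(b["ips"].values()),
            "validated_accounts": validated,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(build_sample_log()):
        print(alert)
```

The value of the per-window `max_failures_per_ip` field is that it is 1 in the flagged window: a per-IP lockout alone would have seen nothing, which is exactly why the Board treated the absence of aggregate monitoring as a failure of technical measures.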

Decision No. 2020/421 dated 22 May 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a bank

The bank notified the Board of a data breach that occurred by means of multiple Credit Bureau ("KKB") inquiries conducted by a former employee, whereby 5,695 data subjects were affected. The bank prepared an inspection report stating that the former employee examined KKB records, took physical notes and photographed them.

The Board's assessment is as follows:

  • The data controller failed to regularly monitor security of personal data in accordance with the Guidance on Personal Data Security; it thus failed to take appropriate technical and organizational measures.
  • The data controller did not provide required trainings to some of its employees.
  • The breach resulted from the absence of a quota limitation on the inquiries.

The Board imposed an administrative fine of TRY 400,000 against the data controller for the abovementioned reasons and imposed another fine of TRY 50,000 on the grounds that the data controller failed to: (i) notify the breach to the Board in due time without a valid reason; (ii) show reasonable efforts to notify all data subjects; and (iii) provide the information requested by the Board.
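The three findings above (no regular monitoring, no quota on inquiries, and the later decision No. 2020/530 listing the same gaps) describe one missing control: a gateway in front of the record lookup that enforces a per-employee daily quota, requires a business justification, denies disabled accounts, and writes every attempt to an audit trail that is reviewed daily. The following is an added example of such a gateway, not the bank's code or anything from the decision. The `InquiryGateway` class, the quota of 25 lookups per day, the `SUBJ-`/`CASE-` identifiers and the simulated employees are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


class InquiryGateway:
    """Mediates every credit-record lookup. Checks that the caller's account is
    active, that a case reference is supplied, and that the caller's daily quota
    is not exhausted. Every attempt, allowed or denied, goes to the audit trail."""

    def __init__(self, daily_quota=25):
        self.daily_quota = daily_quota      # assumed value, not the bank's real limit
        self.disabled = set()               # accounts of leavers, deprovisioned on exit
        self.used = defaultdict(int)        # (employee, day) -> allowed lookups so far
        self.audit = []                     # one record per attempt

    def disable(self, employee):
        self.disabled.add(employee)

    def inquire(self, employee, subject_id, case_ref, now):
        key = (employee, now.date())
        if employee in self.disabled:
            reason = "account disabled"
        elif not case_ref:
            reason = "no case reference"
        elif self.used[key] >= self.daily_quota:
            reason = "daily quota exhausted"
        else:
            reason = None
            self.used[key] += 1
        record = {"ts": now.isoformat(), "employee": employee, "subject": subject_id,
                  "case_ref": case_ref, "allowed": reason is None, "reason": reason}
        self.audit.append(record)
        return record


def review(gateway, warn_ratio=0.8):
    """Daily review over the audit trail: counts allowed and denied lookups per
    employee and day, and flags anyone who was denied at all or who used at
    least warn_ratio of the quota (sustained near-quota usage merits a
    supervisor's look even when no single request was refused)."""
    per_day = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for r in gateway.audit:
        per_day[(r["employee"], r["ts"][:10])]["allowed" if r["allowed"] else "denied"] += 1
    flagged = set()
    for (employee, _day), c in per_day.items():
        if c["denied"] or c["allowed"] >= warn_ratio * gateway.daily_quota:
            flagged.add(employee)
    return dict(per_day), sorted(flagged)


def simulate():
    """Constructed scenario: a normal caseworker, a bulk-lookup pattern, and a leaver."""
    gw = InquiryGateway(daily_quota=25)
    t0 = datetime(2020, 3, 2, 9, 0, tzinfo=timezone.utc)
    # Normal caseworker: a handful of lookups, each tied to a case file.
    for i in range(5):
        gw.inquire("e.kaya", f"SUBJ-{1000 + i}", f"CASE-{i}", t0 + timedelta(minutes=i))
    # Bulk pattern: 40 lookups in one morning, one of them without a case reference.
    for i in range(40):
        gw.inquire("m.demir", f"SUBJ-{2000 + i}", "" if i == 3 else "CASE-X",
                   t0 + timedelta(seconds=30 * i))
    # Leaver whose account was disabled: any further attempt is denied and logged.
    gw.disable("former.emp")
    gw.inquire("former.emp", "SUBJ-3000", "CASE-Y", t0 + timedelta(hours=1))
    return gw


if __name__ == "__main__":
    per_day, flagged = review(simulate())
    for key, counts in sorted(per_day.items()):
        print(key, counts)
    print("flagged:", flagged)
```

In the simulation the bulk pattern is capped at 25 records instead of 40, every refusal is recorded, and the review surfaces both the bulk user and the disabled account the same day, rather than an inspection report reconstructing 5,695 lookups after the fact.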

Decision No. 2020/359 dated 7 May 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a data controller operating in the field of computer games

In the data breach notification submitted to the Board, the data controller stated that a former employee (a web developer) uploaded to a website a folder containing source code and data files. Further to the investigation initiated by the data controller, it was determined that 62 data subjects were affected and that the affected data included dates of birth, email addresses and location information.

The Board determined that the data controller did not implement appropriate technical and organizational measures and underlined that the principle of "Everything is Forbidden Unless Permitted" rather than "Everything is Free Unless Prohibited" shall be adopted when giving access to media containing personal data or when creating a related corporate culture.

In this context, the Board decided to impose an administrative fine of TRY 100,000 on the grounds that the breach was detected two years after its occurrence and the data controller failed to raise awareness among its employees. Another fine of TRY 30,000 was also imposed for violation of the obligation to notify the Board "as soon as possible."

Decision No. 2020/345 dated 5 May 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a pharmaceutical company

In the data breach notification submitted to the Board, the data controller stated that as a result of a systematic error, the payrolls of 337 employees were sent to wrong recipients.

The Board's assessment is as follows:

  • The breach was detected 13 minutes after its occurrence and terminated within two hours.
  • The breach occurred in the course of a transition into a new server, aiming to increase data security levels.
  • The breach is unlikely to have negative consequences.
  • Emails that caused the breach were deleted and relevant recipients were warned accordingly.
  • Appropriate technical and organizational security measures were taken following the breach.

The Board decided not to impose any sanctions as per Article 12/1 of the Law. However, considering that the violation was not reported to the Board within 72 hours of detection, the Board decided to: (i) warn the data controller to give due importance to notifying the Board and data subjects at the earliest opportunity, in accordance with Article 12/5 of the Law and the decision of the Board No. 2019/271 dated 18 September 2019; and (ii) request the data controller to submit documents showing that the data subjects were duly notified and that the recipients of the emails were requested to delete such data.

Decision No. 2020/957 dated 15 December 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of an e-commerce company

In the data breach notification submitted to the Board, the data controller stated that the breach resulted from its e-commerce website being hacked, whereby a maximum of 257,000 data subjects were suspected to have been affected.

The Board's assessment is as follows:

  • The system was accessed without any restrictions from public connections and was vulnerable to unauthorized access prior to the breach.
  • Data leak tests were carried out only after the breach.
  • The mobile application's traffic could easily be monitored.
  • Data breach response plan was prepared only after the breach.
  • Corporate training and awareness activities were not organized beforehand.

The Board decided to impose an administrative fine of TRY 200,000 against the controller, considering the abovementioned points as well as the fact that the breach was detected only when the attacker contacted the controller itself.

Decision No. 2020/113 dated 11 February 2020 is available online here (in Turkish).

Decision – Decision on the data breach notification of a clothing company

In the notification submitted to the Board, the data controller stated that the breach whereby 44 data subjects were affected occurred due to an accidental transfer of personal data to internal systems of the controller and third-party vendors while creating a new account on the data controller's website.

The Board decided to impose an administrative fine of TRY 50,000 on the grounds that the breach: (i) occurred due to the failure of data controller to conduct necessary tests; and (ii) was detected one year after its occurrence, indicating the absence of regular controls. The Board excused the controller and did not impose any further fine due to delayed notification to the Board (i.e., eight days after detection of the breach), as that eight-day period was found reasonable for a foreign controller to determine whether or not data subjects located in Turkey were affected by the breach.

Decision No. 2019/170 dated 18 June 2019 is available online here (in Turkish).

Other decisions published by the Board in August are as follows:

  • In the decision regarding the data breach notification of an insurance company, the Board decided to impose an administrative fine of TRY 30,000 on the grounds that the controller failed to comply with the Guidance on Personal Data Security and did not implement appropriate technical and organizational measures. The fine was kept at the lower end of the range, considering the financials of the controller and also because the error that caused the breach was exceptional. Decision No. 2020/532 dated 9 July 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a data controller providing software services, the Board decided to impose administrative fines of: (i) TRY 75,000 for violation of the Guidance on Personal Data Security and not taking appropriate technical and organizational measures; and (ii) TRY 50,000 for a delay of 55 days in notifying the Board. Decision No. 2020/465 dated 16 June 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a data controller operating in the pharmaceutical industry, the Board decided to impose an administrative fine of TRY 125,000 after determining that the controller did not take appropriate technical and organizational measures and violated the Guidance on Personal Data Security. Decision No. 2020/463 dated 16 June 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of an insurance company, although affected data was health data, the Board refrained from imposing any sanctions as the controller promptly notified the breach and only two data subjects were affected. Decision No. 2020/935 dated 8 December 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a technology company, the Board refrained from imposing any sanctions as the breach, where one data subject was affected, was unlikely to have negative consequences and was promptly responded to by the data controller. Decision No. 2020/816 dated 22 October 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of an e-commerce company, the Board decided to impose an administrative fine of TRY 165,000 on the grounds that the data controller failed to take appropriate technical and organizational measures for the protection of personal data that carries a higher risk. Decision No. 2020/715 dated 17 September 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a toy company, the Board decided to impose an administrative fine of TRY 75,000 on the grounds that the data controller failed to take appropriate technical measures. The Board refrained from imposing further sanctions due to delayed notification (i.e., delay of one day), as the delay was caused by the COVID-19 pandemic. Decision No. 2020/567 dated 22 July 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a bank, the Board decided to impose an administrative fine of TRY 200,000 for failure to take appropriate technical and organizational measures on the grounds that prior to the breach, the controller: (i) did not limit the KKB inquiries of its personnel; (ii) did not carry out adequate supervision and surveillance thereof; and (iii) failed to provide necessary training to its employees. Decision No. 2020/530 dated 9 July 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of an insurance company, the Board decided to impose an administrative fine of TRY 90,000 after determining that the data controller failed to take appropriate technical measures to ensure data security. Decision No. 2020/357 dated 7 May 2020 is available online here (in Turkish).
  • In the decision regarding the data breach notification of a bank, the Board decided to impose an administrative fine of TRY 75,000 due to the failure to take appropriate technical and organizational measures as per Article 12/1 of the Law and emphasized that: (i) the control mechanisms were insufficient; and (ii) the errors causing the breach should have been detected in the testing phase and corrected prior to release. Decision No. 2020/201 dated 3 March 2020 is available online here (in Turkish).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.