In November, the significant developments in the field of personal data protection were the Personal Data Protection Authority's ("Authority") announcement on certain municipalities' online query services, its decision on a data breach affecting a retail store's customers, and its decision on unauthorized access to the Personal Health System (e-nabiz) by hospital staff.

We set out summaries of developments in November in Turkey and from the world below:

Announcement - public announcement on online tax debt inquiry and debt payment systems of municipalities

The Authority published a public announcement on 5 November 2021 regarding the municipalities that only apply the single-factor verification method in their online tax debt payment and inquiry systems.

In its decision dated 25 February 2021, the Personal Data Protection Board ("Board") determined that allowing individuals to access debt information provided by some municipalities without a membership, password entry or double-factor authentication method violates the obligation to prevent unlawful access to personal data. Accordingly, in the letter sent to the metropolitan, provincial, district and town municipalities on 9 April 2021, the Board requested the termination of the unlawful data processing activities within three months.

The announcement states that authentication through easily accessible data such as an identity number or date of birth constitutes single-factor authentication, and that double-factor authentication methods, such as a personal password or an SMS code, should be preferred instead. The Authority's examination focused in particular on whether the information requested by the municipalities for identity verification in the second stage is private and accessible only by the data subject. Following the examination, the Board decided to impose disciplinary provisions on the municipalities that continue to use a single-factor authentication system after the three-month period, and requested the relevant municipalities to inform the Board.

The announcement is available online here (in Turkish).

Decision - decision on the unauthorized access of the hospital staff to "e-nabiz" system

In the complaint submitted to the Board, the data subject claimed that two different hospital employees accessed the data subject's e-nabiz account without permission.

According to the Board's decision No. 2021/962 dated 21 September 2021: (i) only doctors operating at the data controller hospital are authorized to access the health data of data subjects, and thus access to the system by a doctor's assistant indicates that reasonable organizational and technical measures to prevent unlawful access to personal data had not been taken; and (ii) the provisions of the Turkish Criminal Code may be applicable against the employees who accessed health data unlawfully.

Accordingly, the Board decided to impose an administrative fine on the data controller hospital on the grounds that it failed to take reasonable technical and organizational measures and instructed the data controller hospital to respond to data subjects' applications with due care and diligence.

The decision is available online here (in Turkish).

Decision - decision against a retail store due to an attempt to sell customers' personal data

As claimed by the complainant in its submission to the Authority, personal data of a retail store's customers were offered for sale on the internet.

According to the Board's decision No. 2021/1021 dated 7 October 2021:

  • The fact that customer data of other data controllers, which received services from the same data processor, were also offered for sale on the same date indicates that the data was obtained from the data processor.
  • Although the violation was caused by the systems of the data processor, the data controller is jointly responsible with the data processor for taking adequate measures.
  • The fact that penetration test reports for the systems of the data processor were not obtained prior to the breach indicates that the data controller failed to ensure an appropriate level of security for the protection of personal data.
  • The data controller failed to ensure that the data processor destroyed all data after termination of the commercial relationship.
  • The fact that 4792 persons were affected by the breach, and that the breached data included name, surname, identity number, telephone number, gender, date of birth and order information, is likely to have negative consequences for the data subjects.

In light of the above, the Board decided to (i) impose an administrative fine of TRY 450,000 (approx. USD 35,000) on the data controller for failure to take the necessary technical and organizational measures, (ii) request the data controller to ensure that the affected data subjects are informed through notifications containing at least the elements required by decision No. 2019/271 dated 18 September 2019, and (iii) initiate an ex officio investigation into the other data controllers whose customer data were offered for sale on the same website.

Significant developments from the world

  • European Data Protection Board released a draft guideline to clarify the scope of cross-border data transfers

On 19 November 2021, the European Data Protection Board (EDPB) published a draft guideline on the interplay between Article 3 of the General Data Protection Regulation (GDPR) and the provisions regarding cross-border data transfers. As per the guideline, the following three criteria must be met for data processing to qualify as a transfer to a third country: (i) the data processor or data controller is subject to the GDPR for the given processing; (ii) the data processor or controller (exporter) makes personal data available to another data controller, joint controller or processor (importer) through transmission or otherwise; and (iii) the importer is in a third country or is an international organization [1], regardless of whether it is itself subject to the GDPR under Article 3.

The guideline provides processing examples for further guidance on the three criteria, all of which must be met cumulatively for a cross-border data transfer. Accordingly, direct collection of personal data from data subjects by a data controller located in a third country does not qualify as a cross-border data transfer, since criterion (ii) is not fulfilled.

The guideline is available online here.

Footnote

1. According to the guideline, "international organization" means an organization and its subordinate bodies governed by public international law, or any other body that is set up by, or on the basis of, an agreement between two or more countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.