December 2021 - In November 2021, the Turkish Personal Data Protection Board (the "Board") published two decisions and announced three data breach notifications. The amounts of administrative fines for 2022, calculated according to the revaluation rate, were also determined in November.

To remind you: On 11 March 2021, the Board announced its decision on the postponement of the registration deadline with the Turkish Data Controllers Registry ("VERBIS") until 31 December 2021. Accordingly, the current month is the last before the deadline. Do not forget to register with VERBIS. For more information to determine if you are obliged to register with VERBIS, please read our article here.

Revaluated amounts of administrative fines

The amounts of administrative monetary fines stipulated for violations of Turkish data protection law are re-determined each year according to the revaluation rate of the previous year. For the year 2022, these amounts have been published in the Official Gazette as follows:

Revaluated amounts (2022):

For those who do not fulfil the obligation to inform: TRL 13,393 - TRL 267,886 (approx. EUR 863 - 17,253)

For those who do not fulfil the obligations related to data security: TRL 40,183 - TRL 2,678,866 (approx. EUR 2,588 - 172,532)

For those who do not fulfil the decisions issued by the Board: TRL 66,972 - TRL 2,678,866 (approx. EUR 4,313 - 172,532)

For those who violate the obligations for registry with VERBIS and for notification: TRL 53,576 - TRL 2,678,866 (approx. EUR 3,451 - 172,532)

Data breach hunting continues

In November the Board imposed an administrative fine of TRL 450,000 (approximately EUR 28,982) on a merchandising company (as a data controller). In this instance, the Board initiated an investigation upon receipt of a data breach notification from the merchandising company.

According to the incident described in the decision, the merchandising company realised that various categories of personal data belonging to 4,792 of its customers were being offered for sale on an internet forum site. The merchandising company stated that it believed the data breach had occurred at its data processor, a company from which the data controller had previously received services and with which it no longer has a relationship.

The Board accepted that the merchandising company bases its claim that the personal data was obtained from systems of the data processor on solid grounds. However, the Board stated that the merchandising company as a data controller is obliged to:

  • take all necessary technical and administrative measures to prevent the unlawful processing of personal data, and
  • ensure the appropriate level of security.

Further, the data controller is jointly responsible with the data processor for taking these measures.

For the reasons listed above, the Board decided to impose an administrative fine of TRL 450,000 (approx. EUR 28,847) on the merchandising company and reminded the company that it needs to duly notify the data subjects affected in case of future data breaches.

The Board also decided to initiate an ex officio investigation against other data controllers, as it was observed that the personal data of the customers of other data controllers are also placed for sale on the internet forum site in question.

There is someone in the e-Nabiz system

Following a complaint of a data subject that a medical doctor had access to the e-Nabiz system (a digital health application where people can make an appointment with a hospital or review their previous examination and analysis results) without a request to or consent from the data subject, the Board imposed an administrative monetary fine on the hospital as a data controller.

The data subject claimed that although they did not visit the said medical doctor with a request for an examination, their personal health data, including examination and test results, were unlawfully accessed by the medical doctor, and therefore the data subject made a request to the data controller for information on this matter.

As a result, the Board concluded that

  • the actions of the medical doctor and the secretary working with him/her, who are found to have provided unlawful access, should be considered within the scope of the provisions of the Turkish Penal Code, and
  • the data controller did not take adequate technical and administrative measures to prevent unlawful access to personal data, considering that although the medical doctor is authorised to access the personal data in question, the doctor's secretary also had access to the mentioned personal data, and therefore the data subject is entitled to compensation in accordance with the general provisions.

The Board announced the following data breach notifications in November:

Data Controller: May Group Companies
Affected Data Subjects: Employees, users, customers, potential customers
Affected Personal Data: Identity, contact, personnel information, legal transaction, customer transaction, transaction security, risk management, finance, marketing, audio-visual recordings, convictions and security measures
Number of Data Subjects: N/A

Data Controller: Media Markt Turkey Ticaret Limited Sirketi
Affected Data Subjects: N/A
Affected Personal Data: N/A
Number of Data Subjects: N/A

Data Controller: Hedefevim Gayrimenkul ve Otomotiv Tic. AS (in liquidation)
Affected Data Subjects: Customers
Affected Personal Data: Identity, customer transaction, finance
Number of Data Subjects: Approximately 10,000

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.