Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law - February 2022

March 2022 - In February 2022, the Turkish Personal Data Protection Board (the "Board") issued two decisions and announced five data breach notifications. The Board also made publicly available on its website all of the principle decisions it has ever issued. You can access the compiled principle decisions here (in Turkish only). The Board also discussed the Metaverse at one of its weekly seminar programmes in February. A recording of the live seminar is available here (in Turkish only).

Increasing attention for user security on online platforms

In February the Board published a public announcement on the technical and organisational measures that data controllers should take to ensure user security, in response to the increase in data breaches involving the usernames and passwords of data subjects on websites in the finance, e-commerce, social media and gaming sectors. Following these incidents, the Board emphasised data controllers' obligation to protect data subjects' personal data and recommended that data controllers take the following measures (among others) to prevent unauthorised access to personal data:

  • Establish two-factor authentication systems and offer them to data subjects as an additional security measure;
  • Detect logins from different devices and forward the login information to the data subjects' contact addresses by methods such as e-mail and SMS;
  • Use technologies such as security codes (CAPTCHA) that can distinguish computer from human behaviour to protect data subjects' accounts;
  • Prevent newly created passwords from being the same as previous passwords, and protect stored passwords by using up-to-date hashing algorithms;
  • Limit the number of unsuccessful login attempts from the same IP address.
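As an added worked example (this code is not from the article or from the Board), the following Python 3 module shows how four of the recommended measures fit together in one account store: salted scrypt password hashing, rejection of password reuse against a per-user history, a per-IP limit on failed login attempts, and a flag for logins from a device not previously seen on the account. The limit, window and history depth are assumed policy values, not figures from the announcement.

```python
# Added example, not the Board's or the article's code. Standard library only.
import hashlib, hmac, os, time
from collections import defaultdict, deque

MAX_FAILED_PER_IP = 5     # assumed policy values, not from the announcement
FAILED_WINDOW_SECS = 900
HISTORY_DEPTH = 5

def hash_password(password, salt=None):
    """Return (salt, digest) using scrypt, a current memory-hard hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class AccountStore:
    def __init__(self):
        self.users = {}                    # user -> salt, digest, history, devices
        self.failed = defaultdict(deque)   # ip -> timestamps of failed attempts

    def register(self, user, password):
        salt, digest = hash_password(password)
        self.users[user] = {"salt": salt, "digest": digest, "history": [], "devices": set()}

    def change_password(self, user, new_password):
        rec = self.users[user]
        # Refuse the current password and the last HISTORY_DEPTH previous ones.
        for salt, digest in [(rec["salt"], rec["digest"])] + rec["history"]:
            if verify_password(new_password, salt, digest):
                return False
        rec["history"] = ([(rec["salt"], rec["digest"])] + rec["history"])[:HISTORY_DEPTH]
        rec["salt"], rec["digest"] = hash_password(new_password)
        return True

    def ip_blocked(self, ip, now):
        q = self.failed[ip]
        while q and now - q[0] > FAILED_WINDOW_SECS:   # drop attempts outside the window
            q.popleft()
        return len(q) >= MAX_FAILED_PER_IP

    def login(self, user, password, ip, device_id, now=None):
        """Return (status, notify_new_device); caller e-mails/SMSes the data subject if True."""
        now = time.time() if now is None else now
        if self.ip_blocked(ip, now):
            return "blocked", False
        rec = self.users.get(user)
        if rec is None or not verify_password(password, rec["salt"], rec["digest"]):
            self.failed[ip].append(now)    # unknown users count too, to avoid enumeration
            return "denied", False
        new_device = device_id not in rec["devices"]
        rec["devices"].add(device_id)
        return "ok", new_device
```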

A record fine is in the basket for Turkish food delivery platform

On 7 February 2022, the Board published its decision on Yemeksepeti, an online food delivery platform that was acquired by Delivery Hero in 2015. The Board initiated an investigation due to a data breach incident that occurred in March 2021. As a result, the Board imposed an administrative fine of approximately EUR 121,800 on Yemeksepeti for its failure to comply with Turkish Data Protection Law.

In its decision, the Board states that over 21.5 million data subjects were affected by this data breach, and that almost the entire customer database was leaked. As a result, the Board concluded its evaluation on Yemeksepeti and found it negligent, in particular for the following reasons:

  • After attackers gained access to the system using malware and tools, the data controller did not detect the incident for 8 days.
  • Although the data the attackers obtained from the data controller was forwarded to an IP address in France and over 28 GB of data left the system, the data controller did not notice this data traffic and did not duly monitor its system.
  • The data controller did not take the necessary technical and organisational measures to ensure data security.

Protection of personal data during remote healthcare service

Turkey's Ministry of Health recently issued the "Regulation on the Provision of Remote Healthcare Service", which allows healthcare facilities to carry out telemedicine. This new regulation underlines compliance with Turkish personal data protection legislation and sets out liabilities arising from the breach of data protection by both healthcare facilities and professionals.

When providing medical services to patients who wish to receive healthcare services remotely, the Regulation emphasises the following measures to ensure data security:

  • It is forbidden to record audio or video regarding the service without the explicit consent of the data subjects.
  • The data controller and data processor must (i) act in compliance with Turkish Data Protection Law and relevant legislation, (ii) take all kinds of technical and organisational measures to ensure data security, and (iii) fulfil obligations to keep data subjects informed.
  • Audio and video recordings from telemedicine services cannot be stored for more than 12 months and must be erased upon the expiration of this period without any further notification.

The Board announced the following data breach notifications in February:

Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects
Kent Konut Insaat Sanayi ve Ticaret A.S. | Employees, Customers | Identity, contact, personnel information, finance, customer transaction data, visual and auditory recordings and biometric data | 1,000
Kentyol Kent Hizmetleri A.S. | Employees, Users, Customers | N/A | 2,100
Sisli Municipality Mayorship | Employees, Users, Members | N/A | N/A
Turkish Republic Acibadem Mehmet Ali Aydinlar University | Users | N/A | N/A
Ari Inovasyon ve Bilim Egitim Hizmetleri Anonim Sirketi (ITÜ ETA Vakfi Doga Koleji) | Employees, Students, Students' Guardians | Name, surname, ID number, parents' names, title, wage information, profession, registration fee information | 79,997

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.