Date: 2022-04-05


In March, the most significant development in the field of personal data protection was the Personal Data Protection Authority's ("Authority") decision on the collection of the e-Devlet password and identity number of a data subject on a website.

We set out summaries of the developments in March in Turkey and around the world below.

Decision: Decision regarding the collection of e-Devlet password and identity number on a website

In the complaint submitted to the Authority, the data subject claimed that their e-Devlet password was requested during online shopping with a promissory note.

In Decision No. 2022/137 dated 17 February 2022, the Personal Data Protection Board ("Board") determined that:

the data controller requests the name, surname, e-mail, telephone number, address, password information and identity number of the data subjects for registering on the website,

the consent of data subjects is invalid as the provision of the services and completion of the order is subject to whether the data subjects share their e-Devlet password,

the address of the data subjects whose identity number is entered on the registration page is automatically displayed,

the data controller failed to notify the Authority of the unlawful access to personal data.

Accordingly, the Board decided to (i) impose an administrative fine of TRY 300,000 for making registration subject to sharing one's identity number, not relying on any of the legal grounds for data processing, and allowing third parties unlawful access to the personal data of the data subjects; (ii) instruct the data controller to destroy all e-Devlet passwords and identity number information collected and inform the Board; (iii) instruct the data controller to promptly eliminate the vulnerability of displaying the personal data of the registered data subjects and inform the Board within 30 days; and (iv) initiate an ex officio investigation regarding the unlawful access to the personal data of the registered data subjects.

The decision is available online here (in Turkish).

Significant developments from around the world

EU-US: New transatlantic data transfer arrangement

The Court of Justice of the European Union's decision dated 12 July 2020 invalidating the Privacy Shield framework created uncertainty regarding data flows from the EU to the US. To address this uncertainty, on 15 March 2022, US President Joe Biden and European Commission President Ursula von der Leyen announced that the two parties had reached a new transatlantic data transfer agreement.

Germany: FAQ document on cookies published

On 4 March 2022, the Baden-Württemberg Commissioner for Data Protection and Freedom of Information published frequently asked questions on third-party cookies for website operators and mobile application developers.

The document highlights common mistakes made in the use of cookies and cookie banners and proposes rectifications to ensure data protection.

The press release of the state commissioner is available here (German).

UK: Guidance issued for data center operators and users

On 17 March 2022, the National Cyber Security Centre and the Centre for the Protection of National Infrastructure published joint guidance to increase security in UK data centers. The guidance helps data center operators and users foresee security threats and mitigate potential cyberattacks.

The guidance adopts a comprehensive approach to data security and sets out a strategy to ensure the physical, employee and cyber security of data centers. It elaborates on attackers' methods of bypassing security measures, the critical importance of employees and the role of location and ownership in data security. The guidance also offers case studies of data breaches from around the world.

The guidance is available online here.

US: Congress publishes act on breach reporting

On 15 March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 entered into force upon signature by US President Joe Biden. The Act introduces provisions to facilitate information sharing among governmental departments, reporting on incidents and curtailing cyberattacks. As per the Act, companies operating critical infrastructure, such as financial institutions, are required to report cybersecurity incidents within 72 hours and ransom payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA).

Although it is suggested that the Act will increase transparency and the efficiency of private companies' response to cyberattacks, stakeholders are skeptical due to the ambiguous wording and scope of the provisions.
