KVKK Bulletin April 2024
The Law on the Protection of Personal Data (‘Law’) and its secondary legislation form a living body of law that has been updated frequently since the Law entered into force. Many procedures and principles are determined not only by the Law and the secondary regulations enacted under it, but also by the Decisions, Principle Decisions and Decision Summaries of the Personal Data Protection Board (‘Board’). Our monthly bulletins therefore aim to inform the relevant parties about the Board’s practices and to keep them up to date.
In April 2024, the Board published five data breach notifications, all of them submitted by companies that are leaders in their sectors.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled ‘Obligations regarding data security’ states that ‘In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.’
In April 2024, five data breach notifications were published on the Board’s website kvkk.gov.tr.
Yamaha Motor Europe N.V.
In the data breach notification submitted to the Board by Yamaha Motor Europe N.V., as the data controller, it is stated in summary that the breach was detected on 26.03.2024 and that the exact start date is not known, although it may have started in 2019. The security vulnerability was caused by a faulty configuration in the customer portal running on the CRM system, as a result of which any registered user could access the data of other users. It is thought that all customer records added in 2021 and earlier are affected by this vulnerability, and that 35,988 people across Turkey may be affected by the breach.
It was stated that the groups of people affected by the breach are customers and potential customers, and that the personal data affected are name and surname, gender, e-mail address and (internal) customer number; for a small number of people, postal address and telephone number data were affected in addition to these.
TTZ Marketing Plastic Industry Limited Company
In the data breach notification submitted to the Board by TTZ Pazarlama Plastik Sanayi Limited Şirketi, as the data controller, it was stated in summary that the breach occurred as a result of a cyber attack in which some of the company’s data was encrypted and a ransom was demanded from the data controller, and that the breach started on 19.03.2024 and was detected on 19.04.2024.
It is stated that the personal data categories affected by the breach are identity, communication, location, personal, legal transaction, customer transaction, physical space security, transaction security, risk management, finance, professional experience, marketing and audio-visual records, and that the special categories of personal data affected by the breach are clothing, health information, biometric data, and criminal conviction and security measures. It was reported that the number of persons and records affected by the breach could not be determined, and that the affected groups of persons are customers and potential customers. In addition, the relevant persons were directed to the e-mail address kvkk@titizplastik.com to receive information about the data breach.
Titiz Plastic Foreign Trade and Industry Limited Company
In the data breach notification submitted to the Board by Titiz Plastik Dış Ticaret ve Sanayi Anonim Şirketi, as the data controller, it was stated in summary that the breach occurred as a result of a cyber attack in which some of the company’s data was encrypted and a ransom was demanded from the data controller, and that the breach started on 13.04.2024 and was detected on 14.04.2024.
It is stated that the personal data categories affected by the breach are identity, communication, location, personal, legal transaction, customer transaction, physical space security, transaction security, risk management, finance, professional experience, marketing and audio-visual records, and that the special categories of personal data affected by the breach are clothing, health information, biometric data, and criminal conviction and security measures. It was reported that the number of persons affected by the breach has not yet been determined, and that the groups of persons affected by the breach are employees, customers and potential customers. In addition, the relevant persons were directed to the e-mail address kvkk@titizplastik.com to receive information about the data breach.
SporPark Shoe Teks. and Sports Goods. Tic. Limited Company
In the data breach notification submitted to the Board by SporPark Ayakkabı Teks. ve Spor Malz. Tic. Ltd. Şti., as the data controller, it was stated that the breach occurred when cyber attackers obtained the username and password of a person registered in the data controller’s systems and used them to obtain the data of other users registered in the system; that the breach started on 01.11.2023 and was detected on 21.04.2024; and that the usernames and passwords registered in the system were in the attackers’ hands for six months. It was stated that the personal data affected by the breach are identity, contact, location and customer transaction data, that the number of people affected could not be determined, and that the groups of people affected are employees, users, members and customers. It is stated that the relevant persons can obtain information about the data breach from the data controller’s call centre at 08504807616.
Modaselvim Textile San. and Tic. Joint Stock Company
In the data breach notification submitted to the Board by Modaselvim Tekstil San. ve Tic. A.Ş., as the data controller, it was stated that the breach occurred through unauthorised access to the systems after the user credentials of an authorised person of the data controller were obtained, that the breach came to light through a blackmail e-mail received on 20.04.2024, and that it could not be determined when the breach started.
It was stated that the groups of people affected by the breach are users, subscribers/members and customers, that their identity and communication data were affected, and that the number of affected people and records has not yet been determined, although identification efforts are ongoing. It is stated that the relevant persons affected by the breach can obtain information about the personal data breach from the data controller’s call centre.
GRC LEGAL Review
When the data breach notifications published in April are analysed, it is seen that these breaches resulted from security vulnerabilities and cyber-attacks. Pursuant to the LPPD, data controllers are obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the preservation of personal data. By using the phrase ‘any kind’, the legislator does not confine the obligation imposed on data controllers within a framework of limits, and instead attributes a broad responsibility to them.
Considering that even companies with strong technological infrastructures are exposed to cyber-attacks today, it would not be wrong to say that sometimes even the highest level of technical measures cannot prevent unauthorised access. Accordingly, it is important for data controllers to keep up with constantly developing and changing technology and to build their infrastructure securely. Even small-scale companies that lack the means to take technical measures requiring a high budget can still minimise the risk by taking at least certain technical measures.