PDPL BULLETIN – AUGUST 2024
The Law on the Protection of Personal Data (“Law”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles regarding data protection are determined not only by the Law and the secondary regulations enacted under the Law, but also by the Personal Data Protection Board (“Board”) Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform the relevant parties about the Board’s practices and to keep them up-to-date.
In August 2024, in addition to data breach notifications, the Board published a summary of its decision dated 18/07/2024 and numbered 2024/1176 on “Unlawful Processing of Personal Data for the Purpose of Subscription Establishment” and a public announcement on “Personal Data Processing Activities of Research Companies Using Random Number Dialing and Telephone Interview Method for the Purpose of Conducting Statistical Research” on its website for the first time this year.
In addition, the Board stated that a Cooperation Protocol was signed with the Ministry of Trade. In the related statement, the Board stated that the Cooperation Protocol was signed in order to raise awareness in all segments of the society about targeted advertising and deceptive commercial design practices, to follow international regulations and practices in common areas related to digital advertising and applications and the use of personal data, and to produce joint policies against existing or potential violations, in other words, the signed protocol aims to increase consumer awareness about digital advertising and applications and to strengthen consumers’ control over their personal data.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is unlawfully obtained by others, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In August 2024, two data breach notifications were published on the Board’s website kvkk.gov.tr.
Gündoğdu Mobilya Sanayi Ticaret Ltd. Şti.
Gündoğdu Mobilya Sanayi Ticaret Ltd. Şti., in its data breach notification submitted to the Board as a data controller, stated that the data on its servers were encrypted, the breach started on August 9, 2024 and was detected on the same day. It was stated that the categories of personal data affected by the breach are identity, communication, location, personal, legal transaction and customer transaction data, and the relevant group of persons affected by the breach are employees, users and customers. The number of people affected by the breach could not be determined due to lack of access to the system. It has been informed that the relevant persons can use the call center of the data controller to get information about the data breach.
Maltepe University
In the data breach notification submitted to the Board by Maltepe University as the data controller, it was stated that on June 19, 2024, between 01.27-06.35, a cyber attacker captured the password of a user account in the systems of the data controller and carried out a ransomware attack. The attacker demanded a ransom from the data controller, but the data controller stated that there was no outflow of data from the systems. In the data controller’s notification, information on the relevant groups of persons affected by the breach, the number of persons and personal data was not shared.
GRC LEGAL Comment
When the data breach notifications published in August are analyzed, it is seen that these breaches occurred due to cyber-attacks on the servers of data controllers due to security vulnerabilities and data leakage.
Data breaches occurred within data controllers due to the encryption of data on the servers of Gündoğdu Mobilya Sanayi Ticaret Ltd. Şti. and cyber-attacks within Maltepe University. In this context, it is critical for data controllers, who are obliged to take all kinds of technical and administrative measures, to back up data and apply strong encryption methods, especially in cases where ransomware is used.
Regular cybersecurity trainings, system updates, strong encryption protocols and the development of emergency action plans will ensure that proactive measures are taken both technically and administratively, thus preventing such breaches from occurring.
In addition, data breach notifications may also lead to a loss of reputation for the data controllers whose names appear on the Board’s website. In this respect, in order to minimize loss of reputation and legal problems, it is important to inform the relevant persons affected by the breach in the fastest and most transparent manner in order to protect the rights of both data controllers and data subjects.
BOARD DECISION SUMMARIES
In order to keep up with the pace of the data world, the most important source has been the Board’s Principle Decisions and Summaries of Decisions on administrative sanctions. The legislation has been greatly shaped in line with these decisions, and many procedures and principles, as well as adjectives and expressions familiar from the European General Data Protection Regulation (“GDPR”) world, are included here. The duties and powers of the Board are listed in Article 22 of the KVKK and the binding nature of the decision summaries is based on this provision.
Data Processors Should Not Exceed the Authorizations and Instructions Given by Data Controllers!
In the Board’s decision dated 18/07/2024 and numbered 2024/1176 The relevant person, who made a complaint to the Personal Data Protection Authority (“Authority”), stated that after the expiration of the internet service commitment period, while looking for new tariffs on the internet, he accidentally entered a site that shares the same / very similar visuals with the Türk Telekom website, and that he was called by a representative he thought to be a Türk Telekom official after entering his mobile phone information on the relevant site and transferred his other personal data, Subsequently, on the same day, the Company received an SMS stating that it had switched to Demirören İnternet ve İletişim Hizmetleri Ticaret Anonim Şirketi (“D-Smart”) and that the caller was not a Türk Telekom customer representative and that it understood that its will had been violated and its information had been obtained unlawfully.
As a result of the investigation conducted on the matter; Within the scope of the checks made on D-Smart systems, it was found that a “D-Smart Solution Partnership Agreement” was concluded between Andromeda TV Dijital Platform İşletmeciliği Anonim Şirketi (“Andromeda”) and İkra İletişim Telekomünikasyon ve Danışmanlık Hizmetleri Sanayi Ticaret Limited Şirketi (“İkra İletişim”), in which D-Smart is the sole shareholder and which deals with all kinds of business and transactions of D-Smart subscribers within the scope of operational operation, Accordingly, it has been determined that the entry of the data in question was carried out by İkra İletişim, which acts as an intermediary for D-Smart processes, and that İkra İletişim obtained the data of the potential subscriber independently as the data controller without the instruction or knowledge of D-Smart and transferred it to the relevant system.
As a result of the assessments; it was decided that there is no action to be taken against D-Smart and Andromeda within the scope of the Law; İkra İletişim misled potential customers by using the visuals of another company, despite being in the status of data processor pursuant to the contract concluded with Andromeda, and thus obtained and processed the personal data of the relevant person, Due to the fact that this activity is contrary to the provisions of the contract, it was evaluatedthat İkra İletişim acted in the capacity of data controller in the concrete case and did not rely on the processing conditions regulated in Article 5 of the Law, and did not comply with the basic condition that explicit consent must be expressed with free will in order to rely on the explicit consent condition, and it was decided to impose an administrative fine of 450. 000 Turkish Liras administrative fine was imposed.
GRC LEGAL Comment
As defined in Article 3 of the LPPD, a data processor is a natural or legal person who processes personal data on behalf of the data controller based on the authorization granted by the data controller. Data processors are a separate natural or legal person authorized by the data controller by concluding a personal data processing agreement, who processes personal data within the framework of the instructions given to them.
However, each process and activity should be evaluated on a case-by-case basis and the legal nature of the contracting parties within the scope of the LPPD should be determined. Likewise, if they act outside the authority and instructions granted to them, data processors will have the title of data controller and will become the subject of administrative fine sanctions in case of violation of the law of personal data processing activities. In this respect, it is essential that data processors clearly determine the framework of the contractual relationship they conclude with data controllers and act within the contractual obligations and obligations.
PUBLIC ANNOUNCEMENT
The Board has been obliged to publish a public announcement due to the fact that research companies contacted many data subjects by processing personal data using the “random number dialing and telephone interview method ” and due to the increase in various complaints submitted to the Authority.
Pursuant to Article 28 of the LPPD, the cases in which the Law will not be applicable are explained and the exception of ‘ processing ofpersonal data for purposes such as research, planning and statistics by anonymizing themwithofficial statistics ‘ has been stipulated in accordance with subparagraph b of paragraph 1.
- In the relevant public announcement published on 08.2024, the Board stated that the random number dialing method and telephone interview method activities cannot be evaluated within the scope of the exception of ‘processing personal data for official statistics purposes ‘ pursuant to Article 28 of the LPPD by considering the relevant legislation, upon the failure of the data controllers to submit any concrete information or document certifying such activities.
- It is emphasized that according to the Regulation on Deletion, Destruction or Anonymization of Personal Data, anonymous data is defined as data that cannot be associated with a specific person from the beginning, while anonymized data is defined as data that was previously associated with a person but can no longer be associated. The Board made the explanation regarding the said definition upon the determination that the personal data processed within the scope of the relevant searches were kept for 2 years by pseudonymization method and stated that the said process cannot be evaluated within the scope of the exception of ‘processing personal data for purposes such as research, planning and statistics by anonymization ‘.
In this context, it has been stated that the process in question is not listed among the exceptional cases listed in the Law, therefore, the provisions of Law No. 6698 must be complied with in personal data processing activities carried out using the random number dialing and telephone interview method.
The Board stated that the telephone numbers were derived within the scope of the “telephone interview with random number dialing” method in public opinion surveys and were not obtained from somewhere, that the derived number was not seen by the personnel making the call, that the personal data processing activity was started by calling the phone number of the person concerned, as well as the date and duration of the call of the persons concerned to the extent necessary and limited for the research, the traffic log in the form of the caller number and the number called, It has been accepted that the personal data processing activities carried out by processing phone numbers into the list of those who will not be called in the context of the requests of the data subjects not to be called again and audio recording of the call may be deemed lawful within the scope of “data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject ” in subparagraph (f) of the second paragraph of Article 5 of the Law for the purposes of auditing the research within the scope of quality control, fulfilling the obligations of the researcher and proving that the obligations are fulfilled in case of legal dispute.
However, in the first contact with the data subject; it is stated that information such as who made the call, which personal data is processed, the phone number is generated by random number dialing method and the purpose of the processing should be given, and the data processing activity should continue by obtaining explicit consent after the clarification.