KVKK BULLETIN – JULY 2024
The Law on the Protection of Personal Data (“Law”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles are determined not only by the Law and the secondary regulations enacted under the Law, but also by the Personal Data Protection Board (“Board”) Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform the relevant parties about the Board’s practices and to keep them up-to-date.
In July 2024, the Board published the “Common Mistakes in Complaints and Notifications Submitted to the Board” study in addition to data breach notifications. In the relevant study; the reasons for the invalidity of 89% of the complaint and notification applications submitted to the Personal Data Protection Authority (“Authority”) were discussed, and the most common mistakes such as filing a complaint to the Board before exhausting the remedy to the data controller, and not using the e-mail address previously notified to the data controller and registered in the system of the data controller in case of application to the data controller by e-mail.
In addition, the “Regulation on Procedures and Principles Regarding the Transfer of Personal Data Abroad” (“Regulation”) entered into force after being published in the Official Gazette numbered 32598 on 10.07.2024. On the same date, the Authority published the Public Announcement on Documents Regarding Standard Contracts and Binding Corporate Rules and the Auxiliary Guidelines on Standard Contracts, Binding Corporate Rules Application Form and Basic Issues to be included in Binding Corporate Rules.
It is seen that some concrete steps have been taken by the Authority through the entry into force of the Regulation and the documents and guidelines published in parallel with the Regulation regarding the gradual overseas transfer procedures regulated in Article 9 of the Law. However, the compliance process within the scope of the aforementioned article regulating the principles for the transfer of personal data abroad must be completed by the data controllers until 01.09.2024.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In July 2024, five data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
Adnan-Özen İnşaat Taahhüt Enerji Turizm Ticaret ve Sanayi Anonim Şirketi
In the data breach notification submitted to the Board by Adnan Özen İnşaat Taahhüt Enerji Turizm Ticaret ve Sanayi Anonim Şirketi, which has the title of data controller, in summary; it was stated that the breach occurred through a leakage on the Application Programming Interface (API) of the website where the car rental reservations of the data controller are received, the breach was detected by the cyber attacker’s e-mail sent to the company personnel on 26 June 2024, and the relevant groups of people affected by the breach are customers and potential customers.
It is stated that the categories of personal data affected by the breach are identity (name, surname, Turkish ID Number), contact (address, telephone number, e-mail address) and customer transaction (reservation date, rental period and rental price) information, the number of relevant persons affected by the breach is 185, the database contains personal data of approximately 12,000 customers and technical investigations regarding the breach are ongoing.
Creditwest Faktoring Anonim Şirketi
In the personal data breach notification sent to the Authority by Creditwest Faktoring Anonim Şirketi, which has the title of data controller, in summary; it was stated that the breach occurred as a result of the attack on the servers of the data controller, the technical analysis process regarding the breach is ongoing, the breach was detected as a result of receiving a SOC monitoring warning, the number of people affected by the breach has not yet been determined, the breach started on 27.06.2024 and ended on the same date.
It is stated that the personal data categories affected by the breach are identity, contact, location, personal, customer transaction information, the person group affected by the breach is employees and customers, and the relevant persons can get information via www.creditwest.com.tr, data controller phone lines and e-mail.
Uber Technologies Incorporated
In the data breach notification submitted to the Board by Uber Technologies Incorporated, which has the title of data controller, in summary; it was stated that the data controller received an e-mail on 2 July 2024 from a person who revealed his intention to make personal data that may originate from Uber publicly available, that it has not yet been determined when the data breach occurred and what the source of the breach was, and that Uber users (passengers and/or persons ordering food) and/or drivers and/or delivery persons were affected by the breach.
Regarding the data affected by the breach; it is foreseen that the screenshots of the data of Uber users (passengers and / or people who order food) contain name, e-mail address, phone number, profile photo, registration date and score information, and the data foreseen to be affected by the breach in terms of drivers and / or delivery persons on the Uber platform; It was informed that the data within the scope of documents such as driver’s licence, insurance, identity card, vehicle registration and controls within the scope of the duty of care in the screenshots, but the affected personal data is not known exactly at the moment and the number of people affected by the breach has not yet been determined.
Güneş Ekspres Havacılık Anonim Şirketi (SunExpress)
In the data breach notification submitted to the Board by SunExpress, as the data controller, in summary; it was stated that a cyber attacker gained unauthorised access to the campaign management platform used by the data controller by obtaining the login information of an administrator account and sent phishing e-mails through this account, the breach occurred on 15.07.2024 and was detected on the same day, the cyber attacker sent a total of 1,986,293 e-mails to 596,659 unique e-mail addresses, and the relevant groups of people affected by the breach are; employees, customers and potential customers.
It is stated that the category of personal data affected by the breach is contact (e-mail) information, of the 596,659 e-mail addresses to which the cyber attacker sent e-mails; 86 belong to employees (current and former employees), 249,668 belong to customers, 346,905 e-mail addresses are e-mail addresses whose source is unknown and uploaded to the system during the attack by the cyber attacker, and that the data subjects can get information about the data breach through the form on the data controller’s website.
Ann & Robert H. Lurie Children’s Hospital of Chicago
Data controller Ann & Robert H. Lurie
In the data breach notification submitted to the Board by Children’s Hospital of Chicago, in summary; it was determined that cyber criminals gained access to the systems between 26-31 January 2024 as a result of a cyber attack within the data controller, it was determined that personal data related to approximately 791,784 people worldwide was leaked, and that this information is related to patients and patient relatives, current and former Lurie Children’s team members and family members, and current and former contractors.
It was stated that the affected data varied from person to person and could be contact information, identity information or information related to a patient’s health or medical care, that there is no clear information regarding the number of relevant persons affected by the breach in Turkey, and that detailed information about the breach can be accessed by visiting Lurie Children’s website “www.luriechildrens.org” and via the “Cybersecurity Matter” link at the top of the page.
GRC LEGAL Comment
When the data breach notifications published in July are analysed, it is seen that the breaches in question were caused by cyber-attacks on the servers of data controllers due to security vulnerabilities and data leakage. Especially in the data breach at SunExpress, it is seen that unauthorised access to the e-mail addresses of almost 600,000 people was gained and the extent of the data breach may be extensive as a result of the failure of data controllers to take all necessary technical and administrative measures.
In this context; data controllers should act with the awareness that they are obliged to take all necessary technical and administrative measures to ensure data security in accordance with the Law, use monitoring systems effectively by constantly updating security measures, and prevent possible data breaches by raising awareness through user training.