Legal AlertUp-dates Regarding January 2019

7 February 2019


  • Public announcements from Personal Data Protection Board.

The Personal Data Protection Board (“Board”) published four separate data breach notifications on its website on 24 January 2019 and 25 January 2019. The details of the related data breach notifications are as follows:

  • Animoto Inc. (“Animoto”), offering cloud-based video services, detected unusual network traffic on its servers and identified the possibility of a data breach on 6 August 2018. In the data breach notification made by Animoto to Personal Data Protection Authority (“Authority”), Animoto disclosed a possible data breach affecting 22 million users worldwide and roughly 90,000 users in Turkey.  It is detected that the data such as customer name, user name (e-mail adress), hashed and salted passwords, high level geographic location information (corresponding to city and country), gender and data of birth might have been effected by the data breach. 
  • A cyber-attack with unauthorized password entry was detected on December 2018 on the server systems of Optimum Otomotiv Satış Sonrası Çözümleri Tic. A.Ş. (“Optimum”), the company offering post-purchase services. As part of the data breach notification, it is stated that the technical support team of the company  taken action  for  to prepare a detailed report regarding  the personal data that were affected by the data breach and also data subject of personal data; however, the study has not been concluded due to the technical aspect of the issue. As a result of the cyber-attack, it is stated that employees’ personal data might be affected but which customers and data groups affected by the attack could not be accurately determined.
  • TEB Arval Araç Filo Kiralama A.Ş. (“TEB Arval”), which provides fleet and car rental services, receives outsourcing support services from Optimum in order to manage the damage and accident processes of the vehicles rented to customers. TEB Arval uses Optimum Solution application to carry out its own operations. The application contains numerous data belonging to customer, driver, supplier and third parties. On 11 January 2019, unauthorized persons accessed Optimum solution application by using the customer contact form on the TEB Arval website and a message stating that corporate data was accessed was delivered. According to TEB Arval’s data breach notification, it is considered that those who received damage and accident management services from TEB Arval by using this application as of 13 September 2013 may have been affected by the said data breach.
  • ALD Automotive Turizm Ticaret A.Ş. (“ALD Automotive”), which acts as a data controller, receives various services from Optimum for the rented vehicles to the customers and its processes. Numerous personal data are processed within the scope of ALD Automotive’s commercial activity on the system managed by Optimum. Optimum informed ALD Automotive about the unauthorized access to their websites and the servers. In the data breach notification made by ALD Automotive, it is stated that the information regarding whether the data replicated as a result of the cyber-attack and if done, the data which were replicated were not shared with ALD Automotive.
  • Draft Share-Based Crowdfunding Communiqué is presented to the public opinion

Long awaited secondary regulation on crowdfunding is presented to the public opinion by the Capital Markets Board (“CMB”) under the title of “Draft Share-based Crowdfunding Communiqué” (“Communiqué”) on the January 3, 2019. Raising funds from the public in exchange of company shares through crowdfunding platform and procedures and principles on crowdfunding platforms, subscription, campaign process, use of funds and venture capital companies are regulated in the draft Communiqué. By means of the Communiqué, venture companies operating in technology or production sector are entitled to crowdfunding. 

  • Information Technology and Communication Authority published the Business Plan for   the year of 2019.

The Information and Communication Technologies Authority (“ICTA”) recently shared the Business Plan for 2019 (“Business Plan”) on its official website. The details of the Business Plan, where the ICTA’s efforts to be carried out in the next year and related strategic plan objectives are set out, as follows:

  • “Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector” is planned to be released. The regulation, which is expected to be completed as of May 2019, aims to ensure that consumers benefit from electronic communication services at the maximum level and minimize grievance of consumers.
  • It is aimed to establish a capability matrix on sectoral basis by establishing a domestic and national product portal. By means of this portal, which will be established by ICTA, it is aimed to bring together the operators and the manufacturers operating in the electronic communication sector and operators are expected to be able to announce their needs.
  • Amendments to the Regulation on Authorization for the Electronic Communications Sector are planned. Regulation amendment studies are expected to be began by January 2019 and be completed in December 2019.