- The Personal Data Protection Board has issued several data breach notifications.
The data breach notification submitted to the Board by Optimum Otomotiv Satis Sonrasi Cozumleri Tic. A.S. (“Optimum”) on January 23, 2019 continues to affect companies that have a business relationship with Optimum. In February, seven more companies with a business relationship with Optimum were added to the group of companies affected by Optimum’s data breach. These companies and the details of their data breaches are as follows:
- In the data breach notification made by Arkas Otomotiv Servis ve Ticaret A.S (“Arkas Otomotiv”), a data controller providing fleet and car rental services, it is stated that a cyber-attack using an unauthorized password took place on Optimum’s servers, and that Optimum did not provide any information as to whether any personal data was copied as a result of the cyber-attack and, if so, which personal data was copied.
- In the data breach notification made by Yes Oto Kiralama ve Turizm Yatirimlari A.S. (“Enterprise – Yes Oto”), a data controller offering fleet and car rental services, it is stated that customer information and customer-related documents were accessed by unauthorized persons as a result of the cyber-attack on Optimum, and that Optimum did not provide any clear information as to whether any data belonging to Enterprise – Yes Oto was accessed.
- In the data breach notification made by Hedef Arac Kiralama ve Servis A.S. (“HedefFilo”), a data controller offering fleet and car rental services, it is stated that it is not clear whether the cyber-attack covers personal data belonging to the real persons of HedefFilo’s corporate customers.
- In the data breach notification made by the data controller Derindere Turizm Otomotiv San. ve Tic. A.S. (“DRD”), it is stated that personal data processed on Optimum’s servers relating to DRD’s employees, its customers and their employees, vehicle users, service providers and their employees, insurance companies providing insurance services and their employees, counterpart drivers and all other persons involved in accidents was accessed by unauthorized persons, and that DRD has not been informed which personal data was affected by the unauthorized access to the Optimum servers processing personal data on behalf of DRD.
- In the data breach notification made by Borlease Otomotiv A.S. (“Borlease”), it is stated that, in connection with the data breach at Optimum, a business partner of Borlease, 4.000 people may be affected by the breach, but the consequences of the breach are not yet clearly known.
- In the data breach notification made by Garanti Filo Yonetim Hizmetleri A.S. (“Garanti Filo”), it is stated that Garanti Filo has a business relationship with Optimum within the scope of car rental services and that, as a result of the unauthorized access to Optimum, the personal data (name and surname) of approximately 90 real person customers, which had been transferred directly to Optimum, was affected. In addition, it is indicated that personal data belonging to Garanti Filo’s real person customers was obtained through other companies/institutions with which Optimum cooperates, and that such personal data (identity, driver’s license, accident records, etc.) may also have been obtained by unauthorized persons.
As a result of the cyber-attack on Optimum, it is expected that other companies with business relations with Optimum will continue to report data breaches. In addition to these firms, two other companies also reported data breaches this month:
- Clickbus Seyahat Hizmetleri A.S. (“ClickBus”), a data controller, noticed unusual activities on its servers in October and November 2018. Analysis of these activities detected unauthorized access to its systems, which contain the personal data of customers who used ClickBus between September 25, 2018 and November 25, 2018. It was indicated that a large amount of personal data, ranging from travel information to payment and contact information, was affected by the breach and that 67.519 people could be affected. On the other hand, ClickBus stated that no evidence was found that personal data had been misused.
- In the data breach notification made by Sisli Turizm Yatirimlari Insaat San. ve Tic. A.S. (“Holiday Inn Istanbul – Sisli”), it is stated that a cyber-attack on Holiday Inn Istanbul Hotel took place on January 1, 2019. Following the cyber-attack, the related data backups were deleted by the attackers, and the technical team of Holiday Inn Istanbul has started a detailed investigation.
- Timeline for application to the data controller and the Board has been clarified.
Article 13 of Law No. 6698 on Personal Data Protection (“PDP Law”) regulates the time limits and methods for submitting requests to the relevant data controller concerning the enforcement of the Law, as well as the procedures by which data controllers respond to data subjects’ applications. Where a data subject’s request is rejected, the answer is found inadequate or the request is not answered in time, Article 14 of the PDP Law provides a further mechanism enabling data subjects to lodge complaints with the Authority regarding their applications to data controllers. In this context, by an announcement published on its website on February 13, 2019, the Board clarified its interpretation of the time periods set out in the PDP Law for lodging a complaint with the Board. According to the Board’s decision dated 24.01.2019 and numbered 2019/9, in the event that:
- the data subject’s request is concluded by the data controller within 30 days of the request, the data subject may lodge a complaint with the Board within 30 days following the data controller’s response;
- the data controller does not conclude the request, the data subject may lodge a complaint with the Board within 60 days following the date of the request.
In addition to these periods set out in the relevant articles of the PDP Law, the Board also draws attention to when the periods commence and expire. Accordingly, where the data controller concludes the data subject’s request after the 30-day period stated in the PDP Law, data subjects are not obliged to wait for the response and may lodge a complaint with the Board upon expiry of the period granted to the data controller; it is therefore decided that, in such a case, data subjects can lodge a complaint with the Board within 60 days of the date of application to the data controller, rather than within 30 days of the data controller’s response.
- The Personal Data Protection Board has made an important decision regarding data breach notifications.
The Personal Data Protection Board has detailed the procedure to be followed by data controllers in the event of a data breach, taking the GDPR rules into account. According to the Board resolution dated 24.01.2019 and numbered 2019/10, the maximum period for notifying a data breach is 72 hours after becoming aware of the breach. Likewise, the data controller shall notify the concerned data subjects as soon as possible after the affected individuals have been identified, through appropriate means. Data controllers shall report data breaches using the ‘Personal Data Breach Notification Form’ published on the Authority’s website. In addition to the obligations stated in the PDP Law, several further obligations, such as preparing a “Data Breach Response Plan” and keeping records of data breaches, have been imposed on data controllers.
- The Personal Data Protection Board has published new decisions on the complaints of data subjects.
The Board has published three new decisions regarding personal health data and security of personal data on its official website on February 18, 2019. Details of the decisions are as follows:
- A public officer applied to a public institution requesting the destruction of documents relating to an investigation that had been initiated against him/her by public authorities during his/her term of office. After the public authority did not fulfil the request, the data subject brought the matter before the Board. The Board concluded that the public authority’s decision was appropriate, since the retention period had not expired and the processing purposes had not ceased to exist, given that the documents requested to be destroyed must be kept by the public authority under the relevant legislation.
- The complainant, who had shopped on an online clothing website, requested that the data controller destroy his/her personal data and have it destroyed by the companies in Turkey or abroad to which the complainant’s personal data had been provided, because personal data such as delivery address, name, surname and phone number had become accessible to third parties shopping on the same website. The complainant found the company’s response inadequate and therefore lodged a complaint with the Authority. In its statement to the Authority, the company said that it became aware of the situation at the time of the incident, which was caused by a systematic error, and that it had taken measures to prevent other customers from being affected. However, on review, the Authority concluded that the necessary technical and administrative measures to ensure personal data security under Article 12/1 of the PDP Law had not been taken before the above data breach was identified. For these reasons, the Board decided to impose an administrative fine on the company and instructed the company to provide the complainant with explanations and supporting documents regarding the destruction of the personal data.
- A data subject who uses medication under the supervision of a doctor lodged a complaint with the Authority on the grounds that his/her personal health data was shared with third parties by the pharmacy that supplied the drugs, without any processing condition being met. In its evaluation, the Authority concluded that the data controller pharmacy had transferred special categories of personal data to third parties without the processing conditions in the PDP Law being met. The Board therefore decided to impose an administrative fine on the pharmacy on the grounds that it had processed personal health data without meeting the processing requirements stated in the PDP Law and that personal data security had been violated.
- The Turkish Competition Authority has issued its final decision on the investigation into Google.
The Turkish Competition Board (“Board”) opened an investigation into Google Inc., Google International LLC and Google Reklamcılık ve Pazarlama Ltd. Şti. (together “Google”) upon the complaint of Limited Liability Company Yandex (“Yandex”) dated July 10, 2015. As a result of the investigation, it was concluded that Google violated Article 6 of Law No. 4054 on the Protection of Competition by abusing its dominant position in the market for ‘licensed mobile operating systems’ through its practices and the contracts signed between Google and device manufacturers. The Board therefore decided to impose an administrative fine of 93.083.422,30 TL. Additionally, in order to ensure publicity and effective competition with regard to device manufacturers, the Board decided that the contractual provisions signed with device manufacturers that are capable of infringing competition must be amended, and that no financial or other incentives leading to the prohibited results may be provided.