Data breach notification of Optimum Otomotiv Satis Sonrasi Cozumleri Tic. A.S. (“Optimum”) to the Board dated January 23, 2019 still has effects on companies which have a business relationship with Optimum. In February, seven new companies were added to the group of companies which have a business relationship with Optimum and were affected by the data breach of Optimum. These companies and details of data breaches are as follows:
As a result of cyber-attack on Optimum Company, it is foreseen that other companies which have business relations with Optimum will continue to report data breach. On the other hand, in addition to these firms, two companies also reported a further data breach this month:
Article 13 of Law No. 6698 on Personal Data Protection (“PDP Law”) regulates duration and methods to submit requests to the concerned data controller relating to the enforcement of the Law and response procedures of data controllers regarding the data subjects’ application. In the event that the requests of data subjects are rejected, the answer is to be found inadequate or the data subject’s request is not answered in time; Article 14 of PDP Law regulates another mechanism which enables the data subjects to lodge complaints to the Authority in relation with their applications made to the data controllers. In this sense, the Board clarified the interpretation of the time periods stated in the PDP Law on the application for complaint to the Board by the announcement published on the website on February 13, 2019. According to the decision dated 24.01.2019 and numbered 2019/9 published by the Board, in the event that;
In addition to these periods included in the relevant articles of the PDP Law, the Board also draws attention to the commencement and expiration times of the periods. Accordingly, in case that the data controller concludes the request of data subject after 30 day time period stated in the PDP Law, data subjects will not be obliged to wait for the response and will be able to lodge a complaint to the Board upon the expiration of the time period given to the data controller, therefore, it is decided that data subjects can lodge a complaint to the Board within 60 days as of the date of application to the data controller instead of 30 days upon the date of data controllers’ response.
The Personal Data Protection Board detailed the procedure to be followed by the data controllers in the event of a data breach by taking into account the GDPR regulations. According to the board resolution dated 24.01.2019 and numbered 2019/10, the maximum time period for data breach notifications is determined as 72 hours after becoming aware of such breach. Likewise, the data controller shall notify the concerned data subjects in the shortest time possible following the determination of the affected individuals through appropriate methods. Data controllers shall report data breaches by using ‘Personal Data Breach Notification Form’ which is published in the Authority’s website. In addition to the obligations stated in the PDP Law, several obligations such as obligation to prepare a “Data Breach Response Plan” and recordkeeping of data breach have been imposed on data controllers.
The Board has published three new decisions regarding personal health data and security of personal data on its official website on February 18, 2019. Details of the decisions are as follows:
The Turkish Competition Board (“Board”) opened an investigation into Google Inc., Google International LLC and Google Reklamcılık ve Pazarlama Ltd. Şti. (all together “Google”) upon the complaint of Limited Liability Company Yandex (“Yandex”) dated July 10, 2015. As a result of the investigation, it is concluded that Google violated Article 6 of Law No. 4054 on the Protection of Competition by means of abusing its dominant position in the market of ‘licensed mobile operating systems’ through its practices and contracts signed between Google and device manufacturers. Therefore, the Board decided to impose an administrative fine of 93.083.422, 30 TL. Additionally, in order to ensure publicity and effective competition with regards to device manufacturers, the Board is decided to amend the contractual provisions that are capable of infringing competition signed with the device manufacturers. Thus, not providing financial or any other incentives which cause prohibited results is decided.
Powered by themekiller.com