The Personal Data Protection Authority (“Authority”) issued several data breach notifications on its website in March 2019. The notifications of data breaches by small and large scale companies including ING Bank A.Ş. reveal the importance of the issue. The data breach notification made by ING Bank A.Ş. created a tremendous impression and therefore it is examined in detail under the subtitle.
As a result of the personal data breach at Optimum Otomotiv Satış Sonrası Çözümleri Tic. A.Ş. (“Optimum”), companies which have a business relationship with Optimum and were affected by the data breach thereof, continued to notify data breaches this month. The further information is as follows:
A noticeable data breach notification published on the Personal Data Protection Authority’s (“Authority”) website on March 2, 2019. A data breach at ING Bank was reported to the Authority by ING Bank (“Bank”) which acts as data controller on February 21, 2019. In the course of works carried out by Risk Center of the Banks Association of Turkey (“BAT”) regarding information security, suspicious inquiries rendered by an ING Bank employee were detected. In order to determine whether these operations caused a possible data breach, the General Directorate of ING Bank was notified that an investigation should be carried out by the inspection teams in the presence of ING Bank. An investigation was carried out for any kind of operations which was considered to be a data breach that the employee of the Bank performed with the relevant devices. As a result of the investigation, it was determined that the Bank employee performed unauthorized access to certain database of Risk Center of BAT. In this way, the employee made inquiries about some companies that are mostly non-Bank customers by unauthorized access through systems of TBB Risk Center and took the data he reached out of the bank by means of electronic communications in the course of 2018. The Bank’s employee reached not only the personal loan records that can provide the individual credibility information, but also the KRM records which can only query individuals who are real person traders and legal entity traders. According to the information in the KRM reports, IDs and names of 19,055 real persons were leaked outside of the bank. In the official letter sent to the Authority by the Bank, it is stated that the audit, determination and awareness raising factors for the areas that can be controlled by the Bank were taken into consideration, the method used to deactivate the authorization control was blocked and the works related to the notifications to the real persons affected by the leak were carried out in coordination with the TBB Risk Center.
As per Article 5 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, the data controllers responsible for registering to the Data Controllers Registry became obliged to prepare a personal data retention and destruction policy (“destruction policy”) in accordance with the personal data processing inventory. In this context, the “Personal Data Protection Law Personal Data Retention and Destruction Policy” prepared by the Authority shared publicly on the website in order to guide the data controllers who are obliged to prepare a destruction policy. The destruction policy issued by the Authority is a best practice example on the destruction of personal data processed by the Authority. When the institution’s destruction policy is examined, the following points are particularly noteworthy:
Thus, it would be appropriate to review the destruction policies prepared by data controllers in accordance with the policy published by the Authority.
The Personal Data Protection Authority (“Authority”) published three separate guidelines on the obligation of controller to inform, data controllers registry system and the glossary of terms for personal data protection in order to provide data controllers with examples of good practice and to eliminate confusion in the implementation of the legislation. The Authority set forth the procedure and principles to be followed by data controllers to comply with the obligation to inform data subjects with the “Guideline on the Fulfillment of the Obligation to Inform” published on its website. Secondly, the Authority shed light on the process of registering to the Data Controller Registry System (VERBIS) with the “VERBIS Q&A” handbook. Finally, the rights and responsibilities regulated by the Law No. 6698 and the explanations of the terms which are frequently encountered by the data subjects and data controllers are clarified in the “Articles and Preamble of the Law on the Protection of Personal Data (Annotation) and Glossary of Terms for the Protection of Personal Data” published on the website. These guidelines and other related handbooks published by the Authority are important for data controllers to make their processes for personal data comply with the personal data protection legislation.
The Block Exemption Communiqué on Vertical Agreements in the Motor Vehicles Sector numbered 2017/3 (“Communique numbered 2017/3”), which revoked the Block Exemption Communique in the Motor Vehicles Sector numbered 2005/4, entered into force upon its publication in the Official Gazette dated 24.02.2017 and numbered 29989. Following the entry into force of the Communiqué No. 2017/3, the two-year transition period, which was determined for the players in the motor vehicles sector to comply with the new regulations, ended at the end of last month as of February 24, 2019. The Communiqué No. 2017/3, which includes regulations that allow providers to establish a more flexible distribution network for the distribution of motor vehicles, also includes amendments regarding provisions of multi-branding and establishing additional point-of-sale. In particular, the enterprises providing the purchase, sale or resale of new motor vehicles, spare parts and providing maintenance and repair services were required to review their practices under the Communiqué No. 2017/3.
Türksat Uydu Haberleşme Kablo TV ve İşletme A.Ş. (“Türksat”), with the application made to the Information and Communication Technologies Authority (“ICTA”), requested to provide access to other operators’ networks and to sell/market mobile services through the method of sub-brand management. The ICTA decided that Türksat was able to provide its services based on Cable TV infrastructure, with the bit-scream access to other operators’ cabled infrastructure such as xDSL, xPON, FTTX etc. and as well as by accessing to other operators’ infrastructure with the wholesale buy/sell and other similar models. It is also decided that the sales and marketing of mobile services by Türksat through the sub-brand method should be carried out in compliance with the Article 19 of the Authorization Regulation Regarding Electronic Communication Sector. According to the decision, Türksat shall not use the sales and marketing methods which give the impression that Türksat provides these services and should also clearly state the mobile network operator which provides services in all kinds of sales and marketing activities. Resale of mobile services shall not be made with a business model such as buy-sell method in any way and it is obliged to comply with the provisions of the other relevant legislation.
The Competition Authority (“Authority”) prepares five-year strategic plans dating from 2014, in accordance with the set mission and vision together with an understanding of conducting activities in a planned and scheduled manner. 2019 – 2023 Strategic Plan (“Plan”) published on the website of the Authority on March 12, 2019. The plan includes assessments regarding the extent to which the Agency’s objectives for policy development, competition advocacy, supervision and regulatory activities were achieved and opinions are provided in the context of the situation analysis. As the Strategic Plan is put into practice, it will be periodically evaluated and revised as required under current conditions. In order to make monitoring and evaluation activities easier, performance criteria related to the objectives and targets stated in the plan are also included. Besides, it is stated that the developments regarding the realization of the objectives included in the Strategic Plan would be reported on an annual basis.
Powered by themekiller.com