The Turkish Personal Data Protection Board (“the Board”) published on its website on May 10, 2019 its decision numbered 2019/104, imposing an administrative fine of TRY 1,650,000 in total on Facebook, on the grounds that Facebook failed to take the technical and administrative measures necessary to prevent a data breach and failed to fulfil its obligation to notify that breach in a timely manner. In its announcement of December 14, 2018, entitled “Notifying our Developer Ecosystem about a Photo API Bug”, Facebook indicated that the photo API bug was present between 13 September 2018 and 25 September 2018. Because of this bug, which Facebook itself disclosed, third party applications were able to access other photos of Facebook users shared on Marketplace or Facebook Stories, exceeding the consent granted by those users. The Board indicated that it opened an investigation into Facebook upon Facebook’s announcement. During the investigation, Facebook’s statement that approximately 6,8 million users, including approximately 300,000 users in Turkey, may have been affected by the bug was treated by the Board as an admission of the ‘data breach’. Additionally, Facebook’s failure to respond to the API bug in a timely manner was taken as an indication that its technical and administrative measures were inadequate.
The Decision identifies the following as unlawful: third party applications accessing personal data of Facebook users beyond the personal data to which access had been granted, including photos for which those users had not granted public access permission; the restriction of user rights because users’ consent was not given freely within Facebook’s application platforms; and the delay in responding to the data breach.
According to the data breach notification made by Microsoft Corporation (“Microsoft”) on May 8, 2019, the credentials of an administrator at one of Microsoft’s service providers were accessed unlawfully and, as a result, the content of Microsoft users’ e-mail accounts was accessed; it was also determined that the administrator had shared his/her account login information with 13 of his/her support representatives. According to the notification, the data breach may have occurred because one of those representatives was subjected to a phishing attack, or through a direct action of one of them; once the breach was detected, the related account login information was immediately deleted. The breach is stated to have affected approximately 1.820 persons resident in Turkey. As a result of this unauthorized access between 1 January 2019 and 28 March 2019, e-mail addresses, folder names, subject lines of e-mails and the addresses of other correspondents may have been accessed and/or viewed, though not the content of e-mails or their attachments. It is further stated that, for a small portion of the affected persons in Turkey, e-mail content including attachments may also have been accessed by unauthorized persons, and that, because the breach covers the e-mail addresses of those persons, they may be targeted by phishing attacks.
The Authority continues to provide guidance and draw attention to the implementation of the Personal Data Protection Law No. 6698 (“Law”) and its secondary legislation (“PDP Legislation”) through newly published Board decisions. The details of the Board decisions published in May are as follows:
– The Board decision dated 14/02/2019 and numbered 2019/23 concerns a notification submitted to the Authority on the grounds that a technical service company had caused a data breach. The Board determined that, by changing the last two digits of the query number given to a customer for his/her device and following the resulting links, it was possible to query other devices and device owners; personal data of other device owners, such as name, surname, address and the device IMEI number, were therefore accessible on the data controller’s website. Consequently, an administrative fine of TL 150.000 was imposed on the technical service company on the grounds that the Law was violated by the data controller’s failure to take the necessary administrative and technical measures for personal data protection. The Board also instructed the data controller to remedy the breach of law. Since the data controller company did not comply with the Board’s instruction after being notified of that decision, the Board, in its decision dated 05/03/2019 and numbered 2019/52, decided to impose an administrative fine of TL 150.000 on the company. In that decision the Board also instructed the company to change the system that led to the data breach and to block access to the system in which the inquiry is made.
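The query-number design the Board describes, next to a hardened lookup that binds each record to an unguessable token and to its owner, as an added example (not the technical service company’s code): the query numbers, owner ids and field values are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample records (hypothetical placeholders, not real device data).
DEVICES: Dict[str, dict] = {
    "50000041": {"owner": "customer-41", "name": "J. Doe", "address": "[addr-41]", "imei": "[imei-41]"},
    "50000042": {"owner": "customer-42", "name": "A. Roe", "address": "[addr-42]", "imei": "[imei-42]"},
}


def lookup_by_query_number(query_no: str, caller: str, token: str = "") -> Optional[dict]:
    """Pattern the Board found: the sequential query number is the only key.
    The caller's identity is ignored, so editing the last digits of one's own
    number returns another owner's name, address and IMEI."""
    return DEVICES.get(query_no)


# Hardened variant (added example): each repair record gets an unguessable
# tracking token, only its hash is kept server-side, and a record is returned
# only when the token matches AND the authenticated caller owns the record.
_TOKEN_HASHES: Dict[str, bytes] = {}


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_tracking_token(query_no: str) -> str:
    token = secrets.token_urlsafe(32)          # 256 bits of randomness, not enumerable
    _TOKEN_HASHES[query_no] = _digest(token)   # store the hash, never the token
    return token


def lookup_hardened(query_no: str, caller: str, token: str = "") -> Optional[dict]:
    stored = _TOKEN_HASHES.get(query_no)
    if stored is None or not hmac.compare_digest(stored, _digest(token)):
        return None                            # unknown record or wrong token
    record = DEVICES.get(query_no)
    if record is None or record["owner"] != caller:
        return None                            # a valid token alone is not proof of ownership
    return record


def neighbour_reachable(lookup: Callable[..., Optional[dict]], own_no: str,
                        caller: str, token: str = "") -> bool:
    """Self-check for the defender: does this lookup expose the record whose
    query number differs from the caller's own only in the last two digits?"""
    neighbour = own_no[:-2] + f"{(int(own_no[-2:]) + 1) % 100:02d}"
    return lookup(neighbour, caller, token) is not None
```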
– The Board decision dated 01/03/2019 and numbered 2019/47 concerns an investigation of a claim that a person obtained, by unlawful means and without consent, personal data of the data subject and his/her family, and shared that data with judicial authorities and third parties. The Board stated that the person subject to the complaint cannot be considered a data controller, since there was no processing of data wholly or partly by automatic means, or by non-automatic means as part of a data registry system, as set out in the Law. The Board decided that the claim could be pursued through criminal justice, as the conduct constitutes an offence under the Turkish Criminal Law, and that no action was to be taken under the Personal Data Protection Law.
– The Board decision dated 25/03/2019 and numbered 2019/82: the Board announced a data breach on 27 May 2019 following its investigation of complaints that explicit consent for a market chain’s loyalty card application was not given freely and that a service fee was charged when consent was collected. The Board’s investigation found no evidence that shopping services were refused to customers who were not members of the loyalty card program, and no circumstance that made membership obligatory; the fee collected under the name “Data Permission Application” was caused by a technical fault in the information technology system installed in the shopping cash registers, and the fees were charged to customers by mistake. Moreover, the same amount was credited to the customer cards as a discount. In the Board’s assessment, no action was needed. The Board also decided that the inconsistencies between the “Membership and Declaration of Consent” and the “Privacy Notice” must be eliminated, and instructed the company to update the clarification text taking into account the basic principles of the Law and the provisions of the Board’s announcements.
– The Board decision dated 02/05/2019 and numbered 2019/122: the Board announced a data breach on 27 May 2019 in connection with complaints, within the scope of data subject rights under Article 11 of the Law, that the data controller T.C. Ziraat Bank A.S. (“Bank”) did not respond to the data subject’s application and that the privacy notice on the Bank’s website does not meet the requirements of the legislation. The Board found that the Bank did not respond to the data subject’s application within the 30-day period and thus breached its obligation. In addition, the Bank did not respond to the letter the Authority sent it on the matters subject to the complaint. Due to this failure to respond, the Board decided to take action under the disciplinary provisions against the persons responsible for the breach and the persons required to take the necessary measures and exercise supervision, within the framework of the third paragraph of Article 18 of the Law. It also decided to instruct the Bank to respond to the data subject’s application and to make every effort to comply with the provisions of the legislation. Finally, it decided to instruct the Bank to bring the privacy notice published on its website into compliance with the Communiqué on Principles and Procedures to be Followed in the Fulfillment of the Enlightening Obligation, since the notice does not specify the legal basis on which the processed data is based and its statement of data processing purposes creates uncertainty.
In the Constitutional Court’s (“Court”) decision dated 17 April 2019 and numbered 2015/4821 (“Decision”), the Court held that the Court of Peace Judgeship’s decisions blocking access to social media content violated the freedom of speech and the freedom of the press. According to the Decision, blocking access to content is an exceptional remedy under the Law No. 5651 and may be applied only in certain situations where the content explicitly and directly violates someone’s personal right. If the content does not explicitly and directly violate someone’s personal right, persons must resort to civil and criminal remedies to protect their personal rights. According to the Decision, when rendering a decision to block access, the courts should carefully evaluate and determine whether the content is unlawful, whether the personal right is explicitly interfered with, and whether indemnification of damages is essential.
With the decision of the Turkish Personal Data Protection Board (“Board”) dated 02/05/2019 and numbered 2019/125 (“Decision”), the Board set out the criteria it will use to determine which countries have an adequate level of protection for the transfer of personal data abroad, as provided under Article 9 of the Law on Protection of Personal Data. Article 9 of the Law provides that the transfer of personal data abroad is subject to explicit consent. Together with Article 9, Articles 5 and 6 of the Law stipulate the adequate level of protection criteria for transfers abroad in lawful processing cases where the explicit consent of the data subject is not required. The Law also stipulates that the “Countries with Adequate Level of Protection” shall be determined by the Board. Under the Decision, the Board’s assessment of whether the level of protection in a country is adequate shall be made on the basis of the principle of reciprocity, the legislation and practice in the relevant country regarding the processing of personal data, the existence of an independent data protection authority in that country, whether the country is a party to international treaties on the protection of personal data or a member of international organizations, whether the country is a member of global and regional organizations of which Turkey is also a member, and the volume of trade between that country and Turkey.
With the decisions of the Personal Data Protection Board (“Board”) dated 18 June 2019, three data breach notifications were published on the Board’s website.
– Vodafone Telekomünikasyon A.Ş. (“Vodafone”) sent three letters regarding the data breach to the Authority on different dates. In brief, Vodafone stated that it had received a notification that an employee of Lotus Telekom, which has a semi-exclusive dealership relationship with Vodafone, had shared his/her Central Population and Administration System (MERNİS) user name and password with a third party. It was subsequently determined that the dealership employee had been taking screen shots of the ID photos provided to him/her by people intending to become GSM line subscribers and had sold that ID information to people involved in illegal betting sites; Vodafone filed a criminal complaint against the employee. Vodafone stated that the affected people, estimated at 6,000, had not been notified of the data breach because the examination and investigation of the breach were still pending.
– According to the data breach notification made to the Board by Bartu Turizm Yatırımları A.Ş. (“Bartu Turizm”) on 10 June 2019, the data breach resulted from a hacker group’s intrusion into Bartu Turizm’s systems, discovered on 5 June 2019 through an e-mail message, which could not be verified, containing threats and blackmail. The notification states that officials and employees of Bartu Turizm and third parties in a relationship with Bartu Turizm were affected, and that approximately 52 individuals, all employees of Bartu Turizm, were determined to be affected. However, in the e-mail sent to the company, the hacker group alleged that the ID information of more than seventy thousand individuals had been taken.
– According to the data breach notification made to the Authority by Metro Grosmarket (“Metro”) on 14 June 2019, in some Metro stores the e-archive invoices of customers who shopped between 31 May and 12 June with a daily card (customers who do not own a MetroCard) were accidentally sent to the wrong recipient addresses. It was determined that 806 e-archive invoices belonging to 658 people were sent to eight different e-mail accounts. The notification states that the invoices contain ID information such as name, surname and ID number taken from the customers’ oral statements, that the accuracy of this ID information could not be verified because it was obtained verbally, and that the data subjects could not be notified for lack of contact information.
The Regulation on Personal Health Data (“Regulation”), published by the Ministry of Health in the Official Gazette dated June 21st, 2019 and numbered 30808 and in force from the date of its publication, repealed the Regulation on Processing and Protecting the Privacy of Personal Health Data, whose execution had been suspended by the Council of State. The Regulation contains provisions consistent with the Law on the Protection of Personal Data (“Law”) and its secondary legislation. Its scope covers the activities of natural persons, legal persons and public legal entities that process personal health data, in relation to the processes and practices carried out by the Ministry of Health. The Regulation also introduces the terms open data, open health data and de-identification, which were previously undefined in the legislation, together with their definitions.
The “General Principles and Basis” section of the Regulation gives detailed information on security measures, refers to the Law and its secondary legislation, and is aligned with the principal decisions of the Turkish Personal Data Protection Board. The section titled “Access to Personal Health Data” regulates in detail access to health data by medical personnel, Ministry of Health units, patients’ relatives and lawyers, as well as access to the health data of children and the deceased. Confidentiality, correction, destruction and transfer of personal health data are each regulated separately within the Regulation.
With its decision numbered 19-20/291-126 and dated 30.05.2019, the Competition Board decided to withdraw the exemption granted to the BKM Express service (a digital wallet service) provided by the Interbank Card Center (“ICC”) and to require the termination of BKM Express services. In its short decision, the Competition Board stated that the exemption shall not be granted to BKM Express because it does not fulfil the conditions specified in Article 5 of the Law on the Protection of Competition numbered 4054 (“Law numbered 4054”), that the exemption granted to BKM by the Competition Board’s decision dated 23.09.2016 and numbered 16-31/525-36 shall be withdrawn pursuant to Article 13 of the Law numbered 4054, and that the services provided by BKM shall therefore be terminated within 60 days of the notification of the Competition Board’s reasoned decision to BKM.
– Following its evaluation of TÜRKSAT A.Ş.’s (“Türksat”) service quality measurements for the fourth quarter of 2018, the Information Technologies and Communication Authority (“BTK”) decided to issue a written warning to Türksat for failing to comply with its obligations to meet the target measurements specified in the second paragraph of Article 5 of the Regulation on Service Quality in the Electronic Communication Sector and to send the relevant data to the Authority. BTK also decided that an announcement be made on the Authority’s website for one month stating that the Quality of Service Target Values for Operators Providing Internet Service were not met in the fourth quarter of 2018.
– Following its evaluation of Vodafone Net Iletisim Hizmetleri A.S.’s (“Vodafone Net”) service quality measurements for the fourth quarter of 2017, BTK decided to issue a written warning to Vodafone Net for failing to comply with its obligations to meet the target measurements specified in the second paragraph of Article 5 of the Regulation on Service Quality in the Electronic Communication Sector and to send the relevant data to the Authority. BTK also decided that an announcement be made on the Authority’s website for one month stating that the Quality of Service Target Values for Operators Providing Internet Service were not met in the fourth quarter of 2017.
Following its evaluation of the service quality measurements for the first quarter of 2018, BTK decided to issue a written warning to Vodafone Net for not meeting the target value of the Invoice Complaint Ratio criterion, and also decided to make an announcement on the Authority’s website for one month stating that the Quality of Service Target Values for Operators Providing Internet Service were not met in the first quarter of 2018.
BTK also decided to issue written warnings to Vodafone Net for the fourth quarter of 2017 and for January 2018 (first quarter) for violating Annex-3 of the Communiqué on Internet Service Providers by failing to select the measurement zones as specified in the legislation.
With the amendments to the Authority’s Decision dated 05.03.2019 and numbered 2019/DK-THD/074 on Fixed Line Interrogation Services (“Decision”), adopted to prevent (open line) subscriptions made in persons’ names without their knowledge and consent and the resulting abuse of consumers’ rights, it was decided that operator candidates applying to BTK to provide fixed telephone services must have the infrastructure needed to provide the service specified in the Decision as of the date on which they are able to provide the line inquiry service specified in the Decision (no later than 01 August 2019 for the first eight operators with the highest number of subscribers specified in the resolution, and 31 December 2019 for other operators).