New decision summaries have been published by the Personal Data Protection Authority (“Authority”) through the month of August 2019. The details of the published summaries are detailed below:
The event which constitutes the basis of the Personal Data Protection Board’s (“Board”) decision, is the data controller, a securities and investment firm, calling the data subject for marketing and advertising purposes while lacking prior explicit consent of the said data subject. Following this unauthorized communication, the data subject has requested information from the data controller, however the data controller did not provide a sufficient response and thus the data subject filed a complaint.
Pursuant to the information provided by the data controller, the Board has ascertained that the data subject is an old customer of the employee of the data controller who had been previously been employed by a company conducting business within the same scope as the data controller’s business, and thus the contact information of the said data subject was acquired through this method and the data subject was called for marketing and advertising purposes.
Considering this information, the Board decided that the data controller’s processing of the personal data of the data subject was against the law since it was not in line with the legal purposes laid out in KVKK art. 5 and so decided to impose an administrative fine against the; The Board also decided that the employee realizing the data transfer be informed regarding article 136 of the Turkish Penal Code regulating “ the unlawful transfer/ acquisition of data”; and that the company be warned to take the necessary care to comply with KVKK and to respond to the complainant in a sufficient manner; also since the data controller processed data illegally and in violation of KVKK art.12/1-(a) the Board decided to impose an administirative fine to the data controller in the amount of TRY 75,000.
The summary of the communication exchange on the dates of 08.04.2019 and 25.06.2019 between the Board and Lewis Brisbois Bisgaard & Smith LLP, duly representing Dubsmash, Inc. (“Dubsmash”), the owners of an aptly named application called Dubsmash developed by Mobile Motion GmbH for iOS and Android operating systems, is as follows; Dubsmash has been made aware of the data breach through an email sent by a person claiming to be a journalist, the journalist has declared to be tipped off by an individual who claimed to have access to the personal data of Dubsmash users through the Darkweb, subsequently a digital forensics firm was hired to investigate the claims, following the investigation made by Dubsmash it was realized that 679,269 people who had listed Turkey as their location information on their public accounts were involved in the breached data set that was made available for sale, and finally Dubsmash created a call center to respond to user questions regarding the matter.
The Board, within its decision dated 17.07.2019 and numbered 2019/222, decided to impose an administrative fine in the amount of TL 730,000 on the data controller by taking into consideration that; the document proving that Lewis Brisbois Bisgaard & Smith LLP is the legal representative of Dubsmash has not been delivered to the Authority, the data of 162 million users worldwide using said application named Dubsmash developed by Mobile Motion GmbH for iOS and Android operating systems has been sold to Darknet Web, that such data include the data belonging to real persons and that since Dubsmash had been made aware of the data breach via a journalist, Dubsmach has not upheld an appropriate technical and administrative measures and finally Dubsmash has not informed its users despite such an extensive data breach.
The Turkish Data Protection Authority (“Authority”) has announced on its website on 03.09.2019 with its decision numbered 2019/265 and dated 05.09.2019 that the deadline for registration of the real persons and legal entities that are data controllers employing more than 50 employees per year or which have an annual balance sheet above TRY 25 million (approx. USD 4 million) before the Data Controllers’ Registry has been extended until 31.12.2019.
Following the notification by the Turkish Economy Bank, Denizbank also notified a data breach to the Board. Denizbank informed the Board on 31th of July 2019 that a data breach occurred between July 2018 and May 2019. Denizbank notified the Board that, it has detected that a bank staff member working in the area of customer operations and sales, although authorized to access Consumer Reporting Agency (KKB) inquiry pages, did so more often than was required and to a degree that violated the information security policy and that Denizbank discovered that 3038 Bank clients and 2851 unrelated persons were affected by the said access.
The Authority has published a guideline highlighting the principle issues that the data subject may face regarding personal data, fundamental principles of personal data processing, conditions for personal data processing, conditions for special category of personal data processing, deletion and anonymization of personal data, obligation to provide information, data subject rights, application to data controller, complaint to the Board, obligation to register to data controller’s registry, its exceptions, and also precedents of issues regarding data controllers and data subjects.
The Radio and Television Supreme Council (“RTÜK”) published the Regulation on the Presentation of Radio, Television and On-Demand Broadcasting on the Internet (“Regulation”) in the Official Gazette dated August 1, 2019. The Regulation provides detailed provisions regarding broadcast services, broadcasting transmission, the broadcasting license and transmission authorization, as well as the supervision of broadcasting on the internet.
As per the Regulation, media service providers wishing to provide radio, television or on-demand broadcast services exclusively on the internet must obtain a broadcast license. However, the same media provider may only offer a radio, television or on-demand service. In this scope media service providers must obtain a broadcast license from RTÜK for each broadcasting medium, i.e. radio, television or on-demand and RTÜK’s authority to supervise and impose sanctions includes all medium. Additionally, platform operators wishing to transmit radio, television and on-demand broadcasting services over the internet must obtain a broadcast transmission authorization from RTÜK.
Besides, broadcasting organizations that do not broadcast in Turkish but include commercial communications aimed at persons located in Turkey and broadcasting organizations that broadcast internet content in Turkish aimed at audiences in Turkey must obtain broadcast licenses to broadcast their content or hold a transmission authorization to transmit broadcasting services and should establish a joint stock company pursuant to the provisions of the Turkish Commercial Code.
Pursuant to the Provisional Article of the Regulation, media service providers broadcasting content without temporary broadcasting rights and/or broadcast licenses, and platform operators transmitting broadcasting services must apply for licenses or authorization within a month from the effective date of this Regulation, i.e. August 1, 2019. In case these service providers or operators fail to make their application, RTÜK may request the removal of content and/or blocking of access from a criminal court of peace.
The Radio and Television Supreme Council (“RTÜK”) amended the Regulation on the Supervision of Media Service Providers’ Commercial Communication Revenue and Revenue Declaration and Collections Payable to the Supreme Council (“Regulation”) on August 1, 2019. Pursuant to the amendments, the commercial communication revenues of media service providers holding a license for broadcasting services on the internet are now subject to the Regulation. The amendments also revised the amounts that RTÜK collects from these commercial revenues.
The amendment decreased media service providers’ gross commercial communication revenue collections payable to RTÜK to 1.5% from 3%.
Pursuant to the amendments, RTÜK shall now collect shares from the commercial revenues of media service providers broadcasting on the internet. Accordingly, the relevant media service providers must declare their commercial communication values according to the provisions of the Regulation.
On the other hand, the commercial communication activities of media service providers broadcasting on the internet but that have a temporary broadcasting right and/or broadcast licenses for cable, satellite, terrestrial or similar platforms are exempt from the Regulation, provided that these organizations provide their broadcasting services simultaneously on their platforms and broadcast their on-demand content on the basis of the same program catalogue. However, if the organizations provide on-demand broadcasting services for their programs broadcasted on cable, satellite, terrestrial or similar platforms with their own logos, the Regulation shall apply and these organizations must declare their commercial communication revenues to the RTÜK.
Administrative fees imposed on the media service providers failing to declare their commercial communication revenues according to the Regulation are also applicable for organizations providing on-demand broadcasting services.
The Ministry of Trade published the Communiqué on the Import of Devices with Electronic Identity and the Communiqué on the Export of Devices with Electronic Identity (“Communiqués”) in the Official Gazette numbered 30805 and dated June 18, 2019. The Communiqués regulate the procedures and principles regarding the Information Technologies and Communication Authority’s (“ITCA”) electronic supervision for the import and export of devices with electronic identity. The Communiqués shall enter into force 20 days following the publication date.
Pursuant to the Communiqués in order to export devices with an electronic identity number or release such devices into free circulation an application has to be made to the ITCA through the Single Window System and a conformity letter has to be obtained. When issuing conformity letters, the ITCA takes certain conditions into consideration, such as the consistency of the IMEI number of the devices with the brand and model information, the status of the device (whether the device has been lost, stolen or had its IMEI number changed) and compliance with the provisions of the Regulation on Registration of Devices with Electronic Identity.
Accordingly, following the entry into force of the Communiqués, conformity letters obtained from the ITCA shall be required for the registry of devices in the customs declarations. However, the conformity letter shall not qualify as a substitute for any certificates or permits contemplated under product safety and supervision regulations or other legislation.
Powered by themekiller.com