The Board of Protection of Personal Data Has Published New Decisions
09 October 2019
Pursuant to Articles 15 and 22 of the Law on Protection of Personal Data No. 6698 (“the Law”), the Board of Protection of Personal Data (“the Board”) is entitled to conduct the necessary inspections within the scope of its remit, either ex officio when it learns of an alleged violation or upon complaint, and to impose administrative fines in case of breach. On its website, the Board publishes summaries of the decisions from its investigations that are considered important and precedent-setting.
We hereby present the summary of these decisions by the Board.
The decision No. 2019/269 on Facebook published on 18.09.2019 by the Board
Although it was stated that a written notice would be submitted to the Board within the week following the e-mail dated 14.10.2018, sent by the Facebook representative, giving information about the data breach related to “View as Someone Else”, Facebook did not submit any notice to the Board. As a result of this failure to notify, the Board decided to examine the matter ex officio.
As a result of its review, the Board determined that the data breach resulted from an error caused by the interaction of three different parts of the Facebook system: “View as Someone Else”, “Birthday Celebration” and “Video Uploader”. The Board ascertained that personal data such as name, gender, birthday, relationship status, educational background, religious information, country, location, recent searches on Facebook, and up to 500 major accounts followed by the user were affected by the breach. The Board also stated that 280,959 users using Facebook in Turkey were affected by the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose a fine of 1.150.000 TL for the lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698, and a further fine of 450.000 TL for a practice that violates the obligation to notify as soon as possible. Thus, the Board decided to impose an administrative fine of 1 million 600 thousand TL in total on Facebook. The Board had previously imposed an administrative fine of 1 million 650 thousand TL on Facebook due to a data breach.
The decision No. 2019/254 on S Şans Oyunları A.Ş published on 27.08.2019 by the Board
The Board was informed of the data breach through the notification of S Şans Oyunları A.Ş., which stated that it operates as a virtual bookmaker on the website www.tuttur.com and that it learned of the data breach from one of the Company's members, who shared the data leakage information. As a result, the Board initiated an investigation to examine the claims.
As a result of its review, the Board stated that the failure to determine the date on which the breach occurred indicates that the data supervisor failed to carry out the necessary supervision, and that the failure to determine when the data in the Excel list was withdrawn from the system and when it was transferred to the data processor is a technical and administrative defect. The Board also stated that the fact that the number of persons affected by the data breach cannot be determined, although the Company declared that 90% of the members in the list had never entered the system, indicates that the technical and administrative measures were not fully implemented or applied and that the Company was unable to take action to notify the persons concerned about the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose a fine of 150.000 TL for the lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698, and a further fine of 30.000 TL for a practice that violates the obligation to notify as soon as possible.
The decision No. 2019/255 on a Tourism Company published on 27.08.2019 by the Board
Following the Company's notification to the Board that the cyber-attack was carried out through the entry of unauthorized passwords over the Local Area Network (LAN), and that this occurred through a leak from the computer of an employee located in the general areas of the Company, the Board decided to examine the matter ex officio.
As a result of this review, the Board determined that there was no special personal data among the affected personal data; that the access by unauthorized third parties who are not employees of the Company is an administrative imprudence; that the fact that the employees had not received security training before the breach is an administrative deficiency in terms of providing personal data security and awareness; that the failure to detect whether there was a leak in the computer network is a technical deficiency; and that the fact that the incident was reported to the IT Department by employees in other departments indicates that the Company’s IT Department and Information Systems are not functioning properly.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose a fine of 400.000 TL for the lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698, and a further fine of 100.000 TL for a practice that violates the obligation to notify as soon as possible.
The decision No. 2019/225 about Obligations of the branches in Turkey of legal entities resident abroad and the Liaison Office published on 23.07.2019 by the Board
The Board, after its assessment, decided that:
- Data supervisors resident abroad that carry out personal data processing activities directly or through branches in Turkey must be registered.
- Where branches in Turkey of legal entities resident abroad are, by definition, responsible for determining the purposes and means of processing personal data and for managing the establishment of the data recording system, they will be considered data supervisors in Turkey distinct from the legal entity resident abroad. In this case, whether such branches are obliged to register with the Registry will be decided on the basis of an evaluation of their “annual number of employees” and “annual financial statement”. The branches in this case do not have any obligation to register.
In order to open a Liaison Office in Turkey, a company must be incorporated under foreign law, and the established Liaison Office may not engage in commercial activities. Considering also that Liaison Offices are unlike branches and are established for communication, feasibility research, conducting some projects in social and cultural areas, making preparations for mergers and acquisitions between companies, promotions and advertising, closely monitoring job opportunities in the country and informing the central company about these issues, these Liaison Offices are not obliged to register with the Registry.