In terms of personal data protection legislation, February 2022 was a very busy month (“KVKK”). The Personal Data Protection Authority (“Authority”) issued several decisions and statements in February, and this study briefly discusses the issues that drew attention in the international arena in addition to these decisions and statements.
DECISION OF YEMEKSEPETİ
On 7 February 2022, the Authority announced that an administrative fine had been imposed on the company as a result of data breach notifications received by Yemek Sepeti Corporation (“Yemek Sepeti”).
In the violation that Yemek Sepeti reported to the Authority, it was stated that on 18.03.2021, the web application server of Yemek Sepeti was accessed by persons whose identities could not be determined, that the attackers forwarded the data on the server to an IP address in France, and that the attack was detected by Yemek Sepeti following a warning on 25.03.2021. One of the notable details from the reported violation is the fact that the breach affected 21,504,083 Yemek Sepeti users.
In the Authority’s investigation into this violation, it has stated that leaking data to cover nearly the entire customer database is a very large-scale violation and considering the large of the leaked data and the nature of the personal data, significant risks, such as loss of control over their personal data, may occur for the data subjects. It has been explained that the leaking of almost all user data was not noticed for 8 (eight) days, indicating that the data controller’s security controls and data security monitoring were not carried out properly, and as a result of this carelessness, the exact extent of the data leak could not be determined, and the data controller was found to be at fault.
Since the fact that such a serious personal data breach occurred within a company like Yemek Sepeti in the international market and the response was delayed demonstrates that the data controller was unable to accurately assess the current risks and threats.
In this context, the Authority has decided to impose an administrative fine of 1,900,00 TL on the data controller who fails to take the necessary technical and administrative measures to ensure data security within the framework of Article 12 of the Law on the Protection of Personal Data No. 6698 (“Law”), considering the extent of the violation, the data controller’s fault, and the economic situation.
As previously stated, the administrative fine imposed on Yemek Sepeti clearly demonstrated the importance of the data controller fulfilling the necessary legal, technical, and administrative obligations regarding the protection of personal data in terms of economic and consumer confidence.
WHATSAPP DECISION OF THE CONSTITUTIONAL COURT
On February 11, 2022, the decision of The Constitutional Court of Turkey (“Court”) dated January 28, 2021, and application number 2018/34548 (“Decision”) was published in the Official Gazette, and the aforementioned important decision also deals with respect for private life, freedom of communication, labor law, and personal data protection.
The dispute that is the subject of the Decision arose as a result of the applicant’s (“Employee“) making insulting remarks to his colleagues in the Whatsapp chat group and the termination of his employment contract after his superior at the workplace read the said messages. In his application to the Court, the employee claimed that the WhatsApp conversations in question were closed to the third parties, that his superior’s reading of his messages and the termination of his employment contract for reasons that constitute unlawful evidence were violations of his constitutional rights.
In its investigation, the Court determined how restrictive and compelling regulations are determined in employment contracts, whether the parties are informed about these regulations, whether the legitimate goal that causes the interference with the fundamental rights of employees is proportional to the intervention, and whether there is a reasonable and proportional action against the employee’s action in the termination of the contract highlighted.
In this context, the communication tools offered to the employee for justifiable reasons such as the effective conduct of work, the control of information flow, the protection of the employee against legal and criminal liability related to his actions, the measurement of efficiency and performance, and security concerns can generally be controlled, and restrictions imposed on their use. However, it should be remarked that all these interventions are limited to the execution of work within the scope of the employer’s right of management and to the maintenance of workplace order and security. Since the communication tools made available at the workplace belong to the employer, the employer does not have unlimited and absolute control and supervision authority in this context.
In the Court evaluation, discussed the privacy of private life and the protection of personal data, and stated that the employer and the public power should use the power of protection and limitation on this right within a certain framework. In the workplace, the employer’s management authority is limited to regulating and ensuring security. Even though there were speeches made on the computer at the workplace in the incident at issue, the employer’s intervention in these conversations was incompatible with a democratic society and the fundamental rights of the individual. As a result of exceeding the employer’s authority by leaving the employee’s computer open, he emphasized that the termination of his employment contract as a result of his responsible supervisor reading the conversations on his computer constituted a clear violation of the Constitution under the articles of privacy and freedom of communication. Furthermore, it has been emphasized in the decision that the messaging program had nothing to do with workplace operations and contained private messaging. It was also stated in the concrete case that there was no evidence that a notification demonstrating the scope of the employer’s authority to examine the workplace computer was given to the plaintiff, and it was emphasized that no clear information was given to the employee that communication made by the employer over the computer allocated for use at the workplace could be monitored and supervised.
In this sense, since the privacy of the individual is the foundation of personal data protection, in the case, learning of the said data by third parties without the explicit consent of the individual and the termination of the employment contract clearly constitutes a violation of the Personal Data Protection Law.
Considering this decision, it is understood that the means of communication assigned by the employer cannot be audited indefinitely, and first and foremost, information and clarification regarding this audit should be provided in accordance with Article 20/3 of the Constitution and Article 10 of the Personal Data Protection Law No. 6698. Even if all this information is provided in accordance with the law, it should be noted that the necessary inspection and surveillance rights are limited to the execution of the employer’s right to management and the maintenance of workplace order and security.
ANNOUNCEMENT REGARDING USER SECURITY
The Public Announcement (“Announcement”) on the Technical and Administrative Measures Recommended to be Taken by Data Controllers on User Security was published on the Authority’s website on February 15, 2022.
In the examinations conducted as a result of the violation notifications received by the Authority, it was discovered that the user account information used on the websites in sectors such as e-commerce, finance, social media, and so on is openly published on some of them. According to Article 12 of the Law, the data controller is required to take the necessary security measures to prevent the unlawful processing of personal data, to prevent unauthorized access to personal data, and to ensure the storage of personal data. As a result, the Authority issued the Announcement, which includes recommendations for precautions to be taken to ensure user security in relation to data controllers’ activities. The following are the published recommendations:
- “Creating two-stage authentication systems and presenting them as an alternative security measure from the start of membership,
- Ensuring that login information is forwarded to the appropriate persons via e-mail, SMS, or other similar methods when logging in from a device other than the devices from which users frequently access their accounts,
- Keeping the number of failed logins attempts from the same IP address to a minimum,
- Prevent new passwords from matching old passwords “at least the last three passwords”, In logins to user accounts, the use of technologies such as security code that distinguishes between computer and human behavior, limitation of IP addresses allowed to access,
- Reminder that the same password should not be used on more than one platform,
- Creating a password policy by the data controller and ensuring that user passwords are changed on a regular basis, or reminding the relevant parties about this issue,
- If third-party software or services are used to log into the data controller system, regular security updates and necessary checks must be performed,
- That the passwords used to log into the data controller system are at least 10 characters long, and that strong passwords are created using a combination of upper- and lower-case letters, numbers, and special characters.”
Although the Authority has announced these articles as recommendations, it is critical for data controllers to take the necessary legal, administrative, and technical measures since they are related to the obligations stipulated by the Law.
NOTIFICATION OF VIOLATION AT İTÜ ETA FOUNDATION DOĞA COLLEGE
Many data breach notifications were published on the Authority’s website on February 17, 2022. One of the violations is the statement made by the data controller Arı Innovation and Informatics Education Labour Corporation (“Company”) regarding İTÜ ETA Foundation Doğa Koleji.
The following is the notification’s content: The data on the company platform was accessed and leaked after the capture of an authorized user’s e-mail account and password. The data in question is about students, employees, and parents; it is stated that it contains information about the person, Republic of Turkey ID numbers, the units where the employees are located, the salaries given, the parents’ professions, and the amounts paid at the time of registration. The necessary information will be provided after 79 thousand people affected by the violation apply to the company’s e-mail address regarding personal data.
NOTIFICATION OF VIOLATION AT MARTI
Another notification conveyed to the Authority on February 27, 2022, was made by Martı Advanced Technology Corporation (“Martı”), the owner of the initiative that has recently attracted public attention. The data controller system was accessed by unidentified persons, according to the content of the notification published by the Authority, and a data breach was discovered in the e-mail sent by the persons accessing it. Although the number of people affected by the violation and the categories of this data have yet to be determined, it has been stated that investigations into the source of the violation and the method by which it was carried out are ongoing.
NOTIFICATION OF VIOLATION AT ACIBADEM UNIVERSITY
Another data breach notification made to the Authority was made by Acıbadem Mehmet Ali Aydınlar University (“University”).
According to the university’s statement, because the attack is related to ransomware, the servers can be accessed intermittently, stated that the attack occurred on February 9, 2022, was detected on the same day, and that the necessary investigations were ongoing. It should be stated here that ransomware is malicious software that demands a ransom from users by preventing access to files on infected computer systems.
It was communicated to the relevant parties in the published statement that the users were affected by the said attack, but the exact category of personal data exposed to the attack could not yet be determined.
NOTIFICATION OF VIOLATION AT MUNICIPALITY OF ŞİŞLİ
The data breach notification of Şişli Municipality (“Municipality”) was published on 17 February 2022.
The municipality stated in its notification that there was a cyber-attack on the system with ransomware, that the attack occurred on 12.02.2022, and that the files and folders of employees, users, and members were encrypted as a result of the attack. The number of people affected by the attack and the types of personal data affected have yet to be determined, but necessary precautions have been taken and expert investigations are ongoing.
NOTIFICATION OF VIOLATION AT KENTYOL
According to the data breach notification issued by Kentyol City Labour Corporaiton (“Kentyol”), the files and folders of employees, users, and customers were encrypted by performing a cyber-attack with ransomware, affecting approximately 2100 people. It has been announced that when the investigations are completed, the affected individuals will be notified. Given the number of data breach notifications received by the Authority in February, ransomware is used in many cyber-attacks. The main goal of ransomware cyber-attacks is to extract economic value from a person’s personal data, such as personal information, internet history, and shopping activity, and sell it to the person or persons who want to access this information in the commercial market.
On February 16, 2022, the Decision dated 06/01/2022 and numbered 2022/13 (“Decision”) was published on the website of the Authority. The complaint about the Decision is about the person’s Higher Education Institutions Exam (“YKS”) exam result document being shared on a local news site without his explicit consent, as well as the illegal processing of his personal data.
According to the Authority’s assessment based on Article 5 of the Law titled “Personal Data Processing Conditions”, The exam result document on the website is considered personal data because it reflects the person’s name, surname, photo, as well as knowledge, intelligence, and competence. With the explanation about the exam result document, the Authority has been formed an exemplary decision on how the concept of personal data should be evaluated according to the concrete case.
Another factor to consider in the evaluation is the data controller’s right to demand personal data protection in the face of constitutional rights to freedom of the press and expression. The Authority has stated that the concrete event should be evaluated using the public interest criterion. Within the scope of this criterion, it was stated that the data controller could not escape the responsibility stipulated in Article 12 of the Law by falling within the scope of exceptional provisions because the public interest could not be determined in the processing of the person’s exam result document data, and it was decided to impose an administrative fine on the local news website.
REGULATION ON DATA PROTECTION OFFICERS’ PARTICIPATION CERTIFICATE
The Authority has previously published a Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Communiqué”), as well as a regulation concerning the concept of data protection officer. The procedures and principles governing the certificate of participation will be determined and announced later by the Authority, according to Article 5 of the Communiqué. The Procedures and Principles Regarding the Issuance of the Certificate of Participation (“Decision”) published on February 11, 2022 by the Authority regulated the procedures and principles regarding the participation certificate that the data officer should receive.
According to this decision, participants will be subjected to a basic training program in order to gain the necessary knowledge in the field of personal data protection legislation. The theoretical methods determined by the Authority and published with the Decision will serve as the foundation for this training. At the end of the training, an exam will be held to assess the knowledge level of the participants who have completed the basic training. While participants have 3 (three) chances to take the end-of-training exam, passing requires a score of at least 70 (seventy) points. Participants who pass the basic training and exam will be given a certificate of participation approved by the Authority, and with this document, they will be given the title of “Data Protection Officer”.
The Regulation on the Protection and Processing of Data at the Social Security Institution (“SSI”) was published in the numbered 31755 Official Gazette (“Regulation”) on February 19, 2022.
Regulation includes; personnel of the institution, natural persons whose personal data are processed, natural and legal persons providing services such as information processing systems for personal data processing, public institutions and organizations, and private law natural and legal persons that process personal data within the scope of the Institution’s activities, real persons who process personal data on behalf of the Institution, or legal persons, public institutions and organizations. Personal data, personal health data, and trade secret data must be processed in accordance with the obligation to keep secrets under Social Security Institution Law No. 5502 and the Law on the Protection of Personal Data by persons covered by the Regulation. The Regulation does, however, reserve Article 35 of Law No. 5502 on data transfer.
The Regulation states that the data controller and the data processors are jointly responsible for the processing of data and ensuring data security. According to this regulation, the data controller is required to take all necessary technical and administrative measures to prevent illegal data processing and access, as well as to ensure the necessary level of data storage security. The data controller is also required to notify the Institution within 72 hours of discovering that illegal data has been processed.
It has been stated that only the SSI data recording system will be used for data processing of health service providers contracted with SSI, and that copying, storing, or transferring them to another area outside the system is strictly prohibited.
The purpose of this Regulation is to require SSI institutions and organizations to follow the procedures and principles outlined in the legislation when performing data processing activities, as well as to protect all types of information processed within the scope of SSI within the scope of KVKK.
- The UK Information Commissioner’s Office (“ICO”) has published a guide for individuals who use video recording systems to collect and process personal data. Individuals will continue their video recording activities using this guide in accordance with the provisions of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. (“DPA”). Individuals will comply with the standards stipulated in the laws on the protection of personal data by applying the articles in the guide to their activities, and thus the rights and freedoms of the person or persons whose personal data is processed will be protected. You can find the guide link here: https://ico.org.uk/your-data-matters/domestic-cctv-systems-guidance-for-people-using-cctv/
- Meta (formerly known as “Facebook”) has set up a Special Operations Center (“Center”) to monitor shipments from Ukraine Because of the ongoing conflicts between Russia and Ukraine. According to Meta’s statement, the Center’s purpose is to protect individuals’ personal data in the Facebook application from cyber-attacks from Russia using the system’s additional privacy method.
In February 2022, there was a very intense period regarding the protection of personal data, as explained in the preceding decisions and notifications. We believe that the reason for this density is that data controllers are still failing to take the necessary legal, administrative, and technical measures in accordance with personal data protection legislation. While regulations on the protection of personal data in international and domestic law strengthen the implementation and compliance of the legislation day by day, it is critical for data controllers to carry out their activities in accordance with the aforementioned legislation, both in terms of their legal and criminal responsibilities and the protection of those concerned’s private life and personality rights.
Nil Merve ÇELİKBAŞ ŞEKER, LL.M. – İlayda Gürel, LL.B.
This post is for the purpose of exchanging information and experiences, and it does not provide a legal guarantee regarding the accuracy or timeliness of the material contained in the articles. Celikbaş Law Office assumes no responsibility for any losses incurred as a result of the use of any information or other content contained in this article, whether direct or indirect.
According to the relevant regulations of the Union of Bar Associations of the Republic of Türkiye, the content given on this site is for informational purposes only and does not constitute an advertisement, offer, legal advice, or consulting. The transmission of this information does not constitute the establishment of an attorney-client relationship. Because this information may not represent the most recent legal developments, readers should contact a lawyer about the current situation.