The Board of Protection of Personal Data Has Published New Decisions 10 October 2019
Pursuant to the articles 15 and 22 of the Law on Protection of Personal Data no. 6698 (“the Law”), the Board of Protection of Personal Data (“the Board”) is entitled to conduct necessary inspection within the scope of its remit either ex officio in case that it learns the allegation of a violation or upon complaint, and to impose administrative fines in case of breach. The Board publishes decision summaries of its investigations which are considered to be important and to establish precedent on its website.
We hereby present the summary of these decisions by the Board.
The decision No. 2019/269 on Facebook published on 18.09.2019 by the Board
Although it is stated that the notice will be submitted to the Board in writing within the week following the e-mail giving information about data breach related to ‘’View as Someone Else’’ sent by the Facebook representative, dated 14.10.2018, Facebook has not made any notice to the Board. As a result of this failure of notice, the Board has decided to examine ex officio.
As a result of the review of the Board, it is determined that the data breach is a result of an error caused by the 3 different interaction of Facebook system which are ‘’View as Someone Else’’, ‘’Birthday Celebration’’ and ‘’Video Uploader’’. The Board, ascertained that the personal data such as name, gender, birthday, relationship status, educational background, religious information, country, location, recent searches on Facebook, up to 500 major accounts followed by the user were affected by the breach. The Board also stated that 280,959 users using Facebook in Turkey were affected by the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 1.150.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 450.000 TL due to application which violates the obligation to notify as soon as possible. Thus, the Board of Protection of Personal Data decided to impose an administrative fine of 1 million 600 thousand TL in total, on Facebook. The Board had previously given an administrative fine of 1 million 650 thousand TL to Facebook due to data breach.
The decision No. 2019/254 on S Şans Oyunları A.Ş published on 27.08.2019 by the Board
The Board has been informed of the data breach in line with the S Şans Oyunları A.Ş.’s notification that they were operating as a virtual bookmaker on the website www.tuttur.com and that they were informed of the data breach by one of the members of the Company sharing the data leakage information and as a result, the Board has initiated an investigation to examine the claims.
As a result of the review of the Board of Protection of Personal Data, it is stated that the failure to determine the date of occurrence of the breach is an indication of failure of the data supervisor to carry out the necessary supervision, the failure to determine when the data in the Excel list was withdrawn from the system and when it was transferred to the data processor is an technical and administrative defect. And also, the fact that the number of person affected by data breach cannot be determined although 90% of the members in the list have been declared by the Company that they have never entered the system is an indication that the technical and administrative measures have not been fully implemented or applied, that the Company has not been able to take action to notify the people concerned in connection with the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 150.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 30.000 TL due to application which violates the obligation to notify as soon as possible.
The decision No. 2019/255 on a Tourism Company published on 27.08.2019 by the Board
As a result of the notification by Company to the Board that the cyber-attack is realized because of the entrance of the unauthorized passwords through the Local Area Network (LAN) and that this situation was occurred through a leakage from the computer of an employee located in the general areas of Company, the Board has decided to examine ex officio.
As a result of this review, the Board determined that there is not any special personal data among the affected personal data, that the access by unauthorized third parties who are not employees of the Company is an administrative imprudence, that the fact that the employees have not received pre-infringement security training is an administrative deficiency in terms of providing personal data security and awareness, that the failure of taking notice whether the leakage in computer network existed is an technical deficiency and the notification of the incident from employees in the other departments to the IT Department is an indication that the Company’s IT Department and Information Systems are not functioning properly.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 400.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 100.000 TL due to application which violates the obligation to notify as soon as possible.
The decision No. 2019/225 about Obligations of the branches in Turkey of legal entities resident abroad and the Liaison Office published on 23.07.2019 by the Board
The Board, after the assessment, decided that;
- Data supervisor resident abroad which process personal data activities directly or through branches in Turkey must be registered.
- In the case of the branches, of legal entities resident abroad, located in Turkey, by definition, are responsible for determining the personal data aims and the means and for managing of the establishment of the data recording system, they will be considered as a data supervisor in Turkey as distinct from legal entity resident abroad, also, in this case, as a result of the evaluation to be made in terms of ‘’annual number of employees’’ and ‘’ annual financial statement’’, it will be decided for the branches, of the legal entity resident abroad, located in Turkey, whether there is an obligation to register to the Registry or not. The branches in this case does not have any obligation to register.
In order to open a Liaison Office in Turkey, incorporation of a company must be executed according to the foreign law and the established Liaison Office is not be able to do commercial activities. And also, considering the fact that the Liaison Offices are not like branches and that are established for communication, feasibility research, conducting some projects in social and cultural areas, making preparations for the mergers and acquisitions between companies, promotions and advertising, closely monitoring the job opportunities in the country and informing the central company about these issues, these liaison offices are not obliged to register to Registry.
Other News
-
19.4.2024
The Constitutional Court Decision Annulled The Regulation Envisaging Liability For Litigation Expenses Within The Scope Of Mediation In Civil Disputes
In accordance with paragraph 11 of Article 18/A of Law No. 6325 on Mediation in Civil Disputes1 ("the Code"), a party shall be held liable for the entire cost of the litigation, nothwithstanding justification at the conclusion of the proceedings, and shall not be granted power of attorney fee if he or she fails to appear for the initial session of mandatory mediation without providing an explanation.The aforementioned regulation is outlined as follows:
-
8.4.2024
E-Application" Period In Capital Markets Board Applications
With its announcement dated 5 February 2024, the Capital Markets Board ("Board") announced to the public that capital market institutions, organisations and partnerships will be able to make their applications more quickly and effectively through the e-Application System.
-
5.4.2024
The Amounts In The Pre-Conditions To Be Complied With Before The Initial Public Offering Of Shares In Several Sectors Were Decreased
The Capital Markets Board ("Board" or "CMB") decreased the financial thresholds for financial statements, especially considering the sectoral differences of the companies that submitting to the Board for initial public offering and the 12th Development Plan ("Plan") prepared by the Presidency of the Strategy and Budget Directorate.
-
15.3.2024
New Regulations Introduced With The 8th Judicial Package
The Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws ("Law"), which contains amendments and new regulations known as the "8th Judicial Package", was published in the Official Gazette dated 12 March 2024 and numbered 32487. In this article, we will discuss the amendments to the Criminal Procedure Code No. 5271 (" CPC"), Turkish Criminal Code No. 5237 ("TCC"), Turkish Civil Code No. 4721 ("TCC"), Enforcement and Bankruptcy Code No. 2004 ("EBC") and Law No. 6384 on the Duties and Working Procedures and Principles of the Compensation Commission.
-
12.3.2024
Changes In The PDPL Was Published In THE Official Gazette
Law No. 7499 on Amendments to the Code of Criminal Procedure and Some Laws ("Law No. 7499") including critical amendments to the Law No. 6698 on the Personal Data Protection Law ("PDPL") was published in the Official Gazette on March 12, 2024.
-
9.2.2024
Amendments Were Made To The Regulations Based On The Occupational Health And Safety Law
In the Official Gazette dated 4 February 2024 and numbered 32450, amendments were made to some regulations issued based on the Occupational Health and Safety Law No. 6331:
-
1.2.2024
Turkish Competition Board Mergers And Acquisitions Outlook Report For 2023 Has Been Published
On January 5th, 2024, the Turkish Competition Authority has published the Report prepared by the Competition Board on Mergers, Acquisitions And Privatisation Transactions in 2023 ("Report").
-
31.1.2024
Important Principle Decision From The Advertising Board Regarding Discount Sale Advertisements
At the first meeting of the year held on January 9, 2024, the Advertising Board made an important principle decision regarding discount sale advertisements by amending the "Guideline on Advertisements Containing Price Information and Discount Sale Advertisements and Commercial Practices" in order to prevent consumer victimization through misleading advertisements and practices that lead to unfair competition in the retail trade sector.
-
17.1.2024
The Authority to Decide on Trademark Cancellation Passed to the Turkish Patent And Trademark Office!
In Article 192/1 (a) of the Industrial Property Law ("IPL") published in the Official Gazette dated 10 January 2017 and numbered 29944, the enforcement of Article 26 of the Law titled "Cancellation Cases and Cancellation Request" was postponed until seven years later, and with the Provisional Article 4 of the IPL, it was stipulated that the authority to decide on the cancellation of trademarks would be directly exercised by the Intellectual and Industrial Rights Civil Courts until 10 January 2024.
-
16.1.2024
Egemenoğlu Hukuk Bürosu / Internship Application
We are pleased to announce the opening of internship applications at Egemenoğlu Hukuk Bürosu. Legal Internship Application Deadline: March 15 Summer Internship Application Deadline: March 29 Prospective candidates are requested to submit their CVs either through our website www.egemenoglu.av.tr or by sending them to info@egemenoglu.av.tr.
-
12.1.2024
Turkish Sustainability Reporting Standards (TSRS) And Scope Of Application Of TSRSs Were Puslished In The Official Gazette
In the Official Gazette dated 29.12.2023 and numbered 32414, the Public Oversight, Accounting and Auditing Standards Authority (POA) announced the Turkish Sustainability Reporting Standards and determined the principles to be followed in sustainability reports.
-
11.1.2024
Important Regulations Which Are Effective As Of 2024 And/ Or Has Been Made Subject To Time Extension
Laws No. 5746 and No. 6550 extended the regulation on higher depreciation (showing expenses related to depreciation) and calculation rates and periods for new machines acquired for use in R&D, innovation and design activities.
-
19.12.2023
The Principles and Rules to be Applied in Retail Trade have been reorganize
With the "Regulation Amending the Regulation on Principles and Rules to be Applied in Retail Trade" prepared by the Ministry of Commerce and published in the official gazette on 14.12.2023, significant changes were made in the principles and rules of retail trade.
-
18.11.2023
Warning From The Authority On Sending Verification Codes To Customers Via Sms During Shopping
The Personal Data Protection Authority ("Authority") published a Public Announcement ("Announcement") on the Processing of Personal Data by Sending a Verification Code via SMS to the Data Subjects during Shopping in Stores.
-
14.11.2023
Communiqué Amending the Communiqué on the Procedures and Principles Regarding the Application of Article 376 of the Turkish Commercial Code No. 6102 has been published
In order to regulate the procedures and principles to be followed in cases of loss of capital or insolvency of joint stock companies, limited liability companies and limited partnership companies with capital divided into shares within the scope of Article 376 of the Turkish Commercial Code No. 6102 (Law), the Communiqué on the Procedures and Principles Regarding the Application of Article 376 of the Turkish Commercial Code No. 6102 (Communiqué) was first published in the Official Gazette dated 15/09/2018 and numbered 30536, and with the Provisional Article 1 of this Communiqué until 01/01/2023, Within the scope of Article 376 of the Law, it was stated that foreign exchange losses arising from foreign currency denominated liabilities that have not yet been fulfilled may not be taken into account in the calculations regarding capital loss or insolvency.