Sometimes 2min is plenty, even for law

August ’21

Reading time: 100 seconds

In August 2021, the Turkish Personal Data Protection Board (the “Board”) published a total of twenty decisions and announced seven data breach notifications. The Board clearly continued its focus on data breaches, as all but one of its decisions announced during August relate to data breaches.

The Board also announced that the First International Personal Data Protection Congress on “Developments in the World and Turkey” will be held on 12–14 November 2021. You can access detailed information about the congress, which will be held online in Turkish and English, here (in Turkish only).

The Board penalises a game company

In August, the Board published a decision regarding a data breach of a computer game company. As a result, the Board imposed a total fine of TRL 130,000 (approximately EUR 13,237) on the Game Company—TRL 100,000 (approximately EUR 10,183) for failure to take the necessary technical and organisational measures to ensure data security, and TRL 30,000 (approximately EUR 3,054) for failure to fulfil the obligation to notify the Board within 72 hours.

In its defence, the Game Company stated that during a routine security control it discovered that a folder containing source code and data files had been uploaded to a website without authorisation by a former web developer employee, immediately after the individual’s employment relation had been terminated by the Game Company.

In its decision, the Board ruled that the former employee’s ability to transfer personal data to a portable storage device and upload it to a website is an indication of a “security vulnerability”. Further, as it took the Game Company nearly two years after the incident to identify the data breach, the Board concluded that the Game Company did not regularly carry out security controls, and thus the technical and organisational measures taken by the data controller were inadequate. The Board also highlighted that data controllers are obliged to make all employees adopt the principle of “everything which is not forbidden is allowed”.

Requests of Turkish citizens to stop the transfer of their personal data abroad are denied

The Board also made a public announcement in August concerning the numerous requests it has received from Turkish citizens residing outside of Turkey to prevent the transfer of their personal data to institutions and organisations in other countries, especially EU member countries.

In its announcement, the Board rejects these requests and states that data subjects must, as the first step, make an application to data controllers regarding their rights. After this first procedural requirement, if the data controller does not provide a response within 30 days or if the response does not satisfy the data subject, the data subject has the right to apply to the Board.

The Board also stated that the competent authority in this area is the Revenue Administration, which is affiliated to the Ministry of Treasury and Finance, in terms of the implementation of the provisions of the “Multilateral Competent Authority Agreement on the Automatic Exchange of Financial Account Information” in Turkey. In this respect, the application under the above-mentioned Agreement must be submitted to the competent authority. From the date of its public announcement, the Board has not assessed any application or provided any further response in this regard.

The Board announced the following data breach notifications in August  

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
|---|---|---|---|
| MNG Kargo Yurtiçi ve Yurtdışı Taşımacılık AŞ | Cargo Recipients | Name-surname, address, phone number | N/A |
| Sinoz Kozmetik Sanayi Ticaret AŞ | Customers/Potential Customers | Name, surname, e-mail, and mobile phone information | 1,352,358 |
| Pied Piper Fansub (piedpiperfb.com) | Users and Subscribers/Members | Identity, communication, location, personnel, transaction security, professional experience, political thought, philosophical belief, religion, sect and other beliefs, sexual life, genetic data, and other data | 50,000 |
| Subway International B.V. | Users/Subscribers | Name, surname, e-mail address, password of remote order account, phone number, address, and information about previous orders | 51,295 |
| Oriflame Kozmetik Ürünleri Ticaret Limited Şirketi | Employees and Customers | Name, surname, e-mail, and phone information | 21,655 |
| Motor Trend Group LLC | Users and Members/Subscribers | Identity, gender, date of birth, email address, identification data (e.g., usernames and passwords), general information about the estimated geographical location, and information on answers to password reset security questions for approximately five people | 2,977 |
| Timurlar Sigorta Aracılık Hizmetleri Ltd. Şti. | Customers/Potential Customers | Name, surname, identity number, telephone number, date of birth, address, and occupation information | N/A |

 

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Ertuğrul Keçeli, Legal Intern, at ekeceli@gentemizerozer.com.
