Recent Decisions of Turkish Personal Data Protection Board on Technical and Organizational Measures
02 July, 2020
On June 23, 2020, summaries of new decisions of the Turkish Personal Data Protection Board (“Board”) on the technical and organizational measures to be put in place by data controllers were published on the website of the Turkish Personal Data Protection Authority (“Authority”). The decisions address a long-neglected essential of data protection in Turkey, technical and organizational measures, and underline that data controllers in Turkey have to fulfil the requirements stipulated in the Authority’s Guideline on Personal Data Security (Technical and Organizational Measures) in order to avoid penalties in this respect.
Summary of Decisions numbered 2020/191, 2020/192, 2020/193, and 2020/194 dated March 3, 2020 (“Decision on Risk Center”) on the complaint against factoring companies regarding data breaches related to the personal data transferred to the Risk Center
One of the common data breaches of recent days, the transfer of personal data collected through the Risk Center to legally unauthorized individuals and the use of such personal data for purposes other than those for which it was collected, is handled by the Board following a complaint in the Decision on Risk Center. In this respect, the Board highlights the regulations governing the processing of personal data collected through the Risk Center in the context of recent disputes, and its decisions impose penalties on factoring companies for the misuse of personal data collected from the Risk Center.
According to the Banking Law No. 5411 and related regulations, the Risk Center is an information system established as part of the Banks Association of Turkey to collect information on customers, mostly on creditworthiness, from credit and financial institutions recognized by the Banking Regulation and Supervision Board.
The Board mainly addresses the rules and regulations applicable to the Risk Center and, accordingly, to the transfer of personal data stored in the Risk Center. Under the applicable regulations, all information in the Risk Center is confidential and the relevant institutions are bound by a confidentiality obligation in this regard. Therefore, an individual’s risk information may only be transferred to third parties with that individual’s explicit consent. Although the transfer of risk information between financial institutions is allowed in several circumstances for specific purposes only, on condition that the necessary confidentiality agreements are executed between the parties, any unlawful disclosure or transfer of such information held in the Risk Center is subject to a prison sentence under Article 159 of the Banking Law No. 5411. In the Decision on Risk Center, the Board states that any processing of personal data for purposes other than its original specific purposes falls under the confidentiality obligation stipulated by the Banking Law No. 5411 and violates that obligation. Moreover, under the Banks Association of Turkey Risk Center Regulation, all members of the Risk Center are obliged to take all necessary measures to ensure confidentiality in line with the Law No. 6698.
With reference to the compatibility of the obligations of financial institutions under the Banking Law No. 5411 with the obligations of data controllers under the Law No. 6698, the Board concludes that all personal data collected and processed through the Risk Center has to comply with the requirements of the Law No. 6698, especially the data processing principles set out in Article 4 of the Law No. 6698. Financial institutions and, accordingly, factoring companies are responsible as data controllers under the Law No. 6698 for their employees’ unlawful data processing activities. In this sense, the factoring companies’ failure to establish and enforce access limitation for their employees is penalized by the Board as a major lack of necessary technical and organizational measures.
Summary of the Decision dated April 16, 2020 numbered 2020/286 (“Decision No. 2020/286”) on the data breach notification made by a game company
In the Decision No. 2020/286, the Board penalizes a data controller, the game company, for failing to fulfil its obligation to ensure data security, since it neither put in place the measures necessary to prevent malicious access to its databases nor established real-time warning systems to identify unauthorized access as soon as possible, and also for failing to fulfil its obligation to notify the personal data breach to the Authority without undue delay and no later than 72 hours after becoming aware of it.
According to the Decision No. 2020/286, the game company’s inadequate measures enabled malicious hackers to access the company database in which all personal data of the gamers (such as name, surname, contact information, picture, address, nickname, password and location data) is stored.
In its reasoning, the Board states that the measures the game company put in place only after the occurrence of the breach reveal that it was not prepared for such a breach beforehand. Furthermore, the Board also states that the occurrence of the breach is an indication of the inefficiency of the penetration tests conducted by the game company.
Summary of the Decision dated May 5, 2020 numbered 2020/344 (“Decision No. 2020/344”) on the data breach notification made by a bank
In the Decision No. 2020/344, the Board penalizes a data controller, the bank, which failed to take the technical and organizational measures necessary to prevent misuse of data subjects’ credit information.
According to the Decision No. 2020/344, several bank employees accessed the information system provided by the Risk Center in order to obtain the credit information not only of the bank’s customers but also of other individuals, contrary to the bank’s data security procedures and policies. A total of 25.288 individuals (17.582 bank customers and 7.706 non-customers) were affected by these continuous data breaches over a period of almost two years without the data controller becoming aware of them.
In its reasoning, the Board states that the bank’s failure to take the measures necessary to prevent unauthorized access to individuals’ personal data, especially that of non-customers, through the information system provided by the Risk Center caused the breaches. Furthermore, the Board also states that the length of time during which the data controller was unable to identify the unauthorized accesses shows that it had failed to review its security software warnings, access control log information and other reporting tools on a regular basis. Moreover, the reasoning also links the malicious acts of the employees who committed the breaches to the data controller’s failure to define the roles and obligations of all of its employees regardless of their position in the company’s organization. Referring to the measures stipulated in the Authority’s Guideline on Personal Data Security, the Board states that the data controller was unable to ensure that all of its employees were aware of their roles and obligations regarding data protection.
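As an added illustration, not part of the article or of the Board’s decision, the following Python sketches the kind of regular access log review the Board found missing in the Decision No. 2020/344: it reads constructed Risk Center query audit records, flags lookups of national ids outside the bank’s own customer register, totals them per employee, and measures how long such lookups went on. The log format, the customer register, the employee ids and the alert threshold are all assumptions.

```python
"""Added example: periodic review of Risk Center query audit logs.

Assumed (hypothetical) audit log format, one query per line:
    ISO-timestamp,employee_id,queried_national_id
The customer register is a set of national ids with a current
relationship to the bank. All values below are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed customer register (hypothetical national ids).
CUSTOMERS = {"11111111111", "22222222222", "33333333333"}

# Constructed audit log: emp-017 repeatedly looks up non-customers.
LOG_LINES = """\
2019-06-03T09:12:00,emp-017,11111111111
2019-06-03T09:40:00,emp-017,44444444444
2019-06-04T14:05:00,emp-042,22222222222
2019-06-05T08:30:00,emp-017,55555555555
2019-06-05T08:31:00,emp-017,66666666666
2019-06-05T08:32:00,emp-017,77777777777
"""


def parse_log(text):
    """Parse the assumed CSV-style log into (timestamp, employee, national id)."""
    records = []
    for line in text.strip().splitlines():
        ts, emp, nid = line.split(",")
        records.append((datetime.fromisoformat(ts), emp, nid))
    return records


def find_non_customer_queries(records, customers=CUSTOMERS):
    """Queries for ids with no customer relationship: the access pattern the
    bank's policies prohibited and its unreviewed logs would have recorded."""
    return [(ts, emp, nid) for ts, emp, nid in records if nid not in customers]


def employees_over_threshold(records, customers=CUSTOMERS, threshold=3):
    """Employees whose non-customer lookups reach the (assumed) alert threshold."""
    counts = Counter(emp for _, emp, _ in find_non_customer_queries(records, customers))
    return {emp: n for emp, n in counts.items() if n >= threshold}


def undetected_span(records, customers=CUSTOMERS):
    """Time between the first and last non-customer lookup: the period that
    would have remained undetected if the log were never reviewed."""
    bad = find_non_customer_queries(records, customers)
    if not bad:
        return timedelta(0)
    return bad[-1][0] - bad[0][0]
```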
As in the Decision No. 2020/286, the Board also states in the Decision No. 2020/344 that the access limitation on the information system provided by the Risk Center and the other technical and organizational measures put in place only after the occurrence of the breach reveal that the data controller was not prepared for such a breach beforehand.
Aslı Naz Ünlü