Legal Alert

Turkey – Legal & Regulatory Updates Regarding March 2019

11 April 2019

Turkey

  • Data breach at Optimum continues to have an impact.

The Personal Data Protection Authority (“Authority”) issued several data breach notifications on its website in March 2019. The notifications of data breaches by companies of all sizes, including ING Bank A.Ş., show the importance of the issue. The data breach notification made by ING Bank A.Ş. attracted considerable attention and is therefore examined in detail under its own subheading.

As a result of the personal data breach at Optimum Otomotiv Satış Sonrası Çözümleri Tic. A.Ş. (“Optimum”), companies that have a business relationship with Optimum and were affected by that breach continued to notify the Authority of data breaches this month. Further details are as follows:

  • In the data breach notification made by Turmobil Turizm Rent a Car Taşımacılık ve Nakliyat San. Tic. Ltd. Şti. (“Turmobil”) to the Authority on March 7, 2019, it is stated that a data breach took place between December 22 – December 29, 2018. According to the announcement published on the website of the Authority, the system was accessed through an unauthorized web interface user, and customers’ image files and personal data were leaked. Identity information, contact information, vehicle licence information and traffic insurance policy information, as well as personal data of a special nature such as health data, were affected by the data breach.
  • In the data breach notification made by Özen İnşaat Taah. En. Turz. Tic. ve San. A.Ş. to the Authority on March 1, 2019, it is stated that customers’ image files were leaked through unauthorized web interface access to Optimum’s systems. 750 individuals were affected by the data breach, and it was stated that 5700 individuals were present in the current registration system.
  • In the data breach notification made by Kaya Seyahat Turizm San. ve Dış. Tic. Ltd. Şti. to the Authority on March 13, 2019, it is stated that a data breach took place between December 22 – December 29, 2018. A wide range of personal data, such as identity information, accident reports and vehicle licence information, was affected, and more than 1000 individuals were affected by the breach.
  • In the data breach notification made by ASF Otomotiv A.Ş. to the Authority on March 13, 2019, it is stated that a data breach took place between December 22 – December 29, 2018, and that customers’ image files and personal data were leaked through unauthorized access. Personal data such as ID and vehicle information, as well as personal data of a special nature such as medical reports, were affected by the data breach.
  • In the data breach notification made by Hunko Motorlu Araçlar San. ve Tic. Ltd. Şti. to the Authority on March 13, 2019, it is stated that a data breach took place between December 22 – December 29, 2018, and that customers’ image files and personal data were leaked as a result of unauthorized access. A wide range of personal data, including personal data of a special nature, was affected, and 697 individuals were affected by the breach.
  • ING Bank reports a notable data breach.

A notable data breach notification was published on the Personal Data Protection Authority’s (“Authority”) website on March 2, 2019. A data breach at ING Bank was reported to the Authority on February 21, 2019 by ING Bank (“Bank”), which acts as data controller. In the course of information security work carried out by the Risk Center of the Banks Association of Turkey (“BAT”), suspicious inquiries made by an ING Bank employee were detected. In order to determine whether these operations caused a possible data breach, the General Directorate of ING Bank was notified that an investigation should be carried out by the inspection teams in the presence of ING Bank. An investigation was carried out into any operations performed by the Bank’s employee with the relevant devices that could be considered a data breach. As a result of the investigation, it was determined that the Bank employee had gained unauthorized access to certain databases of the BAT Risk Center. In this way, during 2018 the employee made unauthorized inquiries through the TBB Risk Center systems about companies that were mostly not Bank customers, and transferred the data obtained outside the bank by means of electronic communications. The Bank’s employee accessed not only personal loan records, which provide individual creditworthiness information, but also KRM records, which can only be queried for real persons who are traders and for legal entity traders. According to the information in the KRM reports, the IDs and names of 19,055 real persons were leaked outside of the bank.

In the official letter sent to the Authority by the Bank, it is stated that audit, detection and awareness-raising measures were taken for the areas under the Bank’s control, that the method used to bypass the authorization control was blocked, and that the notifications to the real persons affected by the leak were carried out in coordination with the TBB Risk Center.

  • The Personal Data Protection Authority published a Guideline on Retention and Destruction of Personal Data.

As per Article 5 of the Regulation on Deletion, Destruction or Anonymization of Personal Data, the data controllers required to register with the Data Controllers Registry became obliged to prepare a personal data retention and destruction policy (“destruction policy”) in accordance with their personal data processing inventory. In this context, the “Personal Data Protection Law Personal Data Retention and Destruction Policy” prepared by the Authority was shared publicly on its website in order to guide the data controllers who are obliged to prepare a destruction policy. The destruction policy issued by the Authority serves as a best-practice example, covering the destruction of personal data processed by the Authority itself. When the institution’s destruction policy is examined, the following points are particularly noteworthy:

  • The duties and division of work among the units and employees within the Authority’s structure under the destruction policy are set out in detail.
  • The legal reasons (the relevant legal regulations) that require the storage of personal data, as well as the processing purposes that require storage, are discussed separately.
  • The techniques for the destruction of personal data and the recording mediums where these technical methods will be applied are explained.
  • The retention period required for each personal data processing activity, and the corresponding destruction periods, are clarified.

Thus, it would be appropriate to review the destruction policies prepared by data controllers in accordance with the policy published by the Authority.

  • The Personal Data Protection Authority shared its new publications publicly.

The Personal Data Protection Authority (“Authority”) published three separate guidelines, on the data controller’s obligation to inform, on the Data Controllers Registry System, and on a glossary of terms for personal data protection, in order to provide data controllers with examples of good practice and to eliminate confusion in the implementation of the legislation. The Authority set forth the procedures and principles to be followed by data controllers in complying with the obligation to inform data subjects in the “Guideline on the Fulfillment of the Obligation to Inform” published on its website. Secondly, the Authority shed light on the process of registering with the Data Controllers Registry System (VERBIS) in the “VERBIS Q&A” handbook. Finally, the rights and responsibilities regulated by Law No. 6698, and the explanations of the terms frequently encountered by data subjects and data controllers, are clarified in the “Articles and Preamble of the Law on the Protection of Personal Data (Annotation) and Glossary of Terms for the Protection of Personal Data” published on the website. These guidelines and the other related handbooks published by the Authority are important tools for data controllers in bringing their personal data processes into compliance with the personal data protection legislation.

  • The transition period for ensuring compliance with the Turkish Competition Authority’s Group Exemption Regulations in the motor vehicles sector has ended.

The Block Exemption Communiqué on Vertical Agreements in the Motor Vehicles Sector No. 2017/3 (“Communiqué No. 2017/3”), which revoked the Block Exemption Communiqué in the Motor Vehicles Sector No. 2005/4, entered into force upon its publication in the Official Gazette dated 24.02.2017 and numbered 29989. Following the entry into force of Communiqué No. 2017/3, the two-year transition period granted to players in the motor vehicles sector to comply with the new regulations ended on February 24, 2019, at the end of last month. Communiqué No. 2017/3, which contains regulations allowing providers to establish a more flexible distribution network for motor vehicles, also includes amendments to the provisions on multi-branding and on establishing additional points of sale. In particular, enterprises engaged in the purchase, sale or resale of new motor vehicles and spare parts, and those providing maintenance and repair services, were required to review their practices under Communiqué No. 2017/3.

  • The Information and Communication Technologies Authority decided upon the cooperation between Türksat and other telecommunication operators.

Türksat Uydu Haberleşme Kablo TV ve İşletme A.Ş. (“Türksat”), in an application to the Information and Communication Technologies Authority (“ICTA”), requested to be granted access to other operators’ networks and to sell and market mobile services through the sub-brand management method. The ICTA decided that Türksat may provide its services over its Cable TV infrastructure, through bitstream access to other operators’ wired infrastructure such as xDSL, xPON and FTTX, and by accessing other operators’ infrastructure through wholesale buy/sell and similar models. It was also decided that the sale and marketing of mobile services by Türksat through the sub-brand method must be carried out in compliance with Article 19 of the Authorization Regulation Regarding the Electronic Communication Sector. According to the decision, Türksat shall not use sales and marketing methods that give the impression that Türksat itself provides these services, and must clearly state the mobile network operator that provides the services in all of its sales and marketing activities. Mobile services shall not be resold under a buy-sell business model in any way, and Türksat is obliged to comply with the provisions of the other relevant legislation.

  • The Turkish Competition Authority has published the 2019-2023 Strategic Plan.

The Competition Authority (“Authority”) has prepared five-year strategic plans since 2014, in line with its stated mission and vision and with an understanding that its activities should be conducted in a planned and scheduled manner. The 2019 – 2023 Strategic Plan (“Plan”) was published on the website of the Authority on March 12, 2019. The Plan includes assessments of the extent to which the Authority’s objectives for policy development, competition advocacy, supervision and regulatory activities were achieved, and opinions are provided in the context of the situation analysis. As the Plan is put into practice, it will be periodically evaluated and revised as required by current conditions. In order to facilitate monitoring and evaluation, performance criteria related to the objectives and targets stated in the Plan are also included. It is further stated that progress towards the objectives in the Plan will be reported on an annual basis.