- Turkish Personal Data Protection Board's Decision dated November 26, 2019 with number 2019/352

The Turkish Personal Data Protection Board ("Board") published its decision regarding a personal data breach that occurred at a bank on the Personal Data Protection Authority's ("DPA") website on January 8, 2020. The decision was issued by the Board on November 26, 2019 with number 2019/352 ("Decision") upon the data breach notification of the bank, whose name was not disclosed. Even before the Decision, many data breach notifications[1] made by various banks had been published on the DPA's website within the scope of Article 12 of Law No. 6698 on Personal Data Protection ("DPL"). These notifications and decisions emphasize the importance of personal data protection and of the technical and administrative measures that should be taken in the banking sector, especially given the substantiality and criticality of the personal data processed by banks, such as identity, contact, customer operation and financial information.

The data breach subject to the Decision resulted from a data leakage within the bank. The Decision states that employees of the bank forwarded three customers' personal data to their private e-mail addresses, viewed the information of three other customers and withdrew money from a customer's account with forged documents. It was concluded that the employees were instrumental in a fraud involving a large amount through the unlawful processing of the personal data of at least 6 customers. The bank also reported that, as a result of the employees' misconduct, their employment contracts were terminated and a criminal complaint was filed for fraud and embezzlement.

In the Decision, the Board stated that the bank had already taken some technical and administrative measures to prevent data leakage by means of data loss prevention systems (i.e., if an employee tries to send an e-mail containing more than a certain number of credit card numbers outside of the bank, the e-mail is quarantined and cannot be sent). However, as stated in the Decision, the technical and administrative measures taken by the bank could easily be overcome by malicious people and could not prevent the forgery or the withdrawal of a large amount without the knowledge and consent of the customers.

Consequently, the Board imposed an administrative fine of TRY 70,000 on the bank due to its failure to take all necessary technical and administrative measures for an appropriate level of security as per Article 12 of the DPL, and an administrative fine of TRY 30,000 since the Board was not notified of the data breach within the shortest time[2].

- Amendments to the Banking Law No. 5411

Since the entry into force of the DPL, the published decisions and data breach notifications have pointed out the sensitivity that should be shown to the personal data of bank customers. Correspondingly, amendments regarding customer secrets were introduced to the Banking Law No. 5411 ("Banking Law") with Law No. 7222, which was published in the Official Gazette on February 25, 2020 and entered into force on the same date.[3] The amendments affect the data processing and transfer activities of banks and impose a stricter data protection regime.

As per the Banking Law, a customer secret is all information relating to real persons or legal entities in respect of banking activities after a customer relationship is established. Considering that personal data is defined under the DPL as all information relating to an identified or identifiable real person, customer secret has a more extensive definition that also includes information on legal persons. The Banking Law provides that, even where the explicit consent of customers is obtained in accordance with the DPL, customer secrets shall neither be disclosed nor transferred to third parties in Turkey or abroad without a request or instruction of the customers, unless otherwise regulated in mandatory provisions. Thus, the conditions for disclosing and transferring customer secrets have been made stricter. However, because the obligation to obtain a "request" or "instruction" of customers relies on terms that are not defined in the Banking Law, there is a possibility of encountering more bureaucratic procedures than before, which are as yet unclear.

The Banking Law also states that, as a result of its assessment on economic security, the Banking Regulatory and Supervisory Board is authorized to prohibit the disclosure and transfer of customer or bank secrets to any third parties abroad and to render a decision on the retention of information systems and their backups in Turkey. The Board is also authorized to determine and limit the scope, method, principles and procedures in relation to the disclosure and transfer of customer secrets. In spite of data localization tendencies in many sectors, including the banking sector, the relevant amendment might be deemed challenging since cloud-based technologies are increasingly preferred.

Moreover, customer and bank secrets shall only be disclosed and transferred provided that the disclosure and transfer are limited and proportionate to the specified purposes, even if the disclosure and transfer are made on the basis of the exemptions regulated under the Banking Law. The relevant provision introduced by the Banking Law might be considered in line with the data processing principles set out in Article 4 of the DPL.

In conclusion, the protection of personal data and customer secrets and technical and administrative measures to be taken will apparently remain on the agenda of many banks in the upcoming days with the data protection regime introduced by the Banking Law.

This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in June 2020.

Footnotes

[1] https://www.kvkk.gov.tr/Icerik/6690/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Turk-Ekonomi-Bankasi-A-S-; https://www.kvkk.gov.tr/Icerik/6580/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-T-Garanti-Bankasi-A-S-; https://www.kvkk.gov.tr/Icerik/5526/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Turkiye-Is-Bankasi-A-S-; https://www.kvkk.gov.tr/Icerik/5516/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-DenizBank-A-S-; https://www.kvkk.gov.tr/Icerik/5492/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Turk-Ekonomi-Bankasi-A-S-; https://www.kvkk.gov.tr/Icerik/5375/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-ING-Bank-A-S- (Last Access Date March 26, 2020)

[2] https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi (Last Access Date March 26, 2020)

[3] https://www.resmigazete.gov.tr/eskiler/2020/02/20200225-12.htm (Last Access Date March 26, 2020)
