In June 2021, the Turkish Personal Data Protection Board (the "Board") published three decisions in total and announced two data breach notifications. The Board also approved the letter of undertaking for cross-border data flows prepared by Decathlon Turkey. As the growing number of decisions on cross-border data flows shows, the Board has sped up its evaluation of data controllers' applications for letters of undertaking.

The Board also organised two e-seminars in June: "Processing of Personal Data in Labour Relations" and "Technical and Administrative Measures in Ensuring Data Security." Videos of these e-seminars (in Turkish only) are available here.

Turkish Data Protection Board re-evaluates Data Controllers' Registry exemptions

On 25 June 2021, the Board announced its decision to narrow the exemption previously introduced for associations, foundations and unions concerning the obligation to register with the Data Controllers' Registry ("VERBIS").

In its latest decision, the Board re-evaluated and narrowed the VERBIS registration exemption for associations, foundations and unions. Under the new ruling, associations, foundations and unions that also operate a commercial enterprise are obliged to register with VERBIS by 31 December 2021. Such entities need only notify VERBIS of the data processing activities connected to their commercial activities. (See our detailed analysis of the announcement here.)

Confidentiality agreements are not sufficient after a data breach

A separate Board decision issued in June stems from an ex officio investigation by the Board of an e-commerce site (i.e., the data controller), opened after a data breach was notified by a partner company providing help-desk services to the site. As a result, the Board imposed a total administrative fine of TRL 800,000 (approximately EUR 77,670) on the e-commerce site.

In a nutshell: the e-commerce site operates as a marketplace and therefore issues partner companies a user name and password to log in to it. The partner company in question discovered a security gap through which it had accessed third parties' information. Afterwards, the e-commerce site and the partner company concluded a confidentiality agreement intended to secure the data obtained through the security gaps in the site, and agreed that the agreement had entered into force on the date on which the partner company first accessed the third-party information.

In its decision, the Board states that:

  • The data breach occurred because the partner company was given access to all notifications in the search tool. This constitutes unauthorised access.
  • The parties' execution of a confidentiality agreement does not retroactively eliminate the data breach.
  • The underlying cause of the breach was the data controller's failure to carry out regular audits for unauthorised access; the e-commerce site had not taken the necessary technical and organisational measures.
  • Accordingly, the Board in its decision imposed an administrative fine of TRL 600,000 (approximately EUR 58,250) for inadequate technical and organisational measures relating to the unauthorised access, and TRL 200,000 (approximately EUR 19,420) for failing to notify the Board of the data breach within 72 hours.

The Board announced the following data breach notifications in June

Data controller: Prof. Dr. Birol CIVELEK
Affected data subjects: Patients
Affected personal data: Identity (patient's name), audio-visual recordings (before and after photos of the recorded health care service)
Number of data subjects: 600

Data controller: INTERGEN Genetic and Rare Diseases Diagnosis Research & Application Center
Affected data subjects: Employees, users, patients and children
Affected personal data: Presumably identity, contact, personnel, legal transaction, customer transaction, transaction security, risk management, finance, audio and visual recordings, health and genetic data
Number of data subjects: Approx. 10,000

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.