August 2021 – In July 2021, the Turkish Personal Data Protection Board (the "Board") published nine decisions and announced five data breach notifications. The Board was clearly focused on data breaches in July, as all its decisions last month relate to data breaches. The insurance industry came under particular scrutiny, as four of the nine published decisions relate to insurance companies.

Another important data protection development in July was the publication in the Official Gazette of the Constitutional Court's decision on an individual application regarding the right to request the protection of personal data. In the case in question, the applicant's personal data was shared on the Twitter social media platform by another user. The Constitutional Court concluded that the right to request the protection of personal data had been violated, as the applicant did not provide consent to share her personal information on Twitter.

Insurance companies "under the microscope"

In July, the Board highlighted the technical and organisational measures specified under the Guidelines on Personal Data Security and imposed administrative fines on the investigated insurance companies that had not taken the necessary technical and organisational measures. The Board stated that the following measures should be taken to ensure data security:

  • In the event that a system error in application software causes a data breach, the data controller should reconsider its security requirements when determining the need to procure, develop, or improve systems. Application systems must be tested before they go live.
  • The Board highlighted the importance of a data loss prevention (DLP) system for data security and stated that a DLP system makes it possible to block the sending of documents containing more than a defined amount of personal data by e-mail to addresses outside the company. In the specific case under investigation, the Board found that the data controller's DLP system had not prevented outbound e-mail, and that a former employee had sent the personal data of the company's customers to his own e-mail address.
  • The Board underlined that data controllers are required to provide training on basic issues to comply with Turkish Data Protection Law.
  • In another decision, a data breach was determined to have occurred at a third-party data processor under contract with an insurance company (data controller). The Board underlined that data controllers should ensure that data processors provide at least the same level of security provided by the insurance company (as the data controller).
  • In cases where personal data has been damaged, destroyed, stolen, or lost for any reason, data controllers should rectify the situation as soon as possible by using backed-up data.
  • All software and operating systems must be kept at their most up-to-date version, and anti-virus software must be deployed to protect against malicious software.
  • Data controllers should be aware that some widely used software has documented vulnerabilities, especially in older versions. Data controllers should also use products such as anti-virus and anti-spam software to protect against malware, and should be able to determine whether an intrusion or any unauthorised movement has occurred within their information networks. In addition, a formal reporting procedure should be established so that employees can report security vulnerabilities in systems and services.
  • Data controllers are required, within the scope of their data security policies and procedures, to check applications regularly and perform vulnerability scans to prevent data breaches. Security requirements should be considered when determining the need to improve existing systems.
  • Where sensitive personal data is processed, stored, and/or accessed through electronic platforms, the data should be stored in encrypted form using cryptographic methods and keys. Data controllers should protect sensitive personal data much more strictly than general personal data.
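The DLP control the Board refers to above (blocking an outbound e-mail once it carries more than a defined amount of personal data) can be illustrated with a small outbound-mail check. The following is an added example written for this summary, not code from the Board, the Guidelines, or any insurer: the internal domain `example-insurer.test`, the threshold of five personal-data items, the e-mail and payment-card patterns, and the sample export text are all constructed assumptions. Card-like digit strings are only counted when they pass the Luhn check, which keeps ordinary reference numbers from inflating the count.

```python
import re

INTERNAL_DOMAIN = "example-insurer.test"  # hypothetical company domain (assumption)
MAX_PERSONAL_ITEMS = 5                    # policy threshold (assumption)

# Detectors for two kinds of personal data: e-mail addresses and payment card numbers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional spaces/dashes


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_personal_data(text: str) -> dict:
    """Return how many e-mail addresses and Luhn-valid card numbers appear in text."""
    emails = EMAIL_RE.findall(text)
    candidates = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    cards = [c for c in candidates if luhn_valid(c)]
    return {"email": len(emails), "card": len(cards)}


def is_external(recipient: str, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """A recipient is external unless it belongs to the company's own domain."""
    return not recipient.lower().endswith("@" + internal_domain)


def evaluate_outbound(recipients, body: str, threshold: int = MAX_PERSONAL_ITEMS) -> dict:
    """Decide whether an outbound message may leave the company.

    Blocks when at least one recipient is external and the body carries more
    personal-data items than the policy threshold; internal mail is not blocked.
    """
    counts = count_personal_data(body)
    total = sum(counts.values())
    external = [r for r in recipients if is_external(r)]
    if external and total > threshold:
        return {
            "action": "block",
            "reason": f"{total} personal-data items (> {threshold}) to external recipients",
            "counts": counts,
            "external": external,
        }
    return {"action": "allow", "reason": "within policy", "counts": counts, "external": external}


# Constructed sample of a customer export that should never leave the company.
SAMPLE_EXPORT = """Policy renewals Q3 (constructed sample):
ayse.y@example.com, mehmet.k@example.com, elif.d@example.com,
can.o@example.com, zeynep.a@example.com, burak.s@example.com
card on file: 4111 1111 1111 1111
card on file: 5500-0000-0000-0004
reference: 1234567890123
"""

if __name__ == "__main__":
    # Same body, two destinations: a personal mailbox is blocked, a colleague is allowed.
    print(evaluate_outbound(["personal.mailbox@webmail.test"], SAMPLE_EXPORT))
    print(evaluate_outbound(["colleague@example-insurer.test"], SAMPLE_EXPORT))
```

The decision record returned by `evaluate_outbound` is what a DLP gateway would log; the counts per data type are what an investigator later needs to scope a breach notification such as the ones listed below.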

The Board announced the following data breach notifications in July:

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| --- | --- | --- | --- |
| Dentapoint Dental Health Clinic | Patients, customers, potential customers | Identity, contact, location, customer transaction, transaction security, financial, audio-visual recordings, race and ethnicity, and health data | Approximately 14,000 |
| Düzen Biyolojik Bilimler Araştırma Geliştirme ve Üretim A.Ş. | Patients | Name, surname, date of birth, gender, diagnosis result data | N/A |
| Webhosting Bilişim Teknolojileri AŞ | Employees, users and customers, potential customers | Identity, contact, customer transaction, finance, and other data such as details of services provided to customers, e-mail contents containing some passwords related to services, documents such as identity, company documents, authorised signatures list, tax certificate related to .tr domain name registrations, and data from 3,027 credit cards, due to log records mistakenly being left open between 15 November 2020 and 27 December 2020 | N/A |
| T. Garanti Bankası AŞ | Non-customers of the relevant branch and various customers | Finance data | 8,356 |
| Cosmolog Kozmetik Sanayi ve Ticaret AŞ | Customers | Identity (name-surname), contact (e-mail and address) data | 36,116 |

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.