Data Protection Newsletter - March 2022

Esin Attorney Partnership


In February, the significant developments in the field of personal data protection are the Personal Data Protection Authority's ("Authority") announcements on the technical and organizational measures to be taken by data controllers and administrative fines to be applicable in 2022, a decision on publishing the exam results of a data subject on a news website and the Procedures and Principles Regarding the Certificate of Participation.

We set out summaries of the developments in February in Turkey and from the world below.

Decision: Decision on publishing the exam results of a data subject on a news website

In the complaint submitted to the Authority, the data subject claimed that their exam results were published on a local news website without their explicit consent and that the data controller did not respond to their information request.

In Decision No. 2022/13 dated 6 January 2022, the Personal Data Protection Board ("Board") determined that the data subject's name, surname, photograph, information on the higher education program and exam score were published on the data controller's website. The Board assessed that the exam score and higher education program information are personal data on the grounds that they may reflect the knowledge, competence, intelligence and judgment of the data subject in a particular field and that they provide information about the data subject's profession or interests. The Board then evaluated the element of public interest based on two conflicting concepts: the freedom of the press and the right to the protection of personal data.

Accordingly, the Board determined that the exam result of the data subject was ordinary information in nature and, therefore, publication did not serve the public interest.

The Board therefore decided to impose an administrative fine of TRY 30,000, taking into account that the data controller had removed the news item from the website before the investigation was completed.

The decision is available online here (in Turkish).

Announcement: Public announcement on the technical and organizational measures to be taken by data controllers

On 15 February 2022, the Authority published a public announcement regarding the technical and organizational measures to be taken by data controllers, following the increase in data breaches due to the publication of data subjects' usernames and password information on publicly available websites.

The Authority noted that the violations were due to a lack of technical and organizational measures. It recommended that data controllers take the following measures to prevent unauthorized access to personal data:

  • Establishing two-stage (two-factor) authentication systems and offering them as an additional security measure
  • Sending login information to the data subjects' contact addresses via email or text message, in cases where users log in to their accounts from different devices
  • Using HTTPS or another tool with the same security level
  • Using secure and up-to-date hashing algorithms
  • Limiting the number of unsuccessful login attempts from an IP address
  • Ensuring that data subjects can view information about at least five successful and unsuccessful login attempts
  • Reminding data subjects that the same password should not be used on more than one platform
  • Creating a password policy
  • Ensuring that passwords are changed periodically or reminding data subjects to do this, and preventing new passwords from being the same as old passwords (at least the last three passwords)
  • Using technologies such as security codes (CAPTCHA, simple arithmetic questions, etc.) that distinguish between computer and human behavior during logins
  • Restricting the IP addresses that are allowed to access the systems
  • Ensuring that passwords entered into the systems contain at least 10 characters, including uppercase and lowercase letters, numbers and special characters
  • Updating and checking systems regularly if third-party software or services are used to log in to the systems
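As an added illustration, not taken from the newsletter or the Authority's announcement, the snippet below shows how several of the listed measures can be enforced together: the 10-character mixed-class password policy, a history check against the last three passwords using salted PBKDF2 hashes, a per-IP limit on failed login attempts, and a record of the last five attempts that can be shown to the data subject. The threshold values, the PBKDF2 parameters and all sample passwords and IP addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import string
from collections import deque

# Assumed thresholds: the announcement fixes 10 chars, 3 old passwords and 5 visible
# attempts; the failed-attempt limit and PBKDF2 cost are choices made for this example.
MIN_LEN, HISTORY, MAX_FAILS, VISIBLE, ITERATIONS = 10, 3, 5, 5, 200_000

def password_meets_policy(pw):
    """At least 10 chars with upper, lower, digit and special characters."""
    return (len(pw) >= MIN_LEN and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def hash_password(pw, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)

class Account:
    def __init__(self, password):
        self.history = deque(maxlen=HISTORY + 1)  # current hash plus last three
        self.attempts = deque(maxlen=VISIBLE)     # last five attempts, shown to the user
        if not self.set_password(password):
            raise ValueError("initial password violates the policy")
    def set_password(self, new):
        if not password_meets_policy(new):
            return False
        # Re-hash the candidate with each stored salt to detect reuse of an old password.
        if any(hmac.compare_digest(hash_password(new, salt)[1], digest)
               for salt, digest in self.history):
            return False
        self.history.append(hash_password(new))
        return True
    def verify(self, pw):
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(pw, salt)[1], digest)

class LoginGuard:
    """Counts failed attempts per source IP and blocks once the limit is reached."""
    def __init__(self):
        self.fails = {}
    def login(self, account, password, ip):
        if self.fails.get(ip, 0) >= MAX_FAILS:
            account.attempts.append((ip, "blocked"))
            return "blocked"
        ok = account.verify(password)
        self.fails[ip] = 0 if ok else self.fails.get(ip, 0) + 1
        account.attempts.append((ip, "success" if ok else "failure"))
        return "success" if ok else "failure"
```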

Further information on the announcement is available in our legal alert here. The announcement is available online here (in Turkish).

Procedures and principles: Procedures and Principles Regarding the Certificate of Participation

The Authority previously published the Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism ("Communiqué") on 6 December 2021; the Communiqué entered into force on the same date. Recently, the Authority determined the procedures and principles ("Procedures and Principles") for obtaining such a certificate within the scope of the Communiqué and its Decision No. 2021/1296 dated 23 December 2021.

According to the Procedures and Principles, individuals who want to become a data protection officer must undertake a total of 40 hours of training. Following the training, the participants take the exam. Those who score above 70% will be deemed successful. Those who successfully pass the exam will receive a training report and a certificate of participation approved by the Authority.

Further information on the Communiqué is available in our legal alert here. The Procedures and Principles are available online here (in Turkish).

Announcement: Administrative fines for 2022

On 17 February 2022, the Authority published the amounts of the administrative fines set forth under Article 18 of the Personal Data Protection Law, which were increased by the revaluation rate pursuant to the Repeated Article 298 of Tax Procedure Law No. 213.

The administrative fines to be applicable in 2022 are as follows:

  • From TRY 13,391 to TRY 267,883 in case of the failure to fulfill the obligation to inform
  • From TRY 40,179 to TRY 2,678,863 in case of the failure to fulfill the obligations regarding data security
  • From TRY 66,965 to TRY 2,678,863 in case the Board's decisions are not fulfilled
  • From TRY 53,572 to TRY 2,678,863 in case of a breach of the obligation to register on and notify the Data Controllers' Registry

The announcement is available online here (in Turkish).

Significant developments from the world

  • EU: The draft Data Act has been published

    On 23 February 2022, the European Commission proposed the draft Data Act. The Data Act is a part of the European Data Strategy, together with the Data Governance Act (DGA). With the Data Act, the European Commission aims to increase access to data and provide a fair environment for the use of data.

    As part of the European Data Strategy, the DGA, which was agreed upon in November 2021, aims to increase the use of data in fields such as artificial intelligence, scientific research and the production of goods and services by regulating data sharing among different actors. The Data Act, in turn, regulates which actors can access data and generate value from it.

    Further information on the draft Data Act is available in our legal alert here. The draft Data Act is available online here.
  • EU: Online consultation platform on European Digital Identity Wallets

    In June 2021, the European Commission proposed a trusted and secure digital identity for all Europeans, including digital identity wallets. These personal digital wallets will enable citizens to digitally identify themselves, and store and manage identity data as well as official documents in an electronic format. Through this wallet, citizens will be able to prove their identity when necessary to access online services, share digital documents or simply prove a specific personal attribute, such as age, without revealing their identity or any other personal details that are irrelevant to the transaction in question.

    The European Commission recently launched an online platform to make European Digital Identity Wallets a practical tool for all. The platform will remain open to comments throughout the legislative negotiations and the member states' work on the toolbox that addresses the technical aspects of the future system.

    The press release of the European Commission is available here.
  • UK: International Data Transfer Agreement (IDTA), UK Addendum and transitional provisions will enter into force in March

    On 2 February 2022, the Information Commissioner's Office (ICO) announced that the IDTA, the UK Addendum and the transitional provisions had been laid before the UK Parliament and would enter into force on 21 March 2022.

    The IDTA, the UK Addendum and transitional provisions will replace the EU Standard Contractual Clauses under the UK General Data Protection Regulation (UK GDPR). With this development, companies must update the contracts concluded on or before 21 September 2022 that are based on the EU Standard Contractual Clauses by 21 March 2024. On the other hand, new contracts involving data transfers from the UK are required to be based on the UK Addendum and the IDTA.

    The statement is available online here.
  • UK: ICO publishes guidance on video surveillance

    The ICO has developed video surveillance guidance to help organizations in the public and private sectors that use video surveillance systems to collect and process personal data, and to stay within the legal requirements of the UK GDPR and the Data Protection Act 2018. The guidance explores emerging capabilities that can assist human decision-making, such as the use of facial recognition technology and machine learning algorithms. The recommendations in the guidance are based on the principles of UK data protection law, and they are set out to follow the life cycle and practical operation of surveillance systems.

    You may access the guidance here.
  • Luxembourg-EU: The European Data Protection Board's (EDPB) first consistency opinion on certification criteria

    On 2 February 2022, the EDPB announced its consistency opinion on the GDPR-Certified Assurance Report-Based Processing Activities (CARPA) certification scheme of the Luxembourg supervisory authority.

    As stated by Andrea Jelinek, the EDPB chair, the certification scheme allows data controllers and processors to demonstrate their compliance with the EU General Data Protection Regulation. The EDPB set forth certain amendments on the draft certification criteria to ensure their correct and consistent application by the data protection authorities in the European Economic Area.

    The announcement is available online here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
