Principle Decision on Data Transmission to Third Parties
Article 12 of the Turkish Data Protection Law (“Law”) regulates the legal obligations of data controllers regarding data security. Accordingly, data controllers must take all technical and administrative measures to ensure that an appropriate level of security is established to prevent unlawful access to personal data. Subsection 5 of Article 12 further obliges data controllers to notify the data subject and the Turkish Data Protection Board (“Board”) “as soon as possible” in cases of unlawful access to personal data by third parties.
When the Law was first enacted, the timeframe referred to in the term "as soon as possible" was not clear. However, as data protection law in Turkey is an area that continues to develop through the rulings and principle decisions of the Board, this uncertainty has been clarified by a principle decision regarding the procedures and principles of a personal data breach notification on 24 January, 2019 (“Decision No. 2019/10”).
According to the Decision No. 2019/10, the term "as soon as possible" stipulated in Article 12(5) of the Law regarding data breach notifications made in cases of any unlawful access to personal data by third parties, should be considered to be “72 hours”.
On 2 August 2021, the Board published a summary of its decision dated 15 December 2020 and numbered 2020/957 (“Recent Decision”) regarding a data breach notification made by a company operating in the pharmaceutical industry (“Company”) and evaluated the issue within the scope of Article 12 of the Law.
In the event subject to the Recent Decision emails, including current payroll information for 337 employees, were automatically sent to the wrong employees within the Company as a result of an error in the monthly payroll notification system. The Company also reported that the error has occurred due to the fact that the Company's server parameters had not yet been optimized during the transition process to a new server that was being made in order to increase the Company’s security level.
The data breach, which took place on November 27 2020, came to light as a result of an employee of the Company, to whom another employee's payroll information was sent, informing the human resources department via email on the same day. Subsequently, the Company stated that the necessary administrative and technical measures had been immediately taken by deleting the emails that caused the data breach and by issuing a warning to the employees, to whom the wrong emails were sent.
As a result of their examination following the notification of the data breach, the Board did not impose an administrative fine, even though the Company had not notified the Board within the 72-hour period determined by Decision No. 2019/10. The Board took into account that the Company had notified the Board about the data breach, and it had documented its efforts to prevent negative consequences by taking all the possible remaining administrative and technical measures following the data breach.
The grounds for the Board’s decision were:
As a result, the Board concluded to instruct the Company (i) to be more careful about notifying the Board in due time, and (ii) to submit documents to the Authority proving that the Company had notified the data subjects who were affected by the data breach, and also that they had warned the recipients of the emails to delete them.
In a previous Board decision dated 9 October 2020 (“Decision No. 2020/787”), the Board examined whether a company operating in the health sector had fulfilled its obligation to “take the necessary reasonable technical and administrative measures” in accordance with Article 12, Sub-Article 1 of the Law, upon the company’s data breach notification.
After its examination, the Board did not impose an administrative sanction relying on similar points of justification to its Recent Decision. The Board stated that:
Both the Board’s Recent Decision and Decision No. 2020/787 are of great importance in terms of the Board's positive approach towards data controller companies that notify the Board without delay in cases of an unlawful access to data.
As can be seen, in the event that personal data within a company is accessed unlawfully by third parties, the Board is likely to adopt a more constructive and moderate attitude rather than one that directly imposes administrative sanctions on companies that can prove that they have taken the necessary administrative and technical measures with definitive documents and records and can show in their efforts that they have eliminated the negative consequences of a breach as soon as possible.
Therefore, it can be stated in the light of settled Board decisions that the Board definitely takes into account the efforts of companies that establish an “Action Plan” for possible data breaches and that can prove that the necessary measures have been taken immediately, in accordance with their Action Plan when such data breaches occur.