
KVKK & GDPR - VeriSistem · PROFESSIONAL APPROACH FOR YOUR KVKK COMPLIANCE PROCESSES. T: +90 212 244 92 22 ask@cottgroup.com · 30 April 2020 · APRIL NEWSLETTER NO:2020-04 · Board Decision

APRIL 2020

KVKK & GDPR NEWSLETTER


www.cottgroup.com [email protected] T: +90 212 244 92 22 www.verisistem.com 30 April 2020

APRIL NEWSLETTER NO:2020-04


DECISION SUMMARIES OF THE MONTH

Board Decision About Obtaining Employee's WhatsApp Messages Unlawfully

Decision No: 2019/138 Date of Decision: 16.05.2019 Summary of the Topic: Decision about a company owner who illegally obtained his employee's WhatsApp correspondences

In the case subject to the decision, it is claimed that the complainant's WhatsApp correspondence was illegally obtained by the owner of the company where he works and transferred to third parties.

As a result of the investigation made on the subject, it has been decided that the incident, which took place when one of the members of the WhatsApp group saved screenshots through the employee's computer at work, will be evaluated within the scope of Article 136 of the Turkish Penal Code; that, in accordance with the ex officio investigation clause regulated in Article 15 of Law No. 6698, the Authority filed a criminal complaint with the Prosecutor's Office and the process is continuing; and that, in this context, the relevant application cannot be evaluated under Law No. 6698.

Decision About Processing of Personal Data as a Service Requirement and Failure to Fulfill the Disclosure Obligation Duly

Decision No: 2019/206 Date of Decision: 08.07.2019 Summary of the Topic: Decision about the data controller who requests the processing of personal data on the website as a condition of service, and the claims that the data controller has not fulfilled the disclosure obligation duly

As a result of a notice sent to the Authority, the Authority ex officio initiated an investigation; it has been claimed that, on the website where the data controller offers services, there is a field where an e-mail address must be entered in order to proceed to the homepage, and that the legal grounds in the disclosure text on the website are not clearly presented.

As a result of the Board's investigation of the claim, it has been decided that:

• Regarding the claim that the services are conditioned on explicit consent: since the website subject to the investigation does not provide users directly with a product or service, but is only an intermediary company that allows the purchase of various products and services, and non-members are not prevented from purchasing products and services, it has been determined that the provision of products and services is not conditioned on the explicit consent requirement, and there is no action to be taken within the scope of Law No. 6698;

• As a result of the examination of the disclosure text on the website, it has been determined that some expressions in the text gave the impression that the personal data processing activity was carried out primarily and only on the basis of the explicit consent of the data subjects; it has been emphasized that if processing that is based on one of the other data processing conditions is made subject to the explicit consent requirement, this will be deceptive and an abuse of right. From this point of view, it has been decided that the company be instructed to arrange the text on the website in accordance with the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Disclosure Obligation, and to obtain explicit consent and perform the disclosure separately.

Board Decision Regarding the Access Request of a Dead Person's Relatives to His Data

Decision No: 2019/273 Date of Decision: 18.09.2019 Summary of the Topic: Regarding the access request of a dead person's relatives to his data

In the application of the dead person's spouse to the Authority, it is stated that the spouse, being his/her legal inheritor, first requested the health information of the dead person from the clinic where he had been treated, by registered mail and then by e-mail; however, in the clinic's reply to the e-mail, it is stated that the data cannot be shared via informal channels; the spouse of the dead person therefore requested access to the said data from the Authority.

As a result of the investigation made on the subject by the Authority, it has been decided that:

• There is a provision in the Turkish Civil Code stipulating that personality ends with death;

• In Law No. 6698, the data subject is defined as a natural person whose personal data is processed;

• Article 11 of Law No. 6698 lists the matters about which the data subject may request information regarding his personal data; with reference to these, there is no action to be taken under Law No. 6698.


Decision About the Short Messages Sent by the Data Controller to the Data Subject for Advertising Purposes

Decision No: 2019/297 Date of Decision: 01.10.2019 Summary of the Topic: About the short messages sent by the data controller to the data subject for advertising purposes

In the case subject to the decision, a message with advertising purposes was sent to the data subject by the data controller; on the grounds that his data had been processed without explicit consent, the data subject applied to the data controller. However, since the response of the data controller was not satisfactory for the data subject, he made a complaint to the Authority.

By evaluating the concrete event with the information and documents, the Authority has decided that:

• The explicit consents obtained in accordance with the law before the entry into force of Law No. 6698 will be accepted as compliant with the Law, unless a contrary declaration of will is made within one year,

• The databases consisting of e-mail addresses received for the provision of goods and services directly between the service provider and the buyer before the entry into force of the Regulation on Commercial Communication and Commercial Electronic Messages are considered approved,

• In the case subject to the decision, there was a relationship between the data controller and the data subject regarding the provision of goods and services, and the data subject admitted that he had been contacted,

• The data controller presented evidence and documents in its defense to the complaint;

• There is no action to be taken under Law No. 6698 on the complaint.

Decision Regarding the Transmission of the Data of the Relevant Person to Another Person Due to Name-Surname Similarity

Decision No: 2019/333 Date of Decision: 07.11.2019 Summary of the Topic: Board decision on the transfer, by e-mail, of the invoicing information of another subscriber with a similar name and surname to the complainant by the data controller operating in the telecommunications sector.

In the case subject to the decision, the data subject made a complaint to the Authority because invoices of another person had also been sent to him, due to name similarity, by the telecommunications company that is his operator, and the error was not corrected although the data subject sent an e-mail to the company about it.


As a result of the defense requested by the Authority from the data controller, the data controller stated that:

• In accordance with the Consumer Rights Regulation of the Information and Communication Technologies Authority, the invoices of persons who wish to receive their invoices by e-mail are sent to the e-mail addresses they declared,

• When the e-mail addresses declared by the subscriber with the same name as the complainant were examined, it was found that both people had declared the same e-mail address,

• Sending invoices to the declared e-mail address in order to fulfill the obligation to send invoices is carried out in accordance with the legislation,

• In addition, an attempt was made to contact the person with the same name as the complainant to resolve the situation, and the wrong e-mail address was then removed from the system to prevent further e-mails being sent to the complainant,

• Since the complainant did not make his application in accordance with the Communiqué on the Procedures and Principles of Application to the Data Controller, his identity could not be verified and therefore no response was given to the application.

With the investigation made by the Authority on the subject:

• As a result of the examination of the subscription agreements with both customers, it was determined that the e-mail addresses in the contracts are the same,

• It is a lack of technical measures that there is no mechanism to prevent the re-entry of an existing e-mail address in the system while registering a customer's subscription,

• The defense of the data controller that the identity could not be confirmed is unjustifiable, since the data of the person was already registered in the system, and the application conditions under which identity confirmation is possible had been reminded to the data subject,

• For this reason, on the grounds that the data controller's response to the application is not in accordance with the Communiqué and does not comply with the rule of law and integrity;

• It has been decided to impose an administrative fine of 50.000 TL on the data controller telecommunication company,

• In addition, the data controller is to be instructed to pay attention to compliance with the Communiqué on the Procedures and Principles of Application to the Data Controller and to take all administrative and technical measures regarding data security.


Board Decision on the Use of the Information Given to the Call Center for Magazine Subscription by a Food Company for Advertising Purposes

Decision No: 2020/34 Date of Decision: 16.01.2020 Summary of the Topic: About the phone number given by the data subject to a call center for magazine subscription transactions being called by the said call center for the purpose of advertising a food company

In the case subject to the complaint, the data subject stated that he was called by a food company and that he tried to reach them through the contact section of the company's website; however, as he was unable to reach them, he made an application to the company in writing. Upon that, he made a complaint to the Authority, sending the letter of response he had received from the call center, as his data had been used outside the intended purpose.

In the response letter, the responsible person of the call center stated that:

• They operate to carry out the transactions of the subscribers of the magazine with the authorization granted by a sports club;

• Since the data subject is a subscriber of the sports magazine, his information was included in the call center records; the data subject was called as a result of an error due to the system used by the data controller, and the data was irreversibly destroyed after the mistake.

As a result of the investigation made on the subject by the Authority, drawing attention to the general principles to be followed in the processing of personal data and referring to the articles of the Law on the conditions for processing personal data, destruction and compliance of the processes, it has been decided that, although it was declared by the data controller that the phone number of the data subject was deleted and that the person was called as a result of an error, an administrative fine of 18,000 TL be imposed on the data controller on the grounds that the deletion was not done properly.

Failure of a Bank to Meet the Compensation of the Data Subject Due to the Unlawful Processing of Personal Data

Decision No: 2020/41 Date of Decision: 16.01.2020 Summary of the Topic: About the data subject whose compensation request was not met by the data controller bank within the scope of the claim that the personal data were illegally processed

In the case subject to the decision, the bank called the workplace of the data subject who did not pay his loan debt, asked the family information of the person and asked the secretary of the workplace multiple times whether the person would perform a payment or not. Upon this, the data subject requested an immaterial compensation of 100.000 TL from the bank; however, the bank did not respond to this request. Thereupon, the data subject applied to the Authority based on the Article 11 of the Law.


As a result of the investigation made on the subject by the Authority, it has been decided that, even though the data subject has the right to demand compensation for damages in the scope of Article 11 of the Law, requests for immaterial compensation are not included in this scope, pursuant to the provision "Compensation rights of the ones whose personal rights are violated are reserved." stated in Article 14 of the Law; the data subject should pursue his request before the general courts, and there is no action to be taken under Law No. 6698.

Sharing the Data of the Relevant Person with Third Parties Without His Consent by a Bank

Decision No: 2020/43 Date of Decision: 16.01.2020 Summary of the Topic: About the compensation request of the data subject from the bank on account of the fact that his data had been shared with his father without his consent.

In the case subject to the decision, the data subject applied to the bank to remedy his moral damages because his data was shared with his father; as the data controller bank did not respond to the request within 30 days, the data subject applied to the Authority.

In the letter of defense sent to the Authority by the bank on the subject, it is stated that:

• As a result of the intelligence inquiry of the related branch, the data subject, who resides at the same residence as the bank customer (his father), is in the risk group according to the Banking legislation, and the bank customer father was verbally informed, as a matter of obligation, of why the loan application was not accepted,

• The mentioned data processing activity was carried out under the condition of being "explicitly prescribed in the laws" in Law No. 6698,

• Persons who are in the risk group have been informed, via the disclosure text available on the bank's website, that their data can be processed even if they are not bank customers,

• Therefore, it is not against Law No. 6698 to inform the bank customer father that the data subject is in default in his credit payments, without giving further details.

As a result of the investigation, the Board has decided that:

• The use of the data of persons in the risk group within the scope of banking activities for the bank's own use, and its transfer to the risk center, is within the scope of the fulfillment of a legal obligation under the terms of Article 5 of the Law;

• It is regulated in Article 12 of the Law that the data controller and data processors may not disclose personal data to anyone else in violation of the provisions of the Law and may not use them for purposes other than processing,

• The bank's sharing of the information of the data subject with its customer cannot be considered within the scope of fulfilling the obligation to inform customers about the service regulated in Article 76 of the Banking Law,


• In the same Law, it is regulated that criminal sanctions will be imposed on persons who disclose the secrets of the bank and its customers; where these crimes are committed within the framework of a legal person's activity, security measures specific to legal persons will be applied as per the Turkish Penal Code,

• Attention is drawn to the fact that, if the relevant data is shared with third parties, the disclosure of a customer secret falls within the scope of Article 136 and Article 239 of the Turkish Penal Code,

• The data subject should exercise his right to demand moral damages before the general courts, and there is no action to be taken by the Board in this regard;

• The said activity is a violation of Article 12 of the Law, and action is to be taken against those who caused the violation within the data controller within the scope of Law No. 6698,

• Since sharing the debt information of the data subject with third parties without consent also contradicts the Banking Law and the Turkish Penal Code, the subject is to be passed to the Banking Regulation and Supervision Agency for action to be taken within the scope of these laws.

Decision about an Insurance Agency Regarding Sharing the Data of the Relevant Person in Its Social Media Accounts for Advertising Purposes

Decision No: 2020/58 Date of Decision: 27.01.2020 Summary of the Topic: About an insurance agency sharing personal data of its customers on its public social media platforms for advertising purposes without notifying its customers

In the notice made to the Authority, it has been stated that the insurance agency shared the data of its customers for advertising purposes on its social media accounts and that the customers had given no permission on the subject; proof documents were submitted in addition to the petition of notice.

In the letter of defense sent by the insurance agency to the Authority in this regard, it has been stated that:

• An attempt was made to mask the personal data of customers while sharing them on the social media account; however, in some posts, masking was overlooked through carelessness or haste;

• These posts were deleted from the social media accounts after the letter sent by the Authority,

• Posts containing identity numbers have never been shared,

• The lack of knowledge on the subject is caused by ignorance and the necessary corrections will be made.

As a result of the investigation made on the subject, the Board has decided that:

• In the social media posts of the data controller insurance agency, the following data of the customers were included: names, surnames, other identification information (masked), license plate numbers, colour and model of vehicles, and financial information,

• The related posts were made through personal social media accounts and the insurance agency's social media accounts,

• It is determined that the data controller shared personal data without the explicit consent of the data subjects and did not comply with the obligations regarding the protection of personal data,

• An administrative fine of 22.500 TL is to be imposed on the data controller.

Decision About the Personal Data Processed by a Transportation Service Company within the Scope of a Mobile Application

Decision No: 2020/65 Date of Decision: 27.01.2019 Summary of the Topic: Application made to the Authority about personal data processed in the scope of a mobile application.

In the case subject to the decision, the journeys of the drivers serving in the company that provides transportation services are scored through the mobile application; however, the data subjects cannot access these scores. In addition, this point is not included in the disclosure text provided by the company via the mobile application. The data subject made a complaint to the Authority, since he had not been given any response to the application that he made to the data controller. Upon this, the data controller stated that the data belonging to the user is only related to the establishment and performance of the membership agreement, and a written response was given afterwards, even though it was not within the period in which the data subject applied to the data controller.

As a result of the investigation made on the subject, the Board has decided that:

• The data controller is to be instructed to respond to the requests of the data subject in a timely, absolute and complete manner;

• In addition, as a result of the evaluation of whether the scoring of the data subjects is directly related to the establishment or performance of the contract, an administrative fine of 100,000 TL is to be imposed on the company on the grounds that this activity is not a constituent element of the performance of the contract and is not based on one of the data processing conditions in Article 5 of the Law;

• In the investigation regarding the claim of the data subject that there is no information in the disclosure text regarding the scoring, as the terms of use and data processing purposes in the disclosure text for the personal data processed do not include this point, an administrative fine of 10,000 TL is to be imposed on the data controller, since it did not fulfill its disclosure obligation in this context;

• In order to continue the scoring activity, the data controller is to be instructed to update the disclosure text and submit documents and records regarding the completion of the listed issues to the Board within 30 days.


Decision about a Real Estate Company Regarding Sending Advertising Messages Without the Consent of the Data Subject

Decision No: 2020/67 Date of Decision: 27.01.2020 Summary of the Topic: About the advertisements and notifications sent to the data subject via SMS by a real estate company without his consent

In the defense made to the Board by the data controller, who sent an advertising message to the data subject without his consent, it has been stated that:

• Only names, surnames and mobile numbers are kept in the records,

• The data is processed solely for the purpose of communicating with the person for advertising, campaign and promotion purposes,

• The data was obtained from a public source on the internet; but these resources are not currently available, and the links are not active,

• Following the application of the data subject, his data was deleted from the system immediately and he is no longer contacted.

As a result of the investigation, the Board has decided that:

• According to the defense made by the data controller, the personal data was obtained through a publicly available source, not with the explicit consent of the data subject,

• In accordance with the principle of publicization in the second paragraph of Article 5 of the Law, when processing such data it is necessary to look at the will of the data subject in publicizing it; the fact that data is in a place where everyone can see it does not make it lawful to use this data for purposes other than the purpose of publicization,

• In the concrete case, an administrative fine of 50.000 TL will be imposed on the data controller on the grounds that the data was processed without the explicit consent of the data subject and that none of the other conditions stated in Article 5 are met.


Decision About a Flight Ticket Sales Company Due to Non-Compliance with the Board Decisions

Decision No: 2020/86 Date of Decision: 06.02.2020 Summary of the Topic: The decision regarding a data controller flight ticket sales company for not complying with the Board Decisions.

In the case subject to the decision, the data subject made two complaints about the same data controller.

In his first application, the data subject asked for the update of the e-mail address among his membership information on the website of the data controller, and the data controller stated that no updates can be made and that the data subject should apply for a new membership with his current e-mail address. Upon the data subject's application to the Board on the matter, the data controller company argued in its defense to the Board that the data subject had not made the application in the procedure set out in the Communiqué.

As a result, with Decision No. 2019/48 the Board decided that:

• Since the application was not made in compliance with the legislation and the identity of the data subject could not be determined, there is no action to be taken against the data controller;

• In addition, it was notified to the data subject and the data controller that the company, in its response, gave as its reason that no changes can be made to the membership e-mail, in other words, the request of the data subject was not rejected due to the inability to determine identity; the company was instructed to take all administrative and technical measures to conclude the application made by the data subject in accordance with the rule of integrity.

In the second complaint of the data subject regarding the same data controller, it was notified to the Board that the data subject forwarded his previous request to the data controller again via the registered e-mail service ("KEP"); however, although the e-mail was read on the same day it was sent, the data controller did not respond to the data subject within 30 days.

In its defense, the data controller briefly stated that the application was overlooked due to workload, but that when it was noticed, the e-mail address was updated at the request of the data subject, and it shared with the Board that the data subject had been notified.

As a result of the investigation made on the subject, the Board decided that:

• Although, with the Communiqué on the Procedures and Principles of Application to the Data Controller, the right to apply to the Board has been granted to the data subject in case the application is not responded to or the response is inadequate, no administrative sanction has been stipulated in the Law solely for not responding to an application.

• However, in the concrete case, the complaint is the second complaint the data subject has made to the Board about the data controller, and in its first decision, No. 2019/48, the Board instructed the data controller to take all administrative and technical measures to conclude the applications made by data subjects effectively, in accordance with the law and the rule of integrity.

• Considering the evidence that the e-mail presented with the second complaint was read on the same day, and the defense of the data controller, the data controller has not taken the necessary administrative and technical measures to effectively conclude the application of the data subject; in other words, an administrative fine of 50.000 TL is to be imposed on the data controller due to the violation of the Board decision, as set out in Article 15 of the Law.

Decision about the Bank that Processes Personal Data Unlawfully in Order to Acquire Potential Customers

Decision No: 2020/103 Date of Decision: 06.02.2020 Summary of the Topic: Board Decision on the application to the Board regarding a bank that opened an account for the purpose of acquiring potential customers by processing the data of the relevant person unlawfully.

In the case subject to the decision, a complaint was made to the Authority that an account was opened in 2016 in a bank branch despite the absence of any application by the relevant person, and that a great volume of information, including the mother's maiden name of the data subject, was kept by the bank.

The data controller bank stated that a customer number was created for the data subject with information obtained from third parties for potential customer acquisition; however, the account was not activated since the service contract had not been signed.

As a result, although Law No. 6698 was not in force in January 2016 when the customer number was created, based on the answer given by the bank in 2018 the Board determined that the information of the data subject is still retained by the bank, and that this is a data processing activity carried out without one of the conditions stated in Article 5 of the Law; in addition, as this data processing activity is in violation of the general principle stated in Article 4 of the Law on the destruction of personal data, the Board decided to impose an administrative fine of 210,000 TL on the bank.


NEWS

Polish Data Protection Authority (UODO) Fines the Company that Could Not Be Found at Its Address on the Date of Inspection

In the case subject to the decision, the Polish Data Protection Authority decided that an investigation into the protection of personal data should be carried out, based on findings obtained while reviewing the liquidation process of a firm operating in telemarketing. No one was found at the address on the date notified to the company for the inspection; the company, whose lawyer was contacted later, declared through its lawyer that an inspection could not be carried out. Thereupon, the Data Protection Authority imposed an administrative fine of 20,000 PLN on the company for violating the GDPR and the Polish data protection legislation, and filed a complaint with the Prosecutor's Office against the company's authorized person, on the grounds that the company did not want to cooperate with the inspection, did not comply with its obligations and intentionally avoided being subject to inspection by the supervisory authority.

It has been addressed that, on the remote education platforms widely used in the remote education model applied due to Covid-19, personal data such as the names and surnames of students, as well as some sensitive personal data that can be evaluated as biometric data, such as voice and image, are processed. Such personal data should be processed in accordance with the processing conditions for personal data in Article 5 of the Law No. 6698 on the Protection of Personal Data and, for special (sensitive) personal data including biometric data, the conditions in Article 6.

In addition, it is stated that most software used for remote education services is provided through cloud service providers and that the data centers of this software are mostly located abroad. Since platforms with data centers abroad are used, transfer of data abroad will be in question, and it should be kept in mind that transfers that do not comply with the conditions specified in Article 9 of KVKK may constitute a violation of the Law.

Public Announcement from Turkish Data Protection Authority About Remote Education Platforms


In this context, when assessing whether the platforms used for remote education services take the necessary data security measures, the Personal Data Security Guide (Administrative and Technical Measures) prepared by the Personal Data Protection Board, and the Decision of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 titled "Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data", should be taken into consideration.

The "Pandemic Isolation Tracking Project", which aims to observe the movements of quarantined people and regions, has been announced by the Presidency of the Republic of Turkey; in the announcement, it is stated that the aim of the project is to carry out analyses to prevent further spread of the epidemic.

In the project, which will be carried out in cooperation with the Ministry of Health, the Information Technologies and Communications Authority and all GSM operators, it is understood that the location information of individuals will be monitored by GSM operators, which may raise concerns regarding personal data security and privacy.

By publishing an announcement regarding the subject on 09.04.2020, the Personal Data Protection Authority has declared that the processing of the location data by the authorized institutions and organizations in order to prevent further spread of the pandemic will be considered under the exception of the Article 28 of KVKK, as the epidemic disease threatens public safety and public order; in other words, that the Law shall not be applied for this activity.

In other words, although it has not yet been clarified how the process will be carried out, there is no legal obstacle, especially under the legislation on the protection of personal data, to legitimately carrying out analyses such as ensuring the effective isolation of people who have the disease or are likely to have been in contact with it, using location information monitored via mobile applications or network data, mapping the further spread of the disease, or identifying crowded places.

However, although the said application is subject to the exemption clause of KVKK, considering the Paragraph 3 of the Article 20 of the Constitution and the Article 8 of the European Convention on Human Rights, it is clear that the authorization of public institutions is not unlimited in this sense; they must comply with the principle of proportionality and take the necessary measures to ensure data security.

Regarding this subject, the Authority emphasized that data security should be taken into consideration in the methods used to ensure public order and public security; and declared that the relevant institutions and organizations should take all necessary technical and administrative measures regarding the protection of personal data. In addition, the Authority explicitly stated that the personal data should be destroyed if the reasons requiring the processing of this data no longer exist.

Public Announcement by the Turkish Personal Data Protection Authority on the Processing of Location Data in Fighting Against the Covid-19 Pandemic and Monitoring the Mobility of Persons


As it is known, the procedures and principles for the transfer of personal data abroad are regulated in Article 9 of the Personal Data Protection Law ("KVKK") No. 6698. However, the said regulation is not sufficient for multinational group companies and poses some difficulties in implementation. For this reason, on 10.04.2020, the Authority announced that a mechanism parallel to the Binding Corporate Rules (BCR) that European Union countries have long applied will be implemented in Turkey, and published the documents "Binding Corporate Rules Application Form for Data Controllers" and "Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers".

Details regarding the subject can be accessed from our article published in our website.

Binding Corporate Rules

Considerations for the Protection of Children's Personal Data

Turkish Personal Data Protection Authority has made an announcement on 23 April 2020, on “Considerations for the Protection of Children's Personal Data”.

In the announcement, it is stated that, besides the various benefits of the continuous development and widespread use of technology, it also brings some risks; foremost among these are harms that children may encounter, such as harassment, cyberbullying, access to inappropriate material and the possible negative effects of direct marketing.

Issues such as the widespread use of new technologies among children, their inability to predict the consequences of sharing their personal data due to their age and level of perception, their lack of awareness of the risks, their not knowing their legal rights and how to exercise them, and weak parental supervision in digital environments make children vulnerable to such risks online.

In the announcement, it is emphasized that while measures such as social distancing, isolation and remote education are being implemented in the process of fighting the epidemic, there is a significant increase in the time children spend online; therefore, parents have more duties and responsibilities than ever before in protecting their children's personal data.

In addition, in the brochures presented with the announcement, the subject has been classified in three main headings.


NECESSARY POINTS TO BE CONSIDERED BY CHILDREN

• In case their own information is requested by a person or an application, they must first be informed about it,
• Before the personal data are shared, the informative texts should be read and they should have information about the fate of their data,
• If they realize that their personal data is used by others without their knowledge, they must notify an elder,
• Since the shared data may cause harm, things that are desired and undesired to be shared should be selected carefully,
• It should be considered very well before sharing information such as photos, videos, addresses and school names with people met through social media or applications,
• Search engines that would be appropriate for their ages should be used,
• Websites for adults should not be browsed,
• Adjustments should be made in the search settings of the internet browser used, and a trusted elder should be notified when faced with an unforeseen situation on the internet.

NECESSARY POINTS TO BE CONSIDERED BY ADULTS

• Their children should be informed about personal data, online privacy, spam and junk e-mails, and it is to be ensured that this is part of the daily conversation,
• Time should be taken to engage in their online activities while respecting children's privacy, and they should be informed about online safety,
• They should be aware that the dangers in online mediums are not different from the dangers in the real world,
• It should be explained to their children that if they do not wish their personal data to be used by people they do not want, they should not share their data online,
• It should be explained to their children that people in online mediums may be lying about their true identity, and it is to be ensured that their children always know that they have to get permission before deciding to meet someone new,
• Informative texts of products and services that process personal data for their children should be read,
• Internet browser settings should be checked,
• Permissions given to downloaded applications should be considered,
• They should be careful while sharing the personal data of children; especially, photos should not be shared publicly,
• Secure passwords should be used, and children should be given advice in this direction,
• It is to be ensured that their children use appropriate privacy settings if they use social media,
• It should be remembered that personal data of children can be accessed via toys with internet connection, game consoles, smart televisions, watches, etc., and that the danger is also directed towards adults in the use of shared devices,
• It should be noted that internet filtering and monitoring software can be used for computers, mobile phones or game consoles owned or used by their children.

NECESSARY POINTS TO BE CONSIDERED BY PRODUCT AND SERVICE DEVELOPERS

• If the personal data of children are to be processed in products and services, they should show maximum care in compliance with the Law No. 6698,
• Personal data of children should be processed at the minimum level in accordance with the principle of data minimization,
• Informative texts suitable for children's level of perception should be prepared by providing customized disclosure for them,
• Technological systems should be used to verify the age of the child,
• An approach that takes technical and administrative measures at the highest level should be adopted in cases where the data of children are processed,
• They should develop appropriate policies and mechanisms to ensure that children know and exercise their rights, respecting the right to protection of personal data.


Stating that mobile applications can be one of the recommended measures to empower individuals in the fight against the pandemic, and welcoming the initiative to develop them with a coordinated approach, the EDPB Chairwoman has repeatedly stated that the application of data protection principles and respect for fundamental rights and freedoms is not only a legal obligation but also a necessity for strengthening the effectiveness of any data-based initiative to combat the spread of COVID-19.

The EDPB stated that there is no one-size-fits-all solution for the said situation, and that many factors, including the available options and the health of individuals, must be considered, so the proposed technical solutions should be examined on a case-by-case basis.

It is stated in the letter that the applications should be developed in an accountable manner, documenting them with privacy by design and by default mechanisms implemented together with a data protection impact assessment, and that the source code should be made public for the widest possible examination by the scientific community.

The EDPB Chairwoman stated that at this stage, based on the information provided by the Commission, the EDPB can only focus on the overall objective of the envisaged applications to verify their suitability in terms of data protection; she added that, in any case, the EDPB will examine this issue in further detail in its future guidelines.

The EDPB Chairwoman, stating that the enactment of national laws encouraging voluntary use of the application, without any negative consequences for those who do not use it, may constitute a legal basis for the use of such applications, also pointed out that it should be designed as a tool for the compulsory adoption of such legal interventions and that individuals should be able to install and remove the application whenever they want. She also stated that applications for tracking individuals do not require tracking the location of individual users; gathering a person's movements in the context of such applications would violate the principle of data minimization and would create major security and privacy risks.

Finally, EDPB Chairwoman stated in her letter that EDPB strongly recommends that direct identifying data should not be stored on the users' device and such data should be deleted as soon as possible. It is also noted that when this crisis is over, this emergency system should not be used and, as a general rule, the data collected should be deleted or anonymized.

Letter of the EDPB Chairwoman about her views on mobile applications planned to be used as part of the Covid-19 outbreak measures


According to the data breach notification made by Turkon Holding A.Ş. and its group companies (Turkon Konteyner Taşımacılık ve Denizcilik A.Ş., Turkon Demiryolu Taşımacılık A.Ş., Turkon Lojistik A.Ş., Turkon Taşımacılık A.Ş., Anadolu Turizm Yatırımları A.Ş., Kanlıca Denizcilik ve Ticaret A.Ş. and Kaşif Denizcilik A.Ş.), the breach took place on 05.04.2020 and was detected on 06.04.2020. The Authority was notified on 13.04.2020 that the servers and backup systems in Turkon's local network were encrypted as a result of a phishing attack in which a user on the terminal server was compromised; that the estimated number of persons and records affected by the breach has not yet been determined; and that the categories of affected personal data are identity, contact, legal transaction, customer transaction, finance, marketing and audiovisual records. The said data breach was published on the website of the Authority on 16.04.2020 and the investigation on the subject is continuing.

Turkon Holding A.Ş. and Group Companies – Data Breach Notification

Marriott – Data Breach Notification

At one of Marriott's franchise facilities, it was determined at the end of February 2020 that an unexpected volume of guest information had been accessed using the login credentials of two employees, through an application used to serve guests at hotels operated and franchised under the Marriott brand. Marriott, which believes the activity started in mid-January 2020, reported that the login credentials were disabled, an investigation was initiated immediately, heightened monitoring was put in place, and resources were set up to inform and assist guests.

Marriott stated that the matter is still under investigation and that there is no reason to believe the relevant information includes Marriott Bonvoy account passwords or PINs, payment methods (i.e. credit card information), passport information, national IDs or driver's license numbers.

Pointing out that not all of the affected data relate to every guest, Marriott stated that the data obtained included contact details, identity data, loyalty account information, and accommodation, room and language preferences. On March 31, 2020, Marriott sent e-mails to the guests from [email protected] and stated that dedicated call center resources had been set up for guests to obtain further information.


INFORMATION GUIDE

Administrative Measure: Comparison of Binding Corporate Rules and Undertaking Agreements envisaged in the Transfer of Personal Data to Inadequate Countries

As it is known, the principles of transfer of personal data abroad are regulated in Article 9 of the Personal Data Protection Law No. 6698. According to this regulation, in transfers to countries that are not counted among adequate countries, the data controller in the relevant foreign country must undertake adequate protection in writing and permission must be obtained from the Board.

There are two methods, to be preferred under certain conditions, by which the data controller in the foreign country can undertake adequate protection. You can find a comparison of these two methods in the table below:

Binding Corporate Rules: It is a set of rules formed in a way that is binding for the group companies of multinational organizations among which the transfer is performed.
Undertaking Agreement: It is a set of rules that are binding for data controllers or data processors such as suppliers, customers, business partners or third parties.

Binding Corporate Rules: Binding Corporate Rules must be followed by all group companies reported to the Authority.
Undertaking Agreement: It is an agreement in which the parties determine the data protection procedures and principles.

Binding Corporate Rules: It is the method to be applied in case the data transfer country is not counted among the adequate countries.
Undertaking Agreement: It is the method to be applied in case the data transfer country is not counted among the adequate countries.

Binding Corporate Rules: Binding Corporate Rules must be submitted to the Authority and permission of the Authority must be obtained.
Undertaking Agreement: Permission should be obtained from the Authority by submitting the undertaking agreement.

Binding Corporate Rules: In addition to the Binding Corporate Rules, the Binding Corporate Rules Application Form for Data Controllers published by the Authority should be submitted while obtaining permission from the Authority.
Undertaking Agreement: There is no other application form available. The issues that the parties must declare to the Authority are presented to the data subjects with the sample text of the undertaking agreement.

Binding Corporate Rules: Group companies are considered as a whole within the scope of the Binding Corporate Rules. They have responsibilities as a group towards the Authority.
Undertaking Agreement: The authority and responsibilities of the parties are specified in the undertaking agreement according to their title. The parties are jointly responsible towards the Authority.


Technical Measure: Intrusion Detection and Prevention Systems

Organizations need to protect themselves against cyber-attacks, which are becoming increasingly widespread today, in addition to ensuring physical security with measures such as entrance and exit controls, cameras and security personnel. IDS and IPS are systems used to protect organizations against cyber-attacks and malicious activities and to prevent attackers from gaining access to networks. In addition, they can detect reconnaissance (information gathering) activity against the network and stop attackers at this early stage.

Intrusion Detection Systems (IDS)

An IDS is a system whose main purpose is identification and logging; it detects malicious network activity or connections related to an attack. Any activity or breach detected is reported to an administrator or collected centrally using a security information and event management (SIEM) system. The SIEM system combines output from various sources and uses alarm filtering techniques to separate genuine alarms from false alarms. The main task of an IDS is to identify malicious activity and report the type of attack. An IDS monitors traffic and reports its findings to an administrator, but cannot automatically take action to prevent a detected attack from compromising the system.

Intrusion Prevention Systems (IPS)

An IPS is complementary to an IDS, because it monitors both network traffic and system activity for malicious behaviour. While an IDS provides visibility into computer networks, an IPS provides intervention and control. Intrusion prevention systems can take actions such as sending an alarm, dropping detected malicious packets, resetting the connection, or blocking traffic from the offending IP address. In addition, an intrusion prevention system can also correct CRC errors, reassemble packet streams, mitigate TCP sequencing issues, and strip unwanted transport-layer and network-layer options.

The main difference between IDS and IPS is that intrusion detection systems only detect and report attacks, whereas intrusion prevention systems are capable of preventing them.

Comparison with Firewalls

While an IDS evaluates traffic and issues an alarm as soon as a suspected attack occurs, firewalls limit access between networks to prevent attacks and do not signal an attack originating from inside the network. Although firewalls can restrict the passage of packets, they are not capable of reconfiguring themselves automatically in the event of an attack. However, as integrated security technology has developed over time, new-generation firewalls have gained the ability to analyze network traffic with IDS and IPS features.
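As an added illustration of the IDS/IPS distinction drawn in this section (example code written for this newsletter page, not from any product or from the Authority), the following Python engine flags a source that probes many distinct ports within a short window, the early information-gathering stage mentioned above; in IDS mode it only records an alert, in IPS mode it also drops further traffic from that source. The threshold, the window and the sample addresses are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    """One connection attempt (a constructed flow record, not real traffic)."""
    ts: float      # time in seconds
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port


@dataclass
class Engine:
    """Port-probe detector that behaves as an IDS or an IPS depending on mode."""
    mode: str = "ids"          # "ids": detect and report only; "ips": also block
    window: float = 10.0       # look-back window in seconds (assumed value)
    threshold: int = 5         # distinct ports per source that trigger an alert
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)
    _hist: dict = field(default_factory=lambda: defaultdict(list))
    _alerted: set = field(default_factory=set)

    def process(self, ev: Event) -> str:
        """Return the verdict for one event: 'allowed', 'alert' or 'dropped'."""
        if self.mode == "ips" and ev.src in self.blocked:
            return "dropped"                       # IPS: enforce the block list
        # Keep only this source's recent probes, then add the current one
        recent = [(t, p) for t, p in self._hist[ev.src] if ev.ts - t <= self.window]
        recent.append((ev.ts, ev.dport))
        self._hist[ev.src] = recent
        distinct_ports = {p for _, p in recent}
        if len(distinct_ports) < self.threshold:
            return "allowed"
        if ev.src not in self._alerted:            # report each scanning source once
            self._alerted.add(ev.src)
            self.alerts.append({"ts": ev.ts, "src": ev.src, "dst": ev.dst,
                                "type": "port_scan", "ports": sorted(distinct_ports)})
        if self.mode == "ips":
            self.blocked.add(ev.src)               # IPS: block source, drop this packet too
            return "dropped"
        return "alert"                             # IDS: report only, traffic continues


# Constructed sample: one host probing six ports, one normal client; RFC 5737 test addresses.
SAMPLE = [
    Event(1.0, "203.0.113.7", "192.0.2.10", 21),
    Event(1.5, "198.51.100.5", "192.0.2.10", 443),
    Event(2.0, "203.0.113.7", "192.0.2.10", 22),
    Event(3.0, "203.0.113.7", "192.0.2.10", 23),
    Event(3.5, "198.51.100.5", "192.0.2.10", 443),
    Event(4.0, "203.0.113.7", "192.0.2.10", 25),
    Event(5.0, "203.0.113.7", "192.0.2.10", 80),     # fifth distinct port: threshold reached
    Event(6.0, "203.0.113.7", "192.0.2.10", 443),
    Event(30.0, "203.0.113.7", "192.0.2.10", 8080),  # outside the window, but still blocked in IPS mode
]


def run(mode: str) -> dict:
    """Feed the sample through an engine in the given mode and return its results."""
    eng = Engine(mode=mode)
    verdicts = [eng.process(ev) for ev in SAMPLE]
    return {"verdicts": verdicts, "alerts": eng.alerts, "blocked": eng.blocked}


if __name__ == "__main__":
    for m in ("ids", "ips"):
        r = run(m)
        print(m.upper(), r["verdicts"], "blocked:", sorted(r["blocked"]))
```

Running it shows the same alert raised in both modes, but only the IPS run ends with the scanning source blocked and its later packets dropped.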


Notification! The contents of this article serve an informative purpose only. The article is confidential and the property of CottGroup® and all of its affiliated legal entities. Quoting any of the contents of this notification without credit being given to the source is strictly prohibited. Regardless of all the precautions taken and the care put into the preparation of this article, CottGroup® and its member companies cannot be held liable for the application or interpretation of the information provided. It is strictly advised to consult a professional regarding the application of the above-mentioned subject. Prior to taking any action in regard to the above, please consult your client representative if you are a customer of CottGroup®, or consult a relevant party.