Two-Minute Recap of Modern Developments in Turkish Private Facts Safety Regulation

September 2021 – In August 2021, the Turkish Particular Info Protection Board (the “Board”) printed a full of 20 choices and announced seven info breach notifications. The Board obviously continued its emphasis on facts breaches, as all but one of its conclusions announced for the duration of August relate to data breaches.

The Board also declared that the Initially Global Particular Info Protection Congress on “Developments in the Environment and Turkey” will be held on 12–14 November 2021. You can obtain detailed info about the congress, which will be held on the internet in Turkish and English, here (in Turkish only).

The Board penalises a recreation firm

In August, the Board revealed a final decision concerning a details breach of a laptop or computer match firm. As a result, the Board imposed a complete high-quality of TRL 130,000 (around EUR 13,237) on the Recreation Company—TRL 100,000 (roughly EUR 10,183) for failure to acquire the essential specialized and organisational steps to be certain facts stability, and TRL 30,000 (somewhere around EUR 3,054) for failure to fulfil the obligation to notify the Board within just 72 hours.

In its defence, the Video game Organization stated that through a schedule security command it uncovered that a folder that contains supply code and data files had been uploaded to a web-site with no authorisation by a previous world-wide-web developer personnel, straight away following the individual’s work relation experienced been terminated by the Game Firm.

In its decision the Board ruled that the former employee’s ability to transfer particular facts to a transportable storage system and add it to a site is an indicator of a “stability vulnerability”. More, as it took the Recreation Firm practically two several years right after the incident to establish the facts breach, the Board concluded that the Game Corporation did not frequently carry out security controls, and consequently the specialized and organisational measures taken by the facts controller have been insufficient. In its choice, the Board also highlighted that facts controllers are obliged to make adopt all workers the basic principle of “everything which is not forbidden is allowed”.

Requests of Turkish citizens to prevent the transfer of their private knowledge overseas are denied

The Board also produced a general public announcement in August about the numerous requests it has obtained from Turkish citizens residing exterior of Turkey to reduce the transfer of their particular data to establishments and organisations in other nations around the world, particularly EU member international locations.

In its announcement, the Board rejects these requests and states that knowledge subjects will have to make an application to information controllers pertaining to their rights as the initially phase.. Right after the 1st procedural need, if a facts topic does not present a response in 30 days or if the response does not satisfy the info subject matter, the information matter has the proper to utilize to the Board.

The Board also said that the competent authority in this place is the Revenue Administration, which is affiliated to the Ministry of Treasury and Finance, in conditions of the implementation of the provisions of the “Multilateral Competent Authority Arrangement on the Automatic Trade of Economic Account Data” in Turkey. In this respect, the application under the previously mentioned-stated Settlement will have to be submitted to the competent authority. From the day of its general public announcement, the Board has not assessed any software or provided any additional reaction in this regard.

The Board announced the following knowledge breach notifications in August

Info Controller

Affected Details Topics

Impacted Private Knowledge

Variety of Info Subjects

MNG Kargo Yurtiçi ve Yurtdışı Taşımacılık AŞ

Cargo Recipients

Identify-surname, tackle, cellular phone selection


Sinoz Kozmetik Sanayi Ticaret AŞ

Buyers/Possible Prospects

Identify, surname, e-mail, and cell telephone info


Pied Piper Fansub (

People and Subscribers/Members

Identity, conversation, site, personnel, transaction stability, qualified expertise, political imagined, philosophical perception, religion, sect and other beliefs, sexual lifestyle, genetic details, and other facts


Subway Intercontinental B.V.


Identify, surname, e-mail handle, password of remote purchase account, phone amount, tackle, and facts about previous orders


Oriflame Kozmetik Ürünleri Ticaret Confined Şirketi

Staff and Clients

Name, surname, e-mail, and cell phone information and facts


Motor Trend Group LLC

Customers and Users/Subscribers

Identity, gender, date of delivery, e-mail address, identification information (e.g., usernames and passwords), basic information about the approximated geographical location, and details on responses to password reset stability queries for close to 5 individuals


Timurlar Sigorta Aracılık Hizmetleri Ltd. Şti.

Clients/Probable Consumers

Name, surname, identity range, telephone number, day of start, handle, and occupation information