Pursuant to Law No. 6698 on the Personal Data Protection Law (“Law”), the data controller, which means the person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system, has certain obligations such as to inform, regarding data security, to respond to applications made by data subjects, to fulfill the decisions of the Personal Data Protection Board (“Board”), to register with the Data Controllers Registry and to notify the Board in case of a data breach.
The obligation regarding data security, one of the obligations of the data controller, is regulated in Article 12 of the Law. According to the relevant article, the data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the protection of personal data. In addition, the data controller is obliged to carry out or have the necessary audits carried out in its own institution or organization to ensure the implementation of the provisions of the Law.
Nowadays, many data controllers receive services to meet their information technology needs from data processors, defined as natural or legal persons who process personal data on behalf of the data controller based on the authorization granted by the data controller under the Law. Data controllers are required to ensure that the data processors in charge provide at least the same level of security for personal data as they provide when receiving services. Although only the data controller comes to mind when it is mentioned as an obligation, it is undisputed that the data processor also has obligations under the Law. According to paragraph 2 of Article 12 of the Law regulating the obligations regarding data security, data processors are also held jointly responsible with the data controller for ensuring the security of personal data. In other words, data processors are also legally obliged to take all necessary technical and organizational measures to provide an appropriate level of security to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the protection of personal data.
The General Data Protection Regulation (“GDPR”) regulates explicitly the data processor’s responsibility for data security. According to Article 28 of the GDPR, if any data processing activities are carried out upon a controller’s instruction, the data processor must implement appropriate organizational and technical measures to meet the guidelines under the GDPR. Furthermore, processors must have their own security masures in place as they are obliged to ensure that the data subject’s rights are protected. If any data breaches are detected, as per Article 83 of the GDPR, a fine is imposed according to the degree of responsibility of the processor and the controller, taking into account all of the technical and organizational measures implemented by the controllers and processors.
Under the national legislation, paragraph 2 of Article 18 of the Law regulates that the administrative fines stipulated in the relevant article shall be imposed on natural and private legal entities that are data controllers. Therefore, in the violation decisions of the Board regarding the joint responsibility of data processors and data controllers for ensuring the security of personal data, administrative fines are imposed on the data controller. However, the data processor’s responsibility is considered a matter affecting the degree of fault of the data controller.
Regarding this issue, in the complaint subject Board’s decision dated 07.1.2021 and numbered 2021/1021, the personal data of the data controller’s customer was attempted to be sold by third parties on a forum site. In the relevant decision, it was stated that according to the screenshots submitted to the Personal Data Protection Authority (“Authority”) it was seen that the user who put the personal data belonging to the customers of the data controller on sale also put the data belonging to the customers of other data controllers on sale on the same forum site and the same date; that the aforementioned data controllers also received/are receiving services from the same data processor. In this sense, it cannot be considered a coincidence that the personal data belonging to the customers of different data controllers receiving services from the same data processor are put on sale by the same user on the same website and on the same date and that the data constitute the basis for the claim that the data were obtained from the data processing systems. In the aforementioned decision, the Board stated that the provision of the Law stating that the data processor and the data controller are jointly responsible for taking all necessary technical and administrative measures to ensure the appropriate level of security does not eliminate the data controller’s provisions regarding data security. In addition, it is stated that the data processor is also obliged to take all necessary technical and administrative measures to ensure the appropriate level of security and that the data processor did not take the supervision measure to ensure that the data processor ensures the appropriate level of security for the protection of personal data. In the meantime, the data controller should have taken the necessary initiatives to destroy of the personal data stored by the data processor following the termination of the commercial relationship between them, but did it so after the breach. In the decision, noting that the violations of the data processor also have consequences, an administrative fine of 450,000 TL was imposed on the data controller in proportion to its fault. In another decision of the Board dated 12.08.2021 and numbered 2021/799 a person who took the exam organized by the relevant accredited institution on an internationally recognized language exam stated that their visual record (biometric photograph) and fingerprint, which are their sensitive personal data, were taken before this exam without any data processing conditions and in this context, he/she applied to the institution mentioned above, and requested information about his rights under Article 11 of the Law and how their personal data was destroyed when the retention period expired, but that this application was rejected on unfair and groundless grounds filed a complaint to the Authority. In the relevant decision, the Board stated that the accredited institution organizing the exam is the data processor. In the decision, it was stated that the requests of the data subject to obtain information within the scope of the Law were responded to in a manner that is not in accordance with Communiqué On The Principles And Procedures For The Request To Data Controller (“Communiqué”) with content that is not requested, in this sense, the requests of the data subject were left unanswered, however, considering that the data processor can answer the requests of the data subject in the application on behalf of the data controller, the data processor did not show the necessary attention and care to comply with the relevant provisions of Law and the Communiqué while responding to the applications made to it within the scope of the Law. With this, it is stated that the data processor does not show the necessary care to comply with its legal obligations. As a result of the decision, while an administrative fine was imposed on the data controller, the data processor was only ordered to instruct the data controller to use an alternative identity verification system to the practice of taking finger scan records from candidates for identity verification in order to enter the exam in Turkey, to ensure that the authorized test centers in Turkey, especially the data processor, comply with this system and to inform the Board about the result.In light of all this information, in cases where data controllers receive services from data processors, it should be ensured that the contracts to be signed with the data processor are in writing and contain a provision that the data processor will act only in line with the instructions of the data controller, in accordance with the purpose and scope of data processing specified in the contract and compliance with the personal data protection legislation, and by the personal data storage and destruction policy. In addition, it is essential to include in the relevant contract that the data processor will be subject to an indefinite confidentiality obligation regarding the personal data it processes. In the Personal Data Security Guide published by the Authority, it is also stated that it would be beneficial for the data controller to fulfill its obligation to immediately notify the Board and the data subject in case of any data breach in the contract in question.
To see our other articles, you may follow the NSN Bulletin via the link.
Authors: Bilge Derinbay, Hande Ülker Pehlivan, Bengisu Çakırca
Contact: bilge.derinbay@nsn-law.com