The Personal Data Protection Board ("Board") published a principle decision (No. 2018/63) on the prevention of processing of personal data beyond its purpose ("Decision") in the Official Gazette of July 4, 2018.

The Decision states that the Board received complaints regarding the processing of personal data by individuals who had access to the complainants' personal data, exceeded the scope of their authorization, and processed the data outside of its intended purpose. The Decision further states that such data processing, in which individuals who have access to personal data exceed the limits of their authorization or share personal data with third parties, violates Article 12 of the Law on the Protection of Personal Data ("DP Law"), and that data controllers should be informed of the need to employ all necessary technical and administrative measures to ensure that appropriate security standards are implemented to prohibit and prevent such actions.

In other words, under Article 12/1 of the DP Law, data controllers are required to take all necessary technical and organizational measures to provide an appropriate level of security in order to (a) prevent the unlawful processing of personal data, (b) block unlawful access to personal data, and (c) properly safeguard and protect personal data. The Board has also published a separate Personal Data Security Guidance ("Guidance")[1] explaining the specifics of these measures.

In the Guidance, the proposed organizational measures include the following: (i) determining current risks and threats, (ii) training employees, (iii) carrying out awareness/alertness drills, (iv) establishing personal data security policies and procedures, (v) minimizing the usage of personal data, and (vi) managing the organization's relationships with data processors. With regard to the suggested technical measures, the Guidance recommends the following: (i) cyber security measures that employ one or more cyber security programs, (ii) strong firewalls, (iii) continual updating of security tools, (iv) limiting access to systems that contain personal data, (v) regular security tests of the relevant systems, (vi) maintaining log records of all users, and (vii) taking physical security measures in order to protect data centers containing personal data and backups of personal data. The Guidance also underlines that storing personal data on cloud facilities (i.e., on the servers of other companies) might also create security vulnerabilities and weaknesses.

Article 32 of the General Data Protection Regulation ("GDPR") states that appropriate technical and organizational measures must be taken in order to ensure that the requirements of the GDPR are fulfilled. Furthermore, unlike the DP Law, the GDPR provides concrete examples of such appropriate security measures and procedures, such as "the pseudonymisation and encryption of personal data," "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services," "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident," and "a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."

Additionally, regarding a recent data breach incident, the UK Information Commissioner's Office ("ICO") has also made an important declaration, which is in line with the Decision of the Board. In its declaration, the ICO declared that "organizations have a legal duty to ensure that people's personal information is held securely. We have been made aware of an issue concerning (the platform) and will be making enquiries."[2] The ruling of the ICO is related to a very recent case, which occurred after the GDPR had come into force, and the ICO's ruling might play an important role in shaping the future of this field. Although the DP Law is not based directly on the GDPR, the ICO's ruling in this case might serve as a valuable example and provide beneficial guidance for regulators and judges in future incidents that occur in the Turkish jurisdiction.


[1] See Personal Data Security Guidance, Personal Data Protection Board, available at https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/7512d0d4-f345-41cb-bc5b-8d5cf125e3a1.pdf

[2] See https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/06/ico-response-to-ticketmaster-cyber-incident/


This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in September 2018.
