Data Breach Notification Process: A Short Comparison Between EU and Turkish Law

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and Law No. 6698 on Protection of Personal Data (“DPL”) of Turkey are the key pieces of legislation applied in the relevant jurisdictions.

DPL is similar to the EU Data Protection Directive (Directive 95/46/EC), which the GDPR replaced, and is based on the same general data protection principles. Still, certain differences between the two regimes arise, and one of the most prominent is the process for notifying data breaches.

Data Breach Definition.

GDPR (Article 4(12)) defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In contrast, DPL has no specific definition of a data breach; instead, “the acquisition of personal data illegally by unauthorized parties” (Article 12(5)) triggers the notification obligations of the data controller. A breach under DPL therefore has three specific elements:

  • illegality,
  • the acquisition of personal data, and
  • involvement of unauthorized individuals.

Notification to the Authority.

GDPR (Article 33) requires data controllers to notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

DPL (Article 12(5)) requires data controllers to inform the Personal Data Protection Authority (“DPA”) of any personal data breach “within the shortest time”, which the DPA’s Board has fixed at 72 hours from becoming aware of the breach (Board decision no. 2019/10), regardless of whether the breach is likely to cause harm to the individuals concerned, using the official notification form published by the DPA.

This means that, in the event of a data breach, data controllers subject to GDPR must first assess the risk to the rights and freedoms of natural persons resulting from the breach, whereas data controllers subject to DPL face no threshold or risk assessment: notification to the DPA is the natural consequence of any breach.

As for the content of the notification, GDPR allows data controllers to provide the required information in phases where it cannot all be provided at once. Similarly, DPL allows data controllers to make an initial notification with the information available in order to meet the 72-hour deadline and to supply the remaining information in a follow-up notification.

Notification to Data Subjects.

GDPR (Article 34) requires data controllers to notify data subjects if the breach is likely to result in a high risk to the individuals affected, unless appropriate technical and organisational protection measures were applied to the affected data (for example, encryption that renders the data unintelligible to unauthorised persons), or the controller has since taken measures that ensure the high risk is no longer likely to materialise. The supervisory authority may also order the data controller to inform the individuals concerned.

DPL, on the other hand, requires data controllers to notify every data subject affected by the breach, regardless of the level of risk or the measures taken. If the data controller has the affected data subjects’ contact details, the notification must be sent to their electronic or physical address; if not, the data controller may announce the breach on its own website. In addition, the DPA may itself inform the public about the breach, and in practice it publishes the data breach notification on its website (www.kvkk.gov.tr) when the number of affected data subjects exceeds a certain threshold.

Extra-Territorial Effect.

Data controllers that are not established in the EU but offer goods or services to, or monitor the behaviour of, data subjects in the EU (Article 3(2) GDPR) are still bound by the breach notification obligations under GDPR. Because the one-stop-shop mechanism does not apply to them, the breach must be notified to every supervisory authority of a Member State in which affected data subjects reside[1].

Similarly, data controllers that are not resident in Turkey but whose processing affects data subjects residing in Turkey are bound by the breach notification obligations under DPL: the breach must be notified to the DPA and to the affected data subjects.

Examination by the Authority.

When determining whether to impose a fine and its amount, supervisory authorities in the EU must take a series of factors into account (Article 83(2) GDPR), such as the nature, gravity and duration of the infringement, the categories of personal data affected, whether the infringement was intentional or negligent, the action taken by the controller to mitigate the damage, and the manner in which the infringement became known to the supervisory authority.

Further, under GDPR all supervisory authorities are competent to initiate ex officio investigations[2]. However, what constitutes an ex officio investigation may vary between Member States, for instance depending on national law.

In Turkey, the DPA’s decisions show that an administrative fine may be imposed for a data breach incident even if it does not create a high risk for individuals. Although the DPA accepts that one hundred percent protection is not possible given ever-developing technology, its approach consists of evaluating whether the data controller could have taken additional technical and organisational measures, or any other action, to prevent the breach.

Further, if the DPA becomes aware of an unnotified data breach through a complaint or other means, it may initiate an ex officio investigation. In that scenario, the data controller can be held liable for failing to notify the DPA, in addition to any failure to provide an appropriate level of security.

Conclusion.

Given the sensitivity of the process, the evaluation of data breaches is very important for data controllers, and it must be carried out on a country-by-country basis. Considering the differences between GDPR and DPL described above, especially in the breach notification process, the required actions should be taken immediately in data breach incidents affecting Turkish residents.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Bensu Özdemir, Göksu Tuğrul

[1] EDPB, Guidelines 9/2022 on personal data breach notification under GDPR, version 2.0, https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf

[2] EDPB, Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities, 2021, https://edpb.europa.eu/system/files/2021-08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf

Turkish Data Protection Authority’s Recommendations on Sending Verification Codes in Stores

The Turkish Personal Data Protection Authority (“Authority”) published an announcement on November 13, 2023, regarding personal data processing activities in which a verification code is sent to data subjects via SMS while they shop in stores (“Announcement”). The Announcement focuses on data controllers’ non-compliant data processing practices during face-to-face shopping and provides several recommendations.

In this regard, the Authority highlights numerous complaints about data controllers that obtain customers’ phone numbers by sending a verification code via SMS at the register, on the grounds that this is necessary for completing the payment, creating invoices, transmitting invoices to the buyer’s contact address or updating information, and then send commercial electronic messages to those data subjects without their prior consent.

As the main problem in the complaints is the absence of explicit consent for sending commercial messages, the Authority evaluates data controllers’ practices under the provisions of the Personal Data Protection Law No. 6698 (“DPL”) and reminds data controllers of the elements of explicit consent:

  1. Explicit consent must relate to a specific subject. Data controllers must clearly identify the subject for which explicit consent is obtained. Where explicit consent is obtained for the processing of multiple categories of data, it must cover the different aspects of the processing, such as which data will be processed, for what purposes and with what potential consequences.
  2. Explicit consent must be freely given. Data subjects must be aware of their decision and must not be under the influence of force, threat, mistake or deception that could impair their will. In this context, explicit consent is not valid if it is made a prerequisite for the provision of a product or service, since the element of free will would be compromised.
  3. Explicit consent must be based on an informed decision, in line with the data controller’s obligation to inform. Before obtaining explicit consent, data controllers must inform data subjects of (i) their identity and, if any, that of their representative, (ii) the purpose for which personal data will be processed, (iii) to whom and for what purpose the processed personal data may be transferred, (iv) the method and legal ground for collecting personal data, and (v) the rights of data subjects. Moreover, data controllers must fulfil the obligation to inform and obtain explicit consent as separate steps.

Accordingly, the Authority provides the following recommendations for lawful processing of personal data by sending a verification code via SMS to data subjects during store transactions:

  • Authorised store personnel must inform data subjects in a clear and understandable manner of (i) the purpose of the SMS and (ii) the potential consequences of sharing the verification code. The necessary information channels must also be provided in the content of the SMS, in line with the obligation to inform.
  • Data controllers must stop obtaining explicit consent for different processing activities with a single action. Explicit consent must be obtained separately for each distinct data processing activity.
  • Data controllers must carry out the procedure for obtaining explicit consent and the procedure for fulfilling the obligation to inform separately.
  • A request for explicit consent to process personal data for the purpose of sending commercial messages must not be presented to customers as a mandatory step in completing a purchase. Otherwise, such practices may undermine the elements of “informed decision” and “free will”, which are essential components of explicit consent.
  • Data controllers must request explicit consent to process personal data for the purpose of sending commercial messages only after the purchase is completed, so that consent to commercial messages is not perceived as a necessary element of shopping.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Turkish Advertisement Board Examines Ads Created with AI

As technological advances affect everyday life, the ways in which commercial advertising is created and presented to consumers have begun to change as well. One result of this change is commercial advertising created with artificial intelligence. On September 13, 2023, the Ministry of Commerce announced that advertisements created using artificial intelligence had been placed on the Advertisement Board’s (“Board”) agenda for the first time. The statement reported that the Board had taken up for review AI-generated content that directly or indirectly influences consumers’ purchasing decisions, regardless of how it was created or the medium in which it was published.

In this context, at its meeting numbered 337, the Board imposed administrative sanctions after examining promotions that relied on content produced by the artificial intelligence application “ChatGPT”. The Board examined whether objective research supported advertisements containing statements that create a perception of superiority over competing products or companies, and it also used the same artificial intelligence application to check the statements made in the advertisements.

As set out in the decision taken at the Board’s meeting no. 337, the Board found that advertisements and promotions using expressions such as the following:

  • “… is Turkey’s largest fashion retail brand, according to ChatGPT as well” did not include research results confirming the statement. In addition, when the Board asked ChatGPT, the answer was: “I’m sorry, I don’t know the exact current situation because my data only goes up to 2021. In 2021, … was one of the largest fashion retailers in Turkey. However, it is important to remember that the fashion industry is an area where competition changes rapidly. Therefore, I recommend that you check current sources to obtain the most up-to-date information.” As a result, the Board considered that the application’s answers were neither current nor definitive and that the promotions in question, which contained expressions suggesting superiority over competing products or companies, were misleading to consumers.
  • “We asked ChatGPT and got the only right answer! For all your fast, secure and cost-effective logistics operations to any point in the world, meet … right now” did not include research results confirming the statement. In addition, when the Board asked ChatGPT, the answer was: “There are many companies that provide fast, reliable and cost-effective logistics services to any point in the world. It is therefore difficult to single out any one company. Large logistics companies such as DHL, UPS, FedEx, TNT, Maersk and DB Schenker are well known worldwide and have extensive service networks. However, the number of companies offering fast, secure and cost-effective logistics services is quite large and the market may change constantly. Therefore, I recommend that you research the websites or resources of local and international logistics service providers to find the most up-to-date and suitable company.” The Board therefore considered that the application’s answers were neither current nor definitive and that the promotions in question, which contained expressions suggesting superiority over competing products or companies, were misleading to consumers.
  • “Turkey’s most iconic private television channel …, according to ChatGPT, the most popular artificial intelligence based chatbot!” did not include research results confirming the statement. When the Board asked, ChatGPT gave non-committal answers such as: “There can be many different opinions as to the most iconic private television channel among Turkey’s television channels.” The Board therefore considered the promotions in question to be misleading to consumers.

The decisions above show that the Board takes the answers given by artificial intelligence into account when verifying the accuracy and reliability of commercial advertisements created with artificial intelligence. Since these AI-generated advertisements could not be verified even by the same AI program, the Board found them in breach of Article 7 of the Regulation on Commercial Advertising and Unfair Commercial Practices (“Regulation”), which sets out the principles of accuracy and honesty, and of Article 8, which sets out the principles for comparative advertising. The Board also found the advertisements in breach of Article 9 of the Regulation, because the advertisers could not discharge their burden of proof, having provided no research results obtained from relevant university departments or from accredited or independent research, testing and evaluation organisations.

New types of advertising have thus entered the Board’s agenda as commercial advertising changes with consumer habits. This shows that the Board follows recent developments and that its investigations adapt to changing conditions.

Authors: Hatice Ekici Tağa, Sümeyye Uçar, Bensu Özdemir