The Data Protection Authority (the “Authority”) published the Guidelines on Personal Data Security (the “Guidelines”) on January 19, 2018.
The Guidelines aim to shed light on the technical and administrative security measures data controllers should take in accordance with Article 12 of the Law No. 6698 on the Protection of Personal Data (the “Data Protection Law”), and to set out best practice examples in that regard.
The Guidelines are not legally binding and are supplementary to the Data Protection Law; therefore, the Guidelines do not impose any sanctions. It is, however, important for data controllers to adhere to the Guidelines because the Personal Data Protection Board (the “Board”) and the courts are expected to resort to the Guidelines when enforcing personal data security rules.
What the Guidelines Say
The administrative security measures to ensure personal data security include providing employees with training to raise awareness of personal data protection issues; preparing personal data security policies and running periodic checks; deleting obsolete personal data; and obtaining contractual undertakings from data processors in relation to data security.
To prevent unauthorized access to personal data, the Authority recommends that personal data kept only for archiving purposes and not requiring frequent access be retained in secure environments.
The Guidelines recommend that contracts executed with data processors include, among other things, a confidentiality obligation, an exhaustive list of the categories of personal data transferred, and an audit right granted to the data controller.
Technical security measures include implementing cybersecurity measures such as firewalls and access authorization and control matrices; evaluating the security measures taken by cloud service providers before procuring cloud services; and backing up personal data.
According to the Guidelines, the preparation of a personal data processing inventory and a personal data retention and deletion policy qualify as administrative measures. It is important to note that under the Regulation on the Data Controllers’ Registry, data controllers that must be registered with the data controllers’ registry are obliged to prepare a personal data processing inventory and a personal data retention and deletion policy.
Actions to Consider
The Guidelines are not legally binding. However, administrative fines ranging from TRY 15,000 to TRY 1,000,000 can be imposed in case of non-compliance with the data security obligations provided in Article 12 of the Data Protection Law.
In cases of personal data security breaches heard before the Board or the courts, a data controller’s implementation of the security measures provided in the Guidelines could be crucial in arguing that appropriate security measures were taken.