Technical data

The Personal Data Protection Board has published a public announcement on the technical and administrative measures recommended by data controllers regarding user security – Data Protection

To print this article, all you need to do is be registered or log in to

After the publication of the guide on technical measures, the Personal Data Protection Commission (“Plank“) also published a public announcement on the technical measures to be taken by data controllers and their reasons.

The most important provisions of the February 15, 2022 announcement are as follows:

  • The data breach notifications recently submitted to the Board have been assessed against the controllers’ obligation to take all necessary technical and administrative measures to ensure the appropriate level of data security in accordance with Article 12 of the personal data protection law number 6698.

  • User account information (username and password) used to log in to the websites of data controllers operating in industries such as finance, e-commerce, social media and gaming is publicly available at some websites.

  • As a result of obtaining user account information from third parties, the following issues have been determined:
  • Active access to the websites of data controllers without the knowledge of users,

  • Access to end users’ computers without their consent using system and security vulnerabilities of data controllers and the personal data obtained is offered for sale for economic value,

  • This data is archived and remarketed as datasets by malicious third parties.
  • The council stated that the risk to data subjects can be minimized by preventing possible data breaches through the technical and administrative measures to be taken by the institution’s controllers and processors within the framework of the responsibility Datas.

  • The committee recommended that data controllers take the necessary technical and administrative measures by conducting risk assessments to prevent common data breaches and reduce the possibility of harm to the data subject in the event of a data breach.

The measures recommended by the Council are listed below:

  • Establish two-factor authentication systems and introduce them to their users as an alternative security measure from the membership application stage.

  • If logging in on different devices other than devices that provide frequent access to user accounts, ensure that login information is transmitted to the contact addresses of the data subjects via email/SMS or other similar methods .

  • Protect applications with HTTPS (Hypertext Transfer Protocol Secure – Hypertext Transfer Secure Protocol) or in a way that provides the same level of security.

  • Using secure and up-to-date hashing (hash) algorithms to protect user passwords from cyberattack methods.

  • Limiting the number of failed login attempts from the Internet Protocol Address (IP).

  • Ensure data subjects can see their information about at least the last five successful and unsuccessful login attempts.

  • Remind those concerned that the same password should not be used on more than one platform.

  • Create a password policy by data controllers and ensure that user passwords are changed periodically or remind relevant people of this issue.

  • Prevent newly created passwords from being identical to old passwords (at least the last three passwords), using technologies such as security codes (such as CAPTCHA, four processes) that distinguish computing behaviors and humans when logging into user accounts, by limiting the IP addresses that are permitted to be accessed.

  • Ensure that the length of passwords entered into data controller systems is at least ten characters, and strong passwords are created for the use of upper and lower case letters, numbers and special characters whole.

  • If third-party software or services are used to access the controllers’ systems, perform regular security updates of such software and services and perform the necessary checks.

The full decision is available at this link. (Only available in Turkish).

Information first published in the MA | Gazette, a bimonthly legal newsletter produced by Moroglu Arseven.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.

POPULAR ARTICLES ON: Privacy from Turkey