April 28th, 2022
 

     Subject: About the Importance of Training of Employees and Conducting Awareness Studies at Regular Periods in Terms of Data Processing and Storage Processes within the Scope of the "The Law on the Protection of Personal Data" numbered 6698.

     Introduction

     In accordance with the Law on the Protection of Personal Data numbered 6698 (“Law”), which came into force after being published in the Official Gazette on April 7th, 2016, personal data is defined as all sorts of data belonging to an identified and identifiable natural person. In addition to attacks aimed at violating personal data security, circumstances such as unlawful disclosure or sharing of personal data are among the main personal data security violations. For all sorts of data that can be considered to fall into this context, the Law has imposed certain obligations with respect to the data processing and storage processes on legal entities. The Law also regulates the sanctions to be applied in case of failure to fulfill these obligations.

     1. Obligations and Penalties Introduced by the Law

     Accordingly, for real and private law legal entities, administrative fines and with respect to public institutions and organizations as well as public professional organisations, for civil servants working for relevant public institutions and organizations and other public officials as well as those working for professional organizations with public institution status, a disciplinary proceeding have been envisaged. According to Article 12 of the Law, “in order to ensure the protection of personal data, to prevent the unlawful processing of personal data, to prevent unlawful access to personal data,” the Data Controller “is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security.” An administrative fine between TRY 40.179.- and TRY 2,678,863.- (for 2022) is envisaged for data controllers who do not fulfill this obligation specified in Article 18 of the Law. In the decisions it made upon complaint applications, the Commission ruled on Administrative Fines for data violations caused by new employees who did not receive training and for data violations caused by employees who do not have up-to-date and sufficient knowledge on the Protection of Personal Data Security.

     2. Training to be Provided on the "Protection of Personal Data Security" and the Issue That the Trainings Should Be Continued at Regular Intervals

     In the guides published by the Personal Data Protection Authority (“Authority”) and in the decisions made by the Personal Data Protection Board (“Board”), the limits of the liability stipulated in the Law are drawn, and data controllers are informed about the scope of the measures they should take. However, employees are not notified or adequate training is not provided with respect to the "Protection of Personal Data Security." As can be frequently seen in the Board Decisions, data violations are usually caused by employees' lack of adequate training and awareness in this regard. The Board stated in its Resolution dated 31.01.2018 and numbered 2018/10 related to the “Adequate Precautions That Must Be Taken by Data Controllers in the Processing of Sensitive Personal Data,” that with the Law and related regulations, employees must be provided with regular trainings on sensitive data security issues. Accordingly, among the "Administrative Measures" that must be taken by the Data Controller, ensuring that employees receive regular training on the Protection of Personal Data Security and keeping the level of awareness at a high level through awareness activities occupy an important place. The Personal Data Protection Agency has included a separate section under the title of "Training of Employees and Awareness Works" in the Personal Data Security Guide regarding the technical and administrative Measures to be taken by the data controller, which was published in January 2018. In this section, the Agency explains the importance of regular training of employees as follows: “In order to ensure personal data security, it is of great importance that employees take the first action, even if they have limited information about attacks that will damage personal data security and cyber security.” Therefore, in case of significant changes in the policies and procedures regarding the protection of personal data security, it should be ensured that employees are informed of such changes through new trainings to be provided and that their knowledge on threats to personal data security are kept up-to-date. These statements make it clear that the Agency includes the trainings of employees and the regular repetition of these trainings in the administrative measures to be taken within the scope of Article 12 of the Law and attributes significant importance to it.

     Conclusion

     For the abovementioned reasons, it is very important for employees to receive training on issues such as not disclosing and not sharing personal data unlawfully, awareness works carried out for employees and creating an environment where security risks in terms of ensuring personal data security can be identified. The Data Controller must specify the roles and responsibilities of all employees with respect to personal data security in their job descriptions, regardless of their positions, and employees must be aware of their roles and responsibilities in this regard. In this context, all Data Controllers are required to provide each new employee with the training on the Protection of Personal Data Security. In addition to that, Supplementary Training needs to be provided in order to keep the employees up-to-date about the developments and changing procedures and to raise awareness to the highest level. It is recommended to repeat these trainings twice a year.