On 30 October 2018, the Turkish Data Protection Board (“Board”) designated a breach of the Law on the Protection of Personal Data (“LPPD”), constituting the first such case announced by the Board after the enactment of the LPPD earlier this year.

Legal background:

According to Article 12 of the LPPD, data controllers must notify the relevant data subjects and the Board immediately upon becoming aware that any processed personal data has been acquired by third parties through unlawful means. Furthermore, the Board, if it deems necessary, may announce the situation on its website or through other means at its discretion.

Details of the breach:

At the first stage, the Board has received a notification from the Hong Kong-based Cathay Pacific Airways Limited Company (the “Company”) and following issues have been discovered:

  1. On 13 March 2018, unauthorized access to the information systems (which contain passenger information) took place through the computer networks.
  2. The issue was discovered by the Company on 7 May 2018 following an internal investigation.
  3. The personal data not only of the Company’s own customers, but also those of its subsidiaries Hong Kong Dragon Airlines Limited and the Marco Polo Club, are affected by the data breach.
  4. The investigation revealed that 1,286 data subjects have been affected by the data breach, including 155 data subjects in Turkey.
  5. The accessed data includes the name, nationality, date of birth, phone number, e-mail address, passport number, ID number, “frequent flyer” membership details as well as the customer services notes and previous travel information of each passenger.

After reviewing this notification, the Board has decided to announce the abovementioned particulars of the breach on its website. At the second stage, the Board will decide whether the Company is liable for this breach and whether the sanctions dictated under the LPPD apply. These include:

  1. The administrative fines set out under Article 18 of the LPPD may be imposed in case of a breach. For more information, please see our Law-Now dated 06.11.2018.
  2. The chief public prosecutor’s office may be notified of the non-compliance. Potential sanctions include, without limitation, imprisonment for data controllers obtaining or sharing personal information in breach of the LPPD.

Conclusion:

This decision of the Board is not only important in respect to the sanctions of the breach, but also in respect to the cyber-security measures of the data controllers. Data controllers may face sanctions, not only if they don’t comply with the provisions under LPPD, but also if they don’t take the required measures to prevent cyber-attacks. In upcoming days this decision will have an importance to enlighten the obligations of the data controllers with regards to cyber security measures.