Recent Development

The Turkish Data Protection Board ("Board") published three decisions regarding its approach to personal data breaches on its website on July 3, 2019.

What Are the Decisions?

The Board's first decision concerns a data breach in a transportation company's systems. The data controller did not take the necessary measures to prevent the breach and did not conduct the required system checks and controls, resulting in unauthorized access to the personal data of 67,519 individuals residing in Turkey. The personal data includes genders, names, surnames, ID numbers, dates of birth, phone numbers, e-mail addresses, payment keys and information on the earlier travels of the customers. The company took two months to identify the breach. In addition, the breach occurred on November 21, 2018 but the company notified the Board about the breach on February 25, 2019. The decision further states that the breach resulted in malicious access to the data controller's source code, enabling the data to be altered. The Board fined the company TRY 450,000 for failing to take the necessary technical and administrative measures and TRY 100,000 for failing to notify the Board about the breach in the shortest time possible.

The Board's second decision concerns a breach in the systems of a hotel chain. As a result of the breach, information such as names, surnames, e-mail addresses, phone numbers, dates of birth, credit card numbers and security numbers was leaked for approximately four years. The company discovered the breach on August 8, 2018 and notified the Board on December 3, 2018. The Board considered this a serious breach and decided to impose a fine of TRY 1,100,000 for failing to take the necessary technical and administrative measures and TRY 350,000 for failing to notify the Board about the breach in the shortest time possible.

The Board's third decision concerns the breach of an airway company's customer loyalty systems. The breach resulted in the disclosure of its customers' names, nationalities, dates of birth, passport numbers, ID numbers and travel information. The Board held that the necessary technical and administrative measures were not taken, considering that the airway company was informed about the suspicious activity on its servers in March 2018 but took almost two months to identify the breach. In addition, the company notified the Board about the breach seven months after identifying it. The Board decided to fine the company TRY 450,000 for failing to take the necessary technical and administrative measures based on its delay in identifying the breach. Further, the Board held that the airway company did not inform the Board within the shortest time, since the notification took the company approximately seven months, and decided on a fine in the amount of TRY 100,000.

Conclusion

The Board's recent decisions shed light on its practice and set forth its ground rules for evaluating cases concerning personal data breaches. When determining whether the necessary administrative and technical measures were taken, the Board gives importance to the time period between the actual time of the breach and the time it is detected, and imposes a fine if the breach identification took longer than the time period the Board prescribes. As per the foregoing decisions, if a company takes two months to identify a breach, the Board does not consider the company to have taken the necessary administrative and technical measures and can impose fines ranging from TRY 450,000 to TRY 1,100,000. In addition, all three decisions show that the Board interprets the "shortest time" to be 72 hours; notifications submitted after 72 hours will result in a fine. The Board can penalize companies with different fine amounts for the same violations, indicating that the Board considers multiple factors when deciding the fine amounts.