The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up-to-date.


Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In March 2022, two data breach notifications were published on the website of the Personal Data Protection Authority,

Yonca Sağlık Hizmetleri Ltd. Şti.

In the data breach notification sent to the Board by Yonca Sağlık Hizmetleri Ltd. Şti. which has the title of data controller, in summary; it was stated that a cyber attack was carried out on the systems of the data controller, the attack was not a typical Ransomware, dDos, etc. attack, investigations are continuing to determine the type of attack, the breach started on 15 March 2022 and was detected on 16 March 2022, the breach was learned by an e-mail sent to the personnel working as the information processing manager within the data controller.

It is documented that the attacker has documented that he has captured the database and many documents by transmitting the list of all folders in a text file to the data controller, that the consultancy company continues to investigate whether the attacker or attackers have access to the contents of the folders, that the relevant groups of people affected by the breach are employees and patients, the estimated number of people is 500. 000 and the estimated number of records is 2.500.000, the personal data affected by the breach are identity, contact, personal, financial, professional experience, marketing information, and the sensitive personal data affected by the breach are health, information on criminal convictions and security measures, and genetic data.

Martı İleri Teknoloji A.Ş.

In the data breach notification submitted to the Authority by the data controller, in summary; it is stated that the data breach occurred by unauthorised person(s) accessing the data controller’s systems, the breach was detected on 27.02.2022 upon the e-mail sent by the unauthorised person(s), the relevant groups of people and the number of people and personal data categories affected by the breach have not yet been determined, and the investigations regarding the source and method of the breach are ongoing.