- June 1, 2025
PDPL BULLETIN – MAY 2025
The Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and its secondary regulations constitute a constantly evolving field of law. Practice in this field is not limited to the Law and the relevant regulations; it is shaped and given concrete form by the decisions, principles, and decision summaries of the Personal Data Protection Board (“Board”). In this context, the monthly KVKK Bulletins serve as a resource for those who wish to follow current developments in data protection, with the aim of providing up-to-date information and keeping interested parties informed.
In May 2025, the Personal Data Protection Authority (“Authority”) published four data breach notifications on its website at www.kvkk.gov.tr.
DATA BREACH NOTIFICATIONS
In accordance with Article 12/5 of the KVKK, if the personal data processed is obtained by third parties through unlawful means, the data controller is obliged to notify the relevant person and the Board as soon as possible.
Within the framework of this provision, the Board may, if it deems necessary, announce the data breach to the public through its website or by other means it considers appropriate. This provision was introduced to ensure that data breaches are managed effectively and that the relevant persons are notified in a timely manner.
Tourama Tourism Travel and Trade Joint Stock Company
According to the data breach notification submitted to the Board by Tourama Tourism Travel and Trade Joint Stock Company, which acts as the data controller, the breach occurred on 29 April 2025 and was detected on the same day. The breach resulted from unauthorised access to emails sent to hotels for informational purposes, achieved by exploiting a security vulnerability in a web application belonging to the data controller, and was detected when an unauthorised person sent an email to the data controller stating that they had gained access to the system. The investigation determined that the personal data affected by the breach consisted of names and surnames. It was reported that the exact number of individuals and records affected could not be determined, but that some files on the email server had been leaked without authorisation and were estimated to contain the names and surnames of approximately 8,200 individuals.
Atakaş Steel Industry and Trade Inc. and Atakaş Port Operations and Trade Inc.
In the data breach notifications submitted to the Board by Atakaş Çelik Sanayi ve Ticaret A.Ş. and Atakaş Liman İşletmeciliği ve Ticaret A.Ş., which act as data controllers, it was stated that threatening and blackmailing emails containing the identity and contact information of some current and former employees had been received. It was noted that these emails were initially blocked by the firewall and were therefore detected late; upon clicking a link in an email sent on 08.05.2025, it was determined that the linked content contained employee information such as photographs, ID numbers, addresses, mother’s names, and father’s names. During the investigation, log records showed that unauthorised access to the system had been occurring since 03.05.2025. The group of individuals affected by the breach consists of current and former employees, with approximately 1,080 individuals affected at Atakaş Çelik Sanayi ve Ticaret A.Ş. and approximately 135 individuals affected at Atakaş Liman İşletmeciliği ve Ticaret A.Ş. The personal data leaked in the breach includes: name, surname, passport photograph, telephone number, date of birth, email address, mother’s name, father’s name, address information, marital status, gender, date of employment, job title, and company information.
Christian Dior Couture SA
In the data breach notification submitted to the Board by Christian Dior Couture SA, acting as the data controller, it was stated that on 26 January 2025 unauthorised access was gained to personal data belonging to active, inactive, and potential customers stored in the data controller’s global CRM database, and that the unauthorised individual demanded a ransom by threatening to disclose the data they had extracted. The group of individuals affected by the breach includes customers, potential customers, sales consultants, and customer assistants; however, the number of affected individuals has not yet been determined. The breach covers the following data: name, gender, date of birth, age, postal or email address, landline or mobile phone number, password, customer number, passport information, identity documents, general preference data (food, activities, hobbies, etc.), purchase history data (segments, final monetary amount, etc.), purchase preference and measurement data (colour, size, measurements, etc.), professional information, fraud suspicion flags and numbers subject to international sanctions, tax numbers required by law in some countries, and signatures and identity verification data belonging to customer service personnel. It was stated that the unauthorised access has been blocked, but that the risk of improper use or disclosure of the data still exists and that the data controller’s investigation is ongoing.
Adidas Sports Equipment Sales and Marketing Inc.
In the data breach notification submitted to the Board by Adidas Sports Equipment Sales and Marketing Inc., which acts as the data controller, it was stated that the breach was detected on 17 May 2025, when the data controller was informed of a cyber security incident concerning the infrastructure of the Adidas AG (Adidas) group. The breach was discovered when an Adidas employee forwarded an email from a third party to the Adidas Cyber Security Incident Response Team; the email claimed that the third party had access to Adidas customer data, and Adidas’s investigation concluded that the shared file most likely contained Adidas customer data and that Turkish customers were also affected. It was stated that the investigation into the source and cause of the breach is ongoing and that the number of people affected is 544,395. The personal data affected includes names, email addresses, gender, dates of birth, and telephone numbers; however, it was noted that not all of these data categories were affected for every customer.
GRC LEGAL Comment
A review of the data breach notifications submitted to the Board in May shows that companies of various sectors and sizes, including tourism, industry, retail, and luxury goods, are facing serious data security threats. This once again highlights the critical importance of timely and effective administrative and technical measures for the protection of personal data.
The notifications indicate that unauthorised access to systems was achieved through a variety of methods, and that the personal data of thousands of individuals, including identity, contact, location, preference, and customer information, fell into the hands of unauthorised persons. Such breaches clearly demonstrate that the risk lies not only in the number of individuals affected but also in the nature of the data involved, and that the consequences can be serious.
In this context, it is of great importance that data controllers fulfil their obligations under the KVKK not merely to comply with the legislation but out of a sense of corporate responsibility. Potential security vulnerabilities should be assessed from multiple perspectives: not only in terms of legal sanctions, but also in terms of protecting corporate reputation and maintaining the trust of customers and stakeholders.
Recent breaches have shown that, for organisations of all sizes, the protection of personal data is not a one-off compliance exercise but a critical area requiring a continuous, dynamic, and strategic management approach.