The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up-to-date.

In October, Data Breach Notifications were published by the Personal Data Protection Board.

The Board announced on 19 October 2022 that the 44th Global Privacy Conference will be hosted by Turkey. The Global Privacy Assembly – Global Privacy Conference, which was first convened in 1979, is a comprehensive conference hosted by a member country every year with the participation of more than 130 data protection authorities, and its main purpose is to provide a forum between data protection authorities around the world to share information and experience and to carry out joint studies.


Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In October 2022, three data breach notifications were published on the website of the Personal Data Protection Authority,

Quick Sigorta Anonim Şirketi

In summary, in the data breach notifications submitted to the Board by Quick Sigorta Anonim Şirketi; it was stated that the URL containing images of material vehicle damages in the damage management programme managed by the software company contracted by the data controller was captured by unauthorised persons, and that the breach occurred by accessing the images by trying various notification ID numbers by these persons.

It is understood that the attacker’s attempts to log in to the system were successful on 18.08.2022 and that he started data extraction attempts on 21.08.2022, that the programme mostly consists of images of damaged vehicles involved in accidents, and that although the investigation on the subject is ongoing, within the scope of the information contained in the damage file: (i) In case the drivers transmit identity images; name, surname, T. C identification number, place of birth, date of birth, mother’s name, father’s name, gender and photograph, (ii) If the drivers provide a driver’s licence image, name, surname, date of birth, place of birth, Turkish ID number, blood type and photograph, (iii) Address information within the scope of the traffic accident report.

It is stated that the efforts to determine the number of relevant persons affected by the violation are ongoing and that the group of persons are customers/potential customers and parties involved in the traffic accident.

Denizli Private Egekent Hospital

In the data breach notification submitted to the Board by Denizli Private Egekent Hospital, in summary; as a result of the data controller being exposed to a ransomware attack on 10.10. 2022, employees, users, subscribers, students, customers, patients, patients, children, adults in need of protection; personal data categories are identity, contact, location, personal data, legal transaction, customer transaction, physical space security, transaction security, risk management, finance, professional experience, marketing information and audio and visual records, and the estimated number of people affected by the breach is 295.

İnfomag Reklam ve Özel Dergi Yay. Hiz. Tic. A.Ş (Harvard Business Review / HBR Turkey)

Infomag Reklam ve Özel Dergi Yay. Hiz. Tic. A.Ş., it was stated that the breach was detected on 07.09.2022 as a result of the warning message sent by the web server and the messages sent by the web editors that the access to the site was interrupted, and that the data in the database of the website of the data controller was deleted by unauthorised persons and a ransom message was left in the unauthorised accessed database folder.

It is stated that the relevant groups of people affected by the breach are users and subscribers / members, personal data are the name, surname, e-mail information of users who have created a free membership, name, surname, e-mail, TR ID number, address and telephone information of users who have paid subscriptions, the number of people and records affected by the breach is uncertain, and that the relevant persons can obtain information about the data breach from the e-mail address