Cyber-Attacks And Data Breaches: Compliance Tactics For Companies


Cyber-attacks and data breaches pose major risks to corporations, with both financial and reputational consequences. Ensuring data protection requires both accountability and sophisticated technology. This article reviews, as of January 28, the steps the PDPL and TPC require to protect personal data and reduce risks in the digital world.

Cyber-attacks are a major priority for businesses today because they can result in significant financial and reputational damage. These threats take various forms, including AI-driven attacks, hacking, ransomware, and nation-state cyber-attacks. In Türkiye, the protection of personal data affected by cyber-attacks is primarily regulated by the Personal Data Protection Law ("PDPL"). Companies can take specific actions, as recommended under the PDPL, to defend themselves against these attacks and to counteract their effects. Additionally, the Turkish Penal Code ("TPC") prescribes sanctions for the unlawful acquisition of personal data. This article provides an overview of cyber-attacks and the actions businesses must take in response to data breaches.

Current Cyber Problems

According to the IBM Cost of a Data Breach Report 2024 (1), the average cost of a data breach has risen to 4.88 million USD. Among the industries most affected by data breaches, the healthcare sector ranks first, followed by the banking sector. The number of cyber-attacks has been steadily increasing, causing significant harm to businesses. According to the report of the Center for Strategic & International Studies (2) ("CSIS"), notable incidents from 2024 include:

  • October 2024: Egyptian agents targeted UAE state firms, using a secret to steal sensitive credentials.
  • September 2024: Russian cyberspies attacked Mongolian state sites, stealing browser cookies.
  • July 2024: A faulty Windows update by CrowdStrike caused a global IT outage, disrupting airlines and hospitals and costing Fortune 500 companies $5.4 billion.
  • March 2024: Microsoft reported that Russian hackers accessed its source code and internal systems, targeting senior managers.

Restrictions imposed by the TPC

Cyber-attacks usually result in significant data breaches. Several of the acts involved are offences under the TPC, including unlawfully recording or obtaining personal data (Article 136), failing to destroy data (Article 138), and others. These acts are punishable by imprisonment:

  • Unlawfully Recording Personal Data

According to TPC Article 135, unlawfully recording personal data is punished by one to three years in prison, with the penalty increased by half for sensitive categories of data.

  • Unlawfully Obtaining or Disclosing Data

Article 136 addresses the unlawful disclosure, transmission or acquisition of personal data. A person who unlawfully discloses, transmits, or obtains personal data may face imprisonment of 2 to 4 years. The penalty is increased where the data consists of the statements and images of the victim of a sexual assault or sexual abuse offence recorded during the criminal investigation stage.

  • Non-Destruction of Data

Companies may retain personal data in accordance with the relevant legislation, and while they can set retention periods in their policies, the periodic destruction interval may be up to six months, as per Article 11 of the Regulation on Deletion, Destruction or Anonymization of Personal Data. Failure to destroy data after the legally mandated period has expired is punished by imprisonment of one to two years, with additional penalties if the data was required to be deleted or destroyed under the Criminal Procedure Law.

Public officials, or those who use their position to commit the offence, are subject to harsher sanctions under Articles 135 and 136. In addition, under Article 140 of the TPC, legal entities may be subject to specific security measures as a result of the above-mentioned offences.

Steps to Take When Data is Breached

The data controller must inform the affected data subjects and the Personal Data Protection Board ("Board") when personal data is compromised. According to the Board's decision (3) dated 24.01.2019 (Decision No. 2019/10), the data controller must notify the Board within 72 hours of becoming aware of the breach, and data subjects must also be notified as soon as possible. The notification to the Board must be submitted using the Personal Data Breach Notification Form, which can be accessed online at https://ihlalbildirim.kvkk.gov.tr/.

In cases where full information is not immediately available, the data controller may provide the information in stages, without undue delay. The Board recently penalised a bank for missing the 72-hour deadline; the bank cited factors such as uncertainty about which data had been exposed and an incomplete understanding of the incident. The bank had consulted the relevant departments and internally assessed whether notification was necessary, and relied on these factors to justify the delay. The Board held that these factors did not constitute valid justifications, pointing out that notification can be made in stages as the situation becomes clearer (4). Thus, the 72-hour notification period begins as soon as a data breach is suspected.

If the data controller is unable to notify the Board within 72 hours, the reasons for the delay must be explained to the Board together with the notification.

Keeping a record that documents the root cause of the breach and the actions taken is essential for tracking all findings relating to the data breach. The Board may request this record.

Data Breach on the Part of the Data Processor

If the data breach occurs on the data processor's side, the data controller must be informed immediately. Given the short 72-hour period, quick action is important for businesses. The data processor should notify the data controller as soon as possible, since the data controller is responsible for the breach notification.

Data Breach by a Foreign Data Controller

The Board's decision specifies that a foreign data controller must notify the Board if the breach affects data subjects residing in Turkey or data subjects who receive goods and services from it in Turkey. The same procedures apply as for domestic controllers.

Financial and Moral Restrictions

Following a data breach, failing to notify the Board and the data subjects can result in fines ranging from 204,285 TRY to 13,620,402 TRY (5). Beyond monetary fines, companies may suffer reputational damage, as the Board publishes the details of the breach on its website.

According to Article 15/5 of the PDPL, the Board may impose an administrative fine and issue an instruction decision requiring the company to take remedial steps within 30 days. When the Board examines a data breach notification, the scope of its investigation may be expanded beyond the notification itself. For example, it may examine ex officio all of the company's processing activities, not limited to the subject matter of the notification. If the company fails to comply, it may face additional fines ranging from 340,476 TRY to 13,620,402 TRY (6) for failure to fulfil the decisions taken by the Board, and from 204,285 TRY to 13,620,402 TRY (7) for failure to fulfil the obligations regarding data security.

What Actions Are Required Under the PDPL?

The data controller must take all necessary technical and administrative measures to prevent unlawful processing of and access to personal data, in order to ensure the protection and security of that data. Data processors and data controllers must make sure that personal data is not used or disclosed for purposes other than those permitted by the PDPL.

To minimize the risk of data breaches, companies should conduct regular internal audits and risk analyses and maintain personal data processing inventories. Employees should be trained to handle data breaches, and corporate policies should be developed to address these situations. Effective corporate communication and crisis management are also necessary for managing data breaches and protecting the company's reputation.

Conclusion

Cyber-attacks result in significant data breaches that affect not only a company's finances but also its reputation. In the event of a data breach, the data controller is required to prepare the necessary documentation so that it is ready for the Board's review. Timely notification to the Board (within 72 hours) and to affected data subjects (as soon as possible) is essential for maintaining both security and reputation. Companies can mitigate the impact of data breaches by implementing regular audits, risk analyses, personal data processing inventories, employee training, and effective crisis management strategies, all while complying with PDPL and TPC requirements.

Footnotes

1. (Cost of a Data Breach Report 2024, 2024)

2. (Significant Cyber Incidents Since 2006, 2024)

3. (Announcement Regarding the Personal Data Protection Board Decision Dated 24.01.2019 and Numbered 2019/10 Regarding the Procedures and Principles of Personal Data Breach Notification (Only in Turkish), n.d.)

4. (Summary of the Decision of the Personal Data Protection Board dated 07/05/2020 and numbered 2020/359 "About a bank's data breach notification" (Only in Turkish), n.d.)

5. The fines mentioned in this article are subject to annual adjustment based on the revaluation rate. The amounts provided are based on the 2025 rate.

6. The fines mentioned in this article are subject to annual adjustment based on the revaluation rate. The amounts provided are based on the 2025 rate.

7. The fines mentioned in this article are subject to annual adjustment based on the revaluation rate. The amounts provided are based on the 2025 rate.

This article's content is intended to serve as a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.