A popular e-commerce platform, "HızlıAl.com", suffers a sophisticated cyber attack on its servers. As a result, attackers exfiltrate a database containing the names, surnames, e-mail addresses, phone numbers and postal addresses of approximately 500,000 customers.

The company's IT department detects the leak on the morning of 10 May at 09:00 and patches the vulnerabilities that were exploited. The situation is immediately reported to the CEO. The CEO, fearing that the incident would hurt the "Great Spring Sale" campaign starting that weekend and damage the company's reputation, instructs the IT department and the legal unit: "Do not let this incident leak outside, fix it quietly, and do not notify KVKK."

Two weeks pass. A technology journalist notices that the database of "HızlıAl.com" customers has been put up for sale on a hacker forum and publishes the story. The news spreads rapidly on social media, and thousands of customers panic. Once the news is out, the Personal Data Protection Authority (the Authority; its decision-making organ is the Personal Data Protection Board, the Board) launches an ex officio investigation into the incident.

Legal Evaluation

This case is one of the most severe violations of the Law on the Protection of Personal Data No. 6698 (KVKK). In this incident the company (the data controller) has breached two fundamental obligations:

1. Violation of the Obligation to Ensure Data Security (KVKK Article 12/1)

First, the fact that the attack succeeded suggests that the company may have fallen short in taking the "technical and administrative measures" required to protect the data. A breach by itself does not prove that the measures were inadequate, but the Board will examine whether the company's firewalls, encryption of stored data, access controls, logging and penetration tests were sufficient, and whether these measures were documented, taking the Authority's Personal Data Security Guide as its yardstick.

2. Violation of the Obligation to Notify a Data Breach (KVKK Article 12/5)

This is the most critical and serious violation. KVKK Article 12/5 imposes a clear obligation on the data controller, and the Board's decision of 24 January 2019 (No. 2019/10) sets the concrete deadline:

  • Notification to the Authority: where processed personal data are obtained by others through unlawful means, the data controller (the company) must notify the Personal Data Protection Authority "as soon as possible" (Article 12/5), which the Board's decision No. 2019/10 fixes at 72 hours at the latest from the moment the controller learns of the breach, using the Board's data breach notification form.

  • Notification to data subjects: the company must also notify the affected persons (the customers) directly "as soon as reasonably possible", so that they can take precautions of their own (for example, being alert to phishing calls and e-mails using the leaked contact details).

"HızlıAl.com" management learned of the breach on 10 May at 09:00, so the 72-hour period expired on 13 May at 09:00. Management intentionally let that deadline pass and made no notification to the Authority or to the customers.

Legal Result

As a result of the ex officio investigation launched by the Authority, "HızlıAl.com" will face very heavy sanctions:

  1. Heavy Administrative Fines:

    • The Board will impose an administrative fine for deficiencies in the data security measures (Article 12/1, sanctioned under Article 18/1(b)).

    • More importantly, it will impose a separate and typically much higher administrative fine (which can amount to millions of TL; the upper limits in Article 18 are revalued every year) for failing to fulfil the notification obligation (Article 12/5) within 72 hours. The Board treats "failure to notify" as one of the most serious violations, and the fact that the failure was a deliberate management decision rather than an oversight weighs heavily against the company.

  2. Compensation Lawsuits from Victims: each of the 500,000 customers whose data were leaked may sue the company for non-pecuniary damages (manevi tazminat) under the general provisions (KVKK Article 14/3), citing the anxiety, panic and potential harm they suffered because their personal data were not protected and they were not informed of the leak. This means a massive litigation burden for the company.

  3. Loss of Reputation: trying to hide the leak, and then having it exposed by the press, will brand the company as "untrustworthy" and lead to a mass loss of customers.

Conclusion and Advice

This case shows that, in a data breach, "hiding the crisis" is far more destructive than the crisis itself. The 72-hour countdown starts the moment the breach is detected, not when its full scope is understood, so the notification to the Authority should be prepared in parallel with the technical investigation and updated as the facts become clear. The first thing management should do is neither panic nor attempt a cover-up, but immediately involve the legal department and KVKK consultants to prepare the official notification to the Authority, while the IT team preserves logs and evidence of the incident. Transparency and compliance with the law are the only way to protect reputation in the long run.