DATA BREACH NOTIFICATION FROM A CIVIL INITIATIVE (ADIM ADIM OLUŞUMU)

15.03.2021

 

In a public announcement published on the website of the Turkish Data Protection Authority, it was was shared that the Adım Adım Oluşumu (a civil initiative) was faced a cyber attack.

In accordance with paragraph[1] (5) of Article 12 of the law on the protection of personal data No. 6698 entitled “obligations related to data security”, the violation in question was reported to the data protection authority by the data controller within the scope of the notification obligation.

In summary, in the written notification sent to the Turkish Data Protection Authority by the data controller;

  • The breach occurred as a result of illegal access to personal data by cyber attackers by gaining unauthorized access to the ipk.adimadim.org web page database,
  • The breach was detected by noticing the publication of data belonging to the data controller on a website as a result of social media shares and initiating an investigation in the database,
  • The data affected by the breach are identity, communication, customer transaction, transaction security, professional experience, other information (information about the training information, size of the form and the Civil Society Organization that the relevant persons run on behalf),
  • The group of people affected by the breach is users and subscribers / members,
  • The number of affected people has not yet been fully determined, and examination on this issue is ongoing, the estimated number of affected records is 733.000,
  • It has been stated that the relevant persons can obtain information regarding the data breach from the www.adimadim.org website, iyilikpesindekos@adimadim.org e-mail address, social media accounts and phone number 0532 623 39 02.

Although the investigation on this issue continues, it has been decided that the data breach notification in question will be announced on the website of the Authority by the decision of the Personal Data Protection Board dated 09.03.2021 and numbered 2021/222.

You can find the public announcement (in Turkish) here

Should you have any queries and/or remarks, please do not hesitate to contact us. 

 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr


[1] Obligations regarding data security

ARTICLE 12- (1) Data controller;

a) To prevent unlawful processing of personal data,

b) To prevent unlawful access of personal data,

c) To ensure the protection of personal data,

has to take all necessary technical and administrative measures in order to ensure the appropriate level of security.

(2) In case personal data is processed by another natural or legal person on her behalf, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.

(3) The data controller is obliged to carry out the necessary audits or have them done in it institution or organization in order to ensure the implementation of the provisions of this Law.

(4) Data controllers and data processors cannot disclose the personal data they have learned to anyone in violation of the provisions of this Law and cannot use it for purposes other than processing. This obligation continues even after they leave the job.

(5) In case the processed personal data is obtained by others illegally, the data controller shall notify the relevant person and the Board of this situation as soon as possible. The Board, if necessary, may announce this on its website or by any other method it deems appropriate.