25 June 2019

The Turkish Data Protection Authority (“TDPA”) published three new data breach notifications on their official website on 18.06.2019. The notifications were made in accordance with Article 12(5) of the Turkish Data Protection Law numbered 6698 which stipulates that data controllers are obliged to notify data subjects and/or the TDPA in case of data breaches[1].

First of all, Metro Grosmarket Bakırköy Alışveriş Hiz. Tic. Ltd. Şti. notified the TDPA that; they have shared the credentials of 658 non-MetroCard users via e-mail with third parties by mistake. Since the company does not posses their contact info, they could not inform the data subjects.

Secondly, Bartu Turizm Yatırımları A.Ş. reported that they have been hacked and the personal data belongs mostly to the company’s employees have been compromised.

Lastly, Vodafone Telekomünikasyon A.Ş. notified the TDPA that one of their semi-exclusive agency’s employee leaked the client’s personal data to third parties. It has been reported that approximately 5-6 thousand people have been affected by the breach. However, they have not been notified yet since the investigations regarding the incident still continue.

The TDPA states that their investigation is still in progress regarding above-mentioned breaches.

You can find the notifications (in Turkish) here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law




[1] In case the processed data are collected by other parties through unlawful methods, the controller shall notify the data subject and the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through other methods it deems appropriate.


* gerekli alanlar

__ (0)