The data controller has made a data breach notification, detailed below, to the Personal Data Protection Authority (“Authority”);
· While sending an e-mail to a group of 400 recipients by the data controller employee; it was indicated that the e-mail addresses of 43 customers were mistakenly added to the subject part of the e-mail instead of being added to the BCC part of the e-mail, and 43 recipient information was shared with a group of 400 recipients.
· It has been reported that the contact information (e-mail) and identity information (name and surname information in the e-mail addresses) data of 43 related persons were affected by this breach.
· It has been stated that, as soon as the e-mail was sent, the mistake has been noticed by the employee, although it was not possible to recall the e-mails, the contacts affected by the breach have been informed within 48 hours and their level of exposure of the breach has been minimized.
Upon this breach notification, in the Decision dated 01/10/2020 and numbered 2020/763;
· The Personal Data Protection Board (“Board”) stated that 400 customers to whom mistaken e-mails were sent have been requested to destroy the e-mail in breach and that the risk of negative consequences of the breach was low.
· In addition, the Board stated that the notification to the persons affected by the breach and the Authority was made "as soon as possible" (obligation to notify within the 72-hour period specified in the Board decision dated 24.01.2019 and numbered 2019/10) as per the 5th paragraph of the 12th article of the Personal Data Protection Law No. 6698 ("Law").
Accordingly, it has been decided that there was no action to be taken within the scope of Article 12 of the Law.
Author: Hakan Zeren