
HUK203 IT Law

Week 12
DATA BREACHES
(Turkish: Veri İhlalleri)
Personal Data Breaches
GDPR Art. 4(12)
‘personal data breach’ means a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data transmitted, stored or
otherwise processed
Personal Data Breaches
• All organisations are under a duty to report certain types of personal data breach to the
relevant supervisory authority (e.g. in Turkey, the KVKK, the Turkish Data Protection Authority).
• DEFINITION: A personal data breach is a breach of security leading to the accidental
or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data.
• This includes breaches that are the result of both accidental and deliberate causes. It also
means that a breach is about more than just losing personal data.
• The data controller must have a process to notify the breach within 72 hours of
becoming aware of it, even if it does not yet have all the details.
• If the breach is likely to result in a high risk to individuals' rights and freedoms,
those individuals must also be informed without undue delay (GDPR Art. 34).
• Breach detection, investigation and internal reporting procedures must be in place.
• A record of every personal data breach must be kept, regardless of whether the controller
is required to notify it (GDPR Art. 33(5)).
Personal Data Breaches
Personal data breaches can include:
• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a controller or processor;
• sending personal data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of personal data without permission; and
• loss of availability of personal data.
A personal data breach can be broadly defined as:
a security incident that has affected the confidentiality, integrity or availability of personal data.

In short, there will be a personal data breach whenever any personal data is lost, destroyed,
corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation;
or if the data is made unavailable, for example, when it has been encrypted by ransomware, or
accidentally lost or destroyed.
Personal Data Breaches
What breaches must be notified to the Turkish Data Protection Authority (KVKK)?
When a personal data breach has occurred, the likelihood and severity of the resulting
risk to people's rights and freedoms must be established. If it is likely that there will be a
risk, the data controller must notify the Authority; if it is unlikely, reporting is
not necessary. However, a controller that decides not to report a breach must be able to
justify that decision, so the assessment should be documented.
In assessing risk to rights and freedoms, it’s important to focus on the potential negative
consequences for individuals:
A personal data breach may, if not addressed in an appropriate and timely manner,
result in physical, material or non-material damage to natural persons such as loss of
control over their personal data or limitation of their rights, discrimination, identity theft
or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to
reputation, loss of confidentiality of personal data protected by professional secrecy or
any other significant economic or social disadvantage to the natural person concerned.
Personal Data Breaches
A breach can have a range of adverse effects on individuals, which include
emotional distress, and physical and material damage.
Some personal data breaches will not lead to risks beyond possible
inconvenience to those who need the data to do their job. Other breaches can
significantly affect individuals whose personal data has been compromised.
Example
The theft of a customer database, the data of which may be used to commit
identity fraud, would need to be notified, given the impact this is likely to have
on those individuals who could suffer financial loss or other consequences. On
the other hand, you would not normally need to notify, for example, about the
loss or inappropriate alteration of a staff telephone list.
Personal Data Breaches
GDPR Art. 33 Notification of a personal data breach to the supervisory
authority
In the case of a personal data breach, the controller shall without undue
delay and, where feasible, not later than 72 hours after having become
aware of it, notify the personal data breach to the supervisory authority
competent in accordance with Article 55, unless the personal data breach is
unlikely to result in a risk to the rights and freedoms of natural persons.
Where the notification to the supervisory authority is not made within 72
hours, it shall be accompanied by reasons for the delay.
The processor shall notify the controller without undue delay after becoming
aware of a personal data breach.
Personal Data Breaches
GDPR Art. 33
The notification referred to in paragraph 1 shall at least:
• describe the nature of the personal data breach including where possible,
the categories and approximate number of data subjects concerned and the
categories and approximate number of personal data records concerned;
• communicate the name and contact details of the data protection officer or
other contact point where more information can be obtained;
• describe the likely consequences of the personal data breach;
• describe the measures taken or proposed to be taken by the controller to
address the personal data breach, including, where appropriate, measures to
mitigate its possible adverse effects.
Personal Data Breaches
GDPR Art. 33
The controller shall document any personal data breaches, comprising the
facts relating to the personal data breach, its effects and the remedial action
taken. That documentation shall enable the supervisory authority to verify
compliance with this Article.
Factors to consider when assessing the risk
caused by the data breach:
• When assessing the risk that is likely to result from a breach, the controller
should consider a combination of the severity of the potential impact on the
rights and freedoms of individuals and the likelihood of that impact occurring.
• Where the consequences of a breach are more severe, the risk is higher, and
similarly where the likelihood of those consequences is greater, the risk is also
heightened. If in doubt, the controller should err on the side of caution and
notify.
• Where the risk is high, notification is mandatory.
1) The type of breach
The type of breach that has occurred may affect the level of risk presented to
individuals. For example, a confidentiality breach whereby medical information
has been disclosed to unauthorised parties may have a different set of
consequences for an individual than a breach where an individual's medical details
have been lost and are no longer available.
Factors to consider when assessing the risk
caused by the data breach:
2) The nature, sensitivity, and volume of personal data
When assessing risk, a key factor is the type and sensitivity of personal data that has been
compromised by the breach. Usually, the more sensitive the data, the higher the risk of harm will be
to the people affected, but consideration should also be given to other personal data that may already
be available about the data subject. For example, the disclosure of the name and address of an
individual in ordinary circumstances is unlikely to cause substantial damage. However, if the name and
address of an adoptive parent is disclosed to a birth parent, the consequences could be very severe for
both the adoptive parent and child.
Breaches involving health data, identity documents, or financial data such as credit card details, can all
cause harm on their own, but if used together they could be used for identity theft. A combination of
personal data is typically more sensitive than a single piece of personal data.
Some types of personal data may seem at first relatively innocuous, however, what that data may
reveal about the affected individual should be carefully considered. A list of customers accepting
regular deliveries may not be particularly sensitive, but the same data about customers who have
requested that their deliveries be stopped while on holiday would be useful information to criminals.
Similarly, a small amount of highly sensitive personal data can have a high impact on an individual, and
a large range of details can reveal a greater range of information about that individual. Also, a breach
affecting large volumes of personal data about many data subjects can have an effect on a
corresponding large number of individuals.
Factors to consider when assessing the risk
caused by the data breach:
3) Ease of identification of individuals
An important factor to consider is how easy it will be for a party who has access to compromised
personal data to identify specific individuals, or match the data with other information to identify
individuals. Depending on the circumstances, identification could be possible directly from the personal
data breached with no special research needed to discover the individual’s identity, or it may be
extremely difficult to match personal data to a particular individual, but it could still be possible.
In some cases, identification may be directly or indirectly possible from the breached data,
but it may also depend on the specific context of the breach and on the public availability of related personal
details. This may be more relevant for confidentiality and availability breaches.
Personal data protected by an appropriate level of encryption will be unintelligible to
unauthorised persons without the decryption key. Additionally, appropriately-implemented
pseudonymisation (defined in Article 4(5) as “the processing of personal data in such a manner that the
personal data can no longer be attributed to a specific data subject without the use of additional
information, provided that such additional information is kept separately and is subject to technical and
organisational measures to ensure that the personal data are not attributed to an identified or
identifiable natural person”) can also reduce the likelihood of individuals being identified in the event of
a breach. However, pseudonymisation techniques alone cannot be regarded as making the data
unintelligible.
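To make the last point concrete, the following added example (Python, written for these notes and not taken from the GDPR text or from any of the decisions cited on this page) shows why an unkeyed hash of an identifier is not "unintelligible": whoever holds the leaked column can recompute the hash for every candidate identity and match. A keyed pseudonym whose key is stored separately resists that enumeration, but only for as long as the key is not part of the same breach. The customer e-mail addresses and the attacker's wordlist are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed breached customer table (e-mail column only). Made up for the example.
CUSTOMERS = [
    "ayse@example.com",
    "mehmet@example.com",
    "fatma@example.com",
    "ali@example.com",
]

# Identities an attacker can enumerate from public sources or earlier leaks.
# Also constructed; it overlaps with CUSTOMERS on three entries.
ATTACKER_WORDLIST = [
    "ayse@example.com",
    "mehmet@example.com",
    "ali@example.com",
    "zeynep@example.com",
]


def pseudonymise_unkeyed(email: str) -> str:
    """Plain SHA-256 of the identifier: deterministic and recomputable by anyone."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise_keyed(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. The key is the 'additional information'
    of Art. 4(5) and must be stored separately from the pseudonymised table."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def reidentify(leaked_pseudonyms, wordlist, pseudonymise):
    """Attacker's view: recompute the pseudonym of every guessable identity and
    look it up in the leaked column. Returns {pseudonym: email} for the matches."""
    candidates = {pseudonymise(e): e for e in wordlist}
    return {p: candidates[p] for p in leaked_pseudonyms if p in candidates}


def simulate_breach():
    """Leak the same customer column pseudonymised both ways and count how many
    data subjects the attacker can re-identify in each scenario."""
    key = secrets.token_bytes(32)  # held by the controller, stored apart from the table
    unkeyed_leak = [pseudonymise_unkeyed(e) for e in CUSTOMERS]
    keyed_leak = [pseudonymise_keyed(e, key) for e in CUSTOMERS]

    # 1. Unkeyed hash: the attacker hashes the wordlist and matches.
    unkeyed_hits = reidentify(unkeyed_leak, ATTACKER_WORDLIST, pseudonymise_unkeyed)
    # 2. Keyed pseudonym, key not in the breach: the attacker can only guess a key,
    #    and a guessed key produces pseudonyms that match nothing in the leak.
    wrong_key = b"attacker-guess"
    keyed_hits_no_key = reidentify(
        keyed_leak, ATTACKER_WORDLIST, lambda e: pseudonymise_keyed(e, wrong_key))
    # 3. Keyed pseudonym, but the key leaked alongside the table (not "kept separately"):
    #    the protection collapses back to the unkeyed case.
    keyed_hits_with_key = reidentify(
        keyed_leak, ATTACKER_WORDLIST, lambda e: pseudonymise_keyed(e, key))

    return {
        "unkeyed_reidentified": len(unkeyed_hits),
        "keyed_without_key": len(keyed_hits_no_key),
        "keyed_with_leaked_key": len(keyed_hits_with_key),
    }


if __name__ == "__main__":
    print(simulate_breach())
```

The three counts are what a risk assessment under factor 3 turns on: with an unkeyed hash, every customer who appears in any public or previously leaked list is re-identified; with a keyed pseudonym the same leak yields nothing unless the key was stored with the data. The same reasoning applies to encrypted records and their decryption key.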
Factors to consider when assessing the risk
caused by the data breach:
4) Severity of consequences for individuals
Depending on the nature of the personal data involved in a breach, for
example, special categories of data, the potential damage to individuals
that could result can be especially severe, in particular where the breach
could result in identity theft or fraud, physical harm, psychological distress,
humiliation or damage to reputation. If the breach concerns personal data
about vulnerable individuals, they could be placed at greater risk of harm.
Factors to consider when assessing the risk
caused by the data breach:
5) Special characteristics of the individual
A breach may affect personal data concerning children or other vulnerable
individuals, who may be placed at greater risk of danger as a result. There
may be other factors about the individual that may affect the level of
impact of the breach on them.
Factors to consider when assessing the risk
caused by the data breach:
6) Special characteristics of the data controller
The nature and role of the controller and its activities may affect the level
of risk to individuals as a result of a breach. For example, a medical
organisation will process special categories of personal data, meaning that
there is a greater threat to individuals if their personal data is breached,
compared with a mailing list of a newspaper.
Factors to consider when assessing the risk
caused by the data breach:
7) The number of affected individuals
A breach may affect only one or a few individuals or several thousand, if
not many more. Generally, the higher the number of individuals affected,
the greater the impact of a breach can have. However, a breach can have a
severe impact on even one individual, depending on the nature of the
personal data and the context in which it has been compromised. Again,
the key is to consider the likelihood and severity of the impact on those
affected.
Examples of personal data breaches and who to
notify
• LinkedIn Credential Stuffing Case (2012)
https://blog.linkedin.com/2016/05/18/protecting-our-members

• French Data Protection Authority (CNIL) Credential Stuffing Case
https://www.huntonprivacyblog.com/2021/01/29/cnil-fines-a-data-controller-and-its-processor-225000-euros-for-security-violation-in-connection-with-credential-stuffing/
Advisable Measures for Case 3.3.
Data Breach
Data Breach: Fibabanka Decision
As is known, paragraph (5) of Article 12 of Law No. 6698 on the Protection of Personal Data,
headed "Obligations concerning data security", provides: "In the event that processed
personal data are obtained by others through unlawful means, the data controller shall
notify the data subject and the Board of this situation as soon as possible. The Board may,
if necessary, announce the situation on its website or by any other method it deems
appropriate."
In the personal data breach notification sent to the Authority by Fibabanka A.Ş., acting as
data controller, it was stated in summary that:
• bank personnel had passed personal data, reached through Credit Bureau (Kredi Kayıt
Bürosu, KKB) queries they had run, to third parties via their own communication channels
(telephone, electronic messaging applications, etc.) between 1 January 2019 and 16 February 2019;
• the breach was detected as a result of examinations carried out by the Bank's Board of
Inspectors following a tip-off call received by the Bank's call centre;
• identity and financial data were affected by the breach;
• an estimated 13,500 persons were affected by the breach.
Data Breach
The three questions to work through:
1) Is there a data breach within the meaning of the KVKK?
2) Do we have to notify the breach to the KVKK?
3) Will we be fined because of the breach?
Data Breach
KVKK Art. 12/5
"In the event that processed personal data are obtained by others through unlawful
means, the data controller shall notify the data subject and the Board of this situation
as soon as possible. The Board may, if necessary, announce the situation on its website
or by any other method it deems appropriate."
The elements of the provision: (i) processed personal data; (ii) obtained through
unlawful means; (iii) obtained by others.
Data Breach
Accidental or unlawful (kazara veya hukuka aykırı olarak)
The breach may result from an accidental or a deliberate act of the data controller or
of the data processor.
Data Breach
• Destruction (imha)
• Loss (kayıp)
• Alteration (değiştirilme)
• Unauthorised disclosure (yetkisiz olarak ifşa)
• Unauthorised access (yetkisiz olarak erişim)
-------------------
"By others": can it also be treated as a data breach when an employee from inside the
company accesses the data without authorisation?
Data Breach Notification Form (Veri İhlali Bildirimi Formu)
Data Breach: Credential Stuffing?
Is it a condition that there be a vulnerability in the system, or that the breach occurred
through the fault or negligence of the data controller? (E.g. credential stuffing?)
- Gratis Decision (https://kvkk.gov.tr/Icerik/6691/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Gratis-Ic-ve-Dis-Tic-A-S-)
- Vatan Bilgisayar (https://www.kvkk.gov.tr/Icerik/6821/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Vatan-Bilgisayar-Sanayi-ve-Ticaret-AS)
"... the breach took place when usernames (e-mail addresses) and passwords, assessed to have
been obtained from another source, were tested to see whether they were valid on the data
controller's website, and the username and password pairs that succeeded were published on a
website ..."
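The mechanism quoted from the Gratis and Vatan Bilgisayar announcements (leaked credential pairs tried one by one, the successful ones becoming the compromised accounts) leaves a recognisable footprint in authentication logs. The following Python example is added to these notes and is not taken from either decision or from any product; it flags source addresses that attempt many distinct accounts with a high failure rate, and lists the accounts that were actually opened, which is exactly the set of data subjects the controller has to identify for the notification. The log format, the addresses, the account names and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed login log lines (not from any decision cited on this page).
# Assumed format: "<timestamp> ip=<addr> user=<email> result=<ok|fail>"
SAMPLE_LOG = """\
2021-03-01T10:00:01 ip=198.51.100.7 user=a@example.com result=fail
2021-03-01T10:00:02 ip=198.51.100.7 user=b@example.com result=fail
2021-03-01T10:00:02 ip=198.51.100.7 user=c@example.com result=ok
2021-03-01T10:00:03 ip=198.51.100.7 user=d@example.com result=fail
2021-03-01T10:00:03 ip=198.51.100.7 user=e@example.com result=fail
2021-03-01T10:00:04 ip=198.51.100.7 user=f@example.com result=fail
2021-03-01T10:00:04 ip=198.51.100.7 user=g@example.com result=ok
2021-03-01T10:00:05 ip=198.51.100.7 user=h@example.com result=fail
2021-03-01T10:00:05 ip=198.51.100.7 user=i@example.com result=fail
2021-03-01T10:00:06 ip=198.51.100.7 user=j@example.com result=fail
2021-03-01T10:00:07 ip=203.0.113.5 user=k@example.com result=fail
2021-03-01T10:00:09 ip=203.0.113.5 user=k@example.com result=fail
2021-03-01T10:00:15 ip=203.0.113.5 user=k@example.com result=ok
2021-03-01T10:01:00 ip=192.0.2.9 user=m@example.com result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")


def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "ok"


def detect_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many *distinct* accounts with mostly failures.

    That is the signature of stuffing (one leaked password per account), as
    opposed to brute force against a single account (same user, many tries) or
    a legitimate user mistyping a password. Thresholds are illustrative."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "fails": 0, "opened": set()})
    for _, ip, user, success in parse(log_text):
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["attempts"] += 1
        if success:
            rec["opened"].add(user)   # a credential pair that "worked"
        else:
            rec["fails"] += 1

    flagged = {}
    for ip, rec in per_ip.items():
        ratio = rec["fails"] / rec["attempts"]
        if len(rec["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(rec["users"]),
                "fail_ratio": round(ratio, 2),
                # Accounts actually opened from this source: the affected data subjects.
                "accounts_opened": sorted(rec["opened"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, 198.51.100.7 touches ten different accounts with an 80% failure rate and is flagged, with two accounts opened; 203.0.113.5 fails twice and then succeeds on one account, which looks like a user retyping a password and is not flagged. Attackers who spread attempts across many proxies defeat a per-IP count, so the same aggregation is normally also run per user agent, per network, and site-wide (a sudden rise in distinct-account failures). Whatever the signal, the "accounts_opened" list is what scopes the breach for the notification.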
Do We Have to Notify the Breach?
From the date on which it becomes aware of the breach, the data controller notifies
1) the data subject as soon as possible, and
2) the Board within 72 hours.
Does the breach pose a RISK to the rights and freedoms of natural persons?
Do We Have to Notify the Breach?
Hospital Decision: https://www.kvkk.gov.tr/Icerik/6860/2020-787
DEFENCE:
- the training received in the last year by the employees involved in the breach
- the administrative and technical measures taken before the breach
- the administrative and technical measures taken after the breach
CONCLUSION:
• the breach did not result from a lack of measures on the part of the data controller but
from a widely used application, and the data controller could not have intervened in this;
• the data controller noticed the breach within a short time;
• the personal data affected by the breach could easily be obtained from sole-proprietorship
company stamps and from publicly available sources;
• the data controller stated that it would notify the affected persons within three working days;
• the risk of the breach causing adverse consequences for the data subjects was low;
• the data controller had taken reasonable technical and administrative measures.
