The Personal Data Protection Authority ('KVKK') published, on 23 June 2020, its decision ('the Decision') of 16 April 2020, fining a gaming company a total of TRY 1,100,000 (approx. €142,980) for data breach notification violations. In particular, the Decision concerns a data breach suffered by the gaming company in which hackers were able to gain access to the company’s player data affecting 39,995 individuals in Turkey. Specifically, the Decision highlights that the company was fined 1,000,000 TRY (approx. €129,980) for violations of Article 12 of the Law on Protection of Personal Data No.6698 ('the Law') and not having taken the necessary technical and administrative measures to ensure the appropriate level of security. Furthermore, the Decision notes that the gaming company was fined an additional TRY 100,000 (approx. €13,000) for failures to report the breach within the 72-hour period required.

You can read the Decision, only available in Turkish, here.