Ertuğrul Can Canbolat LL.M., S. İrem Akin and Baran Can Yildirim, LL.M. write:
Under Article 12/5 of the Turkish Data Protection Law, the data controllers are obliged to inform the Turkish Data Protection Authority (“DPA“) in case the personal data processed on their behalf is acquired by others unlawfully. In line with this provision, ING Bank A.Ş. (“ING Bank“) notified the DPA that personal data of almost 20 thousand people were unlawfully transmitted to third parties. Accordingly, the DPA on March 2, 2019 made an announcement on its website providing the details of the incident1.
The data breaches are generally occurred as a result of the cyber-attacks of third parties. ING Bank’s notification, however, reveals that the breach was caused by one if its -now former- employees who accessed unauthorizedly to certain databases of Risk Center of the Banks Association of Turkey (“TBB“) containing personal data belonging to mostly other banks’ customers.
Read more on Mondaq