If an action such as the destruction or alteration of data in the information systems of Yemeksepeti has been committed, how will the criminals be punished? According to the TCK, we look at all the details together.
Article 243 of the Turkish Penal Code (TCK) regulates the crime of ‘entering the information system’. By gaining access to Yemeksepeti’s data, hackers gained access to their information systems. The penalty for this crime is imprisonment for up to one year or a judicial fine. If an action such as the destruction or alteration of data in the information systems of Yemeksepeti is carried out while this action is being taken, the crime regulated in the second paragraph of the relevant article will be committed, this time. ‘Six months to two years in prison’ will be faced with.
Hackers claim that they have information about more than 20 million users’ names, surnames, phone numbers, full addresses, address directions and the first and last four digits of credit cards, and that the data is up-to-date as of November. Considering the data claimed to have been obtained as a result of this hacking and the data of 20 thousand people shared on the internet, there is also the data set in Article 134 of the TCK. “violation of privacy” The crime of “recording personal data” regulated in Article 135 of the TPC, and the crimes of “unlawfully giving or obtaining data” regulated in article 136 of the TPC are also high. In such a case, it may be possible to impose a separate penalty for each crime or to increase this penalty by imposing a penalty for a single crime within the scope of the articles of chain crime and intellectual aggregation regulated in our current penal code.
Before we start, we recommend you to watch the following video, in which we explain the subject with all the details:
Does Yemeksepeti have any responsibility for leaking this data?
Similar to Yemeksepeti example, the obligations of data controllers who have been cyber-attacked are numbered 6698. In the Law on the Protection of Personal Data (KVKK) are held. The obligation to protect the security of personal data is regulated in Article 12 of the KVKK. According to the relevant article, natural or legal person data controllers are obliged to take all necessary technical and administrative measures to ensure the appropriate level of security within their bodies in order to prevent unlawful access to personal data and to ensure the preservation of personal data.
What sanctions may Yemeksepeti face due to leaked data?
The Personal Data Protection Board started an investigation on March 29, 2021 on the grounds of a data breach after the first cyber attack of Yemeksepeti, which was stated to have affected 21 million 504 thousand 83 people. However, by hackers A ransom was demanded from Yemeksepeti, Upon the news that the personal data of 20 thousand users were shared because this was not fulfilled, the board announced on 29/11/2021 that it started an investigation ex officio.
If the allegations are correct as a result of the examination to be made by the Board, as a data controller in accordance with Article 18 of the KVKK, for the year 2021 due to the violation of ensuring the appropriate security level in Article 12 of the KVKK. Between 29,503 ₺ and 1,966,862 ₺ will face a penalty. Considering the previous penalty given by the Personal Data Protection Board for Facebook, and considering the size of personal data and the large number of people affected, if the allegations are true as a result of the investigation, the maximum penalty that can be given will be 1,966,862 ₺, which is the upper limit. In addition, considering the statement made by Yemeksepeti that “no data theft could be detected”, if data theft is detected as a result of the investigation, a separate penalty will be imposed for not fulfilling the obligation to notify the institution as soon as possible of the data breach in paragraph 5 of Article 12 of the KVKK. more can be given.
How Can Leaked Data Be Used?
The primary use of data captured by hackers is in advertising and marketing activities. However, when we consider the categories of leaked data, fake identities are created on behalf of individuals, withdrawing credit, establishing a company, phone line hacking and malware It is possible to face actions such as blackmail and blackmail.
These data can also be used for fraudulent activities, which have increased frequently in recent years. Finally, the people who appeared recently, due to not receiving the cargo with payment at the door These leaked data can also be used in fraudulent activities claiming to be in debt. For this reason, people need to be careful.
What legal remedies can people affected by the Yemeksepeti data breach take? First of all, the persons whose data are processed have the right to apply to the data controller, that is, the natural or legal person who processes your data, within the scope of Article 11 of the Personal Data Protection Law No. 6698. Individuals can apply to the data controller and ask the following questions or requests:
- Asking whether personal data is processed, what data is processed in what way and for what purpose, whether personal data is used in accordance with the purpose
- To whom personal data is transferred, making changes on this data and notifying the transferred persons of the change
- Deletion, destruction of personal data, notification of this situation to the persons to whom the data is transferred
- Objecting to situations where data processing has a negative effect on the person
- Unlawful processing of personal data – removal of damage in case of disposition
The data controller can be contacted free of charge with these questions or requests. To respond to the application received by the data controller 30-day period are available. At the end of 30 days at the latest, the data controller responds to the application or may leave it unanswered. If it is left unanswered, this time the applicant has the right to complain to the Personal Data Protection Board. If the answer given by the data controller somehow does not satisfy the applicant, he/she still has the right to apply to the Board. However, since the board initiated an ex officio investigation in the Yemeksepeti data breach, there is an ongoing review process by the board at this stage.
Another way is compensation in general courts. Personal Data Protection Board In its decision numbered 2020/41 dated 16/01/2020 As he emphasized, people; In case of loss due to the violation of his personal data and there is a claim for compensation, “The right of compensation according to the general provisions of those whose personal rights are violated is reserved.” within the framework of the provision, the compensation claims will be able to be used before the general courts. In other words, persons whose data have been violated will be able to file a lawsuit for compensation in the general courts for the pecuniary and non-pecuniary damage suffered as a result of this violation.