The Personal Data Protection Board ("Board") rendered a decision dated 24.11.2020 and numbered 2020/905 ("Decision") regarding a data controller insurance company's ("Data Controller") failure to take the necessary technical and administrative measures to ensure data security and to fulfill the obligation to notify the data breach. The data breach notification submitted by the Data Controller states that (i) the data breach occurred due to a cyber-attack on the test server of the website and was detected the same day; (ii) the access efforts directed at the login page of the website which were attempted from abroad and made