The Board Decision No. 2019/10 of 24.01.2019 about Procedures and Principles of Personal Data Breach Notification
As known, pursuant to paragraph (1) of article 12 of the Personal Data Protection Law No. 6698 the data controller is obliged to take all necessary technical and organisational measures to ensure the appropriate level of security, so as to:
- a. Prevent unlawful processing of personal data,
- b. Prevent unlawful access to personal data,
- c. Ensure protection of personal data.
According to Article 12(5), in case the processed data are obtained by third parties by unlawful means, the data controller shall communicate the breach to the data subject (natural person concerned) and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach at its official website or through in any other way it deems appropriate.
The purpose of the notification to the Board and to persons affected by the breach is to ensure that measures are taken to prevent or mitigate the adverse consequences of such violations. On the other hand, in respect of data breach notifications, European General Data Protection Regulation, which repeals Directive 95/46 / EC of the European Union which is the source of Law No. 6698, includes detailed arrangements contrary to the Directive. In order to ensure that there is no inconsistency between the decisions to be taken by the Board and that standardization can be achieved in practice; the Board adopted following decisions;
- The Board interpreted the provision of “the shortest time” in Article 12 (5) of the Law (In case the processed data are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify to the Board within the shortest time…) as 72 hours and within this scope the data controller shall notify the Board without delay and not later than 72 hours after having become aware of the breach. From the date following the identification of persons affected by such data breach, data subjects should be communicated about breach in the shortest reasonable period of time. If the contact address of the data subject can be reached, notification should be made directly, or if it cannot be reached, notification should be made by appropriate methods such as the publication on the data controller’s website,
- Where such notification cannot be achieved within 72 hours, the reasons for the delay should be attached to the notification to be made to the Board without undue further delay.
- The following “Personal Data Breach Notification Form” shall be used in the notification to the Board,
- In cases where it is not possible to provide the information in the form simultaneously, this information shall be provided gradually, without delay.
- The controller shall document all personal data breaches, including the facts relating to the personal data breach, its effects and the measures taken. That documentation shall be available for Board to examine.
- If the personal data held by the data processor is obtained by others by unlawful methods, the data processor shall notify the data controller without any delay.
- If data breach occurs in the presence of data controller established abroad, in case this breach affects data subject residing in Turkey and Data Subjects benefit from the products and services provided within Turkey, data controller shall notify the Board within the same principles,
- In case of a data breach, data controller shall prepare a data breach response plan to be reviewed periodically including issues such as to whom the report will be provided by the controller and determination of who has the responsibility regarding the notification to be made under The Law as well as the assessment of potential consequences of the data breach.
The following “Personal Data Breach Notification Form” shall be used in the notification to the Board.
For data breach notification the following link shall be used.
Respectfully announced to the public.