The Turkish Personal Data Protection Board (“Board”) published a resolution dated 24.01.2019 and numbered 2019/10 concerning the detailed procedure to be followed by the data controllers for the notification of data breach.
As is known, in accordance with the related provisions of the Law on the Protection of Personal Data numbered 6698 (“Law”), data controllers are obliged to take any kind of technical and administrative measure and inform data subjects and the Board within the shortest time in the event of data breach. Considering the detailed provisions of the EU General Data Protection Regulation related to the matter, in order to avoid any non-compliance with the decisions to be taken by the Board and achieve a standard in practice, the period and the procedure to be followed by the data controller in the data breach notification processes are discussed in detail in the resolution. Accordingly:
- A possible data breach must be notified as soon as possible and at the latest within 72 hours of becoming aware of such breach. Once data controllers identify the data subjects affected from the data breach, the relevant data subjects must be notified by appropriate methods immediately.
- Unless notified within 72 hours, the reasons for the delay must be explained along with the notification to the Board.
- For data breach notification, “Data Protection Breach Notification Form” provided on the official web site of the Turkish Personal Data Protection Authority (“Authority”) can be used.
- Unless the information in the mentioned form completely provided, the related information must be provided incrementally to the Authority without any delay.
- The information relating to the data breach, the effects of the data breach and the measures taken accordingly must be recorded. Besides, mentioned records must be kept available for the Board’s investigation.
- If the personal data under the responsibility of data processor is also affected by the breach, data processor must inform data controller immediately.
- If the data breach does occur regarding the data under the responsibility of data controller residing abroad, data controller is obliged to make a notification to the Board. If the consequences of the data breach affect data subjects residing in Turkey and data subjects make use of services and products in Turkey, data controller residing abroad must also make data breach notification in compatible with the same procedure.
- The Board imposed an obligation to prepare an action plan for data controllers in the event of data breach. As part of the said plan to be prepared and revised periodically, the matters such as the recipients of the reporting by the data controller in the event of a possible data breach, the notifications to be made by law and the appointment of liability for the evaluation of the possible effects of data breach are mentioned.
In this sense, it is quite important to make notification to the Board and data subjects within the periods determined by the Board and compatible with the conditions set out under the resolution.
Should you need any further information, please contact us.