Pursuant to the Law on the Protection of Personal Data No. 6698 (“the Law”), data controllers are obliged to ensure data security. The Law also imposes a breach notification obligation on data controllers for events that affect the security, confidentiality or integrity of personal data (data breaches). Below you may find our explanations on the data breach notification obligation under the Law.
· What is a personal data breach?
It is the unlawful acquisition of, or access to, personal data by others. For example, unauthorized third parties accessing or attacking information systems that contain personal data, or a company employee disclosing customer personal data to unauthorized third parties, are personal data breaches.
· What must be done legally in case of a data breach?
In case of a data breach, it is obligatory to notify the Personal Data Protection Authority (“Turkish DPA”) and the data subjects (natural persons whose personal data is processed).
· Who is obliged to notify a data breach?
Personal data breach notification obligation must be fulfilled by data controllers.
The Law does not stipulate a notification obligation for data processors. However, in order for the data controller to fulfill its notification obligation, the data processor must inform the data controller about the breach.
· Are data controllers abroad also obliged to notify a data breach?
If the breach affects data subjects residing in Turkey and these persons benefit from products/services within Turkey, data controllers abroad are also under the notification obligation.
· Who must be notified?
In case of a data breach, Turkish DPA and the data subjects must be notified. It may also be necessary to notify other regulatory authorities in accordance with industry-specific regulations.
· What is the time frame for notification?
The notification to Turkish DPA must be made without delay and within 72 hours at the latest from the date the data controller learns about the breach.
The notification to the data subjects must be made as soon as reasonably possible after the persons affected by the breach are identified.
· How will the notification be made?
The notification to Turkish DPA can be made in two ways:
1- Online Notification System
Data breach can be notified to Turkish DPA through ihlalbildirim.kvkk.gov.tr.
Explanations on how to make an online notification can be found in the notification guide (only in Turkish).
2- Data Breach Notification Form
Data breach can be notified to Turkish DPA via e-mail by filling out the data breach notification form. The form must be sent to firstname.lastname@example.org. The data breach notification form can also be sent to Turkish DPA by post.
Notifications to be made to Turkish DPA must be in Turkish.
Notification to the data subjects:
– If the contact address of the data subject can be found, the notification should be made directly to that contact address.
– If the contact address cannot be found, the notification should be made by appropriate means, such as an announcement on the data controller’s website.
· What must the notification include?
The notification to Turkish DPA should include the items specified in the data breach notification form (only in Turkish). Turkish DPA may request additional information/documents after the notification.
The notification to the data subjects must include the following:
– Time of the data breach,
– Information on the personal data affected by the breach, by personal data category (distinguishing personal data from special categories of personal data),
– Possible consequences of the data breach,
– Measures taken or proposed to reduce the negative effects of the breach,
– The name and contact details of the data protection contact person who will provide information to the data subjects regarding the breach, or the data controller’s website, call center and any other communication channels.
· What if the notification is not made at all or within the stipulated time?
If the notification is not made at all or not made in time, administrative fines may be imposed in accordance with Art. 18/1-b of the Law (as of 2021, the upper limit of the fine is TRY 1.966,861 – approx. USD 257.806,84).
In its decisions regarding data breaches in 2019-2020, Turkish DPA imposed administrative fines ranging from TRY 100.000 to 350.000 on data controllers who did not fulfill the notification obligation.
Those fines were imposed solely for non-compliance with the notification obligation. Additional (and higher) fines were imposed for failing to take data security measures.