The Data Protection Law requires data controllers to notify the relevant data subject and the Board as soon as possible upon becoming aware of a data breach. In its decision dated January 24, 2019 and numbered 2019/9, the Board clarified the rules and procedures to be applied in data breach incidents.
The Board follows the GDPR approach to the timing of breach notifications and clarified that the term “as soon as possible” in the Data Protection Law must be interpreted as 72 hours from becoming aware of a data breach.
The Data Protection Law also requires data controllers to notify data subjects once they have identified the data subjects affected by the data breach, regardless of whether the risk of being negatively exposed is low.
The decision of the Board requires data controllers to prepare, in advance, a road map for data breaches and to define the internal reporting mechanisms and procedures to be followed. Data controllers are also obliged to keep records of data breaches and of the measures taken.
The data breach notification obligation also applies to data controllers residing abroad. If a data controller abroad experiences a data breach that affects data subjects residing in Turkey, and the services/goods are used by data subjects in Turkey, then the data controller abroad must also follow the data breach notification procedures announced by the Board.
The Board also published a “Data Breach Notification Template Form” for data controllers to complete when notifying the DPA. The DPA has also recently announced the online system to be used for notification of data breaches.
This subject has been a hot topic for privacy practitioners in Turkey. It has been observed that the DPA mostly issues fines following breach notifications made by companies. Some European Data Protection Authorities may take a more lenient approach towards breach notifications but, in Turkey, in most cases, the DPA issues a relevant fine upon receipt of the notification.