The Law requires data controllers to notify the relevant data subject and the Board as soon as possible after becoming aware of a data breach. In its decision dated January 24, 2019, and numbered 2019/9, the Board clarified the rules and procedures applicable to data breach incidents.
The Board took the GDPR approach regarding the timing of breach notifications and clarified that “as soon as possible” within the Law must be interpreted as 72 hours from becoming aware of a data breach.
The Law also requires data controllers to notify data subjects once they identify the data subjects affected by the data breach, regardless of the level of risk they are exposed to.
The Board’s decision requires data controllers to prepare, in advance, a road map to be followed in the event of a data breach, and to clarify internal reporting mechanisms and procedures in advance. Data controllers are obliged to record data breaches and measures taken in response.
The data breach notification obligation also applies to data controllers residing abroad. If data controllers abroad experience a data breach incident that affects data subjects residing in Turkey and the services/goods used by data subjects in Turkey, then the data controllers abroad must also follow the data breach notification procedures announced by the Board.
The Board also published a “Data Breach Notification Template Form” for data controllers to complete while notifying the Board.
This subject has been a hot topic for privacy practitioners in Turkey. It has been observed that the Board primarily issues fines upon notifications of breaches made by companies. However, it should also be noted that the Board has passed recent decisions wherein no administrative fines were imposed, based on the number of persons affected by the data breach, whether the violation in question has adversely affected the data subject, whether the data controller could intervene, whether the data exposed by the breach has been deleted, whether the data controller has notified the breach within the legal deadline, and whether reasonable administrative and technical measures have been taken.