
Notification of Breaches in Personal Data Protection

The Principles and Procedures Applicable in Case of Breach of Personal Data were determined by the resolution of the Data Protection Board (“Board”) dated 24 January 2019 and numbered 2019/10 (“Resolution”) (in Turkish, “Kişisel Veri İhlali Bildirim Usul ve Esaslarına İlişkin Karar”).

The Code of Protection of Personal Data numbered 6698 (“Code”) requires data controllers to notify the data subjects and the Board as soon as possible in the event that the processed personal data are accessed by unauthorized third parties through unlawful means.

In this respect, the Resolution aims to standardize the requirements of such notification and the subsequent steps to be taken. Accordingly, as per the Resolution:

  • The expression “as soon as possible” in paragraph 5 of article 12 of the Code should be interpreted as 72 (seventy-two) hours beginning as of the date that the data controller becomes aware of the unlawful access. In other words, the data controller should notify the Board without delay and within 72 hours and, after determining which data subjects have been affected by the breach, should notify these data subjects within the soonest reasonable period. The notification to data subjects should be made directly to their contact addresses if possible; if the contact information is not available, it should be made through other available means, such as an announcement on the website of the data controller.
  • The reasons for any delay exceeding 72 hours should be explained to the Board in the notification given to the Board after the expiry of the 72 hours.
  • The Personal Data Breach Notification Form (“Form”), a newly issued template form, should be used for data breach disclosures to the Board.
  • Where it is not possible to provide all the information required in the Form at once, the information should be provided gradually so as not to give rise to any delay.
  • The data controller should keep the records of the breaches and their consequences together with the precautions taken against these breaches and make them available for the inspection of the Board.
  • If the data processed by the data processor are obtained by third parties through unlawful means, the data processor should immediately notify the relevant data controller(s) of this unlawful access.
  • If data held by a data controller residing abroad are subject to a breach, the breach should also be notified to the Board in accordance with the same rules and procedures, provided that the results of the breach affect data subjects residing in Turkey and the products and services procured are used in Turkey by these data subjects.
  • The data controller should prepare and periodically review a data breach intervention plan determining the internal reporting system and the individuals responsible for disclosure of the data breaches and assessment of their possible outcomes.

Our Law Firm remains at your disposal for any further information and assistance you may require.

Copyright© Cailliau & Colakel