The Institution of Personal Data Protection has shared an announcement on the Application to the Data Controller and the Period Calculation of the Claims made to the Institution, on 13.02.2019. The issue of interpretation of the claim durations within the Law has become clear with the said announcement for the Data Subjects who exhaust application avenues to the Data Controller. You may reach the full text of the announcement here.

The subjects to be covered with the announcement are as follows:

An announcement (the “Announcement”) regarding the personal data breach notification procedures, has published with the 2019/10 numbered decision of Personal Data Protection Institution on 24.01.2019. The “Personal Data Breach Notification Form” is also shared within this Announcement, you may reach the sample form here.

The Announcement mentions about the obligations of the Data Controller stated in the Art. 12 of the Personal Data Protection Law ("KVKK") and Data Controllers should inform the institution as soon as possible in case of any data breach. The institution has expressed that this notification process aims to prevent negative conclusions or to minimize risks that arise from these breaches on data subjects and others.

Under this scope, the Institution has taken below mentioned decisions to create a ground parallel with European General Data Protection Regulation (GDPR) which constitutes basis for the KVKK:

Within the scope of the Personal Data Protection Law numbered 6698 which has been announced in the 29677 Numbered Official Gazette dated April 7, 2016, it is highly crucial for the natural persons and legal entities to meet all the legal compliancy requirements in dealing with the personal data that they obtain, use, store, process to avoid the administrative penalty fines and possible incompliancy sanctions.