+90 212 244 9222


Consideration Points Regarding a Data Breach Has Been Determined With The Decision No 2019/271s

Consideration Points Regarding a Data Breach Has Been Determined With The Decision No 2019/271s

In the Paragraph 5 of the Article 12 of Turkish Personal Data Protection Law (KVKK) No.6698, in the event that the personal data processed is obtained by others by illegal means due to a data breach, the data controller shall inform the data subject and the Board as soon as possible.

In case it is found necessary, the Board may announce the details of the breach on its website and/or in any other way that is considered appropriate.

In the Board decision dated 24.01.2019 and numbered 2019/10, it was decided that in case of data breach by the data controller, the affected persons should be specified and subsequently informed by appropriate methods within the shortest possible time.

In the same decision, the criteria for the shortest period was determined as 72 hours; it was decided to notify the person concerned within 72 hours following the identification of the affected persons.

Since the purpose of reporting the data breach to the affected persons within the scope of the related provision and the Board's decision is to ensure that measures are taken to prevent or minimize the negative consequences that may arise from such persons , the Board has announced the minimum elements that should be included in the notification for this purpose with the decision no. 2019/271.

Accordingly; the data breach notification to be made by the data officer to the person concerned in clear and simple language and at least include following elements:

  • When the data breach has occurred,
  • Which personal data is affected by the breach in terms of personal data categories (by distinguishing between personal data / sensitive personal data),
  • Possible consequences of personal data breach,
  • Measures taken or proposed to be taken to reduce the negative effects of data breach,
  • Ways of contact such as the name and contact details of the contact persons who will provide information about the data breach or the full address of the data officer's web page, call center etc.

The details of the Decision in Turkish can be accessed via here.

Written by Şeyma Nur Kaplan, Posted in Personal Data Protection Law

  • Notification!

    Contents provided on this article serve to informative purpose only. The article is confidential and property of CottGroup® and all of its affiliated legal entities. Quoting any of the contents of this notification without credit being given to the source is strictly prohibited. Regardless of having all the precautions and importance is put in the preparation of this article, CottGroup® and member companies cannot be held liable of the application or interpretation of the information provided. It is strictly advised to consult a professional for the application of the above-mentioned subject. Prior to taking any action in regards the above, please consult your client representative if you are a customer of CottGroup® or consult to a relevant party.

About The Author

Şeyma Nur Kaplan

Legal Consultant Attorney
This website is using cookies.
In this website, we use cookies to develop your user experience, obtain efficient work and track statistical data. You are agreeing to our use of cookies by browsing our website. Please review Çerezler (Cookies) page for detailed information of how we manage the cookies. This choice is valid for 30 days until you delete the cookies in your web browser.
Hizmetlerimiz devam ediyor.

Due to the Covid-19 Coronavirus pandemic to secure the health of our employees our business operations are held remotely until further notification. CottGroup® will have its business processes carried out efficiently and smoothly thanks to our BCP plans and strong technological infrastructure. As always, our customers and business partners will be able to reach us via our phones and e-mails.