
Points to Consider in a Data Breach Notification Have Been Determined by Decision No. 2019/271

Under Paragraph 5 of Article 12 of the Turkish Personal Data Protection Law (“KVKK”) No. 6698, in the event that processed personal data is obtained by third parties by illegal means as a result of a data breach, the data controller shall inform the data subject and the Board as soon as possible. Where it is found necessary, the Board may announce the details of the breach on its website and/or in any other way it considers appropriate.

In the Board decision dated 24.01.2019 and numbered 2019/10, it was concluded that in case of a data breach caused by the data controller, the affected persons should be specified and the data subjects should be subsequently informed by appropriate methods within the shortest possible time.

In the same decision, the shortest possible time was defined as 72 hours; it was decided that data subjects are to be notified within 72 hours following the identification of the affected persons.

The purpose of reporting a data breach to the affected data subjects, under the related provision and the Board's decision, is to ensure that measures are taken to prevent or minimize the negative consequences that may arise for those persons. For this purpose, the Board announced the minimum elements that the notification should include with Decision No. 2019/271.

Accordingly, the data breach notification made by the data controller to the data subject should be written in clear and simple language and include at least the following elements:

  • When the data breach occurred,
  • Which personal data is affected by the breach, in terms of personal data categories (distinguishing between personal data and sensitive personal data),
  • Possible consequences of the personal data breach,
  • Measures taken or proposed to be taken to reduce the negative effects of the data breach,
  • Contact channels, such as the name and contact details of the contact persons who will provide information to the data subjects about the data breach, or the full address of the data controller's web page, call center, etc.

The details of the Decision can be accessed here.

Author: CottGroup Hukuk ve Mevzuat Ekibi. Category: Personal Data Protection Law.
