Points to Consider in a Data Breach Notification Have Been Determined by Decision No. 2019/271
Under Paragraph 5 of Article 12 of the Turkish Personal Data Protection Law (“KVKK”) No. 6698, if the personal data processed is obtained by third parties by illegal means as a result of a data breach, the data controller shall inform the data subject and the Board as soon as possible. Where it is found necessary, the Board may announce the details of the breach on its website and/or in any other way it considers appropriate.
In the Board decision dated 24.01.2019 and numbered 2019/10, it was concluded that in the event of a data breach caused by the data controller, the affected persons should be identified and the data subjects should subsequently be informed by appropriate methods within the shortest possible time.
In the same decision, the criterion for the shortest period was set at 72 hours; it was decided that the data subjects are to be notified within 72 hours following the identification of the affected persons.
The purpose of reporting the data breach to the affected data subjects, within the scope of the related provision and the Board's decision, is to ensure that measures are taken to prevent or minimize the negative consequences that may arise for such persons. For this purpose, the Board has announced the minimum elements that should be included in the notification with decision no. 2019/271.
Accordingly, the data breach notification to be made by the data controller to the data subject should be in clear and simple language and include at least the following elements:
- When the data breach occurred,
- Which personal data is affected by the breach in terms of personal data categories (distinguishing between personal data and sensitive personal data),
- Possible consequences of the personal data breach,
- Measures taken or proposed to be taken to reduce the negative effects of the data breach,
- Means of contact, such as the name and contact details of the contact persons who will provide information to the data subjects about the data breach, or the full address of the data controller's web page, call center, etc.
The details of the Decision can be accessed here.