Open menu
16October2019

Consideration Points Regarding a Data Breach Notification Has Been Determined With The Decision No 2019/271

Consideration Points Regarding a Data Breach Notification Has Been Determined With The Decision No 2019/271

In the Paragraph 5 of the Article 12 of the Turkish Personal Data Protection Law (“KVKK”) No.6698, in the event that the personal data processed is obtained by third parties by illegal means as a result of a data breach, the data controller shall inform the data subject and the Board as soon as possible. In case it is found necessary, the Board may announce the details of the breach on its website and/or in any other way that is considered appropriate.

In the Board decision dated 24.01.2019 and numbered 2019/10, it was concluded that in case of a data breach caused by the data controller, the affected persons should be specified and the data subjects should be subsequently informed by appropriate methods within the shortest possible time.

In the same decision, the criteria for the shortest period was determined as 72 hours; it was decided to notify the data subjects within 72 hours following the identification of the affected persons.

Since the purpose of reporting the data breach to the affected data subjects within the scope of the related provision and the Board's decision is to ensure that measures are taken to prevent or minimize the negative consequences that may arise about such persons, the Board has announced the minimum elements that should be included in the notification for this purpose with the decision no. 2019/271.

Accordingly; the data breach notification to be made by the data controller to the data subject should be in a clear and simple language and include at least following elements:

  • When the data breach has occurred,
  • Which personal data is/are affected by the breach in terms of personal data categories (by distinguishing between personal data / sensitive personal data),
  • Possible consequences of personal data breach,
  • Measures taken or proposed to be taken to reduce the negative effects of data breach,
  • Ways of contact such as the name and contact details of the contact persons who will provide information to the data subjects about the data breach or the full address of the data controller's web page, call center etc.

The details of the Decision can be accessed via here.

Author CottGroup Hukuk ve Mevzuat Ekibi, Category Personal Data Protection Law

  • Notification!

    The content in this article is for general information purposes only and belongs to CottGroup® member companies. This content does not constitute legal, financial, or technical advice and cannot be quoted without proper attribution.

    CottGroup® member companies do not guarantee that the information in the article is accurate, up-to-date, or complete and are not liable for any damages that may arise from errors, omissions, or misunderstandings that the information may contain.

    The information presented here is intended to provide a general overview. Each specific case may require different assessments, and this information may not be applicable to every situation. Therefore, before taking any action based on the information provided in the article, it is strongly recommended that you consult a competent professional in the relevant fields such as legal, financial, technical, and other areas of expertise. If you are a CottGroup® client, do not forget to contact your client representative regarding your specific situation. If you are not our client, please seek advice from an appropriate expert.

    To reach CottGroup® member companies, click here.

About The Author

/tr/mevzuat/item/veri-ihlal-bildirimi-yapilirken-dikkat-edilecekler-belirlendi

Other Legislation

Lets start
Get a quote for your service requirements.

Would you like to know more
about our services?