Data Breach Notification Procedure for the Data Controllers Has Been Published
An announcement (the “Announcement”) regarding personal data breach notification procedures was published with decision number 2019/10 of the Personal Data Protection Institution on 24.01.2019. The “Personal Data Breach Notification Form” is also shared within this Announcement; you may reach the sample form here.
The Announcement refers to the obligations of the Data Controller set out in Art. 12 of the Personal Data Protection Law (“KVKK”): Data Controllers should inform the Institution as soon as possible in case of any data breach. The Institution has stated that this notification process aims to prevent negative consequences for data subjects and others, or to minimize the risks that arise from such breaches.
Within this scope, the Institution has taken the decisions listed below in order to create a framework parallel to the European General Data Protection Regulation (GDPR), which constitutes the basis for the KVKK:
- The phrase “as soon as possible” in clause 5 of Art. 12 of the KVKK, which reads “in case processed data is obtained by third parties through unlawful means, the data controller should inform the data subject concerned and the Institution as soon as possible…”, should be interpreted as 72 hours from learning of the breach; the data subject should also be informed via their contact information or, if contact information is not available, through an announcement on the data controller’s own web page;
- If notification cannot be made to the Institution within 72 hours for a valid reason, the data controller should state the reasons for the delay together with the notification;
- The Personal Data Breach Notification Form should be submitted with the notification made to the Institution, and if it is not possible to provide all information at the same time, the information should be provided in stages;
- The Data Controller should record the information, effects and remedial measures regarding the data breach and keep these records available for the Institution’s investigation;
- If the breach occurs while the data is in the possession of the data processor and the data is obtained by a third party, the data processor should inform the data controller as soon as possible;
- If a data breach takes place at a data controller resident abroad and this situation affects persons in Turkey, or the service/good provided is used in Turkey, the same procedure applies for the notification to the Institution;
- The data controller should prepare a “data breach intervention plan” and review this plan regularly; this plan should include:
  - The persons to be reported to,
  - The notification to be made under the Law and the evaluation of probable effects,
  - The authority responsible within the data controller.
You may reach the full text of the decision here.