Pursuant to Article 12 of the Turkish Personal Data Protection Law No. 6698, “In case the processed data is collected by third parties through unlawful methods, the data controller shall notify the data subject and the Board within the shortest time.”
In early 2019, the Turkish Personal Data Protection Board (the “Board”) published decision no. 2019/10 of 24 January 2019 on its official website in order to set out the main principles and procedures for such notifications of personal data breaches. According to this decision, the only methods to notify a personal data breach were either by mail or e-mail.
With the announcement made on 6 January 2020 by the Board, data controllers may now also submit “Personal Data Breach Forms” to the Board online through the website https://ihlalbildirim.kvkk.gov.tr/.
In addition, a “Guide on the Notification of Personal Data Breach” has been published on the Board’s website that explains how notifications should be made to the Board.
The public announcement and the Guide in Turkish are available here: https://www.kvkk.gov.tr/Icerik/6644/Kisisel-Veri-Ihlali-Bildirimlerinin-Elektronik-Ortamda-Kurula-Iletilmesine-Iliskin-Duyuru