The Data Protection Law No. 6698 ("DPL") requires data controllers to notify data subjects and the Data Protection Board ("Board") as soon as possible in the event that processed personal data is accessed by third parties through unlawful means. The Board, when necessary, may announce such breach on its official website, or through other means that it deems appropriate.
The rules and procedures in case of a breach have been clarified with a resolution of the Board dated 24 January 2019 and numbered 2019/10, which was published by the Data Protection Authority on 15 February 2019 ("Resolution"). A summary of the Resolution is as follows:
1- The Timeline for Disclosing Breaches
Although it is stated in the DPL that notifications of breaches should be made "as soon as possible," there was no explanation as to the exact timeline of such notification. The Board has decided that the expression "as soon as possible" should be interpreted to mean within 72 hours.
Therefore, data controllers must notify the Board as soon as possible and at the latest within 72 hours of becoming aware of such breach. The Resolution also stipulates that data controllers failing to notify the Board within 72 hours must also disclose the reasons for the delay when they eventually notify the Board of the breach.
2- An Application Form for Data Breach Disclosures
The Resolution also states that notifications of data breaches must be made using a newly-issued template form entitled "Personal Data Breach Notification Form" ("Form"). The Form is provided on the website of the Data Protection Authority. Applicants are requested to provide information regarding breaches under a number of headings in the Form, such as (i) details about the breach (e.g., whether it is a first disclosure or is submitted to provide follow-up information; the date, information and source of the breach; the event that caused the breach; the personal data categories affected; the estimated number of affected data subjects and records; the reasons for any delays in notification); (ii) possible outcomes and effects on data subjects and the data controller; (iii) details and results of any cyber-attacks that may have occurred; and (iv) any precautions that may have been taken.
Documents evidencing the facts disclosed in the Form should also be attached to the Form.
3- Notification of Affected Data Subjects
The DPL obliges data processors to notify the relevant data subjects of the breach as well. The Resolution holds that once data controllers identify the data subjects affected by the data breach, the relevant data subjects must be notified immediately. If the affected data subjects' contact information is not available, the notification should be made through other available methods, such as an announcement on the data controller's website.
4- Obligation to Keep Records of Breaches
The Resolution also states that data controllers must keep records of breaches and their consequences together with any precautions taken against such breaches, and must make these records readily available to the Board for inspection.
5- Obligation to Prepare a Data Breach Intervention Plan
As per the Resolution, data controllers must prepare, and periodically review, a data breach intervention plan that determines matters such as the internal reporting line in the event of a data breach, the persons responsible for disclosures, and the assessment of the possible outcomes of data breaches.
6- Notification by Foreign Data Controllers
The Resolution also states that breaches of data held in the possession of a data controller residing abroad must also be disclosed to the Board in accordance with the same rules and procedures if the results of such breach affect data subjects residing in Turkey and the products and services provided are used by data subjects in Turkey.
7- Reporting Obligations of Data Processors
In line with other guidelines and explanations published earlier by the Board, the Resolution clearly states that unlawful third-party access to personal data kept by data processors should be disclosed to the affected data controllers without delay. It must be noted that the obligation to make the necessary notifications lies with the data controllers; therefore, the data controller will also need to notify the Board and the relevant data subjects of breaches occurring under the responsibility of data processors.