The Personal Data Protection Board ("Board") published its decision ("Decision") dated January 24, 2019 and numbered 2019/10 on its website. The Decision concerns the principles and procedures regarding data breach notification. Accordingly, data controllers must notify the Board of data breaches without delay and within 72 hours at the latest.
What Does the Decision Say?
Pursuant to Article 12/5 of Law No. 6698 on Personal Data Protection, in case processed personal data is acquired by others through unlawful means, data controllers must notify the data subject and the Board of this situation as soon as possible. In its decision, the Board states that the term "as soon as possible" should be construed as "within 72 hours". In this respect, data controllers must notify the Board of a data breach without delay and within 72 hours at the latest. Data controllers must use "The Personal Data Breach Notification Form", available on the Board's website, to notify the Board. Additionally, data controllers must notify the affected data subjects directly or, if this is not possible, by other appropriate means such as publishing information regarding the data breach on their websites.
The Decision is available here (in Turkish).
The Board continues to provide guidance on data controllers' obligations under the Data Protection Law. Considering that failure to comply with the data security obligations may be subject to administrative fines ranging from TRY 15,000 to 1,000,000, data controllers must carefully follow the Board's guidance and decisions on data controllers' obligations and take the necessary steps to ensure compliance.