Data Breach Notification Requirement
The Turkish Personal Data Protection Authority ("The Authority") issued an important decision regarding procedure and principles to be followed regarding 'data breach notifications' on its website on 15 February 2019.
The Law on Protection of Personal Data numbered 6698 ("DP Law") provides that in case of a data breach, the Authority and the affected data subjects shall be notified of the relevant breach as soon as possible. Considering that the term "as soon as possible" is vague and created confusion among data controllers with regards to the timing of the notification, the Authority decided to make the notification period clearer and more limited.
According to the decision, the Authority decided; with a reference to the notification term included under the General Data Protection Regulation ("GDPR"), that in case of a data breach, the data controllers shall notify the Authority within 72 hours of becoming aware of the breach. The data controllers will also have to notify the affected data subjects as soon as possible after determining their identities. If possible, the controller should reach the affected data subjects directly. If this is not possible (e.g. if the controller does not have a direct contact information of the affected data subjects), the data controller should take other appropriate measures to inform the affected individuals, such as publishing the breach on its website. Where the notification to the Authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Another important point in the decision of the Authority concerns foreign data controllers. The Authority decided that, even if the data breach occurred outside of Turkey, the related foreign data controller shall notify the Authority within 72 hours if data subjects residing in Turkey (and receiving the goods or services of the data controller from Turkey) are affected due to the breach. This means that data controllers, which are not established in Turkey, are nevertheless under the obligation to notify the Authority and the affected data subjects of the data breach if data subjects residing in Turkey are affected due to the breach.
In the decision, the Authority stated that it will accept partial notifications made within 72 hours valid if it is not be possible for the data controller to fully cover all aspects of the relevant the data breach, so long as the controller provides reasonable justifications for such notification. Therefore, it is advisable for a data controller to notify the Authority within 72 hours with the limited information at hand in case of a data breach, and provide additional information, which may surface after a thorough investigation, at a later time.
The Authority also published a template Data Brach Notification Form on their website. The form is expected to be used when making data breach notifications to the Authority.
Lastly, it will be beneficial to briefly mention two key differences between the GDPR and the DP Law with regards to data breaches.