FAQ: On Making Data Breach Notifications In Turkey

This FAQ Note on Making Data Breach Notifications in Turkey sets forth the most frequently asked questions and their answers regarding data breach notifications to be made in accordance with Turkish data protection legislation.

1.          What is considered as a “data breach”?

Under Article 12 of the Law on Protection of Personal Data no. 6698 (“DP Law”), any incident which results in the personal data processed to be acquired by 3rd parties through unlawful means are considered as a data breach. 

2.          Do data processors need to make a notification should they found out a breach have had happened in their organization?

Data processors are not explicitly obliged to make the data breach notifications, but the Data Protection Authority (“Authority”) expects data processors to notify the data controller that they were processing personal data on behalf of.

Data breach notification obligations is brought for data controllers under the DP Law; therefore, it is not applicable directly to data processors – but in its decision regarding data breach notifications the Personal Data Protection Board (“DP Board”) declared that “If the personal data held by the data processor is obtained by others by unlawful methods, the data processor shall notify the data controller without any delay”. However, should the breached data include personal data processed in a data controller status, the notification should be made in this regard.

3.          Who should be notified?

Under the DP Law, it is mandatory to notify the DP Board and the data subjects whose data have been affected by the data breach.

4.          When the notification should be made?

The DP Law states the notifications to be made ‘as soon as possible’ upon becoming aware of the breach. Nevertheless, in one of its binding decisions, the DP Board declared expression of “as soon as possible” should be interpreted as within 72 hours after becoming aware of the breach.  In case of a data breach, the data controllers are expected to notify the DP Board within 72 hours after becoming aware of the breach and notify the data subjects whose data have been affected within a reasonable time.

In its decision regarding data breach notification procedure, the DP Board have granted the data controllers an option to make gradual notifications if full information regarding the breach is unable to be provided (e.g. an investigation is still ongoing regarding the breach). Also, data controllers can also make late notifications on the condition that they are able to provide legitimate reasons for the delay along with the notification.

5.          What is the due procedure for making notifications? What information is necessary to be provided?

The notification to the DP Board shall be made via the prescribed form that the Authority published on its website which can be found in English here. The form can be sent to the DP Board via an online data breach notification portal (currently only in Turkish).

There are no specific instruments to be used for notification to be made to data subjects. However, according to a decision published by the Authority, notification to be made by the controller to the data subject should be made in a clear and simple language and should consist at least the followings;

-      Time of the data breach,

-      Personal data categories (by distinguishing between personal data / special categories of personal data) affected by the breach

-      Possible consequences of personal data breach,

-      Measures taken or proposed to reduce the negative effects of data breach,

-      The name and contact details of the contact persons or contact addresses such as the website of the data controller, call, center etc. to provide information about the data breach to data subjects.

The data controllers are expected to notify such data subjects directly if it can reach their contact address. Otherwise, through appropriate methods such as via web page of the data controller within the reasonably shortest time.

6.          Do foreign data controllers are subjected to notification procedure under Turkish data protection law?

If the breach affects data subjects in Turkey, yes. In its binding principle decision concerning personal data breach notifications, the DP Board have stated foreign data controllers shall be under the obligation to make notifications should the breach affects data subjects residing in Turkey and the these data subjects are benefitting from the goods and services offered by the data controller, in Turkey.

Furthermore, in its previous case-law of the Authority , there have been cases where the DP Law have been applied to data controllers that are not resident in Turkey but processing personal data or data subjects located in Turkey. For example, in some of the recent enforcement decisions of the DP Board concerning data breaches happened at data controllers who are foreign entities but processing personal data of Turkish citizens, the DP Board have applied separate fines for late notification of the breaches.

7.          What are the risks of notifying/not notifying a data breach?

Monetary fines may be applicable. As per Article 18 of the DP Law, should data controllers not satisfy the obligations set out under Article 12 (governing both the obligation to notify breaches and the obligations relating to data safety and security), the Authority may administer the data controller an administrative fine up to 1.802.640 TRY (approx. 263.000+ USD at time of writing). The Turkish DP Law also states that should data subjects have suffered any damage due to unlawful use of their data by the data controller they will also be able to file a legal claim for the compensation.

Based on previous published enforcement decisions of the DP Board, failure for notification often results in double fining of the controllers; one for not notifying (or notifying late) the breach and the other for not taking necessary measures to prevent the breach itself. Therefore, should a data breach have been occurred and such breach is not notified to the Authority, upon its inspection, the authority may sanction the data controller in question for its failure to comply with both requirements. 

Additionally, it should be stated that pursuant to Article 12/5 of the DP Law it is stated that where necessary, the DP Board may announce such breach at its official website or through in any other way it deems appropriate. Although such authority of the DP Board is not a statutory requirement, the DP Board’ approach in this respect is using mentioned authority frequently and announcing data breaches at its official website.