Insights

The Turkish Personal Data Protection Authority ("The Authority") issued an important decision regarding procedure and principles to be followed regarding 'data breach notifications' on its website on 15 February 2019.

The Law on Protection of Personal Data numbered 6698 ("DP Law") provides that in case of a data breach, the Authority and the affected data subjects shall be notified of the relevant breach as soon as possible. Considering that the term "as soon as possible" is vague and created confusion among data controllers with regards to the timing of the notification, the Authority decided to make the notification period clearer and more limited.

According to the decision, the Authority decided; with a reference to the notification term included under the General Data Protection Regulation ("GDPR"), that in case of a data breach, the data controllers shall notify the Authority within 72 hours of becoming aware of the breach. The data controllers will also have to notify the affected data subjects as soon as possible after determining their identities. If possible, the controller should reach the affected data subjects directly. If this is not possible (e.g. if the controller does not have a direct contact information of the affected data subjects), the data controller should take other appropriate measures to inform the affected individuals, such as publishing the breach on its website. Where the notification to the Authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Another important point in the decision of the Authority concerns foreign data controllers. The Authority decided that, even if the data breach occurred outside of Turkey, the related foreign data controller shall notify the Authority within 72 hours if data subjects residing in Turkey (and receiving the goods or services of the data controller from Turkey) are affected due to the breach. This means that data controllers, which are not established in Turkey, are nevertheless under the obligation to notify the Authority and the affected data subjects of the data breach if data subjects residing in Turkey are affected due to the breach.

In the decision, the Authority stated that it will accept partial notifications made within 72 hours valid if it is not be possible for the data controller to fully cover all aspects of the relevant the data breach, so long as the controller provides reasonable justifications for such notification. Therefore, it is advisable for a data controller to notify the Authority within 72 hours with the limited information at hand in case of a data breach, and provide additional information, which may surface after a thorough investigation, at a later time.

The Authority also published a template Data Brach Notification Form on their website. The form is expected to be used when making data breach notifications to the Authority.

Lastly, it will be beneficial to briefly mention two key differences between the GDPR and the DP Law with regards to data breaches.

1. According to the DP Law, changes in the integrity or availability of data are not regarded as data breaches. The Turkish Act specifies that a data breach that triggers a notification obligation only occurs if the data is accessed or seized by third parties without authorization (thus affecting confidentiality of personal data).
2. Secondly, the DP Law also does not distinguish data breaches to be notified to the Authority based on the impact of the breach or the number of affected individuals. Accordingly, the Authority and the data subjects should be notified of all data breaches even if very few data subjects are affected or the impact of the breach is considered to be low by the data controller.