Under Turkish data protection rules, data controllers (including foreign data controllers) must notify the data subjects and the Data Protection Authority (the “DPA”) as soon as possible if personal data has been obtained by others through unlawful means. The DPA may announce the breach on its website or through other means.
With its decision dated January 24, 2019, the DPA, in line with the General Data Protection Regulation (GDPR), imposed a 72-hour window for data breach notifications made to the DPA. No specific timeframe has been set for notification to data subjects: they must be notified as soon as reasonably possible.
Formal requirements, content of notification
When notifying the DPA, data controllers must use the “Personal Data Breach Notification Form” available on the DPA’s website and send it to the DPA’s designated email address (email@example.com) or deliver a physical copy to the DPA’s address. In addition, the DPA has recently announced that the notification may also be made online by filling out the aforementioned form through the notification system at ihlalbildirim.kvkk.gov.tr.
The form consists of the below:
- Information about the data controller
- Information about the breach
- Potential consequences
- Consequences of the breach
- Measures taken
If all information cannot be provided at the same time, then remaining information can be provided if and when available, without delay.
For notification to data subjects, there is no formal requirements but in accordance with the DPA’s decision dated September 18, 2019, should include:
- Date/time of the breach
- Type of data affected (regular personal data and sensitive data to be specified)
- Possible outcomes of the breach
- Measures that should be taken or have been taken in order to reduce the impact of the breach
- Contact information for any queries
Data controllers may reach out to data subjects through their contact information, if known by the data controller, and/or announce the above listed information on their websites.