Minimum Requirements in Data Breach Notifications Addressing Data Subjects
Updated: Oct 30, 2019
On October 15, 2019, the Turkish Personal Data Protection Authority ("the Authority") published a new decision, numbered 2019/271, on the minimum requirements that data breach notifications addressed to data subjects must contain.
According to paragraph 1 of Article 12 of the Law on the Protection of Personal Data No. 6698 ("the Law"), data controllers are obliged to take all necessary technical and administrative measures to ensure an appropriate level of security in order to:
a) Prevent unlawful processing of personal data,
b) Prevent unlawful access to personal data,
c) Ensure the safekeeping of personal data.
Paragraph 5 of the same article stipulates that if processed personal data is obtained by unauthorized persons through unlawful means, the data controller shall notify the data subjects and the Authority as soon as possible. Where necessary, the Authority may announce the breach on its official website or through other methods it deems appropriate. Further, in its decision on the same issue dated January 24, 2019, the Authority stated that persons affected by a data breach should be informed of it as soon as possible: where a person's contact address can be reached, they are to be notified directly; where it cannot, the notification should be made by publishing the details of the breach on the data controller's own website. In this context, the Authority has now determined the minimum elements that such a notification must contain.
Firstly, according to the said decision of the Authority, the breach notification should be written in clear and plain language. In addition, the notification shall contain at least the following elements:
● When the data breach occurred,
● Which personal data is affected by the breach (ordinary personal data or special categories of personal data),
● The possible consequences of the personal data breach,
● The measures taken, or proposed to be taken, to mitigate the adverse effects of the breach,
● The name and contact details of the persons from whom data subjects can obtain information about the breach, or the full address of the data controller's web page, call center and other contact channels.
The data controller should take the necessary measures as soon as possible to minimize the harm suffered by persons affected by the breach. Affected persons must be informed of the breach within a reasonable time, and the notification must contain at least these minimum elements so that protective measures can be taken without delay.
Failure to notify a data breach as required by paragraph 5 of Article 12 of the Law is subject to an administrative fine. Although the fine is set out for cases where no notification is made at all, an incomplete notification may attract the same penalty. Therefore, the data breach notification should be made as soon as possible and should contain at least the minimum elements listed above.