One of most undesirable things to happen in an organization is a personal data breach. But, nevertheless, they may happen. Under many data protection legislations, including GDPR and Turkish Law on Protection of Personal Data, the data controller organizations are expected to make certain notifications to data protection authorities and, under certain conditions, to data subjects in such cases. When making such notifications, there are often rules to be followed by the controllers in order to lawfully comply with their notification obligation.

We have compiled the most frequently asked questions and their answers regarding data breach notifications to be made under Turkish data protection laws.

  1. What is considered as a "data breach"?

Under Article 12 of the Law on Protection of Personal Data no. 6698 ("DP Law"), any incident which results in the personal data processed to be acquired by 3rd parties through unlawful means are considered as a data breach. 'Unlawful means' does not only include actions carried out with criminal purposes; accidental disclosure (e.g. sending an e-mail containing personal data to wrong recipient) or disclosure due to technical problems (e.g. a marketplace that causes its users inadvertently to log into accounts of others) will be considered as data breaches.

Please note that, unlike under GDPR, alteration or destruction of processed personal data is not regarded as personal data breach under Turkish Law. Such incidents will not be expected to be notified.

  1. As a data processor, do we need to make a notification should we found out a breach have had happened in our organization?

Data processors are not explicitly obliged to make the data breach notifications, but Authority expects data processors to notify the data controller that they were processing personal data on behalf of.

Data breach notification obligations is brought for data controllers under the DP Law; therefore, it is not applicable directly to data processors – but in its decision regarding data breach notifications the Personal Data Protection Board declared that "If the personal data held by the data processor is obtained by others by unlawful methods, the data processor shall notify the data controller without any delay".

However, should the breached data include personal data that you were processing in a data controller status, you will be obligated to make the notification in relation to this data. For example, should the employee data of a cloud data storage provider be breached, the cloud provider would be expected to notify the board and its employees regarding the breach.

  1. What kind of breaches should be notified to Board and data subjects?

Any incident which results in the personal data processed to be acquired by 3rd parties through unlawful means considered as a data breach and is expected to be notified.

The DP Law and secondary legislation do not provide any exceptions, thresholds or limitation for a breach to trigger the notification obligation. Consequently, the DP Law would require the notification of such a breach even if it involves the personal data of a single data subject.

As opposed to the GDPR, the DP Law does not make any distinctions between high-risk and low-risk breaches or the number of individuals affected by the data breach.

  1. Who should be notified?

Under the DP Law, it is mandatory to notify the Authority and the data subjects whose data have been affected by the data breach.

  1. When the notification should be made?

Within 72 hours of becoming aware of the breach.

The DP Law states the notifications to be made 'as soon as possible' upon becoming aware of the breach. Nevertheless, in one of its binding decisions, the Authority declared that in case of a data breach, the data controllers are expected to notify the Authority within 72 hours after becoming aware of the breach.

In its decision regarding data breach notification procedure, the Board have granted the data controllers an option to make gradual notifications if full information regarding the breach is unable to be provided (e.g. an investigation is still ongoing regarding the breach). Also, data controllers can also make late notifications on the condition that they are able to provide legitimate reasons for the delay along with the notification.

  1. What is the due procedure for making notifications? What information is necessary to be provided?

The notification to the Authority shall be made via the prescribed form that the Authority published on its website which can be found in English here. The form can be sent to the Authority via an online data breach notification portal (currently only in Turkish).

There are no specific instruments to be used for notification to be made to data subjects. However, according to a decision published by the Authority, notification to be made by the controller to the data subject should be made in a clear and simple language and should consist at least the followings;

- Time of the data breach,

- Personal data categories (by distinguishing between personal data / special categories of personal data) affected by the breach

- Possible consequences of personal data breach,

- Measures taken or proposed to reduce the negative effects of data breach,

- The name and contact details of the contact persons or contact addresses such as the website of the data controller, call, center etc. to provide information about the data breach to data subjects.

The data controllers are expected to notify such data subjects directly if it can reach their contact address. Otherwise, through appropriate methods such as via web page of the data controller within the reasonably shortest time.

  1. We are a foreign data controller. Are we subjected to notification procedure under Turkish data protection law?

If the breach affects data subjects in Turkey, yes.

In its binding principle decision concerning personal data breach notifications, the Board have stated foreign data controllers shall be under the obligation to make notifications should the breach affects data subjects residing in Turkey and the these data subjects are benefitting from the goods and services offered by the data controller, in Turkey.

Furthermore, in its previous case-law of the Data Protection Authority ("Authority"), there have been cases where the DP Law have been applied to data controllers that are not resident in Turkey but processing personal data or data subjects located in Turkey. For example, in some of the recent enforcement decisions of the Board concerning data breaches happened at data controllers who are foreign entities but processing personal data of Turkish citizens, the Board have applied separate fines for late notification of the breaches.

  1. What are the risks of notifying/not notifying a data breach?

You may face monetary fines.

As per Article 18 of the DP Law, should data controllers not satisfy the obligations set out under Article 12 (governing both the obligation to notify breaches and the obligations relating to data safety and security), the Authority may administer the data controller an administrative fine up to 1.802.640 TRY (approx. 300.000+ USD at time of writing). The Turkish DP Law also states that should data subjects have suffered any damage due to unlawful use of their data by the data controller they will also be able to file a legal claim for the compensation.

Based on previous published enforcement decisions of the Board, failure for notification often results in double fining of the controllers; one for not notifying (or notifying late) the breach and the other for not taking necessary measures to prevent the breach itself. Therefore, should a data breach have been occurred and such breach is not notified to the Authority, upon its inspection, the authority may sanction the data controller in question for its failure to comply with both of these requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.