The Personal Data Protection Board (“Board”) published its decision (“Decision”) dated September 18, 2019 and numbered 2019/271 on its website. The Board ruled that data breach notifications made to data subjects must include certain information such as the time the data breach occurred, the likely consequences of the data breach and the measures the data controller will take regarding the data breach.
What Does the Decision Say?
Pursuant to Article 12/5 of Law No. 6698 on Personal Data Protection, if other parties acquire processed personal data through unlawful means, data controllers must notify the data subject and the Board of this situation as soon as possible. In its decision, the Board states that data breach notifications to data subjects must be in clear and plain language and must include at least:
- The time the data breach occurred
- Categories of data (personal data/special categories of personal data) concerned
- Likely consequences of the personal data breach
- Measures taken or proposed to be taken by the data controller to address the personal data breach and to mitigate its possible adverse effects
- The name and contact details of the contact points where data subjects may obtain more information or means of communication such as the data controller’s website, call center, etc.
The Decision is available here (in Turkish).
The Board continues to provide guidance on data controllers’ obligations under the Data Protection Law. Considering that failure to comply with the data security obligations may be subject to administrative fines, data controllers must re-evaluate their processes in light of the Decision and take the necessary steps to comply with it.