The Personal Data Protection Board (“Board“) published its decision (“Decision”) dated September 18, 2019 and No. 2019/271 on its website. The Board ruled that data breach notifications made to data subjects must include certain information such as the time the data breach occurred, the likely consequences of the data breach and the measures the data controller will take regarding the data breach.
What Does the Decision Say?
Pursuant to Article 12/5 of Law No. 6698 on Personal Data Protection, if other parties acquire processed personal data through unlawful means, data controllers must notify the data subject and the Board of this situation as soon as possible. In its decision, the Board states that data breach notifications to data subjects must be in clear and plain language and must include at least:
The Decision is available here (in Turkish).
The Board continues to provide guidance on data controllers’ obligations under the Data Protection Law. Considering that failure to comply with the data security obligations may be subject to administrative fines, data controllers must re-evaluate their processes in terms of the Decision and take the necessary steps to comply with it.