As per the 1st paragraph of Article 12 of the Personal Data Protection Law No. 6698 (“DP Law”), the data controller must take all necessary technical and organizational measures for the following purposes:
· To prevent the unlawful processing of personal data,
· To prevent unlawful access to personal data,
· To ensure the protection of personal data.
The technical and organizational measures are set forth in detail within the scope of the Personal Data Security Guide published on the official website of the Personal Data Protection Authority ("Authority").
As per the 5th paragraph of Article 12 of the DP Law, in the event of a data breach the data controller is obliged to notify (i) the data subjects affected by the breach and (ii) the Personal Data Protection Board (“Board”) “within the shortest time”. To avoid inconsistency between its decisions and to standardize practice, the Board interpreted the phrase “within the shortest time” in its Decision dated 24.01.2019 and numbered 2019/10 as follows:
· First, the Board decided that, for notification to the Board, “within the shortest time” must be interpreted as 72 hours from the date on which the data controller becomes aware of the breach. Where notification to the Board cannot be made within 72 hours for a justified reason, the reasons for the delay must be reported to the Board together with the notification, which must then be made without any further delay.
· As for notification to the data subjects affected by the breach: once the affected data subjects have been identified, if their contact addresses are known, they must be notified directly via those addresses “in the shortest reasonable time”; otherwise, notification must be made by appropriate means, such as an announcement on the data controller’s own website, “in the shortest reasonable time”. (In notifications to affected data subjects, in addition to the matters set out in other Board decisions on data breach notifications, the Board decision dated 18.09.2019 and numbered 2019/271, which specifically sets out the minimum content of such notifications, must also be taken into account.)
· The Board also decided that a data processor must notify the data controller “without any delay” of a data breach occurring under the processor’s responsibility. (Note that the data controller cannot evade its own responsibility on the grounds that the data processor deliberately notified it late, without prejudice to the controller’s right of recourse against the processor. As soon as the data controller becomes aware of the breach, it must initiate the notification process described here.)
· In addition, the Board stated that the information regarding the data breaches, the effects and the measures taken must be recorded and that the Personal Data Breach Notification Form on the official website of the Authority must be used in the notifications to be made.
· Finally, the Board decided that a data breach response plan (covering, among other matters, the evaluation of the possible consequences of a data breach and the designation of the person responsible for handling data breach cases) must be prepared in advance and reviewed periodically.
In addition, the Board decided that a data controller resident abroad must also make data breach notifications in accordance with the principles above in cases:
i. where the consequences of the data breach affect data subjects residing in Turkey, and
ii. where those data subjects benefit from products and services offered in Turkey.