We know that there have been serious personal data breaches recently, and very serious personal data breaches continue to occur in Turkey. Most recently, it was reported to the Personal Data Protection Board (the competent authority on personal data in Turkey, “the Board”) that a food and grocery products supplier operating across Turkey, acting as data controller, had the personal data of more than 22 million people captured illegally.
The magnitude of the recent breaches is pushing the personal data authority to be much more careful about this issue. All these recent data breaches are forcing the competent authority to be far less compromising when imposing penalties for personal data breaches. Data controllers should therefore now be very careful about data breaches, and should carry out the "notification of the violation process to the Board", which follows a data breach, carefully and quickly so that such breaches are resolved with the least damage.
Another important consideration for companies established in the EU is that, in case of a data breach, it will not be sufficient for them to file their applications with the EU personal data authority only. The Turkish Data Protection Authority has stated that even a minor data breach experienced by a company established abroad should, in some cases, be reported to it under the Turkish Law on Protection of Personal Data and all related applicable regulations.
A.) DOES THE CONCEPT OF A DATA BREACH HAVE THE SAME MEANING UNDER GDPR AND TURKISH REGULATIONS?
The concept of “personal data breach” is defined by the European General Data Protection Regulation (“GDPR”) as follows: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
According to Section 12 of the Law on Protection of Personal Data, the applicable law across Turkey, a data breach is defined as “the acquisition of personal data processed by others by illegal means”. In other words, under the applicable Turkish regulations, personal data must be seized by others in breach of the law for a data breach to occur. Therefore, not every event that counts as a data breach under the GDPR needs to be reported to the Board.
B.) IN WHAT CASES SHOULD A FOREIGN COMPANY NOTIFY THE TURKISH PERSONAL DATA AUTHORITY?
The 5th Paragraph of the 12th Section of the Law nr. 6698 on Protection of Personal Data, which is the applicable law on protection of personal data in Turkey, sets out that where processed personal data are obtained through illegal means, the data controller is required to notify the concerned person(s) and the Personal Data Protection Board thereof as soon as possible.
Furthermore, the Personal Data Protection Board, which is the competent authority in Turkey, issued the Decision dated 24.01.2019 and numbered 2019/10 in order to ensure that the process to be followed in Turkey in case of any data breach is in compliance with the General Data Protection Regulation (GDPR).
The Board has also indicated, under the said Decision, that in case of a data breach at an internationally-based data controller, the data controller is required to report the case to the Board in accordance with the same principles if the outcomes of such breach would affect real persons who are the “data owners” and resident in Turkey, and the concerned persons make use of the respective products and services in Turkey.
C.) AFTER HOW MUCH TIME DOES THE BOARD NEED TO BE NOTIFIED AFTER THE DATA BREACH OCCURS?
The Board has indicated, under the Decision, that the data controller is required to report the case to the Board within a maximum of 72 hours after becoming aware of the data breach. If the case is not reported within 72 hours of becoming aware of the breach, the valid reasons for such late reporting should also be included in the notification served after the 72 hours. The Decision also indicates that the affected concerned persons (data owners) should be contacted directly and informed of the data breach as soon as possible, and if this is not possible, the data breach should be announced through a publication posted on the website.
The Board does not set a separate notification period for foreign companies and Turkish companies. Foreign companies must also notify within this 72-hour period. However, it will take considerable time for a company that does not have a board in Turkey to learn that it must report the breach to the authority in Turkey and to conduct the notification process. Foreign companies should therefore definitely indicate these issues as the reason for the delay in any notification served after 72 hours.
D.) HOW IS A DATA BREACH NOTIFICATION SERVED AND WHAT SHOULD BE SPECIFIED UNDER THE NOTIFICATION?
A data breach notification may be served by sending the “breach notification form” to the Board electronically by e-mail or physically by mail, or by using the data breach notification platform available on the official website of the Board.
As per the Data Breach Notification Form, which the Board requires to be filled in, the details listed below should be disclosed to the Board; if it is not possible to report all of these details at once, the Board may be notified of them gradually afterwards.
1. Trade name/Full name of the data controller
2. Address of the data controller
3. Details of the person who issues the said notification for and on behalf of the data controller (contract/power of attorney if any person other than the data controller serves the notification)
4. Date and time of commencement of the breach
5. Date and time of ending of the breach
6. Date and time of detection of the breach
7. If the breach has been reported to the data controller by the data processor, details of such notification and of the data processor (a copy of the notification, such as the letter or e-mail message, etc.)
8. Detailed information on the source of the breach, and how it occurred
9. Detailed information on the effects of the breach
10. Detailed information on how the breach was detected, and supporting documents, if any
11. All categories of the affected personal data (data such as ID, medical data, ethnic origin, etc. should be listed separately)
12. Number of affected persons, and of records thereof
13. Groups of affected persons, and effects thereof (affected persons should be classified as employees, subscribers, customers, etc., and the possible effects of the breach on such persons should be indicated)
14. If the notification is reported to the Board after 72 hours, the reason for such late notification
15. Detailed information on whether the affected persons have been notified or not, and if not, the reason(s) therefor and when such notification will be served to them
16. Date of notification served/to be served to the concerned persons
17. Detailed information on the method of notification served/to be served to the concerned persons
18. Means of communication enabling the concerned persons to obtain information about the data breach (web site, etc.)
19. Whether any other national organizations or institutions have been/will be informed, or not (law enforcement officers, supervisory institutions, etc.)
20. Whether any other international data protection authorities or concerned institutions have been/will be informed about the breach, or not
21. Probability of exposure of the concerned persons to material adverse effects due to the breach (the extent of the potential effects on the concerned persons must be assessed in determining the level of the data breach. The nature of the breach, its cause, the type of breached data, the measures taken to reduce the effects of the breach, and the categories of affected concerned persons should be considered while assessing these potential effects. Consequently, such effects should be classified as very high, high, moderate, low, or not known.)
22. Effects of the breach on your organization (such effects should be classified as very high, high, moderate, low, or not known.)
23. What kinds of training have the employees received regarding the breach in the last year? (Supporting documents should be submitted)
24. What kinds of technical and administrative measures had you taken to prevent such breaches before the occurrence of the respective breach? (Supporting documents should be submitted)
25. Technical and administrative measures you have taken or plan to take after the occurrence of the respective breach, and information on the estimated time of completion of such measures (please indicate the measures you have taken to solve the problem and eliminate the adverse effects; for example, accidental disposal of data, ensuring the security of passwords, planning data security training, etc. Supporting documents should also be submitted.)
FINALLY…
If a company established outside the EU or Turkey has suffered a personal data breach, and persons resident in Turkey are also affected by this breach in some way, it will not be enough for the company to report the breach to the personal data authority in the country where it is established; it will also need to report it to the Turkish personal data authority. If possible, this notification should be served within 72 hours with as many of the details as are known at the time, and if the notification is served after 72 hours, the reasons for the delay should be explained in detail.
Att. Serdar Darama