Özgün Law Firm

ABOUT THE OBLIGATION OF COMPANIES, NOT ESTABLISHED IN TURKEY, TO REPORT A PERSONAL DATA BREACH TO THE TURKISH AUTHORITY

We know that there have been serious personal data breaches recently, and unfortunately very serious personal data breaches continue to occur in Turkey. Most recently, it was reported to the Personal Data Protection Board (the competent authority on personal data in Turkey, "the Board") that a food and grocery products supplier operating across Turkey was the data controller in a breach in which the personal data of more than 22 million people were captured illegally.

The magnitude of the recent breaches is pushing the personal data authority to be much more careful about this issue, and is forcing it to be far more uncompromising in imposing penalties for personal data breaches. Data controllers should therefore now be very careful about data breaches, and should carry out the "notification of the breach to the Board", which follows any data breach, carefully and quickly so that the breach is resolved with the least possible damage.

Another important point for companies established in the EU is that, in case of a data breach, it will not be sufficient for them to file their application with the EU personal data authority only. The Turkish Data Protection Authority has stated that even a minor data breach experienced by a company established abroad must, in some cases, be reported to the Turkish authority as well, under the Turkish Law on Protection of Personal Data and all related applicable regulations.

A.) DOES THE CONCEPT OF A DATA BREACH HAVE THE SAME MEANING UNDER GDPR AND TURKISH REGULATIONS?

The concept of "personal data breach" is defined by the European General Data Protection Regulation ("GDPR") as follows: "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

According to Section 12 of the Law on Protection of Personal Data, the applicable law across Turkey, a data breach is defined as "the acquisition of personal data processed by others by illegal means". In other words, under the applicable Turkish regulations, personal data must actually be seized by others in breach of the law for a data breach to occur. Therefore, not every event that qualifies as a data breach under the GDPR needs to be reported to the Board.

B.) IN WHAT CASES SHOULD A FOREIGN COMPANY NOTIFY THE TURKISH PERSONAL DATA AUTHORITY?

The 5th Paragraph of the 12th Section of Law nr. 6698 on Protection of Personal Data, which is the applicable law on protection of personal data in Turkey, sets out that where processed personal data are obtained by illegal means, the data controller is required to notify the concerned person(s) and the Personal Data Protection Board as soon as possible.

Furthermore, the Personal Data Protection Board, which is the competent authority in Turkey, issued the Decision dated 24.01.2019 and numbered 2019/10 in order to ensure that the process to be followed in Turkey in case of a data breach is in line with the General Data Protection Regulation (GDPR).

Under the said Decision, the Board has also indicated that where a data breach occurs at a data controller established abroad, that data controller is required to report the case to the Board under the same principles if the outcomes of the breach would affect real persons who are the "data owners" and are resident in Turkey, and those persons make use of the respective products and services in Turkey.

C.) WITHIN WHAT PERIOD AFTER A DATA BREACH MUST THE BOARD BE NOTIFIED?

Under the Decision, the Board has indicated that the data controller is required to report the case to the Board within a maximum of 72 hours after becoming aware of the data breach. If the case is not reported within 72 hours of becoming aware of the breach, the valid reasons for the late reporting must also be included in the notification served after the 72 hours. The Decision also indicates that the affected concerned persons (data owners) should be contacted directly and informed of the data breach as soon as possible, and if that is not possible, the data breach should be announced through a publication posted on the website.

The Board does not set separate notification periods for foreign companies and Turkish companies: foreign companies must also notify the Board within this 72-hour period. However, it will take a company with no presence in Turkey a considerable amount of time to learn that it must report the breach to the authority in Turkey and to carry out the notification process. Foreign companies should therefore make a point of stating these circumstances as the reason for the delay in any notification served after 72 hours.

D.) HOW IS A DATA BREACH NOTIFICATION SERVED AND WHAT SHOULD BE SPECIFIED UNDER THE NOTIFICATION?

A data breach notification may be served by sending the "breach notification form" to the Board electronically by e-mail or physically by mail, or by using the data breach notification platform available on the official website of the Board.

As per the Data Breach Notification Form that the Board requires to be filled in, the details listed below should be disclosed to the Board; if it is not possible to report all of these details at once, the Board may be notified of the remaining details gradually.

1. Trade name/full name of the data controller

2. Address of the data controller

3. Details of the person who issues the notification for and on behalf of the data controller (contract/power of attorney if a person other than the data controller serves the notification)

4. Date and time of commencement of the breach

5. Date and time of ending of the breach

6. Date and time of detection of the breach

7. If the breach has been reported to the data controller by the data processor, details of such notification and of the data processor (a copy of the notification, such as a letter or e-mail message, etc.)

8. Detailed information on the source of the breach, and how it occurred

9. Detailed information on the effects of the breach

10. Detailed information on how the breach was detected, and supporting documents, if any

11. All categories of the affected personal data (data such as ID, medical data, ethnic origin, etc. should be listed separately)

12. Number of affected persons, and of records thereof

13. Groups of affected persons, and effects thereof (affected persons should be classified as employees, subscribers, customers, etc., and the possible effects of the breach on such persons should be indicated)

14. If the notification is reported to the Board after 72 hours, the reason for the late notification

15. Detailed information on whether the affected persons have been notified or not, and if not, the reason(s) therefor and when such notification will be served

16. Date of notification served/to be served to the concerned persons

17. Detailed information on the method of notification served/to be served to the concerned persons

18. Means of communication enabling the concerned persons to obtain information about the data breach (website, etc.)

19. Whether any other national organizations or institutions have been/will be informed or not (law enforcement, supervisory institutions, etc.)

20. Whether any other international data protection authorities or concerned institutions have been/will be informed about the breach or not

21. Probability of the concerned persons being exposed to material adverse effects due to the breach (the extent of the potential effects on the concerned persons must be assessed in order to determine the level of the data breach. The nature of the breach, the reason for it, the type of breached data, the measures taken to reduce the effects of the breach, and the categories of the affected concerned persons should be considered while assessing these potential effects. The effects should then be classified as very high, high, moderate, low, or not known.)

22. Effects of the breach on your organization (such effects should be classified as very high, high, moderate, low, or not known)

23. What kinds of training the employees have received regarding such breaches in the last year (supporting documents should be submitted)

24. What kinds of technical and administrative measures were taken to prevent this kind of breach before the respective breach occurred (supporting documents should be submitted)

25. Technical and administrative measures taken or planned after the occurrence of the respective breach, and information on the estimated time of completion of such measures (please indicate the measures taken to solve the problem and eliminate the adverse effects, for example: accidental disposal of data, ensuring password security, data security training planning, etc. Supporting documents should also be submitted.)

FINALLY…

If a company established outside Turkey, whether in the EU or elsewhere, has suffered a personal data breach and persons resident in Turkey are also affected by that breach in some way, it will not be enough for the company to report the breach to the personal data authority in the country where it is established; it will also need to report it to the Turkish personal data authority. Where possible, this notification should be served within 72 hours with as many details as are available at the time of the breach, and if the notification is served after 72 hours, the reasons for the delay should be explained in detail.

Att. Serdar Darama
