The Data Protection Authority Reminded Data Controllers of Their Duty to Notify Data Subjects of Data Breaches and Clarified the Requirements for Due Notification

On 15 October 2019, the Turkish Data Protection Authority (“TDPA”) published its decision on "Minimum Requirements for Data Breach Notifications to be made to Data Subjects" (dated 18 September 2019 and numbered 2019/271), reminding data controllers of their duty to notify the data subjects, in addition to the Data Protection Board, and setting out the minimum requirements for due notification to the data subjects.

This came after two recent decisions of the TDPA (2019/254 and 2019/255), published this October, in which data controllers were fined for failing to notify a breach. Decision 2019/254 is especially notable: the TDPA imposed a fine of TRY 30,000 for failure to notify the data subjects, even though the controller had itself detected the breach and duly notified the TDPA. In the second decision, 2019/255, the TDPA imposed a total fine of TRY 100,000 for failure to notify the TDPA within the shortest time possible and for failure to notify the data subjects.

As you might recall, the procedures for data breach notifications to the TDPA were issued back in February 2019 with the TDPA's decision "Principles and Procedures of Personal Data Breach Notification" (dated 24 January 2019 and numbered 2019/10). See our article for a detailed explanation of breach reporting to the TDPA. In a nutshell, the TDPA said back then that data controllers must notify the TDPA within 72 hours of becoming aware of the breach. Additionally, data controllers are required to use the Data Breach Reporting Form when notifying the TDPA.

Now, with its new decision, the TDPA aims to clarify the procedure for the notifications that must be made to data subjects. This seemed necessary, as some data controllers were unsure how to handle notifications to the data subjects. The TDPA listed the following as the minimum information required for due notification of the data subjects:

  • Time of the breach
  • Categories of data affected (distinguishing between sensitive and ordinary personal data)
  • Possible consequences of the breach
  • Measures taken, or measures recommended to be taken by the data subjects, to reduce the negative consequences of the breach
  • Name, surname and contact details of the person who will inform the affected data subjects about the breach, or the data controller's full website address, call centre and similar communication channels

There is no doubt that, in order to act as promptly as the law requires, data controllers must have a data breach response plan, policies in place for data breach reporting, and an up-to-date data inventory. The inventory matters in practice: without it, a controller cannot reliably state which categories of data were affected, or whether sensitive data was involved, which the notification must set out. The 72-hour clock also runs from the moment the controller becomes aware of the breach, so the response plan must define how suspected incidents are escalated to the people responsible for notification. An effective data breach response plan can help data controllers comply with the regulatory requirements and reduce the reputational damage associated with a breach.