1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
Yes, pursuant to the Turkish Data Protection Law No. 6698 ("TDPL"), in the event of a data breach, data controllers have a legal obligation to notify both the affected individuals and the Turkish Data Protection Board ("DPB").
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
Article 12(5) of the TDPL states that the data controllers are required to notify the affected individuals and the DPB if "the data processed is acquired by others through unlawful means".
The legislation does not specify the types of data that must be affected by the breach to trigger the notification requirement. Therefore, presumably data breaches relating to all personal data categories trigger the notification requirement if they are acquired by others through unlawful means.
We should note that, unlike the EU General Data Protection Regulation, the TDPL provides no exemptions to the notification requirement.
The TDPL imposes the notification requirement on data controllers, as they are primarily responsible for ensuring data security. That being said, if a data breach occurs at the level of the data processor, the data controller remains under the obligation to notify the DPB and the affected data subjects. Therefore, even though the TDPL does not impose the breach notification obligation on data processors, in practice data controllers generally require data processors, as a contractual obligation, to notify them in the event of a data breach. Further, under its decision dated 24 January 2019 and numbered 2019/10 ("Decision No. 2019/10"), the DPB advises that if the data processed by the data processor is acquired by others through unlawful means, the data processor should inform the data controller of this incident without undue delay.
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
Content of the Notice
The TDPL is silent as to the content of the breach notice. The DPA sheds light on what the content of the notice to the DPB should be in the Decision No. 2019/10 and the template notification form published on its website on 15 February 2019. The content of the said notification form is similar to the ICO’s data breach reporting form and includes the following subjects:
- Details on the Data Controller
  - Title/name and address of the data controller.
  - Name and contact details of third parties preparing the notification on behalf of the data controller (if any).
- Details on the Data Breach
  - Notification type (i.e., whether it is an initial notification or a follow-up notification).
  - Beginning, ending and detection date and time of the data breach.
  - If the breach was notified to the data controller by the data processor, the data processor’s name and address, and the date and time of the data processor’s detection of the breach and of its notification to the data controller.
  - Sources of the data breach and details on how the data breach happened.
  - Security aspects affected by the data breach (i.e., data confidentiality, data integrity and/or data availability/accessibility) and details of same.
  - Information on how the data breach was detected.
  - Categories of personal data affected by the data breach.
  - Number of persons and records affected by the data breach (and, if the numbers provided are estimates, the reasons why the exact number of affected persons and records could not be determined).
  - Data subject groups affected by the data breach.
  - Impact of the data breach on data subjects.
- Details on the Notifications Made
  - The reasons for delay, if the notification to the DPB could not be made within 72 hours of the detection of the data breach.
  - Details of the notification made to the data subjects (date and method of notification, and the communication channels through which the data subjects can obtain further information on the data breach).
  - Details on the breach notifications made or to be made to any other domestic or international organizations/institutions.
- Potential Consequences of the Data Breach
  - Severity of the potential impact of the data breach on the data subjects.
  - Severity of the potential impact of the data breach on the data controller’s organization.
- Details on the Measures Taken
  - Information on the training received during the past year by the employees involved in the breach.
  - Details of the technical and organizational measures taken by the data controller to prevent such breaches prior to the occurrence of the breach in question.
  - Details of the technical and organizational measures taken or planned to be taken by the data controller after the occurrence of the breach in question.
  - Estimated time for completion of the technical and organizational measures planned to be taken by the data controller after the occurrence of the breach in question.
If a data controller cannot provide all of the information requested in the form at once, the DPB requires it to make an initial notification without delay with the information it has, and to provide further information at a later stage as it becomes available.
On the other hand, the DPA also sheds light on the content of the notice to the affected data subjects by publishing the DPB’s decision dated 18 September 2019 and numbered 2019/271 ("Decision No. 2019/271"). According to Decision No. 2019/271, the notices to data subjects should include at a minimum the following subjects:
- Date and time of the data breach
- Categories of personal data affected by the data breach (e.g., personal data / special categories of personal data)
- Possible outcomes of the data breach
- Measures taken or advised to be taken in order to mitigate/compensate the negative effects of the data breach
- Details of the channels from where the affected data subjects can obtain further information regarding the data breach (e.g., name and contact details of the contact person, address of data controller’s relevant website, telephone number of the call center, etc.)
It is worth noting that, under Decision No. 2019/271, the DPB underlined the importance of using clear and plain language when notifying data subjects of a data breach.
Timing of the Notice
Article 12(5) of the TDPL states that the notification should be made "within the shortest time". The DPB further elaborated the time period under the Decision No. 2019/10 by stating that the term "within the shortest time" should be interpreted to mean within 72 hours. The DPB further elaborated in the aforementioned decision that the data controllers should notify (i) the DPB without delay and no later than 72 hours after having become aware of it and (ii) the affected data subjects within the shortest possible time after the affected persons are identified.
Method of the Notice
The TDPL is silent on the method of the notice; this is elaborated in the DPB’s decisions.
The methods for notifying the DPA and the affected individuals are different. Data controllers planning to make a breach notification to the DPA should fill in the notification form and submit the completed form to the DPB together with the documentation supporting the information provided in the form.
There are several options for filing the form with the DPB. Previously, a data controller could fill in the template form published on the DPA’s website and then send the form either (i) by e-mail to the DPA’s relevant e-mail address (i.e., firstname.lastname@example.org) with the subject line "Personal data breach notification", or (ii) by post. As of 6 January 2020, the DPA has also established an online portal designated for data breach notifications (https://ihlalbildirim.kvkk.gov.tr/), through which data controllers can fill in and submit the form to the DPB. For the time being, data controllers are free to choose any of the three methods for delivering the breach notification to the DPA.
On the other hand, the method for notifying the affected data subjects is not rigidly regulated. According to Decision No. 2019/10, if a data controller has the contact details of the affected data subjects, then it should directly contact the data subject. However, if a data controller does not have the contact details of the affected data subjects, then it should notify them through other appropriate methods, such as publishing an announcement on its website.
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
Pursuant to Article 18 of the TDPL, failure to comply with the data breach notification obligation may result in an administrative fine of between TRY 27,025.23 and TRY 1,801,901.70 (up to approx. EUR 273,000).
1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
As explained above, there is indeed a legal obligation to notify the DPB and the individuals in case of a data breach. Further, as per Decision No. 2019/10, if the breach in question affects data subjects residing in Turkey and those data subjects benefit from products and services in Turkey, data controllers abroad are under the same obligation to notify the DPB as data controllers located in Turkey. In practice, there have also been various cases in which foreign data controllers have notified data breaches that occurred in their own business or at the level of their data processors.
1.6 What are the applicable data protection laws or guidelines within your country?
The primary piece of legislation for the protection of personal data is the TDPL. It was adopted on 24 March 2016 as the first comprehensive data protection law of the Republic of Turkey, as part of Turkey’s long-standing efforts to align its national legislation with that of the European Union, and most of its provisions came into force on 7 April 2016.
Following the enactment of the TDPL and the establishment of the DPA, secondary legislation has also been published. As of today, the DPA has published seven regulations. The majority of these regulations govern the internal administration of the DPA and the DPB; two regulations mainly set out the rules applicable to data controllers, namely the Regulation on the Registry of Data Controllers and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data. In addition to the DPA, the Ministry of Health has issued the Regulation on Personal Health Data. There are also sector-specific regulations for the processing of personal data in regulated sectors, such as the Regulation on the Protection and Processing of Personal Data in the Electronic Communications Sector issued by the Information and Communication Technologies Authority.
In addition to the regulations, the DPA has also published several communiqués and principal decisions of the DPB governing various issues relating to the protection of personal data, as well as several guidelines on the application of the rules under the legislation. Although these guidelines do not have the same status as legislation, they are valuable as they provide insight into the DPA’s interpretation of the TDPL and the secondary legislation thereunder.
Although the TDPL is the law primarily regulating data processing, the Constitution of the Republic of Turkey also protects the data protection rights of individuals. Article 20(3) of the Constitution, as amended in 2010, ensures that every person has the right to the protection of their personal data. This right also includes the right to be informed about the processing of their personal data, the right of access, the right to rectification or deletion, and the right to be informed about whether their personal data is being used in accordance with its processing purposes. The Constitution also states that personal data may be processed only in cases allowed under the law or on the basis of the data subject’s explicit consent.
Further, the Turkish Criminal Code No. 5237 names certain criminal offences relating to personal data (namely, the unlawful recording of personal data, the unlawful sharing, publication, or retrieval of personal data, and failure to erase or anonymize data within the time limit contemplated for such data by the applicable law) and the relevant sanctions.
In addition to the foregoing, various other pieces of legislation under Turkish law, including inter alia the Turkish Code of Obligations, the Turkish Commercial Code, the Labor Law, the Banking Law, the Law on Bank Cards and Credit Cards, the Law on Electronic Commerce, the Electronic Communications Law, and their secondary legislation, also include provisions relating to the processing of personal data.
1.7 Contact information for Data Protection Authority:
Turkish Data Protection Authority
Nasuh Akar Mahallesi 1407. Sok. No:4, 06520 Çankaya/Ankara Turkey
+90 312 216 50 00
For more information, contact:
Kayra Üçer, Deniz Tuncel, Melike Gençalp, Onur Sümer
Hergüner Bilgen Özeke Attorney Partnership
Büyükdere Caddesi 199, Levent 34394, Istanbul, Turkey
+90 212 310 1800
+90 212 310 1899