Don't forget Turkish DPA in your Personal Data Breach Reporting Checklist

By now, we all know that the GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Controllers must notify the authorities within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, the controller must also inform those individuals without undue delay.

As a controller, you are required to have a robust breach detection, investigation and internal reporting procedures in place. This means that, if you are a global organization, you would also need to consider jurisdictions outside of EU to determine whether or not you need to notify the relevant non-EU supervisory authority and the affected individuals in those jurisdictions.

In fact Turkey is one of those jurisdictions that have strict personal data breach reporting requirements and failure to inform the Turkish Data Protection Authority ("TDPA") under Turkish Data Protection Law ("DPL"), on time (or without undue delay) is subject to monetary fines varying from TRY 7,352 to TRY 1,470,583. Although a latecomer to the privacy party, the Turkish DPA has already imposed monetary fines to international and Turkish controllers for delayed data breach reporting.

What is a personal data breach in Turkey? How is it different from GDPR?

"Data breach" is defined under GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Thus, GDPR's definition of data breach is quite broad compared to the DPL.

Like the Data Protection Directive (95/46/EC) ("Directive"), DPL does not specifically define "data breach". But article 12 which deals with data security, obliges processors to notify the TDPA and the data subject, as soon as possible, in case processed personal data are acquired by others through unlawful means. The TDPA, if necessary, may announce such data breach on its website or by other means which it deems appropriate.

Thus, it is fair to say that data breach reporting obligations under DPL is limited to unlawful acquisition of data by others. Acquisition (elde edilme) would presumably include access, receipt, transmission, use or otherwise making available of personal data.

A second difference is that unlike GDPR, currently, there are no exemptions for reporting of data breaches. In other words, the criterion of "degree of effect" has not been assumed by the TDPA and in principle every breach should be notified to the TDPA and data subjects.

What procedures must be followed for reporting to the TDPA?

Although the provision in the DPL regarding data breach reporting was not detailed, on 24 January 2019 the TDPA issued its decision about the procedures to be followed by the data controllers after a cybersecurity incident. Accordingly,

  • The phrase "as soon as possible" in the DPL for reporting of a breach should be evaluated as 72 to follow GDPR application and necessary explanation be made to the TDPA if such 72 hrs rule could not have been abided by the data controller
  • The TDPA prepared a form for data breach reporting (similar to ICO's form) and required for such form be filled in and sent to it in case of an incident
  • Data controllers are further required to inform data subjects within a reasonable time communicating the data breach directly to the contact address of the affected individuals. If this is not possible, communication must be made via other means, eg. by announcement via the data controller's web site etc.
  • The data controllers are also required to document and create a register of documents of data breach, its effects and taken measures and make it ready for the TDPA's inspection
  • In case the breach happens within the processes of a data processor, such data processor without delay should inform the data controller
  • A breach incident remedy plan to be prepared by data controllers and reviewed periodically

In case the breach incident is experienced by a foreign data controller, with the condition that such breach affects data subjects residing in Turkey or such data subjects who benefit from products and services in Turkey then such data controller should inform the TDPA and data subject to the same principles.

What is the Data Breach Reporting Form?

As per the TDPA's Decision dated and numbered 2019/10, controllers must use the form prepared by the TDPA for breach reporting. Should the information requested in the form cannot be provided at once, the reporting must be made in instalments without any delay. Updates must be given when more information is available. Any documentation supporting the information provided in the form must be attached to the report.

TDPA's reporting form is very extensive (similar to the GDPR reporting forms) and requires the controller to have very high-level comprehension of the breach as well as its effects.

It would be fair to say that, from a technical point of view, some information requested in the form are rather for a "GDPR-level breach reporting" and goes beyond the DPL.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.