Data breach notification obligation under Turkish data protection law
In Turkey, the Law on Protection of Personal Data numbered 6698 (the “Law”) requires data controllers to take all necessary technical and administrative measures to ensure the appropriate level of security, in order to prevent unlawful processing of personal data and unlawful access to personal data, and to safeguard personal data. Further, if the data processed is obtained or accessed by third parties through unlawful means, the data controller is obliged to inform the relevant persons affected by the breach and to notify the Board of the Turkish Data Protection Authority (the “Board”) “as soon as possible”. The Board may then, if necessary, declare the breach on its website or by any other method it deems appropriate.
The data breach notification requirement is regulated under the European General Data Protection Regulation (GDPR), which is the source of the Law to a certain extent. The Board takes into account the GDPR’s rules on data breach notifications when interpreting “as soon as possible”. In order to avoid any inconsistency between the decisions to be taken by the Board and to provide a standardized practice, the Board stated in its decision dated 24.01.2019 and numbered 2019/10 that “as soon as possible” must be understood as within “72 hours”, as ruled under the GDPR. Within this scope, the data controller must notify the Board within “72 hours” at the latest as of the date of learning of the breach, and must determine and notify the persons affected by the data breach as soon as possible within a reasonable time. If the contact address of the person can be reached, such persons will be informed directly; if not, the notification will be made by appropriate methods such as publication of the breach on the data controller’s website.
If the data controller cannot notify the Board within 72 hours for a justifiable reason, the reasons for the delay must be explained to the Board along with the notification.
An administrative fine of up to TL 1,4 m can be imposed under the Law if this notification obligation is not fulfilled. Unlike the GDPR, the Law requires notification of each and every data breach to the Board and to the affected data subjects. It is therefore expected that the data controller will report any and all events without assessing whether the affected data subject will be exposed to risks as a result of the breach. However, this procedure seems to be contrary to the normal flow of life, considering that even sending an e-mail to the wrong address is considered a data breach, whereas under the GDPR not all cases are subject to notification where they cause no risk to the data subject.
In determining the administrative fine applicable to a breach of the notification obligation, certain criteria are without doubt taken into account, such as how long the violation went unreported, the risks attached to the breach of data security and the number of persons affected by the breach, but the Board has not yet issued a guideline specifically on this.
In recent decisions, the Board has imposed an administrative fine for late notification upon receipt of a data breach notification from the data controller, and it has also issued fines for not taking sufficient measures to protect data. In addition, following complaints made to the Board by data subjects or investigations made ex officio, administrative fines have also been imposed due to the failure of the data controller to take sufficient technical and administrative measures to ensure data security.
In the event of a data breach, it may not be easy to determine which countries are affected by the breach, especially for global companies, and the process, research and technical analysis may take a long time. This may also expose data controllers to fines for late reporting of the breach, but the important thing is to explain transparently in the notification to the Board how the process is being carried out, to explain the actions taken and to cooperate with the Board. On the other hand, close communication with the Board may also be effective in determining whether the Board publishes the breach directly on its website and makes it public. Undoubtedly, each data breach notification may always be subject to a separate administrative fine for not taking the necessary administrative and technical measures, as well as to an administrative fine for late breach notification. Until now, we have had the impression that in most cases the Turkish DPA tends to announce data breach notifications on its website and make them public and that, upon notification, it has issued a monetary fine due to late notification.
Lastly, it is seen from the summary decisions issued by the Board that, in cases of data breaches, the Board generally concludes that the data controller has not taken sufficient technical and administrative measures to ensure data security, and that this is decided without going through a specific technical review. In particular, even the way of becoming aware of the violation gives the Board a perspective from which to conclude whether or not sufficient measures were taken. However, the Law imposes an obligation on the data controller to take all necessary technical and administrative measures to prevent unauthorized access to personal data and to maintain the appropriate level of security in order to protect personal data, and it should be understood from this provision that the Board must examine separately, in each violation, whether these measures have been taken. It is seen that the Board has broadly interpreted “all the necessary technical and administrative measures to ensure the appropriate level of security”. The Turkish DPA’s approach to data breach cases indicates that the liability of the data controller for data security is at the highest level and must be diligently observed. Data controllers are also advised to fill in the data breach form provided by the Turkish DPA in detail and, if possible, to have a meeting with the Turkish DPA to explain the incident and the measures taken in detail at first hand. We believe that such an approach would be more effective in convincing the Turkish DPA; otherwise, merely filling in the relevant form with minimal information will not be helpful and most probably the breach will be announced on the website right after notification.
Article provided by: Begüm Yavuzdoğan Okumu (Gün+Partners, Turkey)
Dr. Tobias Höllwarth (Managing Director INPLP)