Board Decision on Minimum Elements that Should be Included in the Communication of the breach by the Data Controller to the Data Subject
The Board Decisions No. 2019/271 of 18.09.2019 regarding minimum elements that should be included in the communication of the breach by the data controller to the data subject
As known, pursuant to paragraph (1) of article 12 of the Personal Data Protection Law No. 6698 the data controller is obliged to take all necessary technical and organisational measures to ensure the appropriate level of security, so as to:
a. Prevent unlawful processing of personal data,
b. Prevent unlawful access to personal data,
c. Ensure protection of personal data.
According to Article 12(5), in case the data processed are obtained by third parties by unlawful means, the data controller shall communicate the breach to the data subject (natural person concerned) and notify it to the Board within the shortest time. Where necessary, the Board may announce such breach on its official website or through in any other way it deems appropriate.
The decision of the Personal Data Protection Board (Board) of 24.01.2019 and No. 2019/10 states that “Data subjects should be communicated about breach in the shortest reasonable period of time. If the contact address of the data subject can be reached, notification should be made directly, or if it cannot be reached, notification should be made by appropriate methods such as the publication on the data controller’s website”
During assessment process of the data breach notifications submitted to the Authority within the scope of the stated provision and Board decision; Considering the purpose of the notification to the Board and to persons affected by the breach is to ensure that measures are taken to prevent or mitigate the adverse consequences of such violations, it is necessary to clearly state which elements should be included in the notifications of the data controller to the data subjects.
Within this scope , Personal Data Protection Board Decision No. 2019/271 of 18.09.2019 states that;
The communication of the breach to be made by the data controller to the data subject should be made in a clear and plain language and include at least;
- Time of the data breach occurred,
- Categories of personal data that are affected by the breach (by distinguishing between personal data / special categories of personal data)
- Possible consequences of personal data breach,
- Measures that have been taken or advised to be taken by the data subject after the breach to mitigate the negative effects of data breach,
- The contact ways to provide information to the data subjects about the data breach such as the name and contact details of the contact persons, or the link of the data controller's web page, call center number and so on.
Respectfully announced to the public.