ELIG Gürkaynak Attorneys-at-Law | View firm profile
According to Article 12 of the Law No. 6698 on Protection of Personal Data (“Law”) , data controllers are obliged to prevent unlawful processing of personal data, unlawful access to personal data, to ensure the protection of personal data, and to take all necessary technical and administrative measures to ensure the appropriate level of security. In case the data is obtained by others through illegal means, data controllers are obliged to notify the data subjects and the Personal Data Protection Board (“Board”) as soon as possible, and the Board may announce this situation on its own website or by any other method it deems appropriate, if necessary. The purpose of notifying the Board and the persons affected by the breach is to ensure that measures are taken to prevent or minimize the negative consequences that may arise about those persons due to the breach.
The Board stated in its decision of January 24, 2019 with number 2019/10  that in the event that the processed personal data is obtained by others illegally, data controller notifies the relevant person and the Board as soon as possible. The expression “as soon as possible” in the provision is interpreted as 72 hours, and in this context, data controller informs the Board without delay and within 72 hours at the latest from the date of learning of this situation, to make a notification through appropriate methods such as directly, if the contact address of the data subject can be reached, or via the website of the data controller, if it cannot be reached within a period of time.
The notifications to be made to the Board should be made with the use of the “Personal Data Violation Notification Form”  in a PDF format, which is can be found in Data Protection Authority’s (“DPA”) website and the information regarding the data breaches, their effects and the measures taken should be recorded and made ready for the examination of the Board. In the event that the data breach is experienced by a data controller residing abroad, in case the consequences of this breach affect the data subjects residing in Turkey and the data subjects benefit from the products and services offered in Turkey, the data controller should also notify the Board within the framework of the same principles. Additionally, the Board’s public announcement  of January 6, 2020 states that it is possible to transmit the “Personal Data Violation Notification Form” to the Board online .
Considering the purpose of informing the data controller to the Board and the persons affected by the violation, the Board stated the necessity of a clear regulation showing the elements that should be included in the notifications to be made to the relevant persons regarding the said violation. In this context, the Board stated in its decision of September 18, 2019 with number 2019/271  that the breach notification to be made by the data controller to the relevant person should be made in a clear and plain language, and as a minimum should include the following information on (i) when the breach occurred, (ii) which personal data is affected by the breach on the basis of personal data categories (by distinguishing between personal data / sensitive personal data), (iii) possible consequences of the personal data breach, (iv) measures taken or proposed to be taken to reduce the negative effects of the data breach, and (v) the name and contact details of the contact persons that will enable the persons to receive information about the data breach, or the communication paths such as full address of the web page of the data controller, the call center, etc.
Information on the document published by the DPA
On November 23, 2022, DPA has published a document named “Personal Data Protection Authority in its 5th Year”  (“Document”) on its website. The Document which consists of 222 pages provides information of the DPA’s activities and the work conducted by the DPA within the past 5 years. The Document mainly includes the information on the number of applications submitted to DPA, number of data breach notifications submitted to DPA and the number of these notifications which have been shared with the public and the number of legal opinions given by the DPA regarding the Law No. 6698. Document says that last year was recorded as the year with the highest number of applications (4513 applications).
In addition, the Document can be considered as a reference document in terms of regulations and statistical data, including laws, regulations, communiqués, policy decisions and public announcements regarding the protection of personal data.
Number of data breach notifications between the years 2017 and 2022
The Document includes the number of data breach notifications made to the Board between the years 2017 and 2022 and in this context, it is stated that 779 data breach notifications were made to DPA until March 31, 2022. It is also stated that 448 of them were finalized and 181 of them were published on DPA’s website. The statistics of the data breach notifications are listed by year in the table below.
|Year||Data Breach Notifications||Finalized||Published Notifications|
DPA’s approach on the breach notifications
According to Article 18 of the Law No. 6698, violating the obligation of notification may be subject to administrative fine of TRY 53,572 to TRY 2,678,863 (approximately USD 2,872 to USD 143,610 as of December 2022) for the year 2022. It is worth noting that the Board is evaluating whether the minimum elements specified in its decision of September 12, 2019 with number 2019/271 are included in the data breach notifications provided by the data controllers to the affected data subjects and generally imposes administrative fines for the notifications that have been made after 72 hours.
Below is a breakdown of the administrative fines over the last 5 years, imposed due to data breach notifications:
(i) The administrative fines imposed by DPA regarding data breach notifications in 2017: 0
(ii) The administrative fines imposed by DPA regarding data breach notifications in 2018: 200,000 Turkish Liras (approx. USD 10,721 as of December 2022)
(iii) The administrative fines imposed by DPA regarding data breach notifications in 2019: 11,200,828 Turkish Liras (approx. USD 600,458 as of December 2022)
(iv) The administrative fines imposed by DPA regarding data breach notifications in 2020: 9,893,000 Turkish Liras (approx. USD 530,348 as of December 2022)
(v) The administrative fines imposed by DPA regarding data breach notifications in 2021: 15,395,000 Turkish Liras (approx. USD 825,301 as of December 2022)
(vi) The administrative fines imposed by DPA regarding data breach notifications in 2022: 2,580,000 Turkish Liras (approx. USD 138,310 as of December 2022)
It is seen that the administrative fines imposed by DPA regarding data breach notifications have decreased in 2020, however increased sharply in 2021.
In light of the foregoing, it can be concluded that there is an increase in data breach notification numbers from 2017 to 2021. Accordingly, one might say that this increase in data breach notification numbers shows that the data controllers have started to become more conscious about their notification obligations and follow the notification process as required by the DPA.
Authors: Gönenç Gürkaynak, Esq., Ceren Yıldız, Noyan Utkan and Derya Başaran, ELIG Gürkaynak Attorneys-at-Law
 https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6698&MevzuatTur=1&MevzuatTertip=5 (Last accessed on December 10, 2022).
 https://kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi (Last accessed on December 10, 2022).
 https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/8217d07e-5af7-43f0-ad02-a48cb1e23cd7.pdf (Last accessed on December 10, 2022).
 https://www.kvkk.gov.tr/Icerik/6644/Kisisel-Veri-Ihlali-Bildirimlerinin-Elektronik-Ortamda-Kurula-Iletilmesine-Iliskin-Duyuru (Last accessed on December 10, 2022).
 https://ihlalbildirim.kvkk.gov.tr/ (Last accessed on December 10, 2022).
 https://kvkk.gov.tr/Icerik/5547/2019-271 (Last accessed on December 10, 2022).
 https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/b5731c6c-540b-45eb-a2d8-d7cef57cf197.pdf (Last accessed on December 10, 2022).