01 May, 2021

How Should Personal Data Breach Notification Be Made?

What is Personal Data Breach?

A data breach is defined in Article 12 of the Law on the Protection of Personal Data as the "acquisition of processed personal data by others through unlawful means".

Data breaches may arise from sending personal data to the wrong recipients, theft or loss of documents or devices, storing data in insecure environments, malicious software, social engineering, sabotage, or accident and negligence.

For the persons concerned, a data breach may result in loss of control over their personal data, identity theft, discrimination, restriction of rights, fraud, financial loss, loss of reputation, or loss of the security of their personal data.

How Should Personal Data Breach Notification Be Made?

Personal data breach notification should be made by the data controller using the data breach notification form on the website of the Personal Data Protection Authority. A notification can be created, queried and updated via the form.

The data breach form may be filled out by the natural or legal person at which the breach occurred, or by lawyers, consultants and similar representatives acting on behalf of the data controller, provided that a contract and power of attorney certifying this authority are attached.

Care should be taken to indicate the source of the data breach and to describe it in detail. For example, if the breach occurred through the installation of ransomware, one of the cyber attack methods, the form should explain what the ransomware is, how the infection happened, and which systems it affected.

The impact of the data breach needs to be evaluated under three main headings:

  • Evaluation of the confidentiality (privacy) of the personal data of the persons affected by the breach
  • Evaluation of the integrity of the personal data of the persons affected by the breach
  • Evaluation of access to the personal data of the persons affected by the breach

How and by whom the data breach was detected should be specified in detail, and sample documents should be included, if any. For example, if the data controller was exposed to the installation of ransomware and received e-mails from the attackers, this detection should be recorded in the relevant field of the data breach form.

The most important point is that the data controller must notify the Personal Data Protection Board and the persons concerned without delay, and within 72 hours at the latest, from the moment it learns of the data breach.

If necessary, the Personal Data Protection Board may announce this situation on its website or by any other method it deems appropriate.

If the period from the detection of the breach to its notification to the Board exceeds 72 hours, the reasons for this should be stated in the data breach form.

The breach notification to be made by the data controller to the person concerned must be made in clear and plain language.

The following information should be included when reporting a breach:

  • Time of the breach
  • Which personal data are affected by the breach, by personal data category (distinguishing personal data from special categories of personal data)
  • Possible consequences of the data breach
  • Measures taken or proposed to be taken
  • Contact information that will enable the persons concerned to obtain information about the data breach
  • Evidence of how the breach occurred
  • Technical and administrative measures taken

Why Is It Important to Make a Correct Personal Data Breach Notification?

Data controllers must report the data breach to the Board within 72 hours at the latest and take the necessary measures; otherwise an administrative fine of between 39,000 TL and 1,966,000 TL may be imposed for failing to comply with the data breach notification format and deadline.

There are many institutions and organizations, in Turkey and worldwide, that have failed to comply with the data breach notification format and deadlines and have received large administrative fines.

According to news published by the European Data Protection Board, Booking.com was fined 475,000 euros for reporting a data breach late to the Dutch Data Protection Authority.

In its decision dated 16.05.2019 and numbered 2019/143 concerning a company, the Personal Data Protection Board in Turkey decided, under the Personal Data Protection Law No. 6698, to impose an administrative fine of 1,100,000 TL for failing to take the necessary technical and administrative measures to ensure data security and 350,000 TL for late notification, 1,450,000 TL in total.

Protection of personal data is as important for individuals as it is for institutions and organizations. Data breaches must be reported to the Personal Data Protection Authority within 72 hours at the latest, the notification must be made correctly, and the persons concerned must be informed clearly and understandably.
To handle data breaches soundly and in a timely manner, automated incident response technologies can be used that allow evidence to be collected around the clock, even from distributed work-from-home locations, and a remote response within minutes.

Sources
kvkk.gov.tr
edpb.europa.eu

