The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and Law No. 6698 on Protection of Personal Data (“DPL”) of Turkey are the key pieces of legislation applied in the relevant jurisdictions.
DPL is similar to the EU Data Protection Directive (Directive 95/46/EC), which the GDPR replaced; and is based on the same general data protection principles. Still, certain differences between legislations arise, and one of the most prominent differences is the process for notifying data breaches.
Data Breach Definition.
GDPR defines data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In contrast, DPL does not have a specific definition for data breach; however, “the acquisition of personal data illegally by unauthorized parties” triggers notification obligations for the data controllers. Thus, there are three specific aspects of a data breach under DPL:
- illegality,
- the acquisition of personal data, and
- involvement of unauthorized individuals.
Notification to the Authority.
GDPR requires data controllers to notify “personal data breaches” to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless there is likely to be no harm to the individuals concerned.
DPL requires data controllers to inform the Data Protection Authority (“DPA”) about any personal data breaches within 72 hours, regardless of whether such breach is likely to cause harm to the individuals concerned, by using the official form published by DPA.
This means that in the event of a data breach, while data controllers subject to GDPR must make an assessment about the risks to the rights and freedoms of natural persons resulting from the breach; for the data controllers subject to DPL, there are no specific thresholds or risk assessments required for making a notification to DPA and a notification is the natural consequence of a breach.
When it comes to the content of the notification, the GDPR allows the data controllers to provide information in phases if it is not possible to provide it at the same time. Similarly, the DPL also enables data controllers to make an initial notification with the available information to meet the 72-hour deadline, and provide further information with a follow-up notification to provide the remaining information.
Notification to Data Subjects.
The GDPR requires data controllers to notify data subjects if the data breach poses a high risk to individuals affected, unless there are effective technical and organizational protection measures that have been put in place, or other measures that ensure that the risk is no longer likely to materialize. The supervisory authority may also order the data controller to inform individuals about the breach.
The DPL, on the other hand, requires data controllers to notify data subjects if the data breach affected them, regardless of the level of risk or measures taken. Further, if the data controller has the affected data subjects’ contact information, the notification must be sent to their electronic or physical address. If not, data controllers may announce the breach on their own website. Additionally, DPA may inform the public about the breach as well and in practice the DPA choses to publish the data breach notification on its website (www.kvkk.gov.tr) if the number of data subjects that are affected are over a certain threshold.
Extra-Territorial Affect.
Data controllers that are not established in the EU but offer goods or services and/or monitor the behavior of data subjects in EU, are still bound by the data breach notification obligations under GDPR and the breach will need to be notified to every supervisory authority for which affected data subjects reside in their Member State[1].
Similarly, data controllers that are not resident in Turkey, but their processing affects data subjects residing in Turkey, are also bound by the data breach notification obligations under DPL and the breach must be notified to DPA and affected data subjects.
Examination by the Authority.
When determining the type and level of fine to be imposed, supervisory authorities in EU must take a series of factors into account; such as the nature, gravity and duration of the infringement, the categories of personal data affected, whether it had an intentional or negligent character; and the controller’s action to mitigate the damages along with the manner the authority to learn the infringement.
Further, under the GDPR, all supervisory authorities are competent to initiate ex officio investigations[2]. However, concepts of what constitutes an ex officio investigation may vary between the Member States, for instance based on national law.
In Turkey, based on DPA’s decisions, administrative fine may still be imposed for a data breach incident even if it does not create a high risk on individuals. Even though DPA accepts that the hundred percent protection is not possible when considering the ever-developing technology, its approach is constituting from the evaluation of whether the data controller could have taken additional technical and organizational measures or whether there was any action that the data controller could have taken to prevent the breach.
Further, if DPA becomes aware of an unnotified data breach incident through a complaint or other means, DPA may initiate an ex officio investigation. In this scenario, the data controller can also be held liable for failing to notify DPA, in addition to its obligations to provide an appropriate level of security.
Conclusion.
The evaluation of data breaches is very important for data controllers, given the sensitivity of the process. Therefore, the evaluation of data breach incidents on a country-by-country basis plays a crucial role for data controllers. Considering the given differences between GDPR and DPL, especially in the data breach notification process, the required actions should be taken immediately in data breach incidents affecting Turkish residents.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Bensu Özdemir, Göksu Tuğrul
[1] EDPB – Guidelines 9/2022 on personal data breach notification under GDPR, https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf
[2] EDPB – Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities 2021 – https://edpb.europa.eu/system/files/2021-08/edpb_report_2021_overviewsaressourcesandenforcement_v3_en_0.pdf