Data Breach Notification and Legal Processes
A data breach is a situation that jeopardises the security of personal data. These breaches are an issue that data controllers and data processors should be careful about. Here are the things to do in case of data breach and legal processes:
- What is a Data Breach? A data breach occurs when personal data is accidentally or unlawfully destroyed, lost, altered or disclosed in an unauthorised manner. The EU General Data Protection Regulation (GDPR) and the Personal Data Protection Law (KVKK) regulate these breaches.
- Notification Obligation In the event of a data breach, data controllers are required to notify the Personal Data Protection Board (Board) within 72 hours. If the notification is not made within this period for a justifiable reason, the reason for the delay must be explained to the Board.
- Content of Notification The following information must be included in the data breach notification:
- If the breach has been notified to the controller by the data processor, this notification and the data processor’s information (e.g., an example of a written or e-mail notification document).
- The content and method of notifications to persons affected by the breach.
- Measures taken and the consequences of the breach.
- Board Review The Board reviews the infringement notifications and first assesses whether there is a violation. Then, it checks whether the notification obligation has been duly fulfilled. Penalties may be imposed as a result of breach notifications.
- Example Situation As a result of an error in the e-mails containing the payrolls of a pharmaceutical company, the payrolls of the employees were sent to the wrong persons, which was reported as a data breach. The Board analysed this breach and stated that the notification should be more careful.
In the event of a data breach, it is important that data controllers act quickly and effectively. Breach notifications are vital to protect the rights of data subjects and minimise negative consequences.