NOTIFICATION FORM IN CASE OF COMPLAINT/VIOLATION
(THIS FORM IS PREPARED TO NOTIFY THOSE CONCERNED IN CASE OF VIOLATION)
Decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271 regarding the minimum elements that should be included in the data breach notification made by the data controller to the data subject
As it is known, in paragraph (1) of Article 12 of the Law No. 6698 on the Protection of Personal Data (Law), it is stated that the data controller
a) To prevent unlawful processing of personal data,
b) To prevent unlawful access to personal data,
c) To ensure the protection of personal data
In paragraph (5), it is stipulated that in the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible, and the Board may, if necessary, announce this situation on its website or by any other method it deems appropriate.
With the decision of the Personal Data Protection Board (Board) dated 24.01.2019 and numbered 2019/10, it was decided that the data breach notification “Following the determination of the persons affected by the data breach by the data controller, it is decided to notify the relevant persons as soon as reasonably possible, directly if the contact address of the relevant person can be reached, and if not, by appropriate methods such as publishing it on the data controller’s own website.”
In the process of evaluating the data breach notifications received by the Authority within the scope of the aforementioned provision and the Board decision; Considering that the purpose of the data controller’s notification of this situation to the Board and the persons affected by the breach in the event that personal data is obtained by others illegally is to ensure that measures are taken to prevent or minimize the negative consequences that may arise for these persons due to the breach, it has become necessary to clearly regulate which elements should be included in the notifications to be made by the data controllers to the relevant persons regarding the breach in question.
In this context, with the decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271;
The breach notification to be made by the data controller to the data subject must be made in a clear and plain language and at least;
- When the breach occurred,
- Which personal data is affected by the breach on the basis of personal data categories (by making a distinction between personal data / special categories of personal data),
- Possible consequences of a personal data breach,
- Measures taken or proposed to be taken to mitigate the negative effects of the data breach,
- It has been decided that the name and contact details of the contact persons who will enable the data subjects to receive information about the data breach or the full address of the data controller’s web page, call center, etc. should be included.
Respectfully announced to the public.
……………………………………..A.Ş./LTD ŞTİ
DATA CONTROLLER:
THE ORGANIZATION/PERSON CARRYING OUT PROCESS FOLLOW-UP ON BEHALF OF THE DATA CONTROLLER:
CONTACT INFORMATION:
CONTACT PERSON:
SUBJECT: Pursuant to paragraph (5) of Article 12 of the Law No. 6698 on the Protection of Personal Data (Law) regarding the personal data breach that occurred on ………….,
SUMMARY OF THE EVENT: On the date of …………, the personal data of ………………. of you by the person …….. on the date of …….. was unlawfully shared with ………….. persons, and the process is closely monitored by notifying the judicial authorities and the Personal Data Protection Authority on …../…./……. Negative consequences of the data breach in question for you;
………………… The following measures have been taken to prevent this violation from happening again;
……………………………
You can get detailed information from …………. or …………… …/…/……
APPENDICES
- Criminal Complaint
- KVKK Notification Form (Notification Form of the Data Subject to the Data Controller in Case of Breach)
- Workplace Incident Report
- Violation Relevant Person Application Form