TR: Does your company operate in the EU and in Turkey? Then pay attention to different data breach notification rules

2B Advice
After a long period the Turkish Personal Data Protection Law, numbered 6698 (TDPL) took effect on 7 April 2016 and the process of adaptation concluded on April 2018.

At the end of April 2018, the Turkish Data Protection Board (DPB) has announced eight decision-summaries in its official web page trying to explain some violation types and providing some references concerning administrative fines.

Although the TDPL is mostly based on the EU Data protection Directive (95/46/EC) and seems to comply with the European Data Protection Regulation (GDPR), it should be taken into consideration that still some differences exist especially in the view of practice and for its execution.

Article 12/5 TDPL states that in case of any unlawful acquisition of personal data by third parties, the data controller should notify the data subject and the Board concerning such situation as soon as possible.

At this point, it is difficult to interpret what to understand from the annotation “as soon as possible”. Neither in TDPL nor in DPB decisions there is no clear definition regarding notification periods.

Although the board evaluated in its decision that the notification to the board after 10 months and to the data subject after 17 months should be accepted as an “overdue”, they did not determine any exact period yet but also applied an administrative fine.

Similar regulation arranged in Art. 33 and 34 GDPR rules that the notification shall be made without undue delay and, where feasible, not later than 72 hours. In this respect, the definition of breach, notification periods and notification requirements to the data subjects are quite different from TDPL and can be different in practice.

Therefore, companies, which are subject to GDPR but are also operating in Turkey should consider these notification period differences.

Further information:

Photo: © ilro - Fotolia

Rating: 0 (0)
Wildcard SSL Certificates

© 2003 - 2019 | 2B Advice GmbH - the privacy benchmark | Company Registration No.: Bonn HRB 12713
Joseph-Schumpeter-Allee 25 | D-53227 Bonn | Germany | 
Phone +49 228 926165-100 | Fax_+49 228 926165-109 | Email 
No responsibility for the accuracy of the information. Please also note: Privacy Notice | Legals
2B Advice GmbH Italy | 2B Advice LLC USA | 2B Advice s.r.o.Slovakia
United States of America | Slovakia | Germany |
Bonn | Berlin | München | San Diego | Brezno | Verona | Vienna