The protection of the personal data has become more of an issue day by day with the development of internet technologies and personal data stored digitally. In this manner, the Institution of Personal Data Protection (the “Institution”) is developing the national legislation and publishing additional sources for the practice to sustain both domestic information security needs and integration with the European Union.

The Institution of Personal Data Protection has shared an announcement on the Application to the Data Controller and the Period Calculation of the Claims made to the Institution, on 13.02.2019. The issue of interpretation of the claim durations within the Law has become clear with the said announcement for the Data Subjects who exhaust application avenues to the Data Controller. You may reach the full text of the announcement here.

The subjects to be covered with the announcement are as follows:

An announcement (the “Announcement”) regarding the personal data breach notification procedures, has published with the 2019/10 numbered decision of Personal Data Protection Institution on 24.01.2019. The “Personal Data Breach Notification Form” is also shared within this Announcement, you may reach the sample form here.

The Announcement mentions about the obligations of the Data Controller stated in the Art. 12 of the Personal Data Protection Law ("KVKK") and Data Controllers should inform the institution as soon as possible in case of any data breach. The institution has expressed that this notification process aims to prevent negative conclusions or to minimize risks that arise from these breaches on data subjects and others.

Under this scope, the Institution has taken below mentioned decisions to create a ground parallel with European General Data Protection Regulation (GDPR) which constitutes basis for the KVKK: