Articles 12
The Board Decision No. 2019/10 ('the Decision') Guidance on Data Protection (technical and organizational measures)
The controller must take all necessary organizational and technical measures to fulfill the obligation stated under LPPD. Turkey has issued a Personal Data Security Guide to clarify the technical and organizational measures for the secure processing of personal data.
Under Article 12 of LPPD, the Data controller’s responsibility is to ensure personal data retention, prevent unlawful processing of personal data, and prevent illegal access to personal data.
In cases where other persons unlawfully collect the processed personal data, the data controller shall notify the same to the data subject and the Board of the KVKK within the shortest time.
As per the Decision, the data controller must notify the Board of the KVKK without delay and not later than 72 hours after becoming aware of any data breach.
Under the LPPD, there are no exemptions to the obligation to notify the unlawful collection of personal data to the Board of the KVKK and the data subject.
Articles 5, 24, 32-34 Recitals 74-77, 83-88
The GDPR requires organizations to take appropriate technical and organizational measures to ensure personal information processing security. These measures may include the following:
- Encryption and pseudonymization of personal data
- Ensuring integrity, confidentiality, and availability of processing systems
- Restoring the availability and access to personal data promptly.
- Assessing and evaluating the effectiveness of technical and organizational measures.
Under GDPR, organizations must notify supervisory authorities of any personal data breach that is likely to result in a risk to natural persons’ rights and freedoms without undue delay and not later than 72 hours after becoming aware of the breach. The information may also be provided in phases, and a justification must accompany any delay. The communication of the breach to data subjects, however, must take place without undue delay.