Article 12 paragraph 5 of the Law on the Protection of Personal Data numbered 6698 stipulates that if processed data are collected by other parties using unlawful methods, the data controller shall notify the data subject and the Personal Data Protection Board (“Board”).
In the Board’s decision on “the Procedures and Principles of the Personal Data Breach Notification” dated 24 January 2019 and numbered 2019/10, data controllers have been obliged to prepare a data breach response plan. As no one has been excluded from the scope of the mentioned decision, every data controller must fulfill the respective obligation.
The Data Breach Response Plan shall regulate matters such as to whom the incident would be reported in the presence of the data controllers themselves, how the work division would be, and how the notification to be made to the Board would be prepared in case of a breach.