Personal Data Breach in a Turkish Company: The First 72 Hours for Foreign Management

For foreign groups with operations in Turkey, a personal data breach is not just an IT problem – it is a regulatory event under both KVKK (Turkey’s Personal Data Protection Law) and, often, GDPR as well.

The most critical window is the first 72 hours after becoming aware of a breach. In that time, foreign management must make fast, defensible decisions – usually across multiple jurisdictions, languages and time zones.

This article explains, in practical legal terms, what foreign executives should do in those first 72 hours when a Turkish subsidiary or branch suffers a personal data breach, and how to build a response plan that actually works in real life.


1. Why 72 Hours Matter Under Turkish Law

Under KVKK practice and Board guidance, controllers are expected to notify the Turkish Data Protection Authority of a personal data breach within 72 hours of becoming aware of the incident, and to inform affected data subjects “as soon as possible” when the breach may result in harm.

This 72-hour standard mirrors GDPR’s approach and is repeatedly referenced by the Authority in breach announcements and guidance. It is applied to both Turkish and foreign data controllers when the breach affects data subjects in Turkey.

For foreign management, the practical consequence is clear:

Once your Turkish entity (or your group as controller) becomes aware of a personal data breach, the 72-hour clock starts – not when the incident is fully investigated or confirmed beyond doubt.


2. Hour 0–6: Detection, Escalation and “Are We Really Aware?”

The first problem in any multinational group is awareness. A breach often starts as a vague IT ticket: “We think an account was compromised”, “We found an unusual export of customer data”, “A laptop with employee information was stolen”.

Step 1 – Define “awareness” in your incident policy

Foreign management should define, in advance, what counts as awareness for the purpose of the 72-hour period. Typically, this is the moment when:

  • The Turkish entity’s designated incident team (or top management) receives credible information that a security incident involving personal data has occurred, and
  • There is a reasonable belief that confidentiality, integrity or availability of personal data may have been compromised.

It is dangerous to wait for a full forensic report. The law expects action when you should reasonably understand that a breach is likely, not when every technical detail is clear.

Step 2 – Trigger your Turkish incident response plan

Within the first few hours:

  • Activate the incident response team for Türkiye (IT, legal, HR, security, business functions).
  • Ensure foreign HQ is informed through clear escalation channels – but do not delay local action waiting for HQ approval.
  • Secure evidence: log files, system snapshots, emails, access records. Instruct staff not to delete or overwrite anything related to the incident.

At this stage, the main question is:

“Do we have a plausible personal data breach affecting individuals in or from Turkey?”

If yes, treat the clock as already running.


3. Hour 6–24: Containment and Initial Legal Qualification

Once the incident is confirmed as likely impacting personal data, the focus shifts to two parallel tracks: technical containment and legal qualification.

Technical containment

  • Isolate compromised systems or accounts.
  • Change credentials, revoke tokens, disable suspicious APIs or remote access.
  • If physical devices are involved (lost laptop, USB, paper files), identify whether encryption or other safeguards were in place.

Legal qualification under KVKK (and possibly GDPR)

Foreign management must quickly understand:

  1. Who is the data controller?
    • The Turkish subsidiary?
    • A foreign group company?
    • A joint controller structure?
  2. Whose data is affected?
    • Customers, users, employees, suppliers?
    • Individuals located in Türkiye only, or also in the EU/EEA or elsewhere?
  3. What data is involved?
    • Basic identification data (names, contact details)?
    • Financial data (IBANs, card tokens)?
    • Health, biometric or other sensitive categories?
    • Credentials (passwords, authentication data)?
  4. What are the likely risks to individuals?
    • Identity theft, fraud, discrimination, embarrassment, loss of confidentiality, physical security risks, etc.

The answers will drive whether notification is mandatory, how urgent it is, and what level of detail is required.


4. Hour 24–48: Decision to Notify the Turkish DPA and Data Subjects

Within the first 24–48 hours, foreign management should be able to make three key decisions:

Decision 1 – Do we notify the Turkish Data Protection Authority?

Under KVKK, notification is expected when the breach may result in a violation of rights and freedoms of data subjects. For example:

  • Leaks of large volumes of customer information,
  • Exposure of health data, biometric data or financial records,
  • Account takeover that could lead to misuse of services,
  • Any situation where individuals could reasonably suffer harm (financial, reputational, psychological).

Given the Authority’s enforcement track record, it is usually safer to err on the side of notification when in doubt, particularly for foreign groups with a visible footprint in Türkiye.

Decision 2 – Do we notify data subjects?

Informing affected individuals is required when the breach is likely to result in material or moral harm. In practice, if you would notify the Authority, you will often also need to notify data subjects, unless the risk is clearly minimal and data was, for example, strongly encrypted and remained inaccessible.

The content of these notices should be:

  • Clear and simple,
  • In Turkish (and possibly another language if your customer base is international),
  • Focused on what happened, what data was affected, what risks exist and what individuals can do to protect themselves (change passwords, monitor accounts, etc.).

Decision 3 – Do we also have obligations under GDPR or other regimes?

If the incident concerns EU data subjects or an EU establishment, foreign management must concurrently assess GDPR notification duties:

  • Notify the relevant EU supervisory authority within 72 hours where feasible,
  • Notify EU data subjects when the risk is high,
  • Ensure consistency in information provided across jurisdictions.

A single incident can therefore require multiple notifications: Turkish DPA, one or more EU DPAs, and possibly sectoral regulators (telecoms, banking, insurance).


5. Hour 48–72: Drafting, Approvals and Formal Notification

Once the decision to notify is made, the last part of the 72-hour window is about execution.

Draft the notification to the Turkish DPA

The notification to the Authority should typically cover:

  • Identity and contact details of the data controller and its Turkish contact person or representative,
  • Date and time when the breach occurred and when it was detected,
  • Type of breach (confidentiality, integrity, availability),
  • Categories and approximate number of data subjects affected,
  • Categories and approximate number of records involved,
  • Nature of the personal data (basic data, sensitive data, financial data, credentials, etc.),
  • Likely consequences of the breach for data subjects,
  • Measures taken or proposed to address the breach and mitigate possible negative effects.

If some details are not yet known, the controller should:

  • Provide the best information available at that moment, and
  • Indicate that a follow-up notification will supply missing details once the investigation progresses.

Draft communications to data subjects

Notifications to individuals should be written from the perspective of a reasonable non-lawyer recipient:

  • Avoid technical jargon and legalese.
  • Be honest about what is known and what is still under investigation.
  • Provide specific steps they can take (e.g., password changes, fraud alerts, contacting customer support).

Foreign management should resist the temptation to downplay the incident. Turkish practice favours clear and transparent communication; minimising or hiding the problem tends to make regulatory exposure worse in the long run.

Obtain internal approvals without losing time

In multinational groups, internal review loops (legal, PR, management, information security) can easily consume the entire 72-hour period. To avoid this:

  • Pre-approve templates for breach notifications to the Turkish Authority and to data subjects.
  • Agree internal fast-track sign-off rules: for example, local Turkish management and the global DPO can approve urgent notifications, with later reporting to the board.
  • Train executives in advance that speed is a legal requirement, not just a PR choice.


6. After 72 Hours: Investigation, Remediation and Lessons Learned

The 72-hour mark is the end of the initial emergency phase, but not the end of your obligations. Over the following days and weeks, foreign management should supervise:

  1. Deep forensic investigation
    • Confirm root cause, attacked systems, compromised accounts.
    • Determine exactly which data was accessed, altered or exfiltrated.
    • Document all steps taken, as this may later be requested by regulators or courts.
  2. Follow-up notifications
    • Provide the Turkish Authority with updated or corrected information as soon as new facts emerge.
    • If the risk assessment changes (for example, you initially believed data was encrypted, but find out keys were also compromised), consider additional notifications to individuals.
  3. Internal accountability and sanctions
    • Evaluate whether internal policies were followed.
    • Decide on disciplinary measures or contractual consequences for those who ignored or violated security procedures.
  4. Improvement of technical and organisational measures
    • Update security controls, access rights, encryption policies.
    • Enhance training programmes for local staff in Turkey.
  5. Documentation for future audits
    • Keep a complete file: incident logs, decisions, risk assessments, communications, technical reports.
    • This file will be crucial if the Turkish Authority opens an investigation or if affected individuals bring claims.


7. Building a 72-Hour Playbook for Turkish Operations

Foreign management cannot improvise a compliant response in the heat of a crisis. The right approach is to build a 72-hour playbook specifically for Turkish operations:

  • Map systems in which personal data relating to individuals in Turkey is stored or processed.
  • Identify all cross-border flows from Türkiye to other jurisdictions and cloud providers.
  • Clarify role allocations: Turkish entity, foreign parent, joint controllers, processors.
  • Nominate and train a Turkish breach response team, with clear contacts in foreign HQ.
  • Prepare bilingual templates for:
    • DPA notifications,
    • Data subject notices,
    • Press statements (if needed).
  • Integrate KVKK duties into the global incident response policy, alongside GDPR and any sector-specific rules.

The more detailed and realistic this playbook is, the easier it will be to meet the 72-hour deadline without panic.


8. Conclusion

For foreign management, a personal data breach in a Turkish company is a test of governance. The law does not expect incidents to be impossible; it expects them to be handled promptly, transparently and responsibly.

The first 72 hours after becoming aware of a breach are critical:

  • You must decide quickly whether to notify the Turkish Data Protection Authority and affected data subjects.
  • You must coordinate local and global teams, often under intense time pressure.
  • You must balance legal, technical and reputational concerns while demonstrating to regulators that your organisation takes data protection seriously.

With preparation and a clear 72-hour playbook tailored to KVKK, foreign management can turn a data breach from a potential regulatory disaster into a controlled, manageable event – one that strengthens, rather than destroys, trust in the company’s commitment to privacy.
