PROCEDURE OF PERSONAL DATA BREACH
1. Purpose
Pursuant to paragraph (5) of article 12 of the Personal Data Protection Law No. 6698, in case the processed personal data are obtained by third parties through unlawful means, AKADEMİ BANT VE FİLM SANAYİ TİCARET LİMİTED ŞİRKETİ (“Company”) shall communicate the breach to the data subjects concerned and notify the Personal Data Protection Board (“Board”) as soon as possible.
This Procedure has been drawn up to inform employees of how to respond to the crisis and which steps are to be taken in the event that processed data are obtained by others through unlawful means, in other words, in the event of a personal data breach.
2. Liability
All employees are responsible for implementing this Procedure. Those acting contrary to the Procedure shall be subject to the provisions of the “Disciplinary Regulations”.
3. Personal Data Breach
A personal data breach occurs in cases such as the unlawful acquisition of personal data, unauthorized access to personal data, accidental or deliberate disclosure of personal data to unauthorized persons, and the unlawful destruction, alteration or loss of integrity of personal data.
Situations generally regarded as personal data breaches include the following:
• Loss or theft of physical documents or electronic devices,
• Account names and passwords being obtained by unauthorized persons,
• Unlawful disclosure of confidential information,
• Accidental forwarding or sending of e-mails containing personal data and/or confidential information to unrelated persons outside the Company,
• Unlawful access to personal data through a virus or other attack (i.e., a cyber-attack) on IT equipment, systems or networks.
In the above-stated or similar situations, action shall be taken in the manner determined in this Procedure.
4. Crisis Intervention Team
The Crisis Intervention Team (“CIT”) is constituted from the designated participants of the departments stated below, in order to intervene in a crisis situation that has occurred or could potentially occur in the event of a personal data breach, and to fulfil the obligations determined within the scope of the Code:
• Data Controller Contact Person
• Data Controller Top Manager (General Manager)
• The Manager of the department which the breach occurred in
• Personal Data Protection Consultative Group
• The Top Managers Authorized by Data Controller on Personal Data Protection (Personal Data Protection Top Managers)
5. Crisis Intervention Process
According to the Personal Data Protection Board’s Decision dated 24.01.2019 and numbered 2019/10 on the Procedures and Principles of Personal Data Breach Notification (“Decision”), the Company shall notify the Board of the personal data breach without delay and at the latest within 72 hours of becoming aware of it. Data subjects shall be notified of the breach within the shortest reasonable period from the date following the identification of the persons affected by the breach. If the contact address of the data subject can be reached, notification shall be made directly; if it cannot, notification shall be made by appropriate means such as publication on the data controller’s website.
In the event of a data breach, the Company shall follow the plan below so that the aforementioned obligations are fulfilled:
• Preliminary Crisis Assessment,
• Conducting Prevention and Rescue Activities,
• Risk Assessment,
• Notification,
• Evaluation and Improvement
5.1. Preliminary Crisis Assessment
In the event of an actual or potential data breach faced by the Company, all relevant employees are obliged to notify the Data Controller Contact Person immediately and without delay. At this stage, the relevant employee prepares a report covering the following points and reports the data breach to the Data Controller Contact Person:
• Date and time of occurrence of the personal data breach,
• Date and time of detection of the personal data breach,
• Explanations regarding the personal data breach incident,
• If known, the number of persons and records affected by the personal data breach,
• Explanations regarding the steps taken and the measures taken, if any, on the date the personal data breach was detected,
• Name, surname and contact information of the employee(s) who prepared the report, and the date of the report.
The Data Controller Contact Person makes a preliminary assessment considering the points specified in the report. During this assessment, the Contact Person initiates a comprehensive investigation together with the CIT to examine whether a data breach has in fact occurred, the scope of the breach and its effects.
5.2. Conducting Prevention and Rescue Activities
In order to reduce the effects of the data breach on the Company and the persons concerned, prevention and rescue activities are carried out under the supervision of the CIT. In this context, the departments that need to be informed of the data breach are determined first, and these persons are guided on the steps to be taken to contain the breach, prevent it if possible, and reduce the damage.
Subsequently, an attempt is made to determine the persons and records affected by the data breach, and the contact information of these persons, if any, is identified. At the same time, it is evaluated whether there are other institutions or organizations that need to be notified of the data breach.
5.3. Risk Assessment
Personal data breaches can have many negative impacts on the people affected, such as identity theft, financial loss, loss of reputation, loss of the security of personal data and discrimination. Therefore, it is important to carefully evaluate the possible impacts of the potential consequences of a personal data breach on the Company and on the people affected by the breach, and to determine the risk.
When evaluating the risks, the team shall consider one by one the nature, sensitivity and volume of the personal data, the number of individuals affected by the breach and which groups of persons they belong to, the impact of the data breach on the Company’s activities and reputation, the measures taken to reduce the impact, and the possible consequences of the breach. On this basis, the data breach is classified as “low, medium or high risk”:
• Low risk: The breach does not have any negative impact on the persons concerned, or the effect is negligible.
• Medium risk: The breach may have negative effects on the persons concerned, but the impact is not large.
• High risk: The breach causes serious negative effects on the affected persons.
The CIT informs the Data Controller Top Managers about data breaches classified as medium and, in particular, high risk.
5.4. Notification
A data breach shall be reported to third parties outside the Company within the scope of legal obligations, and as a means of taking measures regarding the data breach and reducing its possible impacts.
5.4.1. Board Notification
The Data Controller Contact Person is primarily obliged to notify the Board of the situation without delay and within 72 hours at the latest from the moment of becoming aware of the personal data breach. Hence, it is essential that all employees within the Company immediately notify the Data Controller Contact Person of any data breach situation so that the Company does not face any sanctions.
For the notification made to the Board, the Personal Data Breach Application Form published on the website of the Board is used. If it is not possible to provide all the information in the form at the same time, the information may be provided in phases without undue delay.
If the Board cannot be notified within 72 hours for a justifiable reason, the reasons for the delay are explained to the Board together with the notification.
5.4.2. Data Subject Notification
From the date following the identification of the persons affected by the data breach, the Company shall notify the persons concerned of the breach within the shortest reasonable period: directly, if the contact address of the data subject can be reached, or, if it cannot, by appropriate methods (e.g., an announcement made through the website).
In accordance with the decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/271 on the minimum elements that shall be included in the data breach notification made by the data controller to the person concerned, the Company’s breach notification to the person concerned shall be made in clear and plain language and shall contain, as a minimum, the following elements:
• The date and time of the breach,
• Which personal data are affected by the breach, by personal data category (distinguishing personal data from special categories of personal data),
• The possible consequences of the personal data breach,
• Measures taken or proposed to reduce the negative effects of the data breach,
• The names and contact details of the contact persons who will provide information about the data breach, or communication channels such as the full address of the data controller’s website, call center, etc.
5.4.3. Other Notifications
Besides the notifications legally required of the Company, it may be necessary to notify third parties, depending on the nature and extent of the data breach and whether or not the breach constitutes a crime. These parties may be other data controllers or data processors, external consultants, judicial authorities or banks. The CIT separately evaluates whether such a requirement exists and makes the notifications if necessary.
5.5. Evaluation and Improvement
All information regarding personal data breaches experienced by the Company, their effects and the measures taken must be recorded and kept available for the Board’s review. The Data Controller Contact Person and the CIT make an assessment to determine whether the steps taken regarding the data breach were appropriate and what could be developed or improved in case of a future data breach. Accordingly, the CIT prepares an assessment and improvement report covering the points stated below:
• Which steps shall be taken to mitigate the impacts of potential personal data breaches,
• Whether an improvement to policies, procedures or reports is needed as a result of the personal data breach,
• Whether it is necessary to take additional administrative and/or technical measures to prevent the recurrence of personal data breaches,
• Personnel awareness training to prevent the recurrence of the breach,
• Whether additional investment in resources/infrastructure is needed to reduce exposure to breaches and their cost impacts.
6. Relevant Policy and Procedures
This Procedure shall be implemented together with all policies and procedures in force regarding the protection and processing of personal data by the Company.
7. Update
This Procedure shall be reviewed and revised every 3 years regardless of whether a change in its institutional or legal content is necessary. Even if the Procedure has not been updated, changes in legislation shall be implemented immediately.