DATA BREACH RESPONSE PLAN

1. INTRODUCTION

1.1 Purpose

Pursuant to Article 12(5) of Law No. 6698 on the Protection of Personal Data (“Law”), in the event that personal data processed by any data controller is obtained by others through unlawful means, the data controller is obliged to notify the data subject and the Personal Data Protection Board (“Board”) as soon as possible. The Board may, if deemed necessary, announce this breach on its website or through any other appropriate method.

This Plan has been prepared in accordance with the obligations set forth in the “Announcement on Personal Data Breach Notification Procedures and Principles” published following the Board’s Decision dated 24.01.2019 and numbered 2019/10.

1.2 Scope

This Plan outlines the procedures and principles regarding the internal reporting of a personal data breach, notification to data subjects and the Board, and the completion of the Personal Data Breach Notification Form in the event of unlawful access to personal data processed by the Company.

2. DEFINITIONS OF LEGAL AND TECHNICAL TERMS & ABBREVIATIONS

  • Data Subject: The natural person whose personal data is processed.
  • Form: The “Personal Data Breach Notification Form” attached to this Plan, used for notification to the Board.
  • Relevant User: Persons who process personal data within the organization of the data controller or based on the authority and instructions received from the data controller, excluding those responsible for the technical storage, protection, and backup of data.
  • Decision: Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10.
  • Board: Personal Data Protection Board of Türkiye.
  • Policy: The Personal Data Retention and Destruction Policy.
  • Company: Ahşap Ürün Sanayi A.Ş.

Any undefined terms in this Plan shall have the meanings given in the Personal Data Retention and Destruction Policy.

3. INTERNAL REPORTING OF DATA BREACHES

  • Potential data breach risks must be reported to the relevant department manager as soon as possible.
  • The IT officer shall continuously monitor and report risks of malicious software and cyber-attacks.
  • Any connection of employees' personal electronic devices to the corporate network shall be monitored and managed by the IT officer.
  • Breaches caused by user negligence (e.g., opening a malicious email attachment, sending emails to the wrong recipient) must be immediately reported by the user to their manager and the IT officer.
  • In case of theft or loss of devices containing personal data (laptop, mobile phone, flash drive, etc.), the user must promptly report the incident to the IT officer.

4. NOTIFICATION TO THE PERSONAL DATA PROTECTION BOARD

4.1 General

The Personal Data Protection Board must be notified of any data breach within 72 hours from the time the Company becomes aware of it, using the "Personal Data Breach Notification Form" attached. If the notification cannot be made within 72 hours for justifiable reasons, the reasons for the delay shall be clearly stated in the relevant section of the Form.

4.2 Completion and Submission of the Form

  • The IT officer and the data protection contact person shall prepare the draft information for the Notification Form; the Form shall then be signed by the Company's authorized representative.
  • All records and evidence used to fill in the details of the breach, its impact, and remedial actions must be retained and made available for inspection by the Board.
  • After approval from management, the form shall be submitted to the Board by the data protection contact person.
  • The completed form can be sent via encrypted corporate email to ihlalbildirimi@kvkk.gov.tr with the subject “Personal Data Breach Notification” or submitted through the online portal:
    https://ihlalbildirim.kvkk.gov.tr/

5. NOTIFICATION TO DATA SUBJECTS

Once the individuals affected by the data breach are identified, they shall be notified as soon as reasonably possible, either directly via their contact details or, if unreachable, via appropriate public methods such as announcements on the Company’s website.

Such notification must be made in clear and plain language and must include at minimum:

  • The date and time of the breach,
  • Which personal data (categorized as general or special categories of personal data) were affected,
  • Possible consequences of the breach,
  • Measures taken or recommended to mitigate negative impacts,
  • Contact details of persons or departments who can provide further information (e.g., website, call center, email, etc.).

6. PUBLICATION AND STORAGE OF THE PLAN

This Plan shall be stored in both hard copy and electronic formats.

7. PLAN REVIEW AND UPDATES

The Plan shall be reviewed annually and updated when necessary.

8. EFFECTIVENESS AND TERMINATION OF THE PLAN

This Plan enters into force upon approval by the Company's management. When a new version replaces this Plan, the superseded signed copies shall be marked as invalid, signed to that effect, and archived for at least five years.

Annexes:

  1. Link to the Personal Data Breach Notification Form:
     https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/617f166c-24e1-42b5-a9cb-d756d6443af9.pdf
  2. Online breach notification submission portal:
     https://ihlalbildirim.kvkk.gov.tr/