DATA BREACH RESPONSE PLAN
Purpose, Scope, and Definitions
Purpose
This Plan defines roles and responsibilities within ANT Lojistik Limited Şirketi (‘Company’), as data controller, for fulfilling its obligations to ensure an appropriate level of security to protect fundamental rights and freedoms (in particular the privacy of private life), to prevent unlawful processing of and unlawful access to personal data, and to ensure the preservation of personal data. It also sets out the procedures and principles governing who reports to whom within the Company in the event that personal data it processes is obtained by others through unlawful means, the notifications to be made under the Law, the assessment of the possible consequences of the data breach, and who within the Company holds responsibility.
Scope
The scope of this Plan includes employees tasked with processing personal data by the Company in physical or electronic environments.
Definitions
For the purposes of this Plan:
- Explicit consent: Consent that relates to a specific subject, is given on an informed basis, and is declared with free will.
- Data subject: The natural person whose personal data is processed.
- Law: Personal Data Protection Law No. 6698 (‘Law’).
- Personal data: Any information relating to an identified or identifiable natural person.
- Processing of personal data: Any operation performed upon personal data wholly or partially by automatic means or by non-automatic means provided that it is a part of any data registry system, such as obtaining, recording, storing, retaining, altering, rearranging, disclosing, transferring, taking over, making available, classifying, or preventing use.
- Board: Personal Data Protection Board.
- Plan: Company’s Data Breach Response Plan.
- Data Breach: Personal data processed by the data controller being obtained by others through unlawful means.
- Data registry system: The registry system in which personal data is processed by being structured according to specific criteria.
- Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data registry system.
Data Breach
Pursuant to Article 12/5 of the Law, a Data Breach is personal data processed by the Company being obtained by others through unlawful means. In addition, for the purposes of this Plan, any security incident that leads to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed is also treated as a Data Breach.
Objectives, Roles, and Responsibilities
Objectives
In the event of a Data Breach, the Company’s objectives under this Plan are to:
- Investigate the incident that caused the Data Breach internally across all relevant departments (in cooperation with law enforcement and other public institutions where necessary).
- Identify the source of the Data Breach.
- Identify the categories of personal data affected by the Data Breach.
- Identify the groups/parties of data subjects affected by the Data Breach.
- Determine the impact of the Data Breach on the Company’s organization, including the extent of commercial loss, operational disruption, reputational harm, and/or financial damage, and minimize them by lawful means.
- Determine the time to recovery after the Data Breach.
- If there is a cyberattack, determine whether information systems were affected, the breached element, the impact on the Company’s organization, and the time to recovery after the attack.
- Determine the steps taken to prevent recurrence of the breach and estimate the timelines to complete them.
- Notify the Board without delay and within 72 hours at the latest of learning of the breach, in accordance with the Law and the Board’s decisions.
- Notify affected data subjects as soon as possible using appropriate methods.
- Notify employees as soon as possible.
- Where necessary, notify other domestic organizations or institutions within the legal deadlines.
- Notify foreign data protection authorities or relevant institutions within the legal deadlines where applicable.
- Conduct internal audits, organize training activities, and ensure internal communication after the incident to minimize future Data Breaches.
- Record information about data breaches, their impacts, and the measures taken, and keep these records ready for the Board’s inspection.
Departments and Responsibilities
In the event of a Data Breach, departments responsible under this Plan shall be determined according to the nature of the incident; at least one representative from each department will be assigned. Responsibilities include:
| Department | Responsibilities in the Event of a Data Breach |
|---|---|
| Management/Consultant | Investigate the incident internally (and with the relevant authorities where necessary). Identify the source, the affected data categories, the affected groups, the potential impacts, the organizational impacts, the time to recovery, and the non-recurrence steps and their timelines. Notify the Board without delay and within 72 hours at the latest; notify foreign authorities where applicable; record all details; conduct internal audit, training, and communication; ensure notification by the data processor where relevant; review the Plan every six (6) months from its effective date. |
| IT Department | Determine whether information systems were affected; identify the breached element; determine the organizational effects and the time to recovery. |
| Human Resources Department | Determine whether the breach was carried out by a Company employee; determine whether employees were affected; identify the breached element, the organizational effects, and the time to recovery; prepare training and carry out internal communication; notify employees promptly; conduct an internal audit after the incident; notify affected data subjects as soon as possible using appropriate methods; notify domestic organizations or institutions within the legal deadlines where necessary. |
Notification by the Data Controller
To prevent or minimize adverse consequences that may arise for affected individuals, notifications must be made to the Board and to affected data subjects. In line with the Board’s Decision dated 24.01.2019 and numbered 2019/10, the Company shall:
- Notify the Board without delay and within 72 hours at the latest from the date the Data Breach is learned.
- Upon identification of the affected individuals, notify the data subjects as soon as reasonably possible, directly if contact information is available, or via appropriate methods such as publication on the Company’s website if not.
- If it is not possible to notify the Board within 72 hours for a justified reason, explain the reasons for the delay together with the notification.
- Use the ‘Personal Data Breach Notification Form’ available at https://ihlalbildirim.kvkk.gov.tr/ or the form in Annex-1 of this Plan for notifications to the Board, and read the guide in Annex-2 when using the internet form.
- Where it is not possible to provide all information at once, provide the information in stages without delay.
- Record information about data breaches, their impacts, and the measures taken, and keep these records ready for the Board’s inspection.
All notification-related activities shall be carried out by the units specified above.
Principles for Notifying the Data Subject
Pursuant to the Board’s Decision dated 18.09.2019 and numbered 2019/271, notifications to affected or potentially affected data subjects shall be made in clear and plain language and shall include at least:
- When the breach occurred;
- Which personal data categories were affected (distinguishing between personal data and special categories of personal data);
- The possible consequences of the personal data breach;
- The measures taken or proposed to reduce the adverse effects;
- The names and contact details of the contact persons from whom data subjects can obtain information about the breach, or the full address of the data controller’s website, call center, etc.
Notification by the Data Processor
Where personal data held by the data processor is obtained by others through unlawful means, the data processor shall, without delay, notify the data controller (the Company). The Company shall then notify the Board.
Cross-Border Data Breach
If a data breach occurs at a data controller located abroad and affects data subjects resident in Türkiye who benefit from that controller’s products and services in Türkiye, that data controller shall also notify the Board.
Entry into Force
This Plan enters into force as of [•] and after its publication on the Company’s website.
Review of the Plan
This Plan shall be reviewed periodically every six (6) months.