In today’s digital age, personal data has become one of individuals’ most valuable assets. With the proliferation of the internet and technology, the collection, processing, and storage of personal data have also increased rapidly. However, this also brings with it data security risks, and occasional data breaches can cause individuals to suffer serious losses. In the event of a breach of personal data, protected by the Personal Data Protection Law (KVKK), victims have the right to file a lawsuit for compensation. However, this process involves important details that require legal knowledge and careful attention. In this article, we will examine in detail the critical points that individuals considering filing a lawsuit for compensation due to a data breach should consider.
What is a Personal Data Breach and Its Legal Basis
A personal data breach refers to the unlawful acquisition, alteration, destruction, or disclosure of personal data processed by a data controller. Such breaches can typically occur through cyberattacks, system vulnerabilities, human error, or malicious actors.
Concepts of Personal Data and Data Breach
Personal data encompasses any information relating to an identified or identifiable natural person. This includes a wide range of data, including name, surname, Turkish ID number, address, telephone number, email address, health information, and financial information. A data breach, as stipulated in Article 12/5 of the Personal Data Protection Law, results in the data controller being liable for compensation if the processed personal data is obtained by a third party through unlawful means. This definition demonstrates that breaches can occur in a wide range of situations.
KVKK and the Obligations of the Data Controller
The Personal Data Protection Law (KVKK) regulates the fundamental principles to be followed in the processing of personal data and the obligations of data controllers. A data controller is the natural or legal person responsible for determining the purposes and means of processing personal data and for establishing and managing the data recording system. According to the KVKK, data controllers are obligated to take all technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data, prevent unlawful access to data, and ensure the safekeeping of data. If a data breach occurs as a result of a breach of these obligations, the data controller will be legally liable.
The Effects of Data Breach on Individuals and Victim Rights
Data breaches can have a variety of negative impacts on individuals, both financial and emotional. These impacts may require victims to pursue legal action to seek their rights.
Material and Moral Damages
The financial losses individuals can suffer as a result of a data breach are quite diverse. For example, theft of credit card information, withdrawals from bank accounts, fraudulent transactions made using the victim’s identity, and exposure to fraudulent activity can all lead to financial losses. Non-pecuniary damages, on the other hand, include the emotional and psychological effects of personal data disclosure, such as embarrassment, stress, anxiety, loss of reputation, and violation of privacy. Non-pecuniary compensation may be sought for these types of losses.
Ways to Seek Rights: Personal Data Protection Authority and Litigation Process
Data breach victims can take several avenues to assert their rights. First, they can contact the relevant data controller to demand remediation of the breach and compensation for their damages. If the request is not responded to within a certain period or is rejected, a complaint can be filed with the Personal Data Protection Authority (KVKK). The Authority can assess the complaint and impose administrative fines on the data controller or order the remediation of the breach. However, individual compensation claims require legal action, i.e., filing a lawsuit for compensation.
Steps to Take Before Filing a Compensation Lawsuit
There are several critical steps to take before filing a data breach compensation claim. These steps are crucial for increasing your chances of success and preventing loss of rights.
Detection of Violation and Collection of Evidence
First, it’s essential to confirm that a data breach actually occurred and to gather the evidence to substantiate it. Documents and records, such as breach notifications from the data controller, email correspondence, bank statements, official identity theft documentation, cybersecurity reports, or information from relevant public institutions (e.g., General Directorate of Security reports), will form the basis of the case. Collecting complete and accurate evidence is crucial for proving a compensation claim.
Contacting the Data Controller and Following the Breach Notification
Pursuant to Article 13 of the Personal Data Protection Law (KVKK), victims of data breaches must first contact the data controller to assert their rights. The data controller is obligated to respond to this request within 30 days at the latest. The data controller is also obligated to notify the Personal Data Protection Board of the data breach. These notifications and the measures taken by the data controller can be used as evidence in litigation. It is essential to carefully monitor the data controller’s statements regarding the breach, the measures taken, and their commitments to the victims.
Complaints to the Personal Data Protection Authority and Process
If the data controller does not respond positively to the request, or does not respond within the timeframe, a complaint can be filed with the Personal Data Protection Board. The Board may initiate an investigation into the complaint and impose an administrative fine on the data controller or order the rectification of the violation. Board decisions can set an important precedent in compensation cases and help prove the data controller’s fault. However, it should be noted that the Board cannot directly award compensation; compensation can only be awarded through the courts.
Burden of Proof and Damages in Data Breach Compensation Cases
To succeed in a compensation claim, it is necessary to prove that there was a breach, that damage occurred, and that this damage resulted from the breach.
Proof of Damage and Violation
In compensation cases, the burden of proof generally rests with the plaintiff. This means you must prove with concrete evidence that a data breach occurred, that you suffered damage, and that this damage resulted from the breach. Establishing that the data controller failed to fulfill its obligations under Article 12 of the Personal Data Protection Law (KVKK), that is, that it failed to take the necessary measures to ensure data security or took them inadequately, will positively impact the outcome of the case.
Claims for Material Compensation
Financial compensation aims to cover the financial losses directly suffered as a result of a data breach. Financial compensation can cover tangible and documentable losses, such as stolen money, debts incurred as a result of fraud, expenses incurred due to identity theft, loss of employment, or reduced income. It is crucial that the amount of these damages be clearly stated and supported by relevant documentation.
Claims for Non-Pecuniary Damages
Non-pecuniary damages are intended to compensate for the psychological and emotional harm inflicted on an individual by a data breach. Violations of privacy, loss of reputation, embarrassment, stress, fear, and anxiety can all be the subject of a claim for non-pecuniary damages. The amount of non-pecuniary damages is at the discretion of the judge and is determined by considering factors such as the nature, duration, and extent of the breach, the degree of harm suffered by the victim, and the extent of fault on the part of the data controller. In such claims, a detailed explanation of the grievance and, if available, supporting reports (such as a psychologist’s report) may be helpful.
Litigation Period and Statute of Limitations
Paying attention to the statute of limitations when filing a data breach compensation claim is critical to preventing loss of rights.
General Statute of Limitations
According to the Turkish Code of Obligations, the general statute of limitations for compensation claims arising from tort is two years from the date the injured party learns about the damage and the perpetrator. In any case, it is ten years from the date the act was committed. In the case of a data breach, the two-year period begins when the injured party learns about the breach and the data controller responsible for the breach.
Calculation of Special Circumstances and Durations
Because data breaches often involve complex structures, determining the start of the statute of limitations can be difficult. Factors such as when the breach was discovered, when the data controller gave notice of the breach, and when the victim became aware of the notification can all influence the start of the statute of limitations. Therefore, it is important for data breach victims to seek legal assistance as soon as possible to assess their situation and accurately calculate the statute of limitations. Otherwise, the right to file a lawsuit may become statute-barred.
Why is Legal Support Important?
Data breach compensation claims are complex processes that require technical and legal expertise. Enlisting the support of an expert legal professional is crucial for victims to obtain their rights in full.
Expert Opinion and Process Management
In a data breach case, expert advice is needed at many stages, including determining the nature of the breach, assessing damages, gathering evidence, formulating legal arguments, and preparing legal petitions. An experienced legal professional can accurately analyze their client’s situation, develop an effective litigation strategy, and professionally manage the entire process. This saves time and increases the likelihood of success.
Prevention of Loss of Rights
Factors such as statutes of limitations, difficulties in gathering evidence, and the complexity of legal procedures can cause data breach victims to lose their rights. A qualified legal professional can minimize these risks and ensure that all of the client’s legal rights are protected. Potential errors in the legal process are prevented and the victim’s rights are protected as fully as possible.
Data breach compensation lawsuits safeguard individuals’ right to the protection of their personal data, one of the most fundamental rights in the digital world. For individuals considering filing such a lawsuit, carefully considering the aforementioned issues and seeking professional support from the outset of the legal process is a critical step toward a successful outcome. Increasing awareness of personal data protection and the effective use of legal mechanisms are crucial for ensuring individual security in this increasingly digital world.