MUSICHOOL
PERSONAL DATA BREACH PROCEDURE
TABLE OF CONTENTS
1. PURPOSE AND SCOPE
2. BACKGROUND
3. DATA CONTROLLER
4. DEFINITIONS
5. DATA BREACH / DATA BREACH RISK
6. ACTION PLAN
7. VIOLATIONS AND SANCTIONS
8. REVISION
1. Purpose and Scope
Musichool takes compliance with data protection legislation seriously and adopts a risk-based approach to it.
In accordance with the Personal Data Protection Law No. 6698 (hereinafter "PDPL") and other legislation containing special provisions, Musichool has prepared and published policies and procedures covering the personal data it stores as data controller. This Musichool Personal Data Breach Procedure covers the steps to be taken when those policies are breached and personal data is obtained or processed unlawfully as a result. It sets out the necessary measures, the initial response, the required notifications and correspondence, and the processes to be executed.
It details the action plan to be followed when personal data or special categories of personal data processed within Musichool under data protection legislation are at risk of, or have already been, obtained by third parties through unlawful means.
2. Background
The Musichool Personal Data Breach Procedure has been prepared in accordance with the PDPL, Personal Data Protection Board Decision No. 2019/10 dated 24.01.2019 on the Procedures and Principles for Notification of Personal Data Breaches, the Musichool PDPL Policy, and the publications and guides issued by the Personal Data Protection Authority.
One of the most important obligations of the data controller is to ensure the security of the personal data it processes. To this end, and in accordance with Article 12 of the PDPL, Musichool takes all necessary technical and administrative measures to ensure an appropriate level of security in order:
- To prevent unlawful processing of personal data
- To prevent unlawful access to personal data
- To ensure the preservation of personal data
3. Data Controller
Musichool, which determines the purposes and means of processing the personal data processed under its legal entity and is responsible for establishing and managing the data recording system, is the data controller within the meaning of the PDPL.
4. Definitions
Important definitions in the Musichool Data Breach Procedure and legislation are listed in the table below with their meanings:
| Term | Description |
|---|---|
| Personal Data | All kinds of information relating to an identified or identifiable natural person |
| Special Categories of Personal Data | Data concerning race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data |
| Data Subject | The identified or identifiable natural person whose personal data is processed (Concerned person) |
| Data Breach | In personal data protection law; processed personal data falling into the hands of third parties through illegal means |
| Data Controller | The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system |
| PDPL Authority | Personal Data Protection Authority |
| Data Security Board | The Board that will provide the necessary coordination within the Company within the scope of ensuring, maintaining and sustaining compliance with personal data protection legislation by Musichool |
5. Data Breach / Data Breach Risk
Any of the following is treated as a data breach or a data breach risk under this Procedure:
- Obtaining, processing, or sharing with third parties (domestic or abroad) data defined by the PDPL as personal data or special categories of personal data without the explicit consent of the data subject
- Personal data, even where explicit consent was obtained, falling into the hands of third parties in violation of the published policies on the protection of personal data
- Transfer of data to third parties through unlawful interference with physical or electronic environments
- Failure to take sufficient data security measures in physical or electronic environments
6. Action Plan
When a data breach is detected, the Personal Data Protection Board is notified without delay and within 72 hours at the latest from the moment the breach is learned of, and the affected data subjects are informed as soon as reasonably possible (see 6.2). If the 72-hour period cannot be met, the reasons for the delay are stated in the notification to the Board. To comply with the 72-hour notification period, the processes listed below must be executed.
When a data breach is detected, the personnel who detect it notify the Data Security Board officials verbally without delay and within 60 minutes at the latest, or Musichool officials if the Data Security Board officials cannot be reached. Once notified of the breach, the Data Security Board must convene within 24 hours at the latest and carry out the processes listed below.
6.1. Determination of Data Breach Cause
- Sending personal data to wrong recipients
- Document/device theft or loss
- Storage of data in insecure environments
- Malicious software
- Social engineering
- Sabotage
- Accident/Negligence
- Other
6.2. Data Subjects Affected by the Breach
Data subjects affected by the breach are informed about it as soon as reasonably possible.
Requests and applications by data subjects concerning their personal data after the breach are processed and evaluated without delay in accordance with the Musichool Data Subject Relations Guide.
6.3. Personal Data Categories
- Identity
- Contact
- Location
- Personnel
- Legal Transaction
- Customer Transaction
- Physical Space Security
- Transaction Security
- Risk Management
- Finance
- Professional Experience
- Marketing
- Visual and Audio Records
6.4. Special Categories of Personal Data
- Race and Ethnic Origin
- Political Opinion
- Philosophical Belief
- Religion, Sect and Other Beliefs
- Dress and Attire
- Association Membership
- Foundation Membership
- Union Membership
- Health Information
- Sexual Life
- Criminal Conviction and Security Measures
- Biometric Data
- Genetic Data
6.5. Groups of Persons Affected by the Breach
- Employees
- Users
- Subscribers/Members
- Customers and Potential Customers
- Other
6.6. Impact of the Breach on Individuals
- Loss of control over personal data
- Identity theft
- Discrimination
- Restriction of rights
- Fraud
- Financial loss
- Loss of reputation
- Loss of confidentiality of personal data
- Other
6.7. Impact of the Breach on the Organization
| Level | Description |
|---|---|
| Unknown | Impact not yet assessed |
| Low | No loss of service; operations continue normally |
| Medium | Loss of the ability to provide an important service to some users |
| High | Loss of the ability to provide all important services to all users |
6.8. Recovery Time
- Normal: recovery within the standard time for the affected system
- Assisted: recovery requires additional resources
- Extended: long-term recovery is required
- Irreversible: the damage is permanent and recovery is not possible
- Completed: recovery has been completed
6.9. Information System Affected by Cyber Attack
If an information system is affected by a cyber attack, a detailed report is prepared describing the attack, the expected recovery time (per 6.8) and the impact on the organization (per 6.7).
7. Violations and Sanctions
If an employee violates the policies and procedures on personal data published by the data controller, the employee's written defense is requested in accordance with the Employment Contract, the PDPL Confidentiality Commitment and Labor Law No. 4857, and disciplinary action is taken in accordance with the law. The violation may also constitute a criminal offense under the Turkish Penal Code No. 5237.
8. Revision
This Procedure enters into force upon approval by the Data Security Board, which is also authorized to decide on changes to this Procedure and how they are implemented.
The Musichool Personal Data Breach Procedure is reviewed at least once a year; where changes are necessary, it is updated and submitted to the Data Security Board for approval. In case of conflict between this Procedure and the legislation in force, primarily the PDPL, the provisions of the legislation prevail.
Musichool reserves the right to amend this Procedure in line with legal regulations issued by the Personal Data Protection Authority as the administrative authority. Revisions to this Procedure or to the legislation are added to the Procedure with their date and subject, and become an integral part of it once the necessary announcements have been made.