Pursuant to the data privacy legislation, data controllers are required to notify both the DPA and the relevant individuals regarding any data breach within 72 hours (at the latest) after becoming aware of the breach. Also, data controllers should finalise and respond to the applications of individuals (e.g. applications for rectification, erasure, destruction and anonymisation of personal data) within shortest period of time, but not later than 30 days as of the date of such application. Failure to comply with these time periods may lead to monetary fines.
According to the announcement made on 23 March 2020, DPA notifies that it will take into account the extraordinary circumstances caused by the Coronavirus outbreak on a case by case basis when assessing time periods regarding any data privacy breach notification or application.