Personal Data Breach
YOURSIZER.COM PERSONAL DATA BREACH RESPONSE PROCEDURE 04.01.2026
1. DEFINITIONS AND ABBREVIATIONS
This Personal Data Breach Response Procedure ("Procedure") has been prepared by Yoursizer.com (www.yoursizer.com) ("Company" or "Data Controller"), operating at [address], in accordance with the provisions of Law No. 6698 on the Protection of Personal Data (KVKK) and the related secondary legislation. Clarifying the technical and legal terms used in this Procedure is important for creating a common understanding among all stakeholders. The key terms and abbreviations used within the scope of this Procedure are explained below in accordance with the relevant legislation, primarily Article 3 of the KVKK:
- Anonymization: Rendering personal data in such a way that it cannot be linked to an identified or identifiable natural person, even when combined with other data. In the specific case of Yoursizer.com, this includes irreversibly severing the identity link, particularly for data used for algorithm improvement and aggregate research purposes.
- Biometric Data: Personal data that serves to uniquely distinguish a person's body shape, such as height, leg length, waist circumference, shoulder width, chest and hip circumference (for example, the physical body measurements from which recommended size information is derived), which is considered a special category of personal data under Article 6 of the KVKK. This data is sensitive information that distinguishes a person from others and makes them identifiable.
- 3D Avatars: A digital three-dimensional model representing a person's physical characteristics, generated by our algorithms from the user's body measurements. This avatar is a unique representation created through the processing of biometric data and is treated as special category personal data.
- Data Subject (Relevant Person): The natural person whose personal data is processed. In the specific case of Yoursizer.com, this includes platform users, website visitors and other natural persons who benefit from our services.
- Personal Data: Any information relating to an identified or identifiable natural person. As emphasized in the decision of the 12th Criminal Chamber of the Supreme Court of Appeals, numbered 2020/1085 E., 2022/5406 K., any information that identifies or makes identifiable a person, distinguishes them from other individuals in society and is suitable for revealing their characteristics, such as demographic information, criminal record, place of residence, educational status, profession, bank account information, telephone number, e-mail address, blood type, marital status, fingerprints, DNA, biological samples such as hair, saliva and nails, sexual and moral orientation, ethnic origin, political, philosophical and religious views, and trade union affiliations, which a person does not disclose to unauthorized third parties but shares with a limited circle upon request, is considered personal data.
- Personal Data Breach (Data Breach): Situations in which personal data is obtained, disclosed, accessed, altered, deleted, destroyed or damaged by others through unlawful means. Under Article 12/5 of the KVKK, the data controller is obliged to notify when such a situation is detected.
- Board: The Personal Data Protection Board, the decision-making body of the Personal Data Protection Authority (KVKK Article 19).
- Special Category Personal Data: Personal data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data (KVKK Article 6/1). Biometric data within this scope is highly sensitive and is considered special category personal data.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system (KVKK Article 3/ı). Within the scope of this Procedure, it refers to Yoursizer.com.
- Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller (KVKK Article 3/ğ). Third parties used by Yoursizer.com, such as cloud infrastructure providers and analytics service providers, may fall within this scope.
- VIME: Abbreviation for the Data Breach Response Team.
2. DATA BREACH RESPONSE TEAM (VIME) AND RESPONSIBILITIES
At Yoursizer.com, we have established an interdisciplinary Data Breach Response Team (VIME) to ensure a rapid, coordinated, and effective response in the event of a data breach. This team intervenes from the moment a breach is detected, managing the processes of containing the incident, mitigating its effects, and ensuring full compliance with legal obligations. The team members and their responsibilities may be expanded or narrowed depending on the complexity and scale of the incident.
2.1. Structure and Core Members of VIME: VIME consists of the following core members and is expanded with external consultants as needed:
- Senior Management Representative (CEO/CTO):
  - Provides overall coordination and strategic direction for the breach response process.
  - Holds the ultimate authority in making critical decisions.
  - Approves notifications and public statements to be made to the Board.
  - Ensures the rapid allocation of necessary resources (financial, human resources).
- Technical Leader (CTO/DevOps Manager):
  - Responsible for the technical detection, verification and determination of the extent of the breach.
  - Coordinates the isolation of affected systems, patching of the vulnerability, system restoration and digital forensics investigations.
  - Prepares log analysis and technical reports.
  - Collaborates with cybersecurity experts and other technical teams.
- Legal / GDPR Compliance Officer:
  - Monitors the compliance of the breach response process with the KVKK and related legislation.
  - Governs the legal content and timing of notifications to the Board and data subjects.
  - Assesses potential legal risks and provides necessary legal advice.
  - Coordinates with foreign legal advisors.
- Marketing/Communications Manager:
  - Collaborates with the legal department in preparing informational texts for data subjects.
  - Manages communication with the public and the media when necessary.
  - Develops strategies to protect brand reputation and public perception.
2.2. Incident Response Contact List and Emergency Call Tree: The identities and contact information of VIME members and external consultants (cybersecurity firm, external legal advisor, PR/communications support) are maintained in restricted-access "Incident Response Contact List" and "Emergency Call Tree" documents within the company to prevent unauthorized access. Access to these lists is generally limited to senior management, the GDPR/compliance officer, and the technical leader/DevOps officer. The lists are checked periodically (at least every 6 months) for currency and updated immediately in case of changes. These mechanisms aim to minimize response time by ensuring rapid and uninterrupted communication in the event of a breach.
2.3. Coordination with External Consultants: Depending on the nature and scale of the incident, VIME may coordinate with external cybersecurity experts, digital forensics firms, external legal advisors, and public relations/communication agencies. These external stakeholders provide support to VIME in their areas of expertise, contributing to the professional and comprehensive execution of the breach response process. Data security, confidentiality, and breach notification obligations are clearly stated in all contracts with external service providers. In accordance with Article 12/2 of the KVKK, the data controller is jointly responsible with another natural or legal person for taking the necessary measures when personal data is processed on its behalf.
3. DATA BREACH DETECTION AND INITIAL ASSESSMENT PROCESS
Effective data breach management depends primarily on the rapid and accurate detection of the breach, followed by an initial assessment and immediate response steps. At Yoursizer.com, we manage these processes with the following steps:
3.1. Reporting a Suspected Breach and Opening an Incident Record: Suspicion of a data breach can come from various sources:
- System Log Anomalies: Anomalous access, unauthorized data transfers, or system behaviors detected by security information and event management (SIEM) systems.
- User Complaints: Suspicious activity in the accounts of data subjects, allegations of disclosure of personal data, or signs of identity theft.
- Third-Party Notices: Breach reports made by security researchers, business partners, or other organizations.
- Internal Audits: Critical security vulnerabilities identified during periodic security audits or vulnerability scans.
In case of any suspected breach, relevant personnel immediately notify VIME, and an incident record is opened in the "Incident Management System". This record must include the time the incident started, how it was detected, the person who reported it, and initial observations.
3.2. Initial Technical Verification and Isolation Strategies: After an incident record is opened, the Technical Leader (CTO/DevOps Officer) and the relevant technical team take the following steps to quickly verify the suspected breach:
- Verification: Log records, system metrics, security alerts, and the status of affected systems are examined to determine whether the breach is real and what its nature is. Scenarios such as unauthorized access, data leakage, lost devices, and misuse of data are evaluated.
- Isolation and Emergency Measures: To stop the spread of the breach and minimize potential harm, emergency isolation strategies are implemented. These may include:
  - Access Interruption: Accounts or keys found to have been accessed without authorization are immediately revoked.
  - System Segmentation: Affected systems are isolated from other critical systems or the general network through network segmentation (VPC isolation).
  - Service Suspension/Restriction: Temporarily suspending or restricting access to the service in which the breach occurred.
  - Password Rotation: All system passwords and API keys that may have been affected by the breach are rotated.
  - Firewall Rules: Blocking traffic from suspicious IP addresses using firewall rules.
- The Goal, Stopping the Spread: The primary goal of these initial response steps is to limit the scope of the breach, prevent further data loss or unauthorized access, and protect system integrity. The decision of the 11th Civil Chamber of the Supreme Court, numbered 2024/229 E., 2024/5935 K., also held that banks' failure to implement adequate security measures in their internet infrastructure constitutes negligence. This clearly demonstrates the data controller's technical responsibility to prevent and halt the spread of breaches.
3.3. Determining the Affected Scope: Simultaneously with the isolation steps, efforts are made to quickly determine the data categories affected by the breach, the estimated number of people involved, the systems affected, and the time frame of the breach. This information is critical for the subsequent risk analysis and notification processes.
4. VIOLATION CLASSIFICATION AND RISK ANALYSIS
Following the detection of a data breach and the initial isolation steps, a comprehensive risk analysis is conducted to determine the severity of the incident and its potential impact on affected individuals. This analysis forms the basis for determining the response strategy, notification obligations, and measures to be taken. Yoursizer.com classifies potential breaches within the framework of the following risk matrix:
4.1. Risk Classification Matrix:

| Risk Level | Definitions and Criteria | Example Scenarios | Urgency of Intervention |
|---|---|---|---|
| Low Risk | Limited scope, low-sensitivity data (e.g., anonymized usage data), quickly contained incident, low risk of tangible harm to data subjects. | Short-term and limited unauthorized access to anonymized analytical data; accidental disclosure and rapid retrieval of masked data in a test environment. | Immediate notification may not be required; internal reporting and corrective actions take priority. |
| Medium Risk | Broader user impact or impact on personal data that is not directly identifying, such as transaction security/usage data. Potential but low-to-moderate risk of harm to data subjects. | A limited number of users' IP addresses and browser information accessed without authorization; their email addresses at risk of being added to spam lists. | Notification to the Board may be required; a risk assessment is conducted for individual notification to data subjects. |
| High Risk | Leaks of sensitive or special category personal data, such as biometric data (body measurements, 3D avatar) or identity/contact information (name, surname, email, national identity number), pose a high risk of large-scale impact, identity theft, fraud, discrimination, or reputational damage. | Unauthorized access to users' body measurements or 3D avatars; disclosure of numerous users' names, surnames, and email addresses; (limited) leakage of payment information. | Immediate notification to the Board and data subjects is mandatory. Action must be taken as soon as possible, within 72 hours. |
4.2. Risk Analysis Criteria: The following criteria are thoroughly evaluated when classifying breaches:
- Affected Data Category: The sensitivity level of the data. In particular, biometric data (body measurements, 3D avatar) is a special category of personal data under Article 6 of the KVKK, and its breach is directly categorized as "High Risk". This is because, as stated in the precedents of the Supreme Court, this data is sensitive information that identifies or makes an individual identifiable, distinguishes them from other individuals in society, and is suitable for revealing their characteristics. Financial data (payment information) and identity and contact information also carry a high-risk potential.
- Number of People Affected: The risk level increases as the number of individuals affected by the breach increases.
- Nature and Scope of the Breach: The actions that affected the data (unauthorized access, copying, modification, deletion, or destruction), how long the breach lasted, and how wide a geographical area it covered.
- Potential Consequences of the Breach: Whether the individuals involved may suffer tangible and serious harm, such as identity theft, fraud, discrimination, reputational damage, or financial loss.
- Data Protection Level: Whether the compromised data was encrypted, masked, or anonymized. Such protective measures can reduce the level of risk.
- Data Controller's Ability to Control: How quickly the breach was brought under control and the effectiveness of the measures taken to prevent its recurrence.
This risk analysis is quickly completed by VIME, enabling the development of an appropriate response plan and notification strategy based on the severity of the incident.
5. OPERATIONAL INTERVENTION AND SYSTEM IMPROVEMENT
To minimize the impact of a data breach and restore system security, operational response and remediation processes are carried out rapidly and in a coordinated manner by VIME's technical team. These processes include steps ranging from containing the breach to implementing permanent solutions.
5.1. Patching the Vulnerability and Restoring System Security:
- Root Cause Analysis (RCA): A detailed root cause analysis is conducted to determine the underlying cause of the breach (e.g., software vulnerability, misconfiguration, unauthorized access, human error). This analysis is critical for preventing similar breaches in the future. The decision of the 8th Criminal Chamber of the Supreme Court, numbered 2019/7710 E., 2019/13426 K., also criticized the investigative authorities for failing to gather sufficient evidence and determine the cause of the incident; this reinforces the data controller's responsibility to identify and address the root cause of the breach.
- Vulnerability Patching: The identified vulnerability (e.g., software bug, security flaw) is immediately patched by applying security patches, making code changes, or updating system configurations.
- Password/Key Rotation: All user passwords, system passwords, API keys, and encryption keys that may have been affected by the breach are immediately rotated. Users are asked to change their passwords.
- Tightening Access Controls: Role-based access control (RBAC) policies are reviewed, authorizations are redefined, and the use of multi-factor authentication (MFA) is made mandatory for critical access. According to Article 12 of the KVKK, the data controller is obliged to take all necessary technical and administrative measures to ensure an appropriate level of security to prevent unlawful access to personal data. Court precedents also indicate that the lack of such measures can lead to administrative fines.
- System Improvements: Firewall and web application firewall (WAF) rules are updated, network segmentation policies are strengthened, and monitoring/alerting systems are made more sophisticated.
5.2. Restoring from Backups and Restarting the Service:
- Data Integrity Check: The integrity and accuracy of the affected data are checked. If data loss or corruption is detected, a restoration plan is developed from secure and clean backups.
- Restore: Affected systems or databases are restored using the most current and secure backups. Backup strategies are designed to ensure rapid and reliable recovery in the event of a data breach (see the Retention and Destruction Policy).
- Phased Relaunch of the Service: After the systems are securely restored and all vulnerabilities are patched, the service is gradually restarted under close monitoring. Initial measures may include limiting access or disabling certain features.
5.3. Time Objectives: Timing is critical in operational response processes. Yoursizer.com adopts the following time targets:
- Initial Isolation and Emergency Measures: Completed within the first hours following the detection of a suspected breach. The aim is to immediately stop the spread of the breach.
- Scope/Risk Assessment and Initial Reporting: The initial assessment of the scope of the breach, the data categories affected, and the number of people involved is clarified within the first 24-48 hours. This forms the basis for determining notification obligations.
- Vulnerability Patching and System Restoration: Depending on the severity of the incident, patching the vulnerability and safely restoring systems is planned to be completed within a few days.
- Permanent Corrective and Preventive Actions: Following the completion of the root cause analysis, permanent technical and administrative improvements to prevent similar breaches in the future are planned and implemented in the weeks following the closure of the incident.
These steps aim to minimize the operational impact of the data breach while restoring system security and data integrity as quickly as possible.
6. NOTIFICATION OBLIGATIONS AND PROCEDURE
In the event of a personal data breach, the data controller's obligation to notify the Personal Data Protection Authority (the Board) and the data subjects is explicitly regulated in Article 12, paragraph 5 of the KVKK (Law on the Protection of Personal Data). The procedures and principles for these notifications are detailed in the Board's Decision No. 2019/10 on "Notification of Data Breach". Yoursizer.com follows the procedures below to fulfill these obligations completely and on time:
6.1. Notification to the Board:
- Notification Period: If processed personal data is obtained by others through unlawful means, the data controller notifies the Board as soon as possible and, where applicable, within 72 hours from the date the breach was learned (KVKK Article 12/5). This period begins to run from the moment the breach is definitively determined or a suspicion of a breach arises with strong evidence. In case of a delay, the justifiable reasons for the delay are recorded in detail and stated in the notification.
- Content of the Notification: Notification to the Board is made by completing the "Data Breach Notification Form" published by the Board. This form must include at least the following information:
  - Date of the breach and the time it was detected.
  - The nature of the breach (e.g., unauthorized access, data leak, loss).
  - Affected data categories (e.g., identity, contact, biometric, financial).
  - Estimated number of people affected.
  - The potential consequences of the breach (e.g., risk of identity theft).
  - Measures taken or planned to be taken by the data controller.
  - Advice that data subjects can follow to protect themselves.
  - Contact channels that data subjects can use.
- Notification Format: Notification to the Board is made through the online portal or other electronic communication channels designated by the Board.
6.2. Notification to the Data Subject:
- Notification Obligation: Data subjects are notified without delay if the breach poses a high risk to them (KVKK Article 12/5). Situations such as the disclosure of biometric data (body measurements, 3D avatar), identity theft, or fraud are considered "high risk".
- Content of the Notification: The notification to data subjects is prepared in simpler and more understandable language than the notification to the Board. It includes at least the following information:
  - Summary and nature of the breach.
  - Which personal data was affected.
  - The potential consequences of the breach for them.
  - Measures taken by the data controller.
  - Steps they can take to protect their personal data (e.g., changing passwords, checking account activity).
  - Application and communication channels (email, support line).
- Notification Format: Data subjects are notified through appropriate communication channels such as email, SMS, in-app announcement, or personal notification via the platform. In accordance with Article 10/1-d of the KVKK, which mandates informing data subjects about their rights, this notification also addresses those rights.
- Notification in Case of International Transfer: In cases of breaches occurring when personal data is transferred abroad, the data controller fulfills its notification obligations to the Board and data subjects within the framework of the transfer security responsibilities under Article 9 of the KVKK. The data processor to whom the data is transferred is also obligated to notify the data controller of the breach. Pursuant to Article 12/2 of the KVKK, the data controller is jointly liable with the data processor.
6.3. Gradual Distribution of Notifications: In some cases, it may not be possible to fully ascertain all the details of the breach within 72 hours. In such cases, the Data Controller informs the Board with a partial notification based on the information obtained and provides supplementary information in additional notifications as soon as possible. This approach is consistent with the Board's expectation of transparency and prompt notification.
7. MONITORING OF PREVENTIVE TECHNICAL AND ADMINISTRATIVE MEASURES
The effectiveness of a data breach response procedure is ensured not only by reactive steps taken at the time of the breach, but also by continuously reviewing and updating proactive measures to prevent breaches. In accordance with Article 12 of the Turkish Personal Data Protection Law (KVKK), Yoursizer.com implements the following audit mechanisms to fulfill its data security obligations and minimize potential breaches:
7.1. Review of Technical Measures: Technical security measures are regularly audited and updated, taking into account technological developments and the dynamic nature of cyber threats. In this context:
- Multi-Factor Authentication (MFA): The effectiveness and scope of MFA usage in accessing critical systems and sensitive data are reviewed at least every 6 months. The MFA requirement is extended to new systems and user groups.
- Role-Based Access Control (RBAC): Access authorization matrices and RBAC policies are reviewed after job changes or system updates and at least every 6 months. Compliance with the "least privilege" principle is continuously monitored.
- Encryption Methods: The currency and reliability of the encryption algorithms used in transit (TLS) and at rest are checked periodically. The management and rotation of encryption keys are also monitored.
- Network Security (Firewall/WAF, Segmentation): Firewall rules, network segmentation policies, and intrusion detection/prevention systems (IDS/IPS) are regularly tested and optimized. Updates are made to address new threats.
- Vulnerability Management and Patching: Regular scans are conducted for software and hardware vulnerabilities in the systems, and identified vulnerabilities are prioritized, with patching and updating processes implemented quickly.
- Secure Backup and Destruction: Backup strategies, backup security, encryption, and rotation periods (72-day rotation) are reviewed at least every 6 months. The secure disposal processes for expired backups are audited.
7.2. Review of Administrative Measures: Administrative measures are regularly evaluated to minimize risks that may arise from human factors:
- Staff Training and Awareness: The effectiveness and frequency of training provided to all employees on personal data protection, data security, and data breach response procedures are evaluated at least every 6 months. Mandatory orientation training is provided for newly hired employees.
- Confidentiality Agreements and Authorization Matrix: The accuracy and currency of confidentiality agreements signed with employees and business partners, and the applicability of the authorization matrix, are checked periodically.
- Supplier/Subcontractor Audit: The compliance of the data security policies and practices of third-party service providers processing personal data with their contractual obligations is monitored at least once a year. In cases where data is transferred abroad, the effectiveness of the safeguards provided pursuant to Article 9 of the KVKK (standard contract clauses, undertakings) is checked.
- Internal Policies and Procedures: All internal policies and procedures, such as Privacy Notices, Explicit Consent Statements, the Cookie Policy, and the Storage and Destruction Policy, are reviewed and updated in accordance with legislative changes and Board decisions, and at least every 6 months.
7.3. Audit Obligation and Reporting: In accordance with Article 12/3 of the KVKK, the data controller is obliged to conduct or have conducted the necessary audits within its own institution or organization to ensure the implementation of the provisions of the Law. In this context, the results of the audit activities carried out by VIME and the KVKK Compliance Officer are regularly reported to senior management. These reports include identified deficiencies, corrective actions taken, and improvement plans. This continuous audit and improvement cycle strengthens Yoursizer.com's commitment to personal data security and legal compliance.
8. DOCUMENTATION AND RECORD KEEPING
Detailed and complete documentation is one of the most critical elements in ensuring transparency, accountability, and future improvements in the data breach response process. Yoursizer.com meticulously records every stage of the breach process, fulfilling its legal obligations and incorporating the lessons learned into its corporate memory.
8.1. Documenting the Breach Process: From the moment a data breach is detected, all decisions made, actions taken, and notifications issued by VIME are recorded chronologically and in detail. These records must include the following information:
- Incident Record Number and Date: The unique identifier of the breach and the date it was first recorded.
- Method of Detection: How and by whom the breach was detected (e.g., log anomaly, user complaint, third-party report).
- Initial Review and Verification Results: Whether the breach was real, its nature, and the initial findings.
- Isolation and Emergency Response Steps: All technical and administrative steps taken to stop the spread of the breach (e.g., access revocation, password rotation, system segmentation).
- Affected Data Categories and Estimated Number of People: The types of personal data affected by the breach (identity, contact, biometric, financial, etc.) and the estimated number of individuals involved.
- Risk Analysis Results: Assessment of the potential risk of the breach to data subjects (low, medium, high).
- Root Cause Analysis (RCA) Report: The root causes of the breach, the vulnerabilities identified, and how they were addressed.
- Corrective and Preventive Measures Taken: Permanent system improvements and process changes to prevent the recurrence of the breach.
- Notifications Sent to Data Subjects: The notification's date, content, communication channels used, and number of people notified.
- Notifications Submitted to the Board: The date of the notification, its content, the form used, and any accompanying documents.
- VIME Meeting Notes and Decisions: Dates, participants, and decisions made at all meetings held by VIME during the breach process.
- Records of Communication with External Stakeholders: All correspondence and meeting notes with cybersecurity firms, legal advisors, or PR agencies.
8.2. Record Keeping and the "Breach Record File": In accordance with the KVKK and related legislation, all processes related to the deletion, destruction, or anonymization of personal data are recorded, and these records are kept for at least three years, without prejudice to other legal obligations. This principle also applies to data breach records. All these documents are kept in a central and secure digital environment (encrypted and with restricted access) under the name "Breach Record File". This file is the primary reference source to be presented in a possible Board audit or legal process. The importance of protecting the integrity and validity of digital evidence was also emphasized in the decision of the 3rd Criminal Chamber of the Court of Cassation, numbered 2021/4383 E., 2023/2717 K. Therefore, the integrity and immutability of all documents in the Breach Record File are technically guaranteed.
8.3. Post-Incident Assessment and Continuous Improvement: Every data breach incident is a learning opportunity for our Company. After the breach process is complete, VIME prepares a detailed "Post-Incident Assessment Report". This report includes lessons learned from the breach, areas for improvement in existing procedures, and recommendations for mitigating future risks. These reports contribute to the continuous strengthening of Yoursizer.com's data security posture by providing input to the mechanism for reviewing and updating preventive technical and administrative measures (see Section 7).