Personal Data Breach Notification Procedure

This procedure sets out the steps, notification obligations, and record-keeping requirements to be followed by BÂROFE in the event of a personal data breach, in accordance with Article 12 of KVKK and Articles 33 and 34 of the GDPR.

What Is a Data Breach?

The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Intent is not required — a misconfiguration or a misdirected email can constitute a breach.

Examples: unauthorised access to the customer database; personal data sent to a wrong recipient; cyber attacks such as ransomware, phishing, or SQL injection; loss or theft of devices holding personal data; data exposure through software vulnerabilities; unauthorised employee access.

Detection & Risk Classification

Anyone detecting a suspected breach must report it immediately to info@barofe.com. Breaches are classified as follows:

Low Risk — Encrypted data with limited impact. Urgent notification may not be required, but record-keeping continues.

Medium Risk — Limited exposure of customer contact data. Notification to the relevant authority within 72 hours may be required.

High Risk — Large-scale exposure of financial, identity, or sensitive personal data. Formal notification within 72 hours is mandatory; affected individuals must also be notified within a reasonable timeframe.

Response Process

0–4 hours: Scope of the breach is assessed; affected systems are isolated or access restricted; log and evidence records are preserved.

4–24 hours: Affected data categories and number of individuals are identified; the type of breach is established; source is investigated; all findings are documented with date and time.

24–72 hours: If the breach poses a risk to individuals, formal notification is submitted to the Personal Data Protection Authority within 72 hours. The notification must cover: the nature and scope of the breach, affected data categories, likely consequences, measures taken, and contact details.

Record-Keeping

All breaches are documented regardless of whether they reach the notification threshold. Records are retained for a minimum of 3 years and must include: date and time of detection, method of detection, type and scope of the breach, affected data categories and number of individuals, measures taken, notification status.

Preventive Measures

All data transmissions are encrypted via SSL/TLS. Payment data is processed in PCI-DSS compliant environments and not stored in BÂROFE's systems. Access privileges are defined on a least-privilege basis. The Shopify infrastructure is kept up to date. All system access is monitored through log records.

Contact

BÂROFE Moda Tekstil Ürünleri Sanayi ve Dış Ticaret Limited Şirketi

AOS 55. Street No: 42, Maslak B Block, No: 4, Unit 542

Sarıyer / Istanbul, Türkiye

info@barofe.com  |  www.barofe.com

kvkk.gov.tr  |  edpb.europa.eu