KVKK article 18 regulates administrative fines for law violations. Penalties are re-evaluated every year.
Types of Penalties
- Violation of the obligation to inform
- Violation of the obligation to provide information
- Violation of the obligation to provide data security
- Failure to comply with the board's decision and control
- Violation of the VERBIS registration obligation
Approximate Upper Limits (annual updated)
- Violation of information: high
- Data security violation: very high
- Failure to comply with the board decision: the highest category
Factors Affecting the Penalty
- Nature of the violation
- Number of people affected
- Data category (severe if special)
- Previous violations
- Degree of cooperation
- Company size
Objection
- To the administrative court within 60 days from the notification of the decision
- Request for stay of execution
- Administrative justice process
Sample Decisions of the KVKK Board
In recent years, the KVKK Board has imposed fines reaching millions of TL to banks, telecom, e-commerce and healthcare companies. Especially for "data minimization" and "unauthorized transfer".
Practical Recommendations
- Regular internal audit
- Data inventory update
- Employee training
- Breach response plan
- KVKK compliance project