
KVKK Data Breach Notification and Administrative Fines

9 April 2026 | IT Law

Article 12/5 of the Personal Data Protection Law No. 6698 (KVKK) obliges data controllers, in the event of a data breach, to notify the Board within 72 hours and the relevant persons (data subjects) as soon as possible.

What is a Data Breach?

A data breach occurs when personal data is obtained by others through unlawful means, including its leakage, deletion, alteration, disclosure or unauthorized access to it.

Common Examples

  • Cyber attack on a company database (ransomware, hacking)
  • An employee copying data without authorization and sharing it externally
  • Using "CC" instead of "BCC" when sending e-mail
  • Data leak due to the loss of a USB drive or laptop
  • Disclosure of customer data due to a website security vulnerability
  • Incorrectly granted access authorizations

Notification Obligation

To the KVKK Board within 72 Hours

The notification is made via the form on the Authority's website within 72 hours of the moment the data breach is detected. The form asks for:

  • Start date and duration of the breach
  • Data categories affected by the breach
  • Number of affected persons
  • Possible consequences of the breach
  • Measures taken and to be taken
  • Contact person information

Notification to Relevant Persons

Affected persons are informed as soon as possible by e-mail, SMS, KEP (registered electronic mail) or a website announcement.

Sanction Powers of the Board (KVKK article 18)

Administrative fines range between 50,000 TL and 2,000,000 TL (updated annually) and may be imposed for:

  • Violation of the obligation to inform
  • Non-compliance with obligations regarding data security
  • Failure to comply with Board decisions
  • Violation of the obligation to register with the Data Controllers Registry

Important Decisions of the Board

The KVKK Board has imposed high administrative fines on large companies such as Facebook, Cathay Pacific, Marriott and Clubhouse for violations. In Türkiye, fines in the millions of TL have been imposed on local banks, e-commerce platforms and social media companies.
The Board treats "failure to notify a data breach, or late notification" as a separate violation and imposes additional penalties for it.

Preparation as a Data Controller

  • Registration with VERBİS (Data Controllers Registry)
  • Incident response plan
  • Data inventory
  • Information (privacy) notices and explicit consent
  • Employee training
  • Penetration tests and security audits
  • Data processing agreements (with third parties)

Rights of the Relevant Person (KVKK article 11)

  • Learning whether their personal data is being processed
  • If it is processed, learning whether it is being used in accordance with its purpose
  • Learning the third parties to whom it has been transferred
  • Requesting correction of incomplete or incorrectly processed data
  • Requesting deletion or destruction of the data

Neglecting data controller obligations can lead to high penalties. Consultancy for KVKK compliance processes is recommended.

Copyright notice: This content and all related Q&A texts are protected under Turkish Copyright Law No. 5846. Unauthorized copying, reproduction, publication, adaptation, bulk extraction or commercial use is prohibited; legal and criminal remedies are reserved in case of infringement.

If you are looking for legal support

As Aycan Ceylan Avukatlık Bürosu, we are at your side for professional legal support on this matter.