KVKK Article 12: The data controller is obliged to notify the Board and the relevant persons if personal data is obtained by others through illegal means.
Types of Violation
- Hacker attack (cyber leak)
- Stolen laptop/USB memory
- E-mail sent to the wrong recipient
- Unauthorized personnel access
- Leakage of database backup
Notification Period
- Notification to the Board within 72 hours of learning of the violation
- Notification to the relevant persons "within reasonable time"
- Data Leak Notification Form (on the Board's website)
Notification Content
- Declaration of the violation date and duration
- Affected data categories and number
- Possible consequences of the violation
- Measures taken
- Contact point
Administrative Sanctions
- Failure to notify: administrative fine at the current year's rate
- Late notification: additional penalty
- Inadequate security measures: separate penalty
- In case of violation: material and moral compensation for victims
KVKK Board Decisions
The KVKK Board has imposed administrative fines of millions of TL on large companies (banks, telecom, e-commerce) in recent years. It draws particular attention to data minimization violations.
Practical Recommendations
- Prepare a violation response plan in advance
- Plan a timeline for the 72-hour period
- Get legal support for notification processes
- Inform victims transparently
Consulting a lawyer specializing in KVKK is recommended.