Regarding the protection of Personal Data, Articles 17 and 18 of the Law on the Protection of Personal Data No. 6698 ("Law") provide for two types of legal sanctions for unlawfulness that may arise. Firstly, it is regulated that such violations of law may constitute the crimes listed between articles 135 and 140 of the Turkish Penal Code, which are recording personal data and illegally giving or obtaining data. In addition to criminal liability, some acts are regulated as faults in the Law. As the sanction for these acts, the Law provides for administrative fines that may be decided by the Personal Data Protection Board ("Board").

The acts listed in Article 18 of the Law and defined as faults are arranged in four paragraphs. This article regulates that administrative fines may be imposed by the Board on data controllers, whether they are real or private legal persons, for violating certain obligations regulated by the Law. The acts that require administrative fines and are regulated as faults in the Law are limited (numerus clausus) to the ones listed below:

  • Failure to fulfill the notice obligation, (Law article 18/1. a)
  • Failure to fulfill obligations regarding data security, (Law article 18/1. b)
  • Failure to fulfill the obligation to fulfill decisions made by the Board, (Law article 18/1. c) and
  • Failure to fulfill the obligation to register with the Data Controllers' Registry (Law article 18/1. ç)

The amounts, and the lower and upper limits, of the administrative fines that may be applied for these faults are also indicated in the same article. In addition, article 17/7 of the Law on Faults regulates that the administrative fines to be applied are increased by the revaluation rate determined and announced for that year in accordance with the provisions of the repeated article 298 of the Tax Procedure Law, and that the increased amount applies from the beginning of each calendar year. When both provisions are taken into account, the administrative fines applied for the illegalities determined by the Board ex officio or upon complaint are increased according to the revaluation rate determined every year.

Within the scope of the explanations above, the limits of the amounts of administrative fines to be applied are announced annually by the Personal Data Protection Authority ("Authority"). In the next part of this article, the lower and upper limits of the penalties regulated for those faults are shown in tables, with the changes in the limits for past years and the current amounts for 2022. Although the Authority's Activity Report for 2021 has not yet been published, according to the data announced, 4,513 applications were made to the Authority in 2021, which makes it the year with the highest number of notices and complaints received by the Authority compared with previous years.

  • Failure to fulfill the "clarification obligation" regulated in Article 10 of the Law (Law article 18/1. a)


  • Failure to fulfill "obligations regarding data security" regulated in article 12 of the Law, (Law article 18/1. b)


  • Failure to fulfill the "obligation to fulfill decisions made by the Board" regulated in article 15 of the Law (Law article 18/1. c)


  • Failure to fulfill the "obligation to register with the Data Controllers' Registry" regulated in article 16 of the Law (Law article 18/1. ç)


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.