The amounts of fines to be imposed on data controllers who fail to perform their obligations under Law No. 6698 on the Protection of Personal Data (the "Law") are regulated under Article 18 of the Law. Monetary fines are applied by increasing the revaluation rate determined and announced for the related year, effective from the beginning of each calendar year.

According to the General Communiqué on Tax Procedure Law No 542, published in the Official Gazette dated 24 November 2022 and numbered 32023, the revaluation rate for 2023 was determined as 122.93%.

According to the Tax Procedure Law No 3475, the President of the Republic has the authority to increase or decrease the rates and amounts determined in this way by up to half, and to increase the relative rates by up to double, or to decrease them by up to half. If the President does not use this authority, the upper and lower limits of the monetary fines that may be imposed by the Personal Data Protection Authority will increase by 122.93% under the revaluation rate.

In 2023, the minimum and maximum amounts of monetary fines that can be imposed by the Personal Data Protection Authority are set out in the table below.

Explanation Possible fines amounts to be applied in 2023 in accordance with the revaluation rate (TL)
Failure to comply with an obligation to inform 29,853 597,192
Failure to comply with obligations related to data security 89,571 5,971,989
Failure to comply with any decision issued by the Board 149,285 5,971,989
Failure to comply with obligation to register and the obligation to report to VERBIS 119,428 5,971,989

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.