Introduction
Pursuant to Article 12 of the Personal Data Protection Law No. 6698 ("PDPL"), in cases where personal data are unlawfully obtained by third parties, data controllers are required to notify both the data subjects concerned and the Personal Data Protection Board ("Board") as soon as possible. This notification obligation aims to prevent or minimize, at the earliest possible stage, the negative consequences that personal data breaches may cause for data subjects.
Data Breach Notification Obligation and Changes Regarding Publication Periods
The scope of the notification obligation set out in the fifth paragraph of Article 12 of the PDPL was clarified by the Board's decision dated 24.01.2019 and numbered 2019/10 on the procedures and principles of personal data breach notifications. With decision No. 2019/10, the phrase "as soon as possible" in the PDPL was interpreted as the obligation of the data controller to notify the Board without delay and at the latest within 72 hours from the date on which the personal data breach is learned.[1]
Under this decision, once the data subjects affected by the breach are identified, these individuals must also be notified within a reasonably short period of time. Notifications to data subjects should primarily be made directly, provided that their contact details are available. However, in cases where the contact details of the data subject cannot be reached, it is also permitted for the data controller to provide information through appropriate methods such as publication on its own website. This approach aims to ensure that data subjects are informed of the breach in a timely manner and can take the necessary precautions.
On the other hand, when deciding whether personal data breach notifications submitted to the Board will be published on the website of the Personal Data Protection Authority ("Authority"), multiple criteria are evaluated together. These include, among others, the group and number of data subjects affected by the breach, the nature and scope of the personal data affected, the manner in which the breach occurred, the sector in which the data controller operates, and whether the data controller has notified the data subjects.
With the latest public announcement, a significant change has been introduced to this practice. In line with the Board's decision dated 25/12/2025 and numbered 2025/2451, personal data breach notifications that were previously published on the Authority's website without any time limitation will now be published for a maximum period of 60 days. If it is demonstrated that notifications have been made to the affected data subjects within a shorter period than these 60 days, the data breach announcement will be removed from the website. This regulation aims to encourage data controllers to provide timely and effective notifications to data subjects and to prevent announcements from remaining published longer than necessary.
Important Note: You may access the Board's decision No. 2019/271, which sets out the mandatory minimum elements required in data breach notifications to data subjects, which is only in Turkish, here.
Administrative Fines Imposed for Non-Compliance with Data Breach Notification Periods
In cases where data controllers fail to comply with the obligation to notify "as soon as possible" (within 72 hours pursuant to decision No. 2019/10) and to notify data subjects in accordance with decision No. 2019/271, administrative fines are imposed under Article 18(1)(b) of the PDPL. Within this scope, fines ranging from TRY 256,357 to TRY 17,092,242 may be imposed for violations of data security obligations, posing a serious financial risk for data controllers.
Conclusion
As of 2026, the risks faced by data controllers under the PDPL have increased significantly, both in terms of data breach notification and publication processes and administrative fines. In particular, the regulation of the periods for publishing data breaches on the Authority's website has made it even more critical for data controllers to notify data subjects in a timely manner and to document these notifications. Accordingly, it is of great importance for data controllers to update their data breach management and response procedures, strengthen internal audit and record-keeping mechanisms, fully comply with notification obligations, and effectively manage data subject notification processes, in order to mitigate both administrative fines and reputational risks.
You may access the full text of the announcement, which is only in Turkish, from here.
References
(Only in Turkish) Announcement on Personal Data Protection Board's Decision dated 24.01.2019 and numbered 2019/10 on the Procedures and Principles of Personal Data Breach Notifications. (2019, 02 15). Retrieved from Personal Data Protection Authority: https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi
Footnote
1. (Only in Turkish) Announcement on Personal Data Protection Board's Decision dated 24.01.2019 and numbered 2019/10 on the Procedures and Principles of Personal Data Breach Notifications, 2019.