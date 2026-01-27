January 2026 – The Turkish Personal Data Protection Authority ("Authority") published a public announcement on 20 January 2026 regarding Board Decision No. 2025/2451 dated 25 December 2025...

KST LAW is proud to have an exceptional client base consisting some of the largest Turkish conglomerates, sector leaders in Turkey, multi-nationals, investment or private equity funds and financial institutions.

We provide legal services relevant to all aspects of business in a wide variety of sectors. We operate to the highest international standards in managing cross border transactions or investments and providing practical and creative solutions to legal or regulatory issues.

KST LAW is an independent Istanbul based full service corporate law firm in cooperation with Kinstellar.

Article Insights

Ceren Ceyhan’s articles from KST LAW are most popular: within Privacy topic(s)

in Turkey KST LAW are most popular: within Privacy, Technology, Food, Drugs, Healthcare and Life Sciences topic(s)

January 2026 – The Turkish Personal Data Protection Authority (“Authority”) published a public announcement on 20 January 2026 regarding Board Decision No. 2025/2451 dated 25 December 2025 on the publication period of data breach notifications.

Under this Decision, data breach notifications published by the Authority will remain publicly accessible for a maximum period of 60 days and will be removed from the Authority's website at the end of this period, or earlier, if the data controller provides documentary evidence confirming that the affected individuals have been duly notified.

Legal Background

Under Law No. 6698 on the Protection of Personal Data (“DP Law”), data controllers are required to notify both the affected data subjects and the Personal Data Protection Board (“Board”) without undue delay in the event of unlawful access to personal data.

The scope and timing of this obligation were further clarified by the Board's Decision dated 24 January 2019 and numbered 2019/10, which interprets the phrase “without undue delay” as follows:

Data controllers must notify the Board no later than 72 hours from the moment they become aware of the data breach.

from the moment they become aware of the data breach. Once the affected individuals are identified, data controllers must also notify the data subjects within a reasonable period of time:

» directly, if the contact details of the individuals are available, or

» through alternative appropriate means, such as publication on the data controller's website, where direct contact is not possible.

Following such notifications, the Board may decide to publicly disclose the data breach on its website or through other means it deems appropriate.

What is New Under Decision No. 2025/2451?

With its Decision No. 2025/2451, the Board has introduced a time limit for public disclosures. Until now, data breach notifications published on the Authority's website were displayed without any time limitation. Under this Decision:

Data breach notifications will be publicly disclosed for a maximum period of 60 days.

If the data controller provides evidence that the affected individuals have been notified earlier, the relevant announcement may be removed before the end of the 60-day period.

Publication Criteria

The Decision further provides that, in assessing whether a data breach notification should be published, the Board will take into account factors such as:

the scope and number of affected individuals;

the nature and type of the breach;

the sector of the data controller; and

whether and how the data subjects have been informed.

The purpose of these disclosures remains to enable affected individuals to take timely measures and to limit the potential adverse effects of data breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.