Personal Data Breach Notification under Turkey's KVKK: What Companies Must Do
Published 12 June 2026
Att. Mona Hukuk Editorial Team - Antalya · Antalya Bar Association
A ransomware attack locks your servers, an employee mistakenly sends a customer database to the wrong email address, or a third-party vendor suffers a breach that exposes your clients' records — under Turkey's Personal Data Protection Law (KVKK, Law No. 6698), each scenario may trigger mandatory notification obligations within a strict timeframe. Getting this right matters: late or incomplete notification can attract significant administrative fines and reputational damage that far outweighs the cost of preparation.
The Legal Foundation: KVKK Article 12
Article 12 of KVKK establishes the core data security obligations of data controllers. Three duties are explicitly enumerated: preventing unlawful processing of personal data, preventing unlawful access to personal data, and ensuring the safeguarding of personal data. Controllers must take all necessary technical and administrative measures commensurate with the appropriate level of security.
The notification trigger appears in paragraph 5 of Article 12: when processed personal data is obtained by others through unlawful means, the data controller must notify both the affected individuals and the Personal Data Protection Board (KVK Board) as soon as possible.
The 72-Hour Notification Window
The KVK Board's Decision No. 2019/10 gave practical content to the "as soon as possible" standard. A data controller must notify the Board within 72 hours of becoming aware of the breach. If the notification cannot be completed within that window, the reason for the delay must be provided alongside the notification. Notification to affected individuals must follow without undue delay, calibrated to the severity of the breach.
What to Include in the Board Notification
Board notifications are submitted via the official electronic system on the KVK Board's website and must cover:
- Date and time of the breach (if known)
- Number of affected individuals and categories of data involved
- Possible consequences of the breach
- Measures taken or planned to address the breach
- Data Protection Officer contact details (if applicable)
- Reason for any delay in notification
Supporting evidence — logs, incident reports, forensic findings — should be attached where available.
Notifying Affected Individuals
Notification to individuals is required when the breach is likely to result in high risk to their rights and freedoms. The notice must clearly explain what happened, what data was involved, what measures have been taken, and how individuals can contact the data controller and the KVK Board. Where individual notification is impractical (e.g., contact details are unknown or numbers are very large), a public announcement is an acceptable substitute.
A Practical Breach Response Checklist
- Contain the incident. Isolate affected systems, revoke compromised credentials, stop further data loss.
- Document everything. Record what data was affected, how many people are involved, and how the breach occurred.
- Assess the risk. Determine whether the breach poses high risk to individuals — this drives notification decisions.
- Start the 72-hour clock. The moment you become aware of the breach, the countdown begins. Engage legal counsel immediately.
- Notify the Board. Submit the notification form with all available information, noting any gaps to be supplemented.
- Notify individuals. Tailor the message to the risk level and your available communication channels.
- Keep records. Document every step — the Board retains audit rights.
Administrative Fines
Under Article 18 of KVKK, failure to comply with data security obligations can result in fines of up to two million Turkish lira (subject to annual revaluation increases). Breach of notification obligations constitutes a separate violation and may attract an additional independent penalty. Fines are updated each year in line with the revaluation rate published by the Turkish Revenue Administration.
Frequently Asked Questions
Does every data breach require notification to the Board? No. Notification is triggered by breaches that create risk for affected individuals. Low-risk incidents should be documented internally but may not require external notification — that assessment itself must be documented in writing.
Must all information be ready before notifying the Board? No. The Board accepts phased notifications. Submit available information first and supplement as the investigation progresses.
Does KVKK apply to non-Turkish companies processing Turkish residents' data? Yes, if you process personal data of individuals in Turkey in connection with offering goods or services to them, KVKK obligations apply regardless of your company's location.
Can a data breach lead to criminal liability? Yes. Unauthorized disclosure or access to personal data may also attract criminal sanctions under Article 136 of the Turkish Penal Code, in addition to KVKK administrative penalties.
Are there extra obligations for breaches involving cross-border data transfers? Yes. Breaches affecting data transferred abroad trigger separate assessment under KVKK Article 9 and may require multi-jurisdictional notification.
How Mona Hukuk Can Help
When a data breach hits, every hour counts. Mona Hukuk supports companies in preparing breach response protocols in advance and, when incidents occur, handles Board notifications, drafts individual communications, and provides legal representation in KVK Board investigations.
Contact us at contact@monahukuk.com or call +90 (242) 606 14 32 for a consultation in Antalya.