Data Breach Response and Cyber Compliance in Turkey: A Practical Legal Guide for Companies

Data breach response and cyber compliance in Turkey have become central legal issues for companies of every size, not only for banks, telecom operators, or major technology platforms. Any business that stores employee files, customer records, payment data, health information, call-center logs, or cloud-based operational data now sits inside a legal framework that combines personal data protection, sector regulation, and cybersecurity obligations. In Turkey, this framework does not come from a single source. It is built primarily on Personal Data Protection Law No. 6698 (the KVKK), the breach-notification decisions and guidance of the Personal Data Protection Board (the Board) and its Authority, sector-specific information-systems rules, and, since 2025, the new Cybersecurity Law No. 7545. The result is that companies need a response model that is both privacy-focused and cyber-focused.

For businesses, the first important point is conceptual. A data breach under Turkish personal data law is not identical to every cyber incident, and not every cyber incident is a reportable personal data breach. The KVKK regime is concerned with personal data being obtained unlawfully by others and with the controller's duty to protect personal data through appropriate technical and organizational measures. The newer Cybersecurity Law, by contrast, is broader and aims at protecting Türkiye's cyber domain against threats, reducing the effects of cyber incidents, strengthening cybersecurity policy, and regulating responsibilities across public institutions, private persons, and other actors operating in cyberspace. A Turkish company therefore needs two lenses during an incident: one asking whether personal data were affected, and another asking whether broader cybersecurity obligations or sector rules have been triggered. A ransomware attack that encrypts an internal build server but touches no personal data, for instance, may still be a cybersecurity incident without being a KVKK breach; a lost laptop holding an unencrypted customer export is the reverse.

The Core Personal Data Security Duty Under the KVKK

The starting point for breach response in Turkey is Article 12 of the Personal Data Protection Law. The law states that the data controller must take all necessary technical and organizational measures to provide an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the preservation of personal data. The law also says that where personal data are processed by another natural or legal person on behalf of the controller, the controller and the processor are jointly responsible for these security measures, and that the controller must carry out, or procure, the audits necessary to ensure implementation of the law within its own organization. This is the legal foundation for Turkish cyber compliance in the privacy context: security is not optional, and outsourcing to a vendor does not remove the controller's responsibility.

The Personal Data Protection Authority’s guidance reinforces that the security measures must fit the controller’s structure, activity, and risk profile. The Authority expressly says there is no single model for data security and that the nature of the business, the type of data processed, and the risks involved all matter. That is very important in practice because it means Turkish companies cannot defend weak controls by saying they are using a generic policy or a global template. A healthcare provider, e-commerce platform, manufacturer, employer, fintech, and logistics company will all have different risk profiles, and Turkish law expects their controls to reflect those differences.

When a Breach Must Be Reported

Article 12 also contains the breach-notification rule. It provides that if processed personal data are obtained by others through unlawful means, the data controller must notify the relevant person and the Board as soon as possible. The Board’s well-known decision on breach notification then interprets “as soon as possible” to mean that, for notification to the Board, the controller should notify without delay and no later than 72 hours after learning of the breach; where this cannot be done within 72 hours for a justified reason, the reasons for delay must be explained together with the notification. The Authority also states that if all information is not yet available, the controller may provide information in stages without undue delay.

This timeline is one of the most important practical rules in Turkish breach response. It means that a company does not have the luxury of waiting for a perfect technical report before engaging with the Authority. Once the controller learns of a breach affecting personal data, the response clock starts. In real incidents, this usually means the company must run several tracks at once: technical containment, legal qualification, evidence preservation, internal escalation, notification drafting, and impact assessment for affected individuals. A delay in organizing the internal team can itself create legal exposure because the 72-hour period is tied to awareness of the breach, not to completion of the forensic investigation.

What the Authority Expects in Practice

The Authority’s published breach decisions give useful insight into what counts as a defensible response. In one official decision summary involving a bank-related breach, the Board noted that the breach had been detected on 8 July 2019 and the notification reached the Authority on 11 July 2019; because the notification was made within 72 hours and the affected individuals were also notified, the Board took no action against the controller under Article 12(5). By contrast, in another decision summary concerning a help-desk panel service provider, the Authority emphasized that no breach notification had been made to the Board within the required 72-hour period and imposed an administrative fine under Article 18. In the Cathay Pacific decision published by the Authority, the Board imposed a separate fine because the breach was not notified to the Board within the shortest time. These published outcomes make the Turkish position very clear: timely notice does not eliminate all risk, but late notice can become an independent violation on top of the underlying security problem.

The same body of decisions also shows that Turkish enforcement does not focus only on the notification deadline. The Authority looks at whether the controller took the necessary technical and organizational measures in the first place. In published decision summaries, the Board has imposed fines where controllers failed to implement adequate administrative and technical safeguards under Article 12(1), sometimes in addition to breach-notification fines. That matters because a company may report a breach on time and still face sanction exposure if its access controls, monitoring, segregation, processor oversight, or internal procedures were weak before the incident occurred.

The Broader Cybersecurity Layer: Law No. 7545

Since 2025, companies also need to read data-breach response alongside the Cybersecurity Law No. 7545. The TBMM law page shows that Law No. 7545 was adopted on 12 March 2025 and published in the Official Gazette on 19 March 2025. TBMM’s official legislative summary explains that the law covers public institutions and organizations, public professional bodies, real and legal persons, and entities without legal personality that exist, operate, or provide services in cyberspace, while certain intelligence and military activities are excluded. The same summary states that the law sets the general framework for protecting actors against cyber attacks, strengthening cybersecurity, and establishing the Cybersecurity Board and the Cybersecurity Presidency.

This development matters because it expands the compliance conversation beyond personal data. According to TBMM’s official summary of the enacted rules, cybersecurity is treated as an inseparable part of national security; protection of critical infrastructure and information systems is described as a core objective; and accountability is stated as a basic principle in cybersecurity processes. The same summary states that cybersecurity measures should be applied throughout the life cycle of services and products. For private companies, the practical consequence is that cyber compliance in Turkey is no longer only a privacy-office issue. It is now more clearly a governance, operational resilience, and regulatory-readiness issue.

Reporting Duties and Inspection Powers Under the Cybersecurity Law

The Cybersecurity Law also introduces a more explicit incident-reporting logic. TBMM’s official summary states that entities in scope that provide services, collect or process data, or conduct similar activities using information systems must provide the Cybersecurity Presidency with the data, information, documents, software, hardware, and other contributions it requests in a timely manner; they must take the measures prescribed by legislation for cybersecurity; and they must notify the Presidency without delay of vulnerabilities or cyber incidents they identify in their service area. The same official summary states that the Presidency may conduct inspections, request systems and devices to be kept open to inspection, and determine technical criteria for cybersecurity products and services used by public bodies and critical infrastructure.

For companies, this creates a second reporting axis beyond the KVKK. A breach involving personal data may need to be assessed both as a KVKK incident and as a cybersecurity incident under the newer law, especially where the entity is part of critical infrastructure, provides digital services at scale, or falls within a sector likely to attract closer cyber supervision. This is where Turkish incident response becomes legally complex: the company may need to coordinate privacy notices, sector-regulator engagement, and cybersecurity reporting while preserving one consistent factual record.

The Continuing Role of SOME and Critical-Sector Response

Turkey's cyber-response architecture did not begin in 2025. Official USOM (Ulusal Siber Olaylara Müdahale Merkezi, the National Cyber Incident Response Center) materials show that the national model has long included USOM, sectoral SOME, and institutional SOME structures, where SOME (Siber Olaylara Müdahale Ekibi) is a cyber incident response team. The Sectoral SOME Guide, published on the official USOM domain, explains that the 11 November 2013 notification on Cyber Incident Response Teams created an organizational structure around national, sectoral, and institutional cyber incident response, and identifies critical sectors such as transportation, energy, electronic communications, finance, water management, and critical public services. The guide also explains that institutional SOMEs respond at entity level, sectoral SOMEs coordinate within the sector, and USOM provides national coordination and technical support.

This longer history matters because it shows that incident response in Turkey has an established coordination tradition, especially for critical infrastructure and major public-interest services. The 2025 Cybersecurity Law did not appear in a vacuum; it sits on top of an older response and coordination ecosystem. For companies in critical sectors, that means cyber compliance should not be designed as an isolated legal memo. It should be aligned with the incident-escalation and coordination architecture that Turkish authorities have been building for years.

Sector-Specific Cyber Rules: Banking and Payments

Sector-specific rules can significantly intensify breach-response obligations. In banking, BDDK’s Regulation on Information Systems and Electronic Banking Services states that its purpose is to set the minimum procedures and principles for the management of information systems used by banks in their activities and operations, for the provision of electronic banking services, for management of the related risks, and for the information-systems controls that must be established. This means banks are expected to maintain a cyber and information-systems control environment that is far more detailed than the minimum generally applicable privacy rule.

In payments, the Central Bank’s legal framework under Law No. 6493 and its payment-systems regulations similarly places the sector inside a formal regulatory perimeter. The Central Bank’s payment-systems regulations page shows that payment services and electronic money institutions are governed through a specific legal framework, and related communiqués include information-systems rules for payment activities. For payment institutions and e-money providers, a serious incident may therefore trigger not only internal technical response and possible KVKK notification, but also an assessment of payment-sector regulatory expectations and system integrity.

Building a Turkish Data Breach Response Plan

A defensible breach-response plan in Turkey should begin before the incident. The plan should identify who makes the initial legal classification, who leads forensic analysis, who decides whether Article 12(5) has been triggered, who communicates with the Authority, who assesses notification to affected persons, and who handles sector-regulator contact where necessary. It should also identify how processor incidents are escalated, because the KVKK expressly says the controller remains jointly responsible for security measures where processing is carried out by another person on its behalf. In other words, vendor and processor coordination must already be embedded in the plan.

The first operational phase should usually include containment, preservation, and scoping. Containment is the technical step: isolating the compromised account, server, endpoint, or connection. Preservation is the evidentiary step: securing logs, images, access records, email traces, change history, and vendor communications. Scoping is the legal step: determining what categories of personal data, if any, were affected; how many individuals were impacted; whether special categories were involved; whether data were exfiltrated, altered, exposed, or merely rendered unavailable; and whether the incident also affects a critical service or regulated system. The Turkish legal framework does not use these exact incident-response labels, but they are the most practical way to satisfy the law’s combined security and notification expectations.

The second phase is notification and documentation. The Board’s decision requires use of the breach-notification form for notice to the Authority, and it allows staged submission if all information is not immediately available. Internally, the company should create a written incident file recording when the breach was first detected, when it was escalated, what facts were known at each stage, what containment actions were taken, what legal analysis was performed, and when notifications were sent. This documentation is critical because, in Turkish practice, the company may later need to prove not only that it notified on time, but also that it acted diligently and proportionately as facts developed.
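As an added example (not part of the original article and not taken from any regulator's material), the following Python sketch shows how the incident file described in the two phases above can be kept so that the 72-hour question is answered mechanically rather than reconstructed later from e-mail threads: the clock is anchored to the first recorded awareness event, not to the end of the forensic work; each preserved artifact is hashed at collection so its integrity can be re-checked when the file is produced to the Authority; and a Board notice that lands after the deadline without a stated reason for the delay is flagged. The incident identifier, timestamps, and log line are constructed; the event labels (`awareness`, `containment`, `board_notice`) are my own, not terms used by the KVKK or the Board's decision.

```python
"""Incident file with a 72-hour Board-notification clock and a hashed evidence manifest."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Article 12(5) KVKK as read by the Board's breach-notification decision: notice to
# the Board without delay and within 72 hours of learning of the breach; a later
# notice must state the reasons for the delay. The clock runs from awareness.
NOTIFY_WINDOW = timedelta(hours=72)
TR = timezone(timedelta(hours=3))  # Turkey is UTC+3 year-round


@dataclass
class Event:
    at: datetime                      # timezone-aware timestamp of the step
    kind: str                         # constructed label, e.g. "awareness", "board_notice"
    note: str                         # what was known / done at that moment
    delay_reason: str | None = None   # only meaningful for a late board_notice


@dataclass
class EvidenceItem:
    name: str
    sha256: str
    collected_at: datetime
    collected_by: str


@dataclass
class IncidentFile:
    incident_id: str
    events: list[Event] = field(default_factory=list)
    evidence: list[EvidenceItem] = field(default_factory=list)

    def record(self, at: datetime, kind: str, note: str, delay_reason: str | None = None) -> None:
        if at.tzinfo is None:
            raise ValueError("use timezone-aware timestamps so the 72-hour clock is unambiguous")
        self.events.append(Event(at, kind, note, delay_reason))

    def preserve(self, name: str, data: bytes, at: datetime, collected_by: str) -> EvidenceItem:
        """Hash an artifact at collection time so later alteration is detectable."""
        item = EvidenceItem(name, hashlib.sha256(data).hexdigest(), at, collected_by)
        self.evidence.append(item)
        return item

    def verify(self, name: str, data: bytes) -> bool:
        """Re-hash the artifact and compare with the digest recorded at collection."""
        digest = hashlib.sha256(data).hexdigest()
        return any(i.name == name and i.sha256 == digest for i in self.evidence)

    def _first(self, kind: str) -> Event | None:
        ordered = sorted(self.events, key=lambda e: e.at)
        return next((e for e in ordered if e.kind == kind), None)

    def assess(self) -> dict:
        """Answer the timeliness question from the recorded facts alone."""
        awareness = self._first("awareness")
        if awareness is None:
            raise ValueError("no awareness event recorded; the clock cannot be assessed")
        deadline = awareness.at + NOTIFY_WINDOW
        notice = self._first("board_notice")
        hours = None if notice is None else (notice.at - awareness.at) / timedelta(hours=1)
        on_time = None if notice is None else notice.at <= deadline
        return {
            "deadline": deadline,
            "notified": notice is not None,
            "hours_elapsed": hours,
            "on_time": on_time,
            "justification_required": notice is not None and not on_time,
            "justification_present": bool(notice and notice.delay_reason),
        }


def example_on_time() -> IncidentFile:
    """Constructed timeline using the dates of the Board's 2019 banking case; times are assumed."""
    f = IncidentFile("INC-2019-0001")
    f.record(datetime(2019, 7, 8, 10, 0, tzinfo=TR), "awareness",
             "SOC confirms unauthorised access to customer records")
    f.record(datetime(2019, 7, 8, 11, 30, tzinfo=TR), "containment",
             "compromised service account disabled, host isolated")
    f.preserve("auth.log",  # constructed log line, not a real capture
               b"2019-07-08T09:41:02+03:00 sshd: accepted publickey for svc-report from 203.0.113.7\n",
               datetime(2019, 7, 8, 12, 0, tzinfo=TR), "ir-lead")
    f.record(datetime(2019, 7, 11, 9, 0, tzinfo=TR), "board_notice",
             "breach-notification form submitted; scope partial, staged update to follow")
    return f


def example_late() -> IncidentFile:
    """Same awareness time, but the Board is notified on day five with no reason given."""
    f = IncidentFile("INC-2019-0002")
    f.record(datetime(2019, 7, 8, 10, 0, tzinfo=TR), "awareness", "helpdesk panel data exposed")
    f.record(datetime(2019, 7, 12, 10, 0, tzinfo=TR), "board_notice", "form submitted")
    return f


if __name__ == "__main__":
    print(example_on_time().assess())
    print(example_late().assess())
```

The design point is that the record, not the forensic report, drives the deadline: `assess()` only needs the first `awareness` entry, so the file can be opened within minutes of detection and refined in stages as the Board's decision permits. The hashed manifest lets the company later show that the logs it relies on are the logs it collected, which matters when the Authority asks what the controller knew and when.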

Governance, Board Oversight, and Evidence

The best Turkish response plans are not owned by IT alone. The Turkish Commercial Code places top-level supervision and organizational responsibility on the board, and Article 378 creates a risk-focused governance expectation, especially for listed companies. In cyber matters, that means the board or top management should know when an incident reaches the threshold for escalation, when outside counsel or forensic support should be retained, and how remediation and regulatory engagement are tracked after the initial crisis. A company that has no governance escalation rule for cyber incidents is more likely to miss deadlines, contradict itself in notifications, or fail to implement lessons learned.

Evidence also matters more than many companies realize. Under both the KVKK and the Cybersecurity Law’s broader logic, the regulator’s real question is often not “did something bad happen?” but “what did the company do once it knew?” Turkish enforcement materials show that timely notice, security measures, and documented response can materially affect outcomes. That is why post-incident reports, root-cause analyses, processor correspondence, patch records, and training updates are not just internal housekeeping. They are the company’s legal defense file.

Conclusion

Data breach response and cyber compliance in Turkey now operate on two connected tracks. The first track is the KVKK regime: Article 12 security duties, processor oversight, breach notification to the Board and affected persons, and enforcement focused on both security measures and timeliness. The second track is the broader cybersecurity regime reinforced by Law No. 7545, which now frames cyber resilience, incident reporting, inspection powers, critical-infrastructure protection, and Cybersecurity Presidency oversight in a much wider national-security and regulatory context. For banks, payment institutions, and other regulated entities, there is also a third layer consisting of sector-specific information-systems and operational-resilience rules.

For companies operating in Turkey, the safest approach is to treat cyber incidents as legal events from the first hour. The organization should preserve evidence immediately, classify the incident quickly, decide whether personal data were affected, test whether sector or cybersecurity reporting has also been triggered, notify within the legal timeframe, and record every material step. In the Turkish framework, the difference between a difficult incident and a much worse enforcement problem is often not the attack itself. It is whether the company had a real response system before the attack happened.
