Introduction
Data breach notification obligations under KVKK are among the most critical compliance duties for companies processing personal data in Turkey. As businesses rely more heavily on cloud systems, customer databases, employee platforms, e-commerce infrastructure, mobile applications, payment technologies, health information systems, artificial intelligence tools, and international service providers, the risk of unauthorized access, accidental disclosure, ransomware attacks, phishing incidents, insider threats, misconfigured servers, and unlawful data transfers continues to increase.
Turkey’s main data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. Under Article 12, data controllers must take all necessary technical and organizational measures to provide an appropriate level of security, prevent unlawful processing, prevent unlawful access, and ensure the protection of personal data. If processed personal data are obtained by others through unlawful means, the data controller must notify the Personal Data Protection Board and communicate the breach to affected data subjects within the shortest time.
The Turkish Personal Data Protection Board clarified this “shortest time” requirement through Decision No. 2019/10, interpreting it as not later than 72 hours after the data controller becomes aware of the breach. The Board also requires controllers to use the official Personal Data Breach Notification Form and to document all breaches, including facts, effects, and remedial measures.
For businesses operating in Turkey, data breach notification is not only a technical cybersecurity issue. It is a legal, regulatory, operational, reputational, and litigation-sensitive process. A delayed, incomplete, inaccurate, or poorly managed breach notification may result in administrative fines, Board investigations, public announcements, customer complaints, contractual disputes, civil claims, and loss of trust.
What Is a Personal Data Breach Under KVKK?
KVKK does not define a “personal data breach” in the same detailed manner as some foreign data protection regimes. However, Article 12/5 provides the core legal trigger: if processed personal data are obtained by others by unlawful means, the data controller must notify the Board and communicate the breach to the data subject.
In practice, a personal data breach may include many different incidents. Examples include unauthorized access to a customer database, accidental email disclosure, ransomware encryption of HR files, stolen laptops containing personal data, compromised administrator accounts, exposure of personal data through a misconfigured cloud bucket, unauthorized access by an employee, data scraping, phishing-based account takeover, disclosure of health records to the wrong recipient, or unlawful transfer of personal data to a third party.
A breach does not always require malicious hacking. Many breaches result from human error. Sending an Excel file containing employee salaries to the wrong email address, uploading customer data to an unsecured online folder, giving excessive access permissions to a vendor, or failing to revoke former employee access may all create breach notification issues.
The key question is whether personal data has been obtained, accessed, disclosed, or made available through unlawful means. If the incident involves only system downtime without access to personal data, it may be a cybersecurity incident but not necessarily a reportable personal data breach. Ransomware is a common source of error here: encryption alone looks like a loss of availability, but many ransomware operators copy data before encrypting it, so exfiltration should be ruled out from logs and forensic evidence rather than assumed absent. Where there is uncertainty, the company should conduct an immediate legal and technical assessment.
Data Controller’s Security Obligations Before a Breach
Data breach notification is only one part of Article 12. The first duty of the data controller is prevention. Article 12 requires the controller to take all necessary technical and organizational measures to ensure an appropriate level of security. These measures must aim to prevent unlawful processing, prevent unlawful access, and ensure the protection of personal data.
The Turkish Personal Data Protection Authority explains that data security measures should be determined according to the structure, activities, and risks of each data controller. There is no single security model that applies to every organization. The nature of the business, the type of personal data protected, the size of the company, and its turnover may all be relevant in determining appropriate measures.
For example, a hospital processing health records, a fintech company processing financial data, an e-commerce platform processing large customer databases, and a small consultancy processing limited business contact data will not have identical security obligations. However, every controller must adopt measures appropriate to its own risk environment.
Technical measures may include encryption, access control, multi-factor authentication, logging, vulnerability management, malware protection, secure backups, network segmentation, penetration testing, secure software development, endpoint protection, patch management, data loss prevention, and incident detection systems. Organizational measures may include employee training, confidentiality agreements, vendor due diligence, internal policies, authorization matrices, breach response plans, disciplinary rules, audit procedures, and retention policies.
The 72-Hour Notification Rule
The most important practical rule for breach notification under KVKK is the 72-hour deadline. The Board’s Decision No. 2019/10 interpreted the phrase “within the shortest time” in Article 12/5 as requiring notification to the Board without delay and not later than 72 hours after the data controller becomes aware of the breach.
This deadline creates an urgent compliance obligation. Once a company becomes aware of a personal data breach, it must act quickly. The company should not wait until every technical detail is fully known. If complete information is not available within 72 hours, the Board allows information to be provided gradually and without delay. The Board also states that if notification cannot be made within 72 hours, the reasons for the delay must be attached to the notification made without further undue delay.
The 72-hour period should be treated as a maximum, not a target. A company should notify as soon as it has enough information to identify that a personal data breach has occurred and to provide meaningful initial information. Delaying notification merely to complete internal reporting, obtain executive approval, or manage public relations may create regulatory risk.
When Does the 72-Hour Period Start?
The 72-hour period begins when the data controller becomes aware of the breach. In practice, this may be legally sensitive. A company may first detect unusual activity, then later confirm unauthorized access, and only later determine which personal data was affected. The “awareness” moment should be assessed carefully.
Awareness generally occurs when the controller has a reasonable degree of certainty that a personal data breach has occurred. A mere technical alert may not always be enough. However, once internal IT, legal, compliance, or management teams confirm that personal data may have been obtained unlawfully, the company should treat the deadline as running.
Companies should avoid artificial delay. If lower-level employees or IT teams discover a breach but fail to escalate it, the company may still face questions about whether it had adequate internal reporting procedures. Therefore, internal breach response policies should define who must report what, to whom, and within what internal time frame.
Notification to the Personal Data Protection Board
The Board requires the official Personal Data Breach Notification Form to be used for breach notification. Decision No. 2019/10 states that the form must be used in notifications to the Board and that, where information cannot be provided simultaneously, it must be provided gradually without delay.
A Board notification should generally include information such as the date and time of the breach, the date and time of detection, the nature of the breach, affected data categories, affected data subject groups, number of affected persons if known, possible consequences, measures taken before and after the breach, whether special categories of personal data are affected, whether data has been transferred abroad, contact information, and remedial steps.
The notification should be accurate but not speculative. If the company does not yet know the exact number of affected individuals, it may provide an estimate and later update the Board. If forensic investigation is ongoing, this should be explained. The key is to show that the company is acting transparently, urgently, and responsibly.
Notification to Data Subjects
Article 12/5 requires the data controller not only to notify the Board but also to communicate the breach to the affected data subject. The Board’s Decision No. 2019/10 states that data subjects should be informed within the shortest reasonable period of time after the persons affected by the breach are identified. If the contact address of the data subject can be reached, notification should be made directly; if not, notification may be made through appropriate methods such as publication on the controller’s website.
A data subject notification should be clear, understandable, and practical. It should not be written only for lawyers or cybersecurity experts. Affected individuals should be able to understand what happened, which data may be affected, what risks may arise, what measures the company has taken, what steps they should take, and how they can contact the company.
For example, if identity data and phone numbers were exposed, individuals may face phishing or impersonation risks. If passwords were compromised, users should be advised to change passwords and avoid reuse. If financial data was affected, individuals may need to monitor accounts. If health data was disclosed, the notification should be more sensitive and confidentiality-focused.
Notification by Foreign Data Controllers
KVKK breach notification rules may also apply to foreign data controllers. Decision No. 2019/10 states that if a data breach occurs involving a data controller established abroad, and the breach affects data subjects residing in Turkey who benefit from products and services provided within Turkey, the controller must notify the Board under the same principles.
This is highly important for foreign e-commerce platforms, SaaS providers, mobile application operators, social media companies, cloud providers, online gaming platforms, fintech services, health tourism businesses, and multinational employers. A foreign company may assume that only its local regulator must be notified, but if Turkish residents are affected and the service is provided within Turkey, KVKK notification obligations should be assessed.
Foreign companies should therefore include Turkey in their global incident response matrix. If an international breach affects users, customers, patients, employees, or subscribers in Turkey, Turkish counsel and KVKK notification requirements should be considered immediately.
Data Processor’s Role in Breach Notification
Many companies outsource processing to vendors, cloud providers, payroll providers, call centers, software companies, hosting providers, payment processors, marketing platforms, and IT service providers. Under Article 12, if personal data processing is carried out by another person on behalf of the controller, the controller is jointly responsible with that person for taking security measures.
Decision No. 2019/10 specifically states that if personal data held by the data processor is obtained by others through unlawful methods, the data processor must notify the data controller without any delay.
This means that processor contracts should include strict breach reporting clauses. A processor should not wait 72 hours before notifying the controller. The controller needs time to assess the incident and notify the Board within its own deadline. Therefore, vendor agreements should require immediate notification, cooperation, preservation of logs, forensic support, remedial measures, and assistance with data subject communication.
A common contractual mistake is requiring processors to notify “within a reasonable time.” This may be too vague. A stronger clause should require notification immediately after becoming aware of a suspected or confirmed breach, ideally within a defined short internal period, such as 24 hours or less, depending on the service and risk.
Breach Response Plan Requirement
Decision No. 2019/10 requires the data controller to have a data breach response plan in place for use when a breach occurs, and to review that plan periodically. The plan should address issues such as to whom the report will be provided within the controller, who is responsible for notifications under the law, and how potential consequences of the breach will be assessed.
A data breach response plan is essential because breach incidents are time-sensitive. Without a plan, companies lose critical hours trying to identify decision-makers, locate contracts, find system logs, contact vendors, understand legal obligations, and draft notifications.
A proper breach response plan should include an incident response team, escalation rules, decision-making authority, legal assessment criteria, technical investigation steps, communication templates, Board notification procedures, data subject notification procedures, vendor coordination rules, public relations strategy, evidence preservation, and post-incident remediation.
The plan should also be tested periodically through tabletop exercises. A written plan that no one has practiced may fail during a real incident.
What Information Should Be Collected During a Breach?
A controller should immediately collect and preserve information about the incident. This includes the date and time of discovery, the person or team who detected the incident, affected systems, affected databases, categories of personal data involved, number of affected persons, data subject groups, whether special categories of data are involved, whether data was encrypted, whether credentials were compromised, whether data was exfiltrated, whether the attacker is known, whether the incident is ongoing, and what immediate containment measures were taken.
The company should also identify whether data was processed by a vendor, whether the breach occurred in Turkey or abroad, whether foreign regulators must also be notified, whether law enforcement should be contacted, whether data subject communication is required, and whether contractual notification obligations exist.
Evidence preservation is important. Logs, emails, access records, screenshots, forensic images, vendor communications, timeline records, and internal reports may later be needed in a Board investigation, litigation, insurance claim, or criminal complaint.
Special Categories of Personal Data and High-Risk Breaches
Breaches involving special categories of personal data require heightened attention. Under KVKK, special categories include data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and attire, association/foundation/trade union membership, health, sexual life, criminal convictions and security measures, biometric data, and genetic data. These data categories are more sensitive because misuse may cause discrimination, reputational harm, employment consequences, financial loss, or serious interference with private life.
A breach involving health records, biometric templates, criminal record information, union membership data, or genetic data is likely to be treated as more serious than a breach involving only business contact data. The Authority also notes that adequate measures determined by the Board must be taken when processing special categories of personal data.
For example, a hospital breach exposing diagnosis records, a workplace breach exposing health reports, or a biometric database breach may require urgent mitigation, strong data subject communication, and careful legal analysis. The company should explain what additional measures were in place and what remedial actions were taken after the breach.
Common Types of Reportable Data Breaches
Reportable data breaches under KVKK may arise in many ways. One common scenario is a cyberattack, such as ransomware, credential theft, malware infection, SQL injection, or unauthorized database access. Another scenario is accidental disclosure, such as sending personal data to the wrong recipient or attaching the wrong file to an email.
Cloud misconfiguration is another frequent risk. If customer data is stored in an unsecured public bucket or database, unauthorized persons may access it. Insider threats may also lead to breaches, such as an employee downloading customer lists before leaving the company or sharing HR records with unauthorized persons.
Lost or stolen devices may also trigger notification if they contain unencrypted personal data. A lost laptop protected by full-disk encryption, with the key not stored on or with the device and the device powered off or locked at the time of loss, may be lower risk, but a lost USB drive containing plain-text health data or payroll records may require notification. The encryption status of the device should be verified from inventory or management records, not assumed.
Vendor incidents are also common. A payroll provider, cloud platform, call center, marketing agency, or SaaS provider may suffer a breach affecting the controller’s data. The controller remains responsible for assessing notification obligations and communicating with the Board and data subjects.
Breach Notification and Cross-Border Data Transfers
Many data breaches involve cross-border systems. A Turkish company may use foreign cloud storage, foreign CRM software, international HR platforms, global customer support tools, or overseas IT vendors. If a breach occurs in such systems, the company must assess both breach notification obligations and international transfer compliance.
Following the 2024 amendments to KVKK Article 9, cross-border data transfers are governed by a structured regime based on adequacy decisions, appropriate safeguards such as standard contracts or binding corporate rules, and limited incidental transfer exceptions. Standard contracts must be notified to the Authority within five business days after signature.
In a breach investigation, the Board may examine whether the foreign transfer itself was lawful. Therefore, companies should ensure that international vendors and cloud providers are covered by valid Article 9 mechanisms. A breach involving an unlawful cross-border transfer may expose the controller to additional regulatory risk.
Documentation of All Breaches
Decision No. 2019/10 requires the controller to document all personal data breaches, including the facts relating to the breach, its effects, and the measures taken. This documentation must be available for the Board to examine.
This duty is important even where the company decides that notification is not required. If a security incident is investigated and the company concludes that no personal data was obtained unlawfully, the reasoning should be documented. If a breach is notified, the notification timeline, evidence, Board communication, affected individuals, and remediation steps should be archived.
A breach register should include incident reference number, discovery date, awareness date, affected systems, personal data categories, affected data subjects, risk assessment, notification decision, notification dates, reasons for delay if any, remedial measures, responsible persons, and closure date.
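The register fields above, the awareness-based 72-hour deadline, the requirement to attach reasons when the Board is notified late, the separate duty to inform data subjects once they are identified, the processor's duty to escalate without delay, and the duty to document non-notification decisions can all be checked mechanically against a register entry. The following Python is an added example, not code from the original page or from any official KVKK tool; its field set, the 24-hour processor escalation limit, the sample incidents, and the timestamps are constructed assumptions for illustration.

```python
"""Breach register checker (constructed example, not an official KVKK tool).

Checks one register entry against: the 72-hour Board deadline counted from
awareness, reasons for delay when notified late, data subject notification
once subjects are identified, processor escalation lag, and documented
reasoning for non-notification decisions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

BOARD_WINDOW = timedelta(hours=72)    # Decision No. 2019/10 reading of "shortest time"
PROCESSOR_SLA = timedelta(hours=24)   # assumed contractual processor-to-controller limit
TRT = timezone(timedelta(hours=3), "TRT")


@dataclass
class BreachRecord:
    ref: str
    discovered_at: datetime                       # first alert or detection
    aware_at: datetime                            # reasonable certainty of unlawful access
    data_categories: List[str]
    special_categories: bool
    subjects_affected: Optional[int]              # None while still being counted
    reportable: Optional[bool] = None             # None = assessment still open
    decision_reasoning: str = ""
    board_notified_at: Optional[datetime] = None
    delay_reason: str = ""
    subjects_identified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None
    processor_discovered_at: Optional[datetime] = None
    processor_informed_controller_at: Optional[datetime] = None

    @property
    def board_deadline(self) -> datetime:
        return self.aware_at + BOARD_WINDOW


def review(rec: BreachRecord, now: datetime) -> List[str]:
    """Return the compliance findings for one register entry as of `now`."""
    findings: List[str] = []
    for name in ("discovered_at", "aware_at", "board_notified_at"):
        ts = getattr(rec, name)
        if ts is not None and ts.tzinfo is None:
            return [f"{name} is not timezone-aware; deadline cannot be computed safely"]
    if rec.aware_at < rec.discovered_at:
        findings.append("awareness date precedes discovery date")
    if rec.processor_discovered_at and rec.processor_informed_controller_at:
        lag = rec.processor_informed_controller_at - rec.processor_discovered_at
        if lag > PROCESSOR_SLA:
            hours = lag / timedelta(hours=1)
            findings.append(f"processor informed controller after {hours:.1f} h, over the contract limit")
    if rec.reportable is None:
        if now > rec.board_deadline:
            findings.append("assessment still open but the 72-hour window has expired")
        return findings
    if rec.reportable is False:
        if not rec.decision_reasoning.strip():
            findings.append("non-notification decision has no documented reasoning")
        return findings
    if rec.board_notified_at is None:
        if now > rec.board_deadline:
            findings.append("Board not notified and the 72-hour deadline has passed")
    elif rec.board_notified_at > rec.board_deadline and not rec.delay_reason.strip():
        findings.append("Board notified after 72 hours without reasons for the delay")
    if rec.subjects_identified_at and rec.subjects_notified_at is None:
        findings.append("affected data subjects identified but not yet notified")
    return findings


def sample_register() -> List[BreachRecord]:
    """Four constructed incidents: compliant, late, undocumented, and stalled."""
    t = lambda d, h, m=0: datetime(2024, 5, d, h, m, tzinfo=TRT)
    return [
        BreachRecord("IR-2024-001", t(6, 2, 15), t(6, 9, 30), ["identity", "contact"], False, 1200,
                     True, "customer table exfiltrated via compromised admin account",
                     t(8, 17), "", t(7, 11), t(8, 18, 30), t(6, 1), t(6, 2, 15)),
        BreachRecord("IR-2024-002", t(6, 8), t(6, 9, 30), ["health"], True, None,
                     True, "patient file share exposed", t(9, 14), "", t(8, 10), None),
        BreachRecord("IR-2024-003", t(7, 10), t(7, 10), [], False, 0, False, ""),
        BreachRecord("IR-2024-004", t(3, 20), t(4, 8), ["payroll"], False, None,
                     None, "", None, "", None, None, t(2, 9), t(3, 20)),
    ]


def run_sample(now: datetime = datetime(2024, 5, 10, 12, 0, tzinfo=TRT)) -> Dict[str, List[str]]:
    return {rec.ref: review(rec, now) for rec in sample_register()}


if __name__ == "__main__":
    for ref, findings in run_sample().items():
        print(ref, findings or "no findings")
```

The awareness timestamp, not the first alert, drives the deadline, which is why the checker flags an awareness date earlier than discovery as inconsistent and refuses naive timestamps entirely; a register kept in local time without an offset is a common way to lose hours at the edge of the window.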
Administrative Fines and Legal Consequences
Failure to comply with data security obligations under Article 12 may lead to administrative fines. Article 18 provides administrative fines for failures such as breach of the obligation to inform, breach of data security obligations, failure to comply with Board decisions, breach of Registry obligations, and failure to notify standard contracts under Article 9/5. Administrative fines imposed by the Board may be appealed before administrative courts.
The Authority states that administrative fines under Article 18 are adjusted annually based on the revaluation rate determined under Turkish law, and updated amounts are effective from the beginning of each calendar year.
Legal risk is not limited to administrative fines. A breach may also lead to civil compensation claims by affected individuals, contractual liability toward business partners, employment disputes, consumer complaints, insurance issues, criminal complaints in serious cases, and reputational harm. Article 17 of KVKK also refers to Turkish Penal Code provisions concerning crimes related to personal data.
How the Board Evaluates Breach Incidents
Although each case is fact-specific, the Board generally considers whether the controller took adequate technical and organizational measures before the breach, whether the breach was detected promptly, whether the Board was notified within 72 hours, whether data subjects were informed in a timely and clear manner, whether affected data categories were sensitive, whether the number of affected individuals was high, whether the controller cooperated transparently, and whether remedial measures were effective.
The Board may also examine whether the company had proper access controls, encryption, logging, vendor management, employee training, data retention policies, and breach response procedures. If the breach resulted from obvious negligence, weak passwords, lack of access control, unsecured databases, untrained employees, or poor vendor oversight, the enforcement risk increases.
A controller’s post-breach conduct matters. A company that acts quickly, contains the incident, notifies properly, cooperates with the Board, informs data subjects clearly, and implements remedial measures will be in a stronger position than a company that delays, minimizes, conceals, or provides incomplete information.
Practical Steps After Discovering a Data Breach
A company discovering a potential breach should immediately activate its incident response plan. First, it should contain the incident. This may involve disabling compromised accounts, isolating affected systems, blocking malicious IP addresses, suspending risky integrations, revoking tokens, or taking servers offline.
Second, it should preserve evidence. Logs, files, alerts, emails, and system images should be secured before they are overwritten or deleted.
Third, it should assess whether personal data is involved. If yes, the company should identify categories, affected groups, number of persons, and whether special categories of data are affected.
Fourth, it should determine the awareness date and track the 72-hour deadline.
Fifth, it should prepare the Board notification. If all information is not available, an initial notification can be made and completed later.
Sixth, it should identify affected data subjects and prepare direct or appropriate communication.
Seventh, it should coordinate with vendors, insurers, legal counsel, cybersecurity experts, and management.
Eighth, it should document all decisions and remedial actions.
Ninth, after the incident is controlled, it should conduct a root-cause analysis and update security measures.
Drafting an Effective Data Subject Notification
A data subject notification should be practical, transparent, and understandable. It should explain what happened, when it happened, when it was detected, what categories of personal data were affected, what risks may arise, what measures the company has taken, what steps the individual should take, and how the company can be contacted.
The tone should be serious but not unnecessarily alarming. The notification should avoid vague statements such as “some data may have been affected” without further explanation. If exact details are not known, the company should say so and explain that investigation continues.
For high-risk breaches, the notification should provide concrete advice. For example, affected individuals may be advised to change passwords, enable two-factor authentication, be alert to phishing messages, monitor financial accounts, avoid sharing verification codes, or contact the company through official channels.
Sector-Specific Considerations
E-commerce companies should pay attention to customer databases, order history, delivery addresses, payment-related data, and marketing systems. A breach may create phishing, fraud, identity misuse, and consumer trust risks.
Employers should focus on personnel files, payroll data, health reports, disciplinary records, performance records, and candidate data. Employee data breaches may create workplace disputes and confidentiality issues.
Healthcare providers must treat breaches involving patient data as highly sensitive. Diagnosis, treatment, laboratory, prescription, and health insurance data require strong confidentiality and careful communication.
Financial and fintech companies should assess identity verification data, transaction records, device data, fraud scores, and account information. Even if full card data is not stored, payment-related metadata may still be sensitive.
SaaS providers and cloud companies should define controller-processor roles clearly and ensure rapid breach escalation to customers.
Law firms, accountants, consultants, and professional service providers should protect client files, litigation documents, financial records, and confidential business information because these files may include extensive personal data and sensitive data.
Common Mistakes in KVKK Breach Notification
One common mistake is waiting too long for a complete forensic report before notifying the Board. KVKK practice allows gradual information where all details are not available, but the initial notification should still be made within the legal timeline.
Another mistake is assuming that only hackers cause reportable breaches. Accidental disclosure, insider misuse, wrong email recipients, lost devices, and vendor errors may also be reportable.
A third mistake is failing to notify data subjects after notifying the Board. Article 12/5 requires both Board notification and communication to affected individuals.
A fourth mistake is relying on vendors without contractual breach-reporting duties. If a processor delays informing the controller, the controller may miss the 72-hour deadline.
A fifth mistake is failing to document non-notification decisions. Even if the company decides that an incident is not reportable, the reasoning should be recorded.
A sixth mistake is using vague or overly defensive data subject notices. Poor communication may increase complaints.
A seventh mistake is ignoring foreign data subjects or foreign regulators in multinational incidents, or conversely ignoring Turkey when a global incident affects Turkish residents.
KVKK Data Breach Compliance Checklist
A company should have a breach compliance framework before any incident occurs. The framework should include a data breach response plan, an incident response team, internal escalation channels, vendor breach clauses, Board notification templates, data subject notification templates, breach register, cyber insurance coordination, forensic support arrangements, employee training, and periodic simulations.
The company should also maintain a data inventory. Without knowing what personal data exists, where it is stored, who accesses it, and which vendors process it, breach assessment becomes extremely difficult.
Access controls should be reviewed regularly. Former employees, unnecessary administrator accounts, shared passwords, and excessive permissions are common breach causes.
Security measures should be tested. Vulnerability scans, penetration tests, backup restoration tests, phishing simulations, and access audits help demonstrate responsible compliance.
Retention policies should also be implemented. The less unnecessary data a company stores, the lower the breach impact will be. Old customer records, expired candidate files, obsolete logs, and unnecessary special category data can significantly increase breach exposure.
Conclusion
Data breach notification obligations under KVKK are a core part of Turkish personal data protection compliance. Article 12 requires data controllers to take appropriate technical and organizational security measures and to notify the Personal Data Protection Board and affected data subjects when processed personal data is obtained by others through unlawful means. The Board’s Decision No. 2019/10 clarifies that notification to the Board must be made without delay and not later than 72 hours after the controller becomes aware of the breach.
For companies operating in Turkey, a strong breach response system is essential. The legal obligation is not satisfied merely by sending a late or incomplete form after an incident. Controllers must detect incidents quickly, assess them accurately, notify the Board in time, communicate with affected individuals, document all breaches, cooperate with processors, preserve evidence, and implement remedial measures.
Data processors also play a critical role. They must notify the controller without delay when personal data held by them is obtained unlawfully. Therefore, vendor contracts, cloud agreements, payroll arrangements, SaaS contracts, marketing service agreements, and outsourcing structures must include strong breach reporting obligations.
A well-prepared company should have a written breach response plan, trained teams, clear escalation procedures, tested security controls, accurate data inventories, and documented decision-making. This preparation reduces regulatory risk, limits harm to individuals, protects business continuity, and strengthens trust.
In the digital economy, no organization can completely eliminate breach risk. However, every organization can reduce the likelihood of breaches and respond lawfully, quickly, and transparently when they occur. Under KVKK, effective breach management is not only a legal duty; it is a fundamental element of responsible data governance in Turkey.