Cybercrime and Turkish Personal Data Protection Law: KVKK Compliance After Cyber Incidents

Introduction

Cybercrime and Turkish Personal Data Protection Law are now inseparable. A cyber incident rarely remains a purely technical problem. A ransomware attack may encrypt customer data. A phishing attack may expose employee e-mail accounts. A former employee may export customer lists. A hacker may access a patient database. A business e-mail compromise incident may reveal invoices, contracts and identity information. A cloud misconfiguration may make thousands of records publicly available.

In Turkey, these incidents may trigger several legal consequences at the same time: criminal investigation under the Turkish Penal Code, breach notification duties under the Personal Data Protection Law No. 6698, possible reporting and cooperation obligations under Cybersecurity Law No. 7545, civil compensation claims, internal investigation duties, contractual liability and reputational damage.

The Turkish Personal Data Protection Law, commonly known as KVKK, requires data controllers to take all necessary technical and organizational measures to ensure appropriate data security. Article 12 expressly requires measures to prevent unlawful processing of personal data, prevent unlawful access to personal data and ensure the protection of personal data. If processed personal data is obtained by others through unlawful means, the data controller must notify the affected data subject and the Personal Data Protection Board within the shortest time.

This article explains KVKK compliance after cyber incidents in Turkey. It focuses on data breach notification, cybercrime classification, digital evidence, incident response, criminal complaints, data subject rights, corporate liability and defence strategies.

1. What Is a Cyber Incident Under Turkish Law?

A cyber incident may be understood as an event affecting the confidentiality, integrity or availability of information systems or data. In practice, it may involve unauthorized access, malware, ransomware, phishing, credential theft, data exfiltration, website compromise, business e-mail compromise, system disruption, cloud exposure, insider data theft or unauthorized data transfer.

A cyber incident becomes a personal data protection issue when personal data is affected. This does not require the data to be sold or published. Unauthorized access, copying, transfer, loss of control, encryption, alteration, disclosure or destruction may all raise KVKK concerns.

Examples include:

A ransomware attack encrypting employee and customer databases.

A phishing attack compromising a corporate mailbox containing customer information.

A former employee sending client lists to a personal e-mail address.

A hacker downloading identity documents from an online platform.

A hospital system breach exposing patient records.

A cloud folder containing HR files becoming publicly accessible.

A fake invoice fraud incident exposing supplier and customer payment data.

A lost laptop containing unencrypted personal data.

The first legal question after any cyber incident should be: Was personal data affected? If yes, the company must immediately assess KVKK obligations, criminal law implications and evidence preservation.

2. KVKK Article 12: Data Security Obligations

Article 12 of KVKK is the foundation of data security compliance in Turkey. It imposes three core duties on the data controller: preventing unlawful processing of personal data, preventing unlawful access to personal data and ensuring the protection of personal data. The data controller must take all necessary technical and organizational measures to provide an appropriate level of security.

Technical measures may include encryption, access control, multi-factor authentication, logging, backup management, firewall configuration, endpoint protection, secure software development, vulnerability testing, network segmentation, data loss prevention and incident detection systems.

Organizational measures may include employee training, internal policies, authorization matrices, confidentiality undertakings, vendor controls, incident response procedures, data inventory management, access review, breach response planning and periodic audits.

KVKK also makes clear that where data processing is carried out by another person on behalf of the controller, the controller remains jointly responsible with that person for taking the required measures. The Authority’s public guidance similarly states that data processors must also take measures to ensure data security, and that controllers must conduct necessary audits to ensure implementation of the law.

This is crucial in cyber incidents involving cloud providers, payroll companies, accounting firms, call centers, software vendors, hosting companies, marketing agencies or managed IT service providers. A controller cannot simply say “the breach happened at our vendor.” The controller must assess whether it selected, instructed, monitored and contractually controlled the processor properly.

3. When Does a Cyber Incident Become a KVKK Data Breach?

A cyber incident becomes a KVKK data breach when processed personal data is obtained by others through unlawful means. Article 12(5) requires the data controller to communicate the breach to the data subject and notify the Board within the shortest time.

The concept should be interpreted functionally. A breach may involve:

Unauthorized access to personal data.

Exfiltration or copying of personal data.

Publication of personal data online.

Loss of personal data through stolen devices.

Transfer of personal data to unauthorized recipients.

Encryption of personal data by ransomware.

Deletion or alteration of personal data.

Disclosure of customer data through phishing.

Misdelivery of files containing personal data.

Unlawful access by employees or former employees.

Not every cybersecurity alert is automatically a reportable personal data breach. For example, a blocked attack that did not reach personal data may not require notification. However, where there is uncertainty, the controller should conduct and document a careful assessment. The critical issues are whether personal data was accessed, acquired, disclosed, lost, altered, made unavailable or put at real risk.

4. The 72-Hour Data Breach Notification Rule

The Personal Data Protection Board’s Decision No. 2019/10 interprets the phrase “within the shortest time” in Article 12(5) as without delay and no later than 72 hours after the controller becomes aware of the breach. The decision also states that affected data subjects should be informed within the shortest reasonable period after they are identified. If the controller cannot notify the Board within 72 hours, the reasons for delay must be attached to the notification, and where all information cannot be provided at once, information must be provided gradually without delay.

This is one of the most important compliance rules after a cyber incident in Turkey. The 72-hour period does not mean that the company must have completed its entire forensic investigation. In many cyber incidents, especially ransomware and cloud breaches, full technical certainty may take days or weeks. The rule means that once the controller becomes aware of a breach requiring notification, it must notify promptly and update the information as it becomes available.

A strong breach notification should address:

The date and time of discovery.

The estimated date and time of occurrence.

The categories of personal data affected.

The categories and number of affected persons.

The possible consequences of the breach.

The measures taken or proposed.

Whether data subjects were notified.

Contact details for further information.

Whether a processor or third party is involved.

Whether law enforcement has been contacted.

The controller should also keep internal records showing how it assessed the incident, why notification was or was not made, and what remedial measures were taken.
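An added example, not from the original article: a small Python helper that encodes the Decision No. 2019/10 timing rules above as a checklist evaluator. It computes the 72-hour Board deadline from the awareness time, flags a late notification that has no reasons attached, reminds the team to supply missing information gradually, selects the data subject channel (direct contact or website publication) and raises the processor-to-controller duty that the article discusses under vendor incidents. The Incident fields, the finding codes and the sample timestamps are this example's own assumptions, not terms taken from the law or the decision.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Decision No. 2019/10 reads "within the shortest time" as no later than
# 72 hours after the controller becomes aware of the breach.
BOARD_WINDOW = timedelta(hours=72)


@dataclass
class Incident:
    """Facts recorded by the response team (field names are this example's
    own). Timestamps are ISO 8601 strings with an explicit UTC offset."""
    personal_data_affected: bool        # did the incident reach personal data?
    obtained_by_others: bool            # accessed, copied, disclosed, exfiltrated...
    aware_at: str                       # moment the controller became aware
    board_notified_at: Optional[str] = None
    delay_reason: Optional[str] = None  # reasons attached to a late notification
    information_complete: bool = False  # can every required detail be given now?
    subjects_identified: bool = False
    contact_details_available: bool = False
    acting_as_processor: bool = False   # the data is processed for a controller


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def notification_required(inc: Incident) -> bool:
    """Article 12(5) applies when processed personal data is obtained by
    others unlawfully. A blocked attack that never reached personal data is
    not a reportable breach, but the assessment itself is still documented."""
    return inc.personal_data_affected and inc.obtained_by_others


def board_deadline(inc: Incident) -> str:
    """Latest moment for the Board notification: awareness + 72 hours."""
    return (_ts(inc.aware_at) + BOARD_WINDOW).isoformat()


def assess(inc: Incident, now: str) -> List[str]:
    """Return finding codes for the incident as evaluated at time `now`."""
    findings: List[str] = []
    if not notification_required(inc):
        return ["NO_BREACH_DOCUMENT_ASSESSMENT"]
    deadline = _ts(board_deadline(inc))
    if inc.board_notified_at is None:
        if _ts(now) <= deadline:
            findings.append("BOARD_NOTIFY_WITHIN_WINDOW")
        else:
            findings.append("BOARD_WINDOW_MISSED_NOTIFY_NOW_WITH_REASONS")
    elif _ts(inc.board_notified_at) > deadline:
        # A late notification must carry the reasons for the delay.
        findings.append("BOARD_LATE_REASONS_ATTACHED" if inc.delay_reason
                        else "BOARD_LATE_REASONS_MISSING")
    else:
        findings.append("BOARD_NOTIFIED_IN_TIME")
    if not inc.information_complete:
        # Where all information cannot be given at once, provide it gradually.
        findings.append("SUPPLY_REMAINING_INFORMATION_GRADUALLY")
    if inc.acting_as_processor:
        findings.append("PROCESSOR_NOTIFY_CONTROLLER_WITHOUT_DELAY")
    if not inc.subjects_identified:
        findings.append("IDENTIFY_SUBJECTS_THEN_INFORM")
    elif inc.contact_details_available:
        findings.append("INFORM_SUBJECTS_DIRECTLY")
    else:
        findings.append("INFORM_SUBJECTS_VIA_WEBSITE_OR_SIMILAR")
    return findings


if __name__ == "__main__":
    # Constructed sample: ransomware confirmed to have copied customer records;
    # the Board was notified 80 hours after awareness with no reasons recorded.
    sample = Incident(True, True, "2025-06-02T09:00:00+00:00",
                      board_notified_at="2025-06-05T17:00:00+00:00",
                      subjects_identified=True)
    print("Board deadline:", board_deadline(sample))
    for code in assess(sample, "2025-06-05T18:00:00+00:00"):
        print(code)
```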

5. Data Breach Response Plan

The Board’s Decision No. 2019/10 requires data controllers to prepare a data breach response plan, periodically review it, determine to whom internal reports will be made and identify the persons responsible for notification duties.

A breach response plan should not be a generic policy stored in a folder. It should be an operational playbook. The company should know who will lead the response, who will preserve evidence, who will communicate with IT vendors, who will assess KVKK notification, who will contact insurers, who will draft criminal complaints and who will approve external communication.

A practical KVKK cyber incident response plan should include:

Incident detection and escalation procedures.

Internal response team roles.

Legal assessment workflow.

Forensic evidence preservation rules.

Data breach classification criteria.

KVKK notification decision process.

Data subject communication templates.

Processor-controller notification rules.

Criminal complaint decision process.

Cybersecurity Law assessment.

Media and customer communication rules.

Post-incident remediation review.

Without a prepared plan, companies often lose time in the first critical hours. This may result in missed notification deadlines, poor evidence preservation and inconsistent communication.

6. Relationship Between KVKK and Turkish Penal Code Cybercrimes

A cyber incident may simultaneously constitute a personal data breach and a criminal offence. The main cybercrime provisions under the Turkish Penal Code include Article 243 on unauthorized access to information systems, Article 244 on system interference and data manipulation, Article 245 on misuse of bank or credit cards and Article 245/A on prohibited devices or programs. The Council of Europe’s Turkey cybercrime profile identifies Articles 243, 244, 245 and 245/A as core cybercrime provisions and notes that cybercrime investigations are directed by the prosecution service with technical support from police authorities.

For example:

A hacker entering a customer database may trigger Article 243 and KVKK notification.

A ransomware attack making personal data inaccessible may trigger Article 244 and KVKK breach assessment.

A former employee exporting customer data may trigger Articles 136 and 244, as well as KVKK obligations.

A phishing attack compromising a corporate mailbox may trigger qualified fraud, unauthorized access and data breach notification duties.

A stolen card database used for online purchases may involve Article 245, personal data offences and KVKK compliance.

The legal response should therefore be coordinated. A company should not file a criminal complaint without considering KVKK. It should not notify KVKK without preserving evidence for prosecution. It should not restore systems without documenting forensic findings.

7. Personal Data Crimes Under Turkish Penal Code

Cyber incidents may also trigger personal data crimes under Articles 135–140 of the Turkish Penal Code. These provisions may apply where personal data is unlawfully recorded, obtained, delivered, published or not destroyed when required.

Typical scenarios include:

A former employee copying customer data.

An insider sending employee records to a competitor.

A hacker publishing identity numbers online.

A person obtaining patient data from a hospital system.

A contractor exporting user data beyond the project scope.

A fraudster collecting identity documents through a fake website.

In these cases, the company may be both a victim and a data controller with compliance obligations. The individual offender may face criminal liability, while the company may need to demonstrate that it took appropriate technical and organizational measures.

8. Cybersecurity Law No. 7545 and KVKK Compliance

Turkey’s cybersecurity framework expanded significantly with Cybersecurity Law No. 7545, which entered into force after publication in the Official Gazette on 19 March 2025. The law aims to protect public institutions, individuals and private sector entities from cyber threats and establishes a broader framework for national cybersecurity policies and strategies. Its scope applies broadly to public institutions, private legal entities, professional associations and individuals operating in cyberspace.

For companies, this means that cyber incident response may no longer be assessed only under KVKK. Depending on the company’s sector, role and systems, Cybersecurity Law obligations may require incident notification, cooperation with authorities, audit readiness and compliance with standards to be determined by the Cybersecurity Presidency. A 2026 country Q&A notes that Law No. 7545 introduces a risk-based centralized governance model, obligations relating to cybersecurity measures, incident notification, cooperation with authorities and compliance with standards, while further implementation details are expected through secondary legislation.

Therefore, after a cyber incident, companies should ask three separate questions:

Is there a KVKK data breach?

Is there a criminal offence requiring a prosecutor complaint?

Is there a cybersecurity reporting or cooperation obligation under Law No. 7545 or sector-specific regulations?

The answer may be yes to all three.

9. First 24 Hours After a Cyber Incident

The first 24 hours are decisive. A company must act quickly but carefully. The wrong technical response may destroy evidence. The wrong legal response may create unnecessary admissions. The wrong communication may increase reputational harm.

A practical first-day response should include:

Contain the incident without destroying evidence.

Preserve logs, alerts, affected files and system images.

Identify affected systems and accounts.

Determine whether personal data is involved.

Disable compromised credentials.

Check whether data was exfiltrated.

Identify whether special category data is affected.

Record the time of discovery.

Notify internal legal and management teams.

Engage forensic support where necessary.

Assess whether a processor or vendor is involved.

Prepare the preliminary KVKK notification assessment.

Consider whether a criminal complaint is urgent.

Avoid deleting messages, logs or malware samples before preservation.

The company should document every step. Documentation is not bureaucracy; it is legal protection. It shows that the company responded responsibly, preserved evidence and assessed compliance duties in good faith.

10. Digital Evidence Preservation

Digital evidence is critical after cyber incidents. It may prove the identity of the attacker, the attack vector, the data affected, the timeline, the damage and the company’s diligence.

Important evidence may include:

Server logs.

Firewall logs.

VPN records.

Cloud access logs.

Endpoint detection alerts.

Mailbox audit logs.

Database export records.

File metadata.

Ransom notes.

Malware samples.

Phishing e-mails with headers.

IP addresses.

User account activity.

Backup logs.

USB connection records.

Download records.

Dark web publication screenshots.

Vendor communications.

Internal incident reports.

For criminal proceedings, evidence should be preserved in a forensic manner where possible. For regulatory defence, evidence should show what happened, what was affected and what measures were taken. For civil litigation, evidence should prove damage, causation and due diligence.

A common mistake is restoring systems too quickly without preserving logs. Business continuity matters, but evidence preservation is equally important. A company should coordinate IT recovery with legal and forensic review.

11. KVKK Notification to Data Subjects

Board Decision No. 2019/10 states that affected data subjects should be informed within the shortest reasonable period after they are identified; if contact information is available, direct notification should be made, and if not, appropriate methods such as website publication may be used.

A data subject notification should be clear, practical and not misleading. It should explain what happened, what data may be affected, what risks may arise, what measures the company has taken and what steps the individual can take.

Depending on the incident, individuals may be advised to:

Change passwords.

Enable two-factor authentication.

Monitor bank accounts.

Beware of phishing messages.

Watch for identity theft attempts.

Contact the company’s data protection contact point.

Report suspicious activity.

A notification should avoid unnecessary panic but should not minimize the incident. Understating the risk may create further liability if harm later occurs.

12. Internal Investigations and Employee-Related Incidents

Cyber incidents often involve employees or former employees. A current employee may fall victim to phishing. A former employee may export customer data. An IT administrator may misuse access rights. A salesperson may send client lists to a private e-mail account.

Internal investigations must be lawful, proportionate and documented. Companies should not conduct unlimited searches of employee private communications. The investigation should focus on relevant systems, business accounts, access logs and company devices, within the scope of internal policies and applicable law.

The company should examine:

Employment role and access rights.

Whether access exceeded authorization.

Whether company policies were violated.

Whether personal data was copied or transferred.

Whether a competitor received the data.

Whether the employee acted intentionally or negligently.

Whether disciplinary action is justified.

Whether a criminal complaint is necessary.

Whether KVKK notification is required.

A poorly conducted internal investigation may create privacy and evidence problems. A well-conducted investigation can support both criminal and civil remedies.

13. Vendor and Processor Incidents

Many cyber incidents occur through vendors. A payroll provider may be breached. A cloud provider may misconfigure storage. A marketing agency may expose customer data. A software provider may be compromised. A call center may suffer unauthorized access.

KVKK requires controllers and processors to take appropriate security measures, and the Board’s decision states that if personal data held by a processor is obtained unlawfully, the processor must notify the controller without delay.

Contracts with processors should include:

Security obligations.

Incident notification deadlines.

Evidence preservation duties.

Cooperation with forensic investigations.

Audit rights.

Subprocessor restrictions.

Data return and deletion obligations.

Breach cost allocation.

Confidentiality provisions.

Liability clauses.

After a vendor incident, the controller should not wait passively. It must request facts, determine affected data, assess notification duties and document all decisions.

14. Ransomware and KVKK Compliance

Ransomware creates special KVKK problems. It may affect availability, confidentiality and integrity at the same time. Personal data may be encrypted, deleted, copied or threatened with publication.

The company should determine:

Was personal data encrypted?

Was personal data exfiltrated?

Were backups affected?

Did attackers access file directories?

Is there evidence of outbound data transfer?

Are dark web leak claims credible?

Is special category data involved?

How many individuals are affected?

Was the system restored?

Should affected individuals be notified?

A ransomware incident should not be treated as “not a breach” simply because the company hopes there was no data exfiltration. The company must make a reasoned assessment based on logs, forensic indicators and available evidence.

15. Phishing and Business E-Mail Compromise

Phishing and business e-mail compromise are common sources of KVKK breaches. A compromised mailbox may contain personal data in attachments, signatures, invoices, contracts, HR documents, customer communications and identity records.

The company should inspect:

Which mailbox was compromised.

How long the attacker had access.

Whether forwarding rules were created.

Whether emails were downloaded.

Whether attachments were accessed.

Whether customer or employee data was exposed.

Whether payment fraud occurred.

Whether data subjects should be informed.

Whether the incident involves criminal fraud.

If a fake invoice fraud occurred, the company may need to file a criminal complaint for qualified fraud and unauthorized access while also assessing KVKK notification.

16. Cloud Misconfiguration and Public Exposure

Cloud misconfiguration is a frequent breach scenario. A storage bucket, shared drive, database, backup folder or collaboration platform may be accidentally made public. Even without an external hacker, public exposure of personal data may be a breach.

Key questions include:

Was the folder publicly accessible?

For how long?

Which data categories were exposed?

Was the data indexed by search engines?

Were files downloaded?

Were access logs available?

Were third-party links shared?

Did the exposure involve special category data?

Can access be revoked immediately?

Is notification required?

Companies using cloud systems should maintain strict access controls, periodic permission reviews and logging. Cloud security is not solely the vendor’s responsibility; the controller must configure and monitor its own environment.

17. Data Subject Rights After Cyber Incidents

Data subjects have rights under KVKK, including the right to learn whether personal data is processed, request information about processing, learn the purpose of processing, know third parties to whom data is transferred, request correction or deletion under legal conditions and claim compensation for damage arising from unlawful processing.

After a cyber incident, individuals may submit requests to the controller. The controller should be prepared to respond accurately and within the legal framework. Poor responses may lead to complaints before the Board.

The controller should not disclose sensitive forensic details that could worsen security, but it should provide meaningful information about the personal data affected, risks, measures and available remedies.

18. Civil Compensation After Data Breaches

A cyber incident may lead to civil compensation claims. Data subjects may claim material damages, such as financial loss, identity theft expenses, account recovery costs or fraud-related losses. They may also claim moral damages if the incident caused distress, reputational harm, privacy violation or exposure of sensitive data.

Companies may also claim damages against attackers, former employees, vendors or negligent service providers.

A compensation case will usually examine:

Was there unlawful processing or insufficient security?

Did the controller take appropriate technical and organizational measures?

Was the breach foreseeable?

Was notification timely?

Did the claimant suffer actual damage?

Is there causation between breach and damage?

Did the company take remedial measures?

A well-documented incident response can significantly strengthen the company’s defence.

19. Administrative Fines and Regulatory Risk

KVKK violations may lead to administrative sanctions, especially where the controller failed to take adequate security measures, failed to notify a breach, failed to respond to data subject requests or ignored Board decisions. The risk is higher if the incident involves special category data, large numbers of individuals, delayed notification, poor documentation or repeated security weaknesses.

Regulatory risk is not limited to fines. The Board may publish breach announcements, order remedial actions and examine the controller’s security measures. Reputational consequences may be severe.

Therefore, companies should treat KVKK compliance as a continuing cybersecurity governance obligation, not a one-time legal formality.

20. Defence Strategy for Companies After Cyber Incidents

A company facing regulatory, civil or criminal consequences after a cyber incident should build a defence around diligence, proportionality and documentation.

A strong defence should show:

The company had security policies.

Technical and organizational measures existed.

Employees were trained.

Vendors were contractually controlled.

Access rights were limited.

Logs were maintained.

The incident was detected and contained.

Forensic review was conducted.

KVKK notification was assessed promptly.

Data subjects were informed where required.

A criminal complaint was filed where appropriate.

Remedial measures were implemented.

The company should avoid unsupported statements such as “no data was affected” unless technically verified. Overconfidence may create legal problems if later findings contradict early statements.

21. Practical KVKK Compliance Checklist After Cyber Incidents

A Turkish company should follow this checklist after a cyber incident:

Identify and contain the incident.

Preserve evidence.

Record the discovery time.

Determine affected systems.

Identify whether personal data is involved.

Classify data categories.

Identify affected persons.

Assess whether special category data is involved.

Determine whether data was accessed, copied, altered, deleted or encrypted.

Assess KVKK notification duty within the 72-hour framework.

Prepare Board notification if required.

Inform data subjects where necessary.

Notify the controller if acting as processor.

Consider criminal complaint.

Assess Cybersecurity Law obligations.

Review contractual notification duties.

Notify cyber insurer if applicable.

Document all decisions.

Implement remedial measures.

Review and update the breach response plan.

This checklist should be integrated into the company’s internal incident response procedure.

22. Why Legal Assistance Is Important

KVKK compliance after cyber incidents requires coordination between legal, IT, forensic, management, communication and compliance teams. A lawyer can help classify the incident, assess notification duties, preserve evidence, draft Board notifications, communicate with data subjects, prepare criminal complaints, review vendor contracts, handle Board investigations and defend against compensation claims.

A Turkish cybercrime and data protection lawyer can also help ensure that technical findings are translated into legally meaningful arguments. This is important because a forensic report may identify an IP address, access event or data export, but the legal meaning depends on authorization, intent, personal data categories, breach risk and statutory duties.

Conclusion

Cybercrime and Turkish Personal Data Protection Law intersect directly after cyber incidents. A ransomware attack, phishing incident, business e-mail compromise, former employee data theft, cloud exposure or database breach may trigger criminal law, KVKK notification duties, Cybersecurity Law obligations, civil compensation claims and internal governance responsibilities.

Under KVKK Article 12, data controllers must take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access and ensure protection of personal data. If processed personal data is obtained by others unlawfully, the controller must notify the Board and affected data subjects within the shortest time; the Board’s Decision No. 2019/10 interprets this as no later than 72 hours after awareness for Board notification.

For companies, the strongest legal protection is preparation: data inventory, access control, incident response planning, vendor management, employee training, logging, encryption and periodic audits. When an incident occurs, the company must preserve evidence, assess KVKK notification, consider criminal complaint, evaluate cybersecurity obligations and document every decision.

For victims and data subjects, Turkish law provides rights to information, correction, deletion under legal conditions and compensation for damage caused by unlawful processing. For suspects and defendants, the key issues are authorization, intent, digital attribution and lawfulness of evidence.

In Turkey’s digital economy, cyber incidents are not only IT emergencies. They are legal events. Effective response requires speed, evidence, legal classification and disciplined KVKK compliance.
