Personal Data Breaches and Cybercrime Under Turkish Law

Introduction

Personal data breaches and cybercrime under Turkish law are closely connected. A cyberattack may start as unauthorized access to an information system, but it often becomes a personal data breach when customer records, employee files, identity information, passwords, financial data, health records, e-mail addresses, private messages or user accounts are accessed, copied, transferred, encrypted, deleted or published.

In Turkey, a data breach is not only a technical cybersecurity problem. It may trigger several legal consequences at the same time: criminal liability under the Turkish Penal Code, administrative obligations under the Personal Data Protection Law No. 6698, breach notification duties before the Personal Data Protection Board, civil compensation claims, employment disputes, contractual liability, content removal requests and corporate governance responsibilities.

The Personal Data Protection Law No. 6698, commonly known as the KVKK, aims to protect fundamental rights and freedoms, especially privacy, in relation to personal data processing, and it applies to natural or legal persons processing personal data wholly or partly by automated means or as part of a data filing system. Turkish criminal law separately punishes unlawful recording, acquisition, publication or transfer of personal data, as well as unauthorized access to information systems and interference with data.

This article explains personal data breaches and cybercrime under Turkish law from a practical legal perspective. It focuses on KVKK breach notification, Turkish Penal Code offences, digital evidence, corporate duties, victim rights, criminal complaint strategy and defence issues.

1. What Is a Personal Data Breach Under Turkish Law?

A personal data breach generally occurs when personal data is unlawfully accessed, obtained, disclosed, altered, destroyed, lost, encrypted, transferred or made available to unauthorized persons. Under Turkish law, the concept is especially important where personal data processed by a data controller is obtained by third parties through unlawful means.

Personal data may include a wide range of information. Names, surnames, Turkish identity numbers, passport numbers, phone numbers, addresses, e-mail addresses, IP addresses, photographs, bank account details, card information, health records, employment records, location data, user credentials, customer records and private communications may all constitute personal data if they relate to an identified or identifiable natural person.

A personal data breach may occur in many ways:

A hacker accesses a company database.

A ransomware group encrypts employee and customer files.

A former employee exports customer lists.

A phishing attack captures user credentials.

A cloud storage folder is left publicly accessible.

A company sends personal data to the wrong recipient.

A website vulnerability exposes user information.

A stolen laptop contains unencrypted personal data.

An employee publishes customer data online.

A business e-mail compromise incident leads to disclosure of personal data.

The key issue is not only whether data was “stolen.” Unauthorized access, disclosure, transfer, loss of control, encryption, alteration or publication may all create legal risk.

2. KVKK and the Data Controller’s Security Obligations

The KVKK imposes obligations on data controllers. A data controller is the person or entity that determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system.

Under KVKK, data controllers must act lawfully and take necessary technical and organizational measures to ensure data security. In practice, this means that companies, clinics, hospitals, law firms, e-commerce businesses, employers, software providers, schools, financial institutions and other organizations processing personal data must maintain reasonable security measures.

Technical measures may include encryption, access control, multi-factor authentication, network security, logging, backups, vulnerability management, endpoint protection, data loss prevention and secure software development. Organizational measures may include employee training, data protection policies, incident response plans, confidentiality undertakings, vendor controls, authorization procedures and breach response workflows.

A company that suffers a cyberattack is not automatically liable merely because an attacker acted unlawfully. However, regulators and courts may ask whether the company took appropriate measures before the incident, detected the breach in time, preserved evidence, notified relevant authorities and affected persons, and took remedial steps.

3. Data Breach Notification to the Personal Data Protection Board

One of the most important obligations in a personal data breach is notification. Article 12(5) of the KVKK provides that if processed personal data is obtained by others through unlawful means, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time. The Board may also announce the breach where necessary.

The Personal Data Protection Board’s Decision No. 2019/10 interprets “within the shortest time” as without delay and no later than 72 hours after the data controller becomes aware of the breach. If notification cannot be made within 72 hours, reasons for the delay must be attached to the notification. The same decision states that affected data subjects should be informed within the shortest reasonable period after they are identified, and that data controllers must document all personal data breaches, including facts, effects and measures taken.

This 72-hour rule is critical in cyber incidents. A company should not wait until every technical detail is fully known if it has already become aware of a breach requiring notification. If all information cannot be provided at once, the Board’s decision allows gradual provision of information without delay.

A proper breach notification assessment should answer the following questions:

When did the organization become aware of the incident?

What personal data categories are affected?

How many people may be affected?

Was the data accessed, copied, encrypted, deleted or published?

Is special category personal data involved?

Has the incident been contained?

What measures were taken?

Should affected persons be notified?

Should the Board be notified?

Is a criminal complaint necessary?

Are contractual or sectoral notifications required?

4. Criminal Liability for Personal Data Crimes

Personal data breaches may also constitute criminal offences under the Turkish Penal Code. Articles 135 to 140 regulate offences concerning personal data.

Article 135 punishes unlawful recording of personal data. Article 136 punishes unlawfully delivering data to another person, publishing data or acquiring data through illegal means, with imprisonment from one year to four years. Article 137 increases the punishment by one half if the offence is committed by a public officer by using the influence of public office or by exploiting the advantage of a profession or art. Article 138 punishes failure to destroy data after the legally prescribed period expires.

These provisions may apply in many breach scenarios. For example, a former employee who copies customer data and sends it to a competitor may be investigated under Article 136. A person who publishes another person’s identity information, phone number or private data online may face personal data offence allegations. An employee who unlawfully records patient information, customer lists or private identity data may face Article 135 liability.

Legal entities may also face security measures where personal data offences are committed within the activities of a legal entity, according to Article 140 of the Turkish Penal Code.

5. Cybercrime Offences Connected to Data Breaches

A personal data breach often occurs together with cybercrime offences. The main provisions are Articles 243 and 244 of the Turkish Penal Code.

Article 243 punishes a person who unlawfully enters all or part of a data processing system or remains there, with imprisonment up to one year or a judicial fine. If the act results in deletion or alteration of data within the system, imprisonment from six months to two years may apply.

Article 244 punishes hindering or destroying the operation of a data processing system with imprisonment from one year to five years. It also punishes deleting, changing, preventing access to data, installing data into a system or sending available data elsewhere with imprisonment from six months to three years. Where the offence is committed against systems belonging to a bank, credit institution or public institution, the penalty is increased by one half.

These provisions are highly relevant to data breaches. A hacker who enters a customer database may face Article 243. If the hacker transfers the database elsewhere, Article 244 may also apply. If ransomware makes customer data inaccessible, Article 244 may be relevant. If a former employee exports personal data from a company system, both Article 244 and Article 136 may need to be considered.

6. Common Cyber Incidents That Cause Personal Data Breaches

Personal data breaches can arise from several types of cyber incidents.

Ransomware

Ransomware may encrypt or lock personal data. If the attacker also exfiltrates data and threatens publication, the incident becomes more serious. The company must assess whether personal data was accessed, copied or made unavailable, and whether KVKK notification is required.

Phishing

Phishing attacks may capture e-mail credentials, banking information, customer login data or employee passwords. If an employee’s corporate mailbox is compromised and contains personal data, the incident may trigger breach notification.

Unauthorized Database Access

Hackers may exploit software vulnerabilities or weak passwords to access databases. If customer or employee records are exposed, both criminal complaint and KVKK notification analysis are necessary.

Insider Data Theft

Current or former employees may copy customer lists, patient records, employee files or commercial databases. This may create criminal liability and civil claims.

Lost or Stolen Devices

A laptop, phone, USB drive or hard disk containing unencrypted personal data may cause a breach if lost or stolen.

Misdelivery and Human Error

Not every breach is caused by hacking. Sending files to the wrong e-mail address, exposing data in public links or uploading documents to the wrong portal may also create breach risk.

7. Personal Data Breach and Ransomware

Ransomware is one of the most serious breach scenarios. A ransomware attack may create three legal problems at once.

First, the attacker may have committed cybercrime by unlawfully accessing systems, disrupting operations and making data inaccessible. Second, the attacker may have unlawfully obtained or transferred personal data. Third, the data controller may need to notify the Personal Data Protection Board and affected persons if personal data was compromised.

The critical question is whether personal data was only encrypted or also accessed, copied or exfiltrated. Even if exfiltration is not fully proven, the organization must assess available indicators: unusual outbound traffic, attacker statements, dark web publication, suspicious archive files, log records and forensic findings.

A company should not assume that ransomware is outside KVKK merely because the data was encrypted. Loss of availability, unauthorized access and possible exfiltration may all be relevant to breach assessment.

8. Personal Data Breach and Phishing

Phishing may create a personal data breach when employees or customers are deceived into sharing credentials, identity information, card details or passwords. A corporate phishing attack may compromise e-mail accounts containing personal data. If attackers use the account to access customer files or employee data, the company must assess breach notification duties.

In addition to KVKK obligations, phishing may constitute qualified fraud, unauthorized access, bank card misuse or personal data offences depending on the facts. For example, if a fake login page captures user credentials and the attacker enters customer accounts, Articles 243 and 136 may be relevant.

For companies, the legal response should include preserving the phishing e-mail, headers, fake URLs, access logs, mailbox rules, forwarding settings, affected messages and user activity records.

9. Cybersecurity Law No. 7545 and Data Breaches

Turkey’s cybersecurity framework has expanded with Cybersecurity Law No. 7545. The law came into force after publication in the Official Gazette on 19 March 2025 and aims to protect public institutions, private legal entities, professional associations and individuals operating in cyberspace from cyber threats, while establishing comprehensive national cybersecurity policies and strategies.

This law is relevant to data breach response because many personal data breaches arise from cyber incidents. Depending on the organization’s sector and role, a cyber incident may trigger obligations beyond KVKK, including cybersecurity reporting, cooperation with competent authorities, audits or critical infrastructure requirements.

Cybersecurity Law No. 7545 does not replace the KVKK or the Turkish Penal Code. Instead, it operates alongside them. A serious cyber incident may therefore require simultaneous analysis under cybersecurity law, data protection law, criminal law, contract law and sector-specific regulations.

10. Digital Evidence in Personal Data Breach Cases

Digital evidence is central to both criminal investigation and regulatory defence. Without proper evidence, a company may not be able to determine what happened, whether personal data was affected, who caused the incident or whether notification was required.

Important evidence may include:

Server logs.

Firewall logs.

VPN records.

Cloud access logs.

Database audit trails.

Endpoint detection alerts.

User account activity.

E-mail headers.

Malware samples.

Ransom notes.

IP records.

Download logs.

File metadata.

USB connection records.

Employee access records.

Backup logs.

Dark web screenshots.

Incident response reports.

Forensic expert reports.

The Council of Europe’s cybercrime profile for Turkey notes that the National Cybercrime Department has competence in urgent measures related to expedited preservation of traffic data, and that urgent search and seizure of computer data may be carried out on the basis of judicial authorization under Article 134 of the Criminal Procedure Code.

For companies, evidence preservation should begin immediately. Formatting devices, deleting logs, reinstalling systems or making undocumented changes may weaken both the criminal complaint and the company’s regulatory defence.

11. Criminal Complaint Strategy After a Data Breach

Where a personal data breach results from a cyberattack, insider theft or unlawful access, a criminal complaint should be considered. The complaint should be detailed, technical and supported by evidence.

A strong criminal complaint should explain:

The identity of the complainant.

The affected systems.

The type of personal data involved.

The suspected method of attack.

Dates and times of suspicious activity.

Whether data was accessed, transferred, deleted or published.

Whether the system was disrupted.

Known or suspected perpetrators.

Damage suffered by the company or data subjects.

Available logs and technical findings.

Requests for forensic examination.

Requests for preservation of traffic and access records.

Legal qualification under Articles 135, 136, 243, 244 and other applicable provisions.

If the incident involves bank fraud, phishing, blackmail or publication of private content, the complaint should also address those offences.

12. Victim Rights in Personal Data Breach Cases

Affected individuals may have several legal remedies. Under KVKK, data subjects have rights such as learning whether their personal data is processed, requesting information about processing, learning the purpose of processing, knowing third parties to whom data has been transferred, requesting correction or deletion under legal conditions, and claiming compensation for damage arising from unlawful processing.

In addition, individuals may file a criminal complaint if their personal data was unlawfully recorded, obtained, shared or published. If private life was violated, privacy offences may also be relevant. If financial loss occurred, fraud or bank card misuse offences may be considered. If identity theft occurred, content removal, access blocking and civil compensation claims may be necessary.

A victim should preserve evidence such as breach notifications, suspicious messages, bank records, fake accounts, screenshots with URLs, e-mails, platform warnings and identity misuse records.

13. Civil Compensation Claims

A personal data breach may cause material and moral damages. Material damages may include financial loss, identity theft expenses, fraudulent transactions, account recovery costs, business interruption, legal expenses and cybersecurity costs. Moral damages may arise from distress, fear, reputational harm, exposure of private information, publication of sensitive data or loss of control over personal information.

A compensation claim may be directed against the perpetrator of the cybercrime. In some cases, a claim may also be directed against a data controller if the breach resulted from unlawful processing, inadequate security measures or failure to comply with data protection obligations.

The claimant must prove unlawfulness, damage and causal connection. In practice, a regulatory decision, criminal file, forensic report, breach notification, expert opinion or documentary evidence may strengthen the claim.

14. Corporate Liability and Management Responsibility

A data breach is a corporate governance issue. Management should ensure that the organization has data security policies, incident response procedures, employee training, vendor controls and legal review mechanisms.

A company should be prepared to show:

What personal data it processes.

Where the data is stored.

Who has access to the data.

Which security measures are in place.

Whether logs are retained.

Whether employees are trained.

Whether vendors are controlled.

Whether backups are tested.

Whether breach response procedures exist.

Whether previous vulnerabilities were addressed.

If a company cannot answer these questions after a breach, it may face difficulty before regulators, courts, customers and business partners.

15. Vendor and Data Processor Breaches

Many data breaches involve vendors or data processors. A cloud provider, payroll company, call center, software vendor, hosting provider, marketing agency or IT support company may process personal data on behalf of the data controller.

The Personal Data Protection Board’s Decision No. 2019/10 states that if personal data held by a data processor is obtained by others unlawfully, the processor must notify the data controller without delay.

Therefore, data processing agreements should clearly regulate incident notification, security obligations, audit rights, subcontracting, log retention, cooperation with investigations, evidence preservation and liability. A vague vendor contract may create serious problems during breach response.

16. Internal Investigation After a Data Breach

A company should conduct an internal investigation immediately after discovering a suspected breach. However, the investigation must be lawful and controlled.

The company should:

Identify the incident.

Preserve evidence.

Limit further access.

Determine affected systems.

Identify affected data categories.

Assess whether personal data was accessed.

Document the timeline.

Take forensic images where necessary.

Avoid unnecessary interference with evidence.

Interview relevant employees.

Review vendor involvement.

Assess KVKK notification duty.

Assess criminal complaint strategy.

Prepare remedial measures.

An internal investigation should not itself become a privacy violation. Employee devices, e-mails and logs should be reviewed only within a lawful, proportionate and necessary scope.

17. Defence Strategies in Data Breach and Cybercrime Allegations

Persons accused of data breach-related crimes may include hackers, former employees, IT staff, managers, vendors or account holders. Defence strategy should focus on the specific elements of the alleged offence.

Possible defence arguments include:

The accused did not access the system.

The accused had authorization.

The access was within employment duties.

There is no proof of unlawful intent.

The data was not personal data.

The data was not transferred or published.

Logs are incomplete or unreliable.

The IP address does not identify the accused.

The device was shared or compromised.

The alleged breach resulted from technical failure.

The evidence was obtained unlawfully.

The correct legal classification is Article 243, not Article 244 or Article 136.

There is no causal link between the accused and the breach.

In cybercrime files, technical evidence must be challenged carefully. A username, IP address or device record may be relevant, but it does not automatically prove personal guilt.

18. Practical Breach Response Checklist for Companies

A company facing a personal data breach in Turkey should act quickly and systematically:

  1. Activate the incident response team.
  2. Contain the incident.
  3. Preserve logs and digital evidence.
  4. Identify affected systems and data categories.
  5. Determine when the breach was discovered.
  6. Assess whether personal data was obtained unlawfully.
  7. Assess whether KVKK notification is required.
  8. Prepare notification within the 72-hour framework where necessary.
  9. Inform affected persons within the shortest reasonable time where required.
  10. Notify the data controller if acting as a data processor.
  11. File a criminal complaint if cybercrime is involved.
  12. Review contractual and sectoral notification duties.
  13. Communicate carefully with customers and employees.
  14. Document all decisions and measures.
  15. Remediate vulnerabilities.
  16. Review policies after the incident.

The most important principle is coordination. IT, legal, management, compliance and communications teams must work together.

19. Preventive Compliance Measures

Prevention is stronger than post-breach defence. Organizations should implement a data protection and cybersecurity compliance program.

Recommended measures include:

Personal data inventory.

Data minimization.

Access control.

Encryption of sensitive data.

Multi-factor authentication.

Secure backup systems.

Employee training.

Vendor due diligence.

Data processing agreements.

Incident response plan.

Breach notification procedure.

Log retention policy.

Periodic penetration testing.

Vulnerability management.

Secure deletion procedures.

Internal audit.

Board-level cybersecurity reporting.

A company that documents its security measures and incident response process is in a stronger position if a breach occurs.

20. Why Legal Assistance Is Important

Personal data breaches and cybercrime cases are legally complex. A single incident may require KVKK notification, criminal complaint, forensic analysis, content removal, employee investigation, vendor dispute, civil compensation defence and public communication.

A Turkish data breach lawyer can assist with:

Breach notification analysis.

Drafting notification forms.

Communication with the Personal Data Protection Authority.

Criminal complaint preparation.

Evidence preservation.

Coordination with forensic experts.

Internal investigation.

Vendor contract review.

Compensation claims.

Defence against administrative fines.

Defence in criminal proceedings.

The best legal strategy begins immediately after discovery of the incident. Delay may result in lost evidence, missed notification deadlines and increased liability.

Conclusion

Personal data breaches and cybercrime under Turkish law form a multi-layered legal field. The KVKK imposes obligations on data controllers to protect personal data and notify breaches within the legal framework. The Personal Data Protection Board’s Decision No. 2019/10 interprets the breach notification period as no later than 72 hours after awareness. Turkish Penal Code Articles 135 to 138 punish unlawful recording, acquisition, publication, transfer and failure to destroy personal data. Articles 243 and 244 punish unauthorized access to information systems, system interference, data deletion, data alteration, data transfer and making data inaccessible.

For companies, a data breach is not only an IT problem. It is a legal crisis requiring evidence preservation, regulatory assessment, criminal law analysis, communication strategy and remediation. For victims, Turkish law provides criminal, civil and data protection remedies. For suspects, defence depends on authorization, intent, attribution, evidence reliability and correct legal classification.

In Turkey’s digital economy, personal data is one of the most valuable assets. When that data is breached, stolen, published or misused, the legal response must be fast, precise and technically informed. Effective breach management requires cooperation between lawyers, cybersecurity experts, management teams and data protection professionals.
