Data Breach and Its Consequences
The Law requires data controllers to notify the Board and the data subject as soon as possible after becoming aware of the data breach. In its decision dated January 24, 2019 and numbered 2019/19 ("Decision"), the Board clarified the rules and procedures to be followed in data breach cases.
The Board adopted the approach of the GDPR in terms of the timing of breach notifications and explained that the phrase "as soon as possible" in the Law must be interpreted as within 72 hours after the data breach is detected.
The Law also requires data controllers to notify data subjects as soon as they identify the data subjects affected by the data breach, regardless of how low the risk is. In the aforementioned Decision, the Board did not stipulate a specific period within which this notification must be made after the affected data subjects have been identified, and stated only that the notification should be made as soon as reasonably possible. Although what counts as a reasonable time must be assessed in each concrete case, it would be appropriate to notify the affected persons immediately after the data breach has been notified to the Board.
The Board’s Decision requires data controllers to draw up a roadmap in advance and to clarify the internal reporting mechanisms and procedures to be followed so that they are prepared for data breaches. Data controllers are also obliged to keep records of data breaches and of the measures taken in response.
The obligation to report a data breach also applies to data controllers located abroad. Where a data controller abroad experiences a data breach that affects data subjects residing in Turkiye or goods/services used by data subjects in Turkiye, it is likewise obliged to follow the data breach notification procedures announced by the Board. The critical point for data controllers abroad is that, even if the data breach occurs abroad, the Board must be notified whenever the data subjects affected by the breach are located in Turkiye. In this sense, the territorial scope of the Law has been expanded as regards data breach notifications.
The Board has also published a "Personal Data Breach Notification Form" for data controllers to fill out when notifying the Board.
An examination of the data breach notifications published on the Authority’s website shows that, while most notifications have been made by private companies, breaches have also been reported by institutions such as hospitals and universities. The categories of individuals affected by the breaches predominantly consist of the relevant data controllers' employees, patients, subscribers, customers, students, clinical research participants, and business partners. The affected data categories mainly include identity, education, health, association membership, transaction and physical space security, criminal convictions and security measures, race and ethnic origin, accounting and financial information, as well as genetic and biometric data. These data breach notifications have been made from both domestic and international sources.
Additionally, a significant portion of the published data breaches appear to have resulted from cyber-attacks targeting data controllers in the plastics industry and related sectors. Another major portion consists of data breaches reported by data controllers receiving services from a service provider that was subjected to an attack involving the infiltration of its management panel. In conclusion, when looking at the year 2024, it is observed that data breach notifications have been made by data controllers from a wide range of industries and sectors.
When examining the 2024 data breach statistics, a total of 81 data breach notifications were submitted to the Board, and 63 of these notifications were publicly announced. A review of the data breach notifications published on the Authority’s website reveals that data breaches generally occur as a result of ransomware attacks, cyberattacks, unauthorized access to user accounts, the compromise of an internal user's credentials, data leaks, data deletion, server lockouts, infiltration of the admin panel, public online exposure of data, and phishing attacks.
A data breach, in terms of its consequences, poses a risk of administrative fines for the data controller and must also be carefully considered due to potential criminal liability under the Turkish Criminal Law. As is known, the law includes provisions for both administrative fines and criminal liability. Regarding criminal liability, the law refers to the relevant provisions of the Turkish Criminal Law, which set out sanctions for the unlawful recording, disclosure, or acquisition of personal data.
In addition to criminal sanctions, the Law also sets out the administrative fines applicable in the event of a violation. Failure to fulfill data security obligations, data breaches, and failure to report a breach to the Board in a timely manner may result in administrative fines ranging from 68,083 Turkish Lira to 13,620,402 Turkish Lira (amounts updated for 2025) for data controllers.
In the cases reviewed and announced by the Board regarding data breach notifications, it is observed that the Board tends to impose penalties, in contrast to the more constructive approach adopted by European data protection authorities. However, it should also be noted that the Board has issued decisions where no administrative fines were applied, considering factors such as the number of individuals affected by the breach, whether the breach had a negative impact on the data subject, whether the data controller could intervene, whether the breached data was deleted, whether the data controller reported the breach within the required timeframe, and whether reasonable administrative and technical measures were taken.
Proper and timely handling of data breach processes is critically important for data controllers. In addition to the principles and procedures established and implemented by data controllers regarding the processing, deletion, destruction, and disposal of personal data, it is essential to clearly define the procedures to be followed in the event of a data breach. Establishing a data breach response plan as part of compliance processes will contribute positively to minimizing the risks associated with a potential data breach by enabling a swift and effective response.
First published by Gün + Partners on March 4, 2025.