
KVKK Data Breach Notification: 72 Hour Rule

25 February 2026 | KVKK and Data Protection Law | 2 min read | Last updated: 8 May 2026

KVKK Article 12(5) obliges the data controller to notify the Personal Data Protection Board and the affected data subjects "as soon as possible" (en kısa sürede) when a personal data breach occurs. The Board has interpreted "as soon as possible" as 72 hours, counted from the moment the controller learns of the breach (Board decision, 18.01.2019).

What Counts as a "Breach"?

  • Unauthorized access (hacking, insider leak).
  • Unauthorized transfer or disclosure (e-mail sent to the wrong recipient, file sharing).
  • Unauthorized alteration or deletion.
  • Loss of an unencrypted device or USB drive.
  • Ransomware attack.

Notification Obligation

  • Notification to the Board: within 72 hours of learning of the breach, using the "Personal Data Breach Notification Form".
  • Notification to the data subjects: "within a reasonable time"; in practice typically 3 to 7 days.
  • The notification must be written in clear and understandable language.
  • It must specify the affected data categories and the number of people affected.
  • It must report the measures taken and the measures recommended to data subjects.

Consequences of Exceeding the Deadline

  • Administrative fine (100,000 to 5,000,000 TL band under the current schedule).
  • A destruction order (obligation to delete or destroy the data).
  • Publication on the Authority's breach list (reputational damage).
  • A concrete basis for compensation claims.

Notification Form Content

  • Date and time when the event occurred.
  • Type of incident (cyber attack, insider leak, etc.).
  • Data categories affected (name, phone, financial, health, etc.).
  • Number of people affected.
  • Possible consequences.
  • Measures taken and to be taken.
  • Contact point (DPO or designated contact person).

Notification to the Data Subject: Format

  • May be delivered by SMS, e-mail or post.
  • Title: "Notification about Personal Data Breach".
  • Summary of the event (plain language).
  • Steps the data subject can take (change passwords, alert their bank).
  • Contact point.

Board Decisions — Established Approach

The Personal Data Protection Board starts the notification clock from the "moment of suspicion"; waiting for a "definitive determination" is not accepted as grounds for delay. A late notification usually results in an administrative fine, with the amount set according to the scale of the breach.

Preventive Measures

  • Keep the data inventory (data mapping) and the VERBIS registration up to date.
  • Access controls and a password policy.
  • Regular penetration tests.
  • An Incident Response Plan.
  • Appointing a DPO (Data Protection Officer).
  • Employee training (phishing awareness).

Post-Breach Process

  • Detecting the incident (suspicion).
  • Assessment by the internal team together with the DPO.
  • Notification to the Board within 72 hours.
  • Notification to the data subjects.
  • Criminal proceedings (Turkish Penal Code, TCK Articles 135-136).
  • Preparation for compensation claims.

Data breach management runs on a tight timeline; the process should be planned together with a lawyer specializing in KVKK and IT law.
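As an added example, not part of the original article or the law office's material: a small Python helper an incident response team can keep beside its runbook. It keeps the 72-hour Board clock running from the moment of suspicion rather than from forensic confirmation (the point the Board's established approach turns on), refuses naive timestamps so local-time log entries cannot silently shift the deadline, and checks that every field of the notification form listed above is filled before filing. The record layout, field names, timestamps and the contact address are constructed for illustration and are not taken from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# 72-hour window for the Board notification, counted from when the controller
# became aware of the breach (the page: from the "moment of suspicion").
BOARD_WINDOW = timedelta(hours=72)

# Fields of the Board notification form, as the page lists them (names assumed).
REQUIRED_FORM_FIELDS = (
    "occurred_at", "incident_type", "data_categories", "affected_count",
    "possible_consequences", "measures", "contact_point",
)

TR_TIME = timezone(timedelta(hours=3))  # Turkey (UTC+3), used for the constructed sample


@dataclass
class BreachRecord:
    suspected_at: datetime                   # first credible indication; this starts the clock
    confirmed_at: Optional[datetime] = None  # forensic confirmation; does NOT move the clock
    board_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None
    form: dict = field(default_factory=dict)


def _as_utc(ts: datetime, label: str) -> datetime:
    # Refuse naive timestamps: a log kept in local time next to a ticket kept in
    # UTC is exactly how a 72-hour deadline ends up miscounted by three hours.
    if ts.tzinfo is None:
        raise ValueError(f"{label} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def board_deadline(rec: BreachRecord) -> datetime:
    """Deadline for the Board notification: suspicion time + 72 h, in UTC."""
    return _as_utc(rec.suspected_at, "suspected_at") + BOARD_WINDOW


def board_status(rec: BreachRecord, now: Optional[datetime] = None) -> dict:
    """Classify the Board notification as on time, late, still open, or overdue."""
    deadline = board_deadline(rec)
    if rec.board_notified_at is not None:
        sent = _as_utc(rec.board_notified_at, "board_notified_at")
        late_by = (sent - deadline).total_seconds() / 3600
        if late_by <= 0:
            return {"status": "notified_on_time", "deadline": deadline, "hours_spare": -late_by}
        return {"status": "notified_late", "deadline": deadline, "hours_late": late_by}
    now = _as_utc(now or datetime.now(timezone.utc), "now")
    remaining = (deadline - now).total_seconds() / 3600
    if remaining >= 0:
        return {"status": "open", "deadline": deadline, "hours_remaining": remaining}
    return {"status": "overdue", "deadline": deadline, "hours_late": -remaining}


def missing_form_fields(rec: BreachRecord) -> list:
    """Form fields that are absent or empty; the form is not ready to file until this is []."""
    return [f for f in REQUIRED_FORM_FIELDS if not rec.form.get(f)]


# Constructed sample: suspicion at 09:00 Istanbul time on Monday 2 March 2026,
# forensic confirmation 30 h later, Board form filed 80 h after suspicion.
# Counting from confirmation instead would make this filing look on time.
SAMPLE = BreachRecord(
    suspected_at=datetime(2026, 3, 2, 9, 0, tzinfo=TR_TIME),
    confirmed_at=datetime(2026, 3, 3, 15, 0, tzinfo=TR_TIME),
    board_notified_at=datetime(2026, 3, 5, 17, 0, tzinfo=TR_TIME),
    form={
        "occurred_at": "2026-03-01T22:40+03:00",
        "incident_type": "ransomware",
        "data_categories": ["name", "phone", "financial"],
        "affected_count": 12450,
        "possible_consequences": "",  # left blank on purpose: the check must flag it
        "measures": "isolated hosts, rotated credentials, restored from backup",
        "contact_point": "dpo@example.com",  # placeholder address
    },
)

if __name__ == "__main__":
    print(board_status(SAMPLE))         # notified_late, 8.0 hours late
    print(missing_form_fields(SAMPLE))  # ['possible_consequences']
```

The one design choice worth noting is that `confirmed_at` is stored but never used for the deadline: it documents the investigation timeline for the form, while the clock is anchored to `suspected_at`, which is the reading of the Board's approach the page describes.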

    Copyright notice: This content and all related Q&A texts are protected under Turkish Copyright Law No. 5846. Unauthorized copying, reproduction, publication, adaptation, bulk extraction, or commercial use is prohibited; legal and criminal remedies are reserved in case of infringement.

    If you are looking for legal support

    As Aycan Ceylan Law Office, we are at your side for professional legal support on this matter.
