AC
Anasayfa Makaleler

Data Subject Requests (DSAR) and 30 Day Response Obligation

TL;DR

KVKK m.13 veri sahibi talepleri için 30 gün yanıt zorunlu; yanıt vermemek veya geç yanıt 18.000-1.000.000 TL para cezası riski.

15 Şubat 2026 3 dk okuma 8 görüntülenme Son güncelleme: 9 Mayıs 2026

Response within 30 days is mandatory when the data subject requests. Risk of administrative fine of 18,000-1,000,000 TL if no response is given or if a misleading response is given.

KVKK article 13 — request process

  • The data owner applies in writing (letter, KEP) or electronically (web form, e-mail).
  • The company will respond within 30 days at the latest.
  • If the response is not satisfactory for the data owner, complaint to KVKK within 30 days.
  • KVKK review will be concluded within 60-180 days.

    • Rights of the data subject

    • Learning whether personal data is being processed.
    • Requesting information if personal data has been processed.
    • Purpose of processing + learning whether it is used appropriately.
    • Knowing the third party to whom the transfer is made.
    • Requesting correction of incomplete/incorrectly processed data.
    • Requesting deletion or destruction (art.7).
    • Do not object to the transaction.
    • Objection if affected by the result of automatic processing.
    • Demanding compensation (Art.14).

    Ideal response process

  • 0-3 days: Request receipt + authentication (TC ID / registered e-mail).
  • 3-7 days: Scoping; Which systems will be scanned (CRM, ERP, log, backup).
  • 7-21 days: Data collection; redaction (third party data removed).
  • 21-28 days: Draft response + legal + DPO approval.
  • 28-30 days: Response sent by KEP or registered e-mail; requested format (PDF, JSON).

    • Frequently asked questions

    The request appears to be fraudulent/malicious; Can we refuse?

    Rejected in cases of "manifestly ill-founded" or "unauthorized person". However, justified and written; Otherwise, KVKK will be justified in its complaint.

    We cannot delete the data, we must keep it by law; what should we do?

    Reason for rejection: legal liability (tax, insurance, commercial book). Automatic deletion information is given at the end of the storage period.

    What do we do with bulk DSAR (10K users simultaneously)?

    Automated portal + manual approval process. Duration: 30 days for a single user; Same time for bulk demand but additional staff + automation. KVKK extension may be requested (justified).

    Do we respond to anonymous email?

    No, authentication is required. KVKK article 13/2 - the data controller confirms the identity. TR ID + registered e-mail is recommended.

    What does KVKK do when there is no response?

    Opens an investigation upon complaint; The administrative fine is in the range of 18,000-1,000,000 TL. The scope of recidivism and violation is multiplier.

    Relevant legislation

    • KVKK no. 6698 article 12 — Data security obligation; notice of violation (art.12/5).
    • KVKK no. 6698 article 14 — Right to compensation.
    • KVKK no. 6698 article 18 — Administrative fine (up to 5 million TL).
    • GDPR Art. 33-34 — 72-hour infringement notification on EU cross-border transfer.
    • TCK art.135-136 — Unlawful recording/dissemination of personal data.
    Legal notice: This article is for general information purposes; A meeting with a lawyer is required for a concrete case. Durations, rates and application are shaped by jurisprudence; Check the current legislation before applying.

    Kaynaklar ve referanslar

    Kaynaklar

    Veri Sahibi Talepleri (DSAR) ve 30 Gün Yanıt Yükümlülüğü içeriği hazırlanırken resmi mevzuat ve yüksek yargı kaynakları esas alınmıştır.

    Telif bildirimi This content and all related Q&A texts are protected under Turkish Copyright Law No. 5846. Unauthorized copying, reproduction, publication, adaptation, bulk extraction, or commercial use is prohibited; legal and criminal remedies are reserved in case of infringement.

    Hukuki destek arıyorsanız

    Bu konuda profesyonel hukuki destek için Aycan Ceylan Avukatlık Bürosu olarak yanınızdayız.

    Görüşme Planla