Personal data breach penalties
PENALTIES IN CASE OF PERSONAL DATA BREACH
Introduction
Today, the protection of personal data has become an inseparable part of the individual’s right to privacy. Technological developments have paved the way for personal data to be processed more rapidly, widely, and uncontrollably; this situation has caused data breaches to occur more frequently and to result in more serious consequences. For this reason, the protection of personal data has been secured by legal regulations at both national and international levels.
In our country, the first comprehensive regulation regarding the protection of personal data was implemented with the Personal Data Protection Law No. 6698 (“Law”), which entered into force on April 7, 2016. With this Law, it is aimed to protect the fundamental rights and freedoms of individuals in the processing of personal data and to determine the obligations of natural and legal persons who process such data.
What Is Personal Data?
In Article 3 of the Law, personal data is defined as “any information relating to an identified or identifiable natural person.” Accordingly, a person’s name, surname, date of birth, telephone number, IP address, license plate, voice recording, fingerprint, and similar data are considered personal data. Personal data is divided into two categories:
- General personal data, such as a person’s name, surname, Turkish ID number, address, and e-mail information.
- Special categories of personal data, which include more sensitive information such as a person’s race, ethnic origin, political opinion, religious belief, clothing, health data, biometric data, criminal convictions, and trade union membership. Since this type of data poses a higher risk to fundamental rights and freedoms, it is subject to stricter protection.
What Is a Personal Data Breach?
Although the Law does not explicitly define “data breach,” in line with the decisions and practices of the Personal Data Protection Board (“Board”), a data breach can be defined as the unauthorized acquisition of, alteration of, failure to delete, disclosure of, or access to personal data. Data breaches generally occur in the following ways:
- Systems being subjected to cyberattacks,
- Data being shared with unauthorized persons,
- Failure to delete data that should be destroyed,
- Processing data without explicit consent or unlawfully.
In such cases, both the intervention of the Board and criminal sanctions by judicial authorities may come into question.
Obligations of Data Controllers
The Law imposes certain obligations on natural and legal persons who process personal data. These obligations include:
- Obligation to inform (Art.10): Data controllers must inform data subjects about the purpose of processing personal data, with whom it is shared, the legal basis for processing, and the rights of individuals.
- Obligation to ensure data security (Art.12): Technical and administrative measures must be taken to prevent unlawful access, processing, and loss of personal data.
- Obligation to register with the registry (Art.16): Data controllers meeting certain criteria must register with VERBIS (Data Controllers Registry Information System).
- Obligation to notify a breach (Art.12/5): In the event of a data breach, notification must be made to the Board within 72 hours at the latest.
If data controllers violate these obligations, administrative fines may be imposed, and for certain violations, criminal liability may also arise under criminal law.
Administrative Fines to Be Imposed in Case of Personal Data Breach (Article 18 of the Law)
In cases where personal data is processed unlawfully, administrative fines are imposed on data controllers pursuant to Article 18 of the Law. The Law classifies these fines according to various types of violations:
| Type of Violation | PDPL Article | 2025 Administrative Fine (Lower – Upper Limit) |
|---|---|---|
| Violation of the obligation to inform | Art.10 | TRY 68,083 – TRY 1,362,021 |
| Failure to ensure data security | Art.12 | TRY 204,285 – TRY 13,620,402 |
| Failure to comply with Board decisions | Art.15 | TRY 340,476 – TRY 13,620,402 |
| Failure to register with VERBIS | Art.16 | TRY 272,380 – TRY 13,620,402 |
These fines are determined at the discretion of the Board, taking into account factors such as the nature and severity of the violation and whether it is repeated.
Crimes Within the Scope of the Turkish Penal Code (TPC Articles 135–140)
The unlawful processing of personal data is not limited to administrative sanctions and is also regulated as a crime under the Turkish Penal Code. In this context, acts such as the unauthorized acquisition, recording, disclosure, or failure to delete personal data may constitute a criminal offense.
TPC Art.135 – Recording of personal data
The unlawful recording of data relating to individuals’ political, philosophical, or religious views, racial origin, health conditions, sexual lives, or trade union memberships constitutes a crime. A person who commits this offense may be sentenced to imprisonment from 1 to 3 years.
TPC Art.136 – Unlawfully giving or obtaining data
If personal data is unlawfully given to another person, disseminated, or obtained, imprisonment from 2 to 4 years may be imposed. If this offense is committed by a public official or by taking advantage of the convenience provided by a certain profession, the penalty is increased.
TPC Art.138 – Failure to destroy data
Persons who fail to delete data that must be destroyed after certain periods as required by law or relevant legislation may be sentenced to imprisonment from 1 to 2 years.
TPC Art.139 – Aggravated circumstances
If the aforementioned offenses are committed within the framework of an organization’s activities, the penalties to be imposed are increased by half.
TPC Art.140 – Security measures for legal entities
If the offense is committed within the body of a legal entity, security measures such as the revocation of the activity permit specific to the legal entity or the closure of the relevant workplace may be applied.
Remedies in Case of Personal Data Breach
Persons whose data has been breached may seek remedies through the following means:
- Application to the data controller (Article 13 of the Law): A response must be given within 30 days.
- Complaint to the Personal Data Protection Board (Art.14): If no response is received from the data controller, a complaint may be filed with the Board within 60 days.
- Compensation lawsuit (Turkish Code of Obligations Art.49): In case of moral or material damage, a compensation lawsuit may be filed according to general provisions.
- Criminal complaint: A criminal complaint may be filed with public prosecutor’s offices.
Conclusion and Evaluation
The protection of personal data today concerns not only the privacy of individuals’ private lives but also public order, economic order, and social trust. The seriousness of this field is increasing day by day through both administrative sanctions and criminal penalties. Therefore, it has become essential both for individuals to become aware of the protection of personal data and for data controllers to act lawfully, transparently, and in a manner that fosters trust. Otherwise, high administrative fines and custodial sentences are inevitable.
Sincerely,
Atabay Law Office