
The 72 Hours After a Cyberattack: Dual Notification Duty to the KVKK Board and the Cybersecurity Presidency

Cybersecurity Alerts · June 12, 2026 · 8 min read · Av. Emin Çelik

Short answer: The moment you discover that your systems have been breached and personal data has been compromised, you no longer have one notification duty — you have two. You must notify the Turkish Personal Data Protection Board (KVKK Board) within 72 hours, and the Cybersecurity Presidency "without delay." Fulfilling one does not exempt you from the other; each authority can impose its own administrative fine under its own legislation.

What changed?

Law No. 7545 on Cybersecurity, adopted on 12 March 2025, fundamentally changed the legal framework for cyber incident management in Turkey. Before this law, a company that suffered a data breach effectively answered to one body: the Personal Data Protection Authority. Article 12(5) of Law No. 6698 (the Turkish Data Protection Law, "KVKK") requires that, where personal data processed by the controller is unlawfully obtained by third parties, the data subject and the Board must be notified "as soon as possible"; the Board's decision of 24 January 2019 (No. 2019/10) translated this into a concrete 72-hour deadline.

Article 7(1)(b) of the Cybersecurity Law introduces a new, separate duty for anyone who provides services, collects, or processes data through information systems: any vulnerability or cyber incident detected within their service area must be reported to the Cybersecurity Presidency without delay. A breach of this duty triggers an administrative fine ranging from TRY 1,000,000 to TRY 10,000,000 under Article 16(10) of the Law.

The key point: these two notifications do not substitute for one another.

Why two separate fines? Why the "it's the same incident" defence doesn't hold

In practice, the objection we hear most often from clients is: "It's a single incident — how can I be fined twice for the same attack?" The answer lies in the rules on concurrence of administrative offences (içtima) under Turkish law.

Article 15(1) of the Misdemeanours Law (Kabahatler Kanunu) provides that where a single act constitutes more than one misdemeanour, only the heaviest administrative fine is imposed (a form of "ideal concurrence"). However, when it comes to notification duties, there is no single act. Notification to the KVKK Board and notification to the Cybersecurity Presidency are two distinct duties, different in both content and addressee. In the first, you inform the Board and the affected individuals that personal data has been unlawfully obtained; in the second, you inform the Presidency about the cyber incident itself. A controller who neglects both has, in legal terms, committed two separate omissions.

For this reason, what applies here is not ideal concurrence but "real concurrence" (gerçek içtima): each authority issues its own fine independently. A comprehensive study by Akgün and Akıncı, published in the Ankara Hacı Bayram Veli University Faculty of Law Journal, reaches exactly this conclusion: failures to comply with reporting obligations that differ in content and addressee constitute legally distinct acts, so separate sanctions by each authority do not violate the ne bis in idem (double jeopardy) principle.¹ As the authors note, German case law has taken a similar approach: the Frankfurt Court of Appeal held that a failure to send the same banking report to both the Bundesbank and BaFin constitutes two separate omissions.²

A concrete scenario

Suppose a private healthcare provider's systems are infected with ransomware and patient records are encrypted. Management neither notifies the Personal Data Protection Authority within 72 hours nor informs the Cybersecurity Presidency, and the affected patients are never told.

In this scenario:

  • The failure to comply with the notification duty under KVKK Article 12(5) constitutes a misdemeanour under Article 18(1)(b). As of 2025, this fine ranges from a minimum of TRY 204,285 to a maximum of TRY 13,620,402.
  • At the same time, the failure to comply with the notification duty under Article 7(1)(b) of the Cybersecurity Law constitutes a separate misdemeanour under Article 16(10), punishable by a fine between TRY 1,000,000 and TRY 10,000,000.

The total sanction is the sum of both fines. Moreover, Article 17(2) of the Cybersecurity Law allows for a proportional fine of up to three to five times the damage caused or the benefit obtained as a result of the breach — meaning that in large-scale incidents, the final bill can be considerably higher than these baseline figures.

What should companies do?

In our experience, the greatest time loss at the moment of a breach is spent debating "who do we notify, about what, and how." Both notification channels need to be defined in advance within your incident response plan:

  1. Build two notification tracks into a single incident response plan. For the KVKK notification, use the Authority's breach notification system and form; for the Presidency notification, follow the procedure set out in secondary legislation.
  2. Do not confuse the deadlines. The 72-hour KVKK deadline is a hard ceiling. The Cybersecurity Law's "without delay" standard points to an even shorter window and offers no buffer to justify waiting.
  3. Prepare the content of each notification separately. The KVKK notification should focus on the number of affected individuals and records, the categories of data involved, and the measures taken; the Presidency notification should focus on the technical nature of the incident. Sending the same text to both authorities is often treated as an incomplete notification.
  4. Run the notification decision through legal review, but don't delay it. While it is possible to present justifications for late notification to the Board, in practice a late notification is often treated as grounds for a fine in its own right.

Frequently asked questions

There was no data breach, only an attempted intrusion. Is notification still required?
The KVKK notification duty is triggered when personal data is actually obtained by unauthorized parties. However, because Article 7(1)(b) of the Cybersecurity Law also covers detected "vulnerabilities," a notification duty to the Presidency may arise even in incidents that have no personal-data dimension at all.

We are a data processor, not a controller. Does the notification duty fall on us or on the controller?
Under KVKK, the notification duty is addressed to the data controller; a processor that becomes aware of a breach must inform the controller immediately. The Cybersecurity Law, however, covers anyone providing services through information systems — so an entity acting as a processor may also be directly liable to the Presidency.

We notified both authorities. Are we still at risk of a fine?
Fulfilling the notification duty does not erase a finding that you failed to implement adequate security measures. Notification duties and security-measure duties are assessed separately — we cover this in a separate article.


Sources

  1. Akgün, Mustafa / Akıncı, Muhammed Furkan, "The Relationship of Concurrence Between Misdemeanours under the Personal Data Protection Law and Misdemeanours under the Cybersecurity Law," Ankara Hacı Bayram Veli University Faculty of Law Journal, 2026, Vol. 30, No. 3, pp. 1399-1455.
  2. OLG Frankfurt a.M., Decision of 30.4.2020 – 2 Ss-OWi 85/19.
  3. Law No. 6698 on the Protection of Personal Data, Art. 12, 18; Decision of the Personal Data Protection Board dated 24.01.2019, No. 2019/10.
  4. Law No. 7545 on Cybersecurity, Art. 7, 16, 17.
