How to File a KVKK Data Breach Notification: A Step-by-Step Guide (2026)

KVKK Updates · June 11, 2026 · 8 min read · Av. Emin Çelik

Short answer: A data controller who learns that personal data has been unlawfully obtained by a third party must notify the Turkish Personal Data Protection Board (KVKK Board) within 72 hours at the latest, and must inform affected individuals as soon as reasonably possible. Notification is made by completing the Authority's Data Breach Notification Form through the online breach notification system. Failing to notify, or notifying late, can trigger an administrative fine of up to TRY 13,620,402 under Article 18(1)(b) of the KVKK as of 2025.

When does the notification duty arise?

Article 12(5) of Law No. 6698 is clear: "Where personal data processed is obtained by others through unlawful means, the data controller shall notify the data subject and the Board as soon as possible."

The critical threshold here is the "obtaining" of data by a third party. In practice, this concept is interpreted broadly: unauthorized access to systems, a leaked database, an email sent to the wrong recipient, a stolen or lost device, and even data encrypted by ransomware can all trigger the notification duty. When in doubt, the question to ask is: has the confidentiality, integrity, or availability of personal data been compromised by an unauthorized act?

The duty rests with the data controller. Processors (cloud providers, call centers, software vendors) who learn of a breach must notify the controller without delay; it is the controller who must notify the Board.

The 72-hour rule: when does the clock start?

Where the law says "as soon as possible," the Board's decision of 24 January 2019 (No. 2019/10) translated this into a concrete 72-hour deadline. The clock starts the moment the controller becomes aware of the breach. "Awareness" does not mean having fully mapped out every dimension of the breach — it means understanding, with a reasonable degree of certainty, that a breach has occurred. You cannot extend the deadline by waiting for an investigation to be completed.

What if not all the information is available within 72 hours? The Board's accepted solution is phased notification: file an initial notification within the deadline using the information you have, then submit supplementary notifications to the Authority as further details become available. Where the 72-hour deadline is exceeded for a justified reason, the reasons for the delay must be explained alongside the notification. To be blunt: in practice, late notification has repeatedly appeared in Board decisions as a stand-alone ground for a fine — the ability to present a justification is not an amnesty mechanism.

The notification process, step by step

Step 1 — Detect and document the breach. Record, with timestamps, when and how the incident was discovered and which systems and categories of data were affected. These records both feed into the notification content and form the backbone of your defence regarding security measures in any later investigation.

Step 2 — Complete the Data Breach Notification Form. The Authority's published form sets out the minimum content of the notification. In summary, it requires:

  • The date the breach occurred and the date it was detected;
  • The source of the breach and how it occurred (cyberattack, human error, deliberate act, etc.);
  • The number of affected individuals and records (an estimate if the exact figure is unavailable);
  • The categories of data affected (with special categories identified separately);
  • The likely consequences of the breach;
  • The technical and administrative measures taken before and after the breach;
  • How affected individuals were informed and the data controller's contact details.

Step 3 — Submit the notification to the Authority. Notification is filed through the Authority's online breach notification system (ihlalbildirim.kvkk.gov.tr). In exceptional cases where the system cannot be used, the form may be submitted to the Authority physically or via registered electronic mail (KEP).

Step 4 — Inform the affected individuals. Under the Board's Decision No. 2019/10, individuals affected by the breach must be notified as soon as reasonably possible. Where contact information is available, notify them directly; where it is not, use an appropriate alternative method, such as a notice published on the controller's website. The notification should clearly and simply describe the nature of the breach, its likely consequences, the measures taken, and the channels through which the data subject can obtain further information.

Step 5 — Keep a breach record and report internally. Even once a breach is resolved, maintaining an internal inventory documenting the incident, its effects, and the actions taken is required both as part of the accountability principle and to be ready for any future information requests from the Board.

The cost of not notifying

The notification duty is one of the data security obligations under Article 12 of the KVKK; a breach of this duty triggers an administrative fine ranging, as of 2025, from TRY 204,285 to TRY 13,620,402 under Article 18(1)(b). In Board decisions, a failure to notify is treated as a separate and independent ground for a fine, distinct from any failure to implement adequate security measures — meaning a company can be fined separately for inadequate security and for failing to notify.

An important reminder: with the Cybersecurity Law that entered into force in 2025, where a breach also stems from a cyber incident, a separate notification duty to the Cybersecurity Presidency arises. The two notifications do not replace one another; as recognized in the literature, if both are neglected, both authorities may impose their own sanctions.¹ We cover the procedure for notifying the Presidency in a separate guide.

Frequently asked questions

The leaked data was encrypted. Is notification still required?
Strong encryption of the data, where the key was not compromised, affects the risk assessment for the individuals concerned. However, Turkish law does not contain an explicit "risk threshold" exception equivalent to GDPR Article 33(1), so the cautious approach is to notify.

A breach occurred at our overseas group company. Does it need to be notified in Turkey?
Yes, if data subjects in Turkey were affected and you act as the data controller in Turkey.

Does notifying protect us from a fine?
No — notification is the performance of a duty, not a cure for inadequate security measures. However, a timely and complete notification is considered a mitigating factor when the Board exercises its discretion on penalties.


Sources

  1. Akgün, Mustafa / Akıncı, Muhammed Furkan, "The Relationship of Concurrence Between Misdemeanours under the Personal Data Protection Law and Misdemeanours under the Cybersecurity Law," Ankara Hacı Bayram Veli University Faculty of Law Journal, 2026, Vol. 30, No. 3, pp. 1399-1455.
  2. Law No. 6698 (KVKK), Art. 12(5), 18(1)(b); Decision of the Personal Data Protection Board dated 24.01.2019, No. 2019/10.
  3. Personal Data Protection Authority, Data Breach Notification Form and online breach notification system (ihlalbildirim.kvkk.gov.tr).
