Short answer: With Law No. 7545 on Cybersecurity, the same data-processing activity can now fall under the jurisdiction of two separate supervisory authorities: the Personal Data Protection Authority and the Cybersecurity Presidency. For breaches committed through a single act — such as failing to implement security measures — only the heavier of the two penalties applies. But for breaches committed through separate acts — such as notification duties — each authority can issue its own fine independently. Rumours that the KVKK has been implicitly repealed are simply not true.
Two laws, one company: the new supervisory architecture
On paper, data protection and cybersecurity may look like two separate areas of law, but in practice they meet on the same server, the same database, and the same network. Today, personal data is overwhelmingly processed in cyberspace; where cybersecurity cannot be ensured, data protection becomes meaningless. Indeed, the Personal Data Protection Authority's Guide to Personal Data Security explicitly lists cybersecurity measures among the technical measures a data controller must implement.
The Cybersecurity Law, adopted on 12 March 2025, turned this overlap into an institutional reality. Every organization that provides services, collects, or processes data through information systems is now simultaneously subject to obligations under both the KVKK and the Cybersecurity Law. As rightly noted in the literature, this raises a genuine predictability problem: a data controller cannot always know in advance which authority will evaluate it against which standard.¹
Why the claim that "the KVKK has been implicitly repealed" is wrong
After the Cybersecurity Law was adopted, some commentators suggested that the misdemeanour provisions of the KVKK had been implicitly repealed. The reasoning was that a newer, special law providing for heavier penalties renders the older provisions inoperative.
Recent academic work examining this question from the perspective of the law on administrative misdemeanours shows that this claim does not hold up.² Four of the five misdemeanours under Article 18 of the KVKK — breach of the duty to inform, failure to comply with Board decisions, breach of the duty to register with the Data Controllers' Registry, and failure to notify a standard-contract-based cross-border transfer — have no overlap with the Cybersecurity Law at all; these are obligations directed at the right to data protection itself, not at cybersecurity. Enforcement in these areas continues exactly as before.
The overlap is concentrated in essentially one place: the breach of data security obligations under Article 18(1)(b) of the KVKK, and the misdemeanour of failing to implement cybersecurity measures under Article 16(10) of the Cybersecurity Law.
Where they overlap: security measures and ideal concurrence
Consider a company that has failed to encrypt its database and has not implemented access controls. This single omission can simultaneously breach both the duty under Article 12(1) of the KVKK to "implement the technical and administrative measures necessary to ensure the appropriate level of security" and the duty to implement the measures required under cybersecurity legislation.
This is where Article 15(1) of the Misdemeanours Law applies: where a single act constitutes more than one misdemeanour, only the heaviest administrative fine is imposed. So which fine is heavier? This is the thorniest question of the new era. As of 2025, the penalty range under Article 18(1)(b) of the KVKK runs from TRY 204,285 to TRY 13,620,402; the range under Article 16(10) of the Cybersecurity Law runs from TRY 1,000,000 to TRY 10,000,000. Looking at the ceiling, the KVKK fine looks heavier; looking at the floor, the Cybersecurity Law fine looks heavier.
What complicates this further is the proportional-fine mechanism in Article 17(2) of the Cybersecurity Law: where the breach has caused damage or generated a benefit, the fine can be set at three to five times that amount. This means it is not possible to determine in the abstract, by comparing penalty ranges, which fine is "heavier." As Akgün and Akıncı argue, the comparison must be made based on the fines actually calculated in the specific case.² This, in turn, requires a robust coordination mechanism between the two authorities — otherwise, it is inevitable that both will impose separate fines for the same act, with the dispute ultimately ending up before the administrative courts.
Where they don't overlap: notification duties and real concurrence
While the "heaviest penalty" formula applies to security measures, the picture for breach notifications is entirely different. The data breach notification to the Board and affected individuals under Article 12(5) of the KVKK, and the cyber incident notification to the Presidency under Article 7(1)(b) of the Cybersecurity Law, are two separate duties that differ in content and addressee. Neglecting both is treated as two separate acts and "real concurrence" applies: each authority issues its own fine, and the fines are cumulative.
In summary, the new penalty map looks like this:
| Scenario | Concurrence type | Outcome |
|---|---|---|
| Failure to implement security measures | Ideal concurrence | Whichever authority's fine is heavier in the specific case |
| Failure to notify a breach/incident | Real concurrence | Separate fines from both authorities |
| Breach of duty to inform, registry, Board decisions, standard contracts | No concurrence | KVKK only |
| Use of unauthorized cybersecurity products, etc. | No concurrence | Cybersecurity Presidency only |
Practical implications for companies
First, do not shelve your KVKK compliance program. The Board's supervisory and sanctioning powers remain fully in force; the only narrowing applies to security-measure breaches where, in a given case, the Cybersecurity Law fine turns out to be the heavier of the two.
Second, treat cybersecurity compliance as a distinct workstream from KVKK compliance going forward. The obligation set under the Cybersecurity Law (implementing measures, notification, being open to audit, using authorized suppliers) extends over a broader area than the KVKK and also covers systems that contain no personal data at all.
Third, keep records that would allow you to build a defensible file vis-à-vis both authorities at the moment of an incident. A company that cannot document which measures were taken when, and when the breach was discovered and reported to whom, finds itself exposed on two fronts at once.
Sources
- For the predictability problem highlighted by authors including M. Bedii Kaya, see Akgün/Akıncı, op. cit., p. 1407 and the sources cited therein.
- Akgün, Mustafa / Akıncı, Muhammed Furkan, "The Relationship of Concurrence Between Misdemeanours under the Personal Data Protection Law and Misdemeanours under the Cybersecurity Law," Ankara Hacı Bayram Veli University Faculty of Law Journal, 2026, Vol. 30, No. 3, pp. 1399-1455.
- Law No. 5326 on Misdemeanours, Art. 15; Law No. 6698 (KVKK), Art. 12, 18; Law No. 7545 on Cybersecurity, Art. 7, 16, 17.
- KVKK, "Administrative Fine Amounts under Law No. 6698 on the Protection of Personal Data," kvkk.gov.tr, 03.01.2025.
