Penalties for Personal Data Violations in Türkiye (KVKK Fines)

The Personal Data Protection Law (KVKK) No. 6698 was enacted to protect individual rights and freedoms in the processing of personal data. The law safeguards both data subjects (those whose data is processed) and data controllers (those processing the data).

Legal Framework for Criminal Liability under KVKK

To prevent the misuse and indiscriminate collection of personal data, Articles 17 and 18 of KVKK outline both criminal and administrative liabilities. These provisions aim to strengthen the responsibility of data controllers and emphasize the importance of safeguarding personal data.

Under Article 17 of KVKK, Turkish Penal Code (TCK) Articles 135–140 apply for personal data-related crimes. These provisions were last updated in 2021.

What is TCK?
TCK (Türk Ceza Kanunu) refers to the Turkish Penal Code, which outlines criminal offenses and penalties in Türkiye.

Criminal Offenses and Corresponding Penalties

| Offense | Criminal Penalty |
| --- | --- |
| Recording personal data unlawfully | 1 to 3 years imprisonment |
| Unlawfully recording sensitive data (e.g., religion, ethnicity, health, etc.) | 1 to 3 years imprisonment, increased by half |
| Unlawfully transferring, disseminating, or acquiring personal data | 2 to 4 years imprisonment |
| Committing the crime as a public officer or via professional privilege | Sentence increased by half |
| Failing to delete data as required under law | 1 to 2 years imprisonment |
| Failing to destroy data ordered to be removed by criminal law | Sentence increased by 100% |

What is Yargıtay?
Yargıtay is the Court of Cassation in Türkiye — the highest court of appeals for civil and criminal matters. It ensures consistency in court decisions across the country and serves as a final arbiter on legal interpretations.

Administrative Fines under KVKK Article 18

Article 18 of KVKK sets out administrative fines for data controllers who violate their obligations. These fines apply to natural and private legal persons and are updated annually based on Türkiye’s revaluation rate.

Updated Administrative Fines (2021)

| Violation | Applicable Fine (TRY) |
| --- | --- |
| Failure to fulfill the obligation to inform (KVKK Article 10) | 9,012 – 180,263 |
| Failure to ensure data security (KVKK Article 12) | 27,037 – 1,802,640 |
| Non-compliance with the Personal Data Protection Board decisions (KVKK Article 15) | 45,062 – 1,802,640 |
| Failure to register with VERBIS (KVKK Article 16) | 36,050 – 1,802,640 |

What is VERBIS?
VERBIS (Veri Sorumluları Sicil Bilgi Sistemi) is the Data Controllers’ Registry Information System in Türkiye, where data controllers are required to register.

Notable Decisions by the Turkish Personal Data Protection Authority (KVKK Board)

1. Insurance Company Email Breach

An insurance employee sent a list of names, contact details, and license plate numbers from the company system to a personal email. The breach affected 91 individuals. The board found insufficient data loss prevention measures and fined the company TRY 90,000.

2. Tourism Company – Failure to Notify and Secure Data

In 2019, a tourism company failed to prevent a breach and did not notify the authority promptly. Fines: TRY 400,000 for the breach, TRY 100,000 for delayed notification.

3. Public University Delay in Responding to Data Subject Request

Mimar Sinan Fine Arts University failed to respond to a subject’s data request on time. The board required internal disciplinary action and system improvements to limit data access only to the data subject.

4. Clickbus Travel – Continued Data Breach

Clickbus failed to stop a data breach for four days and lacked necessary technical safeguards. Total fine: TRY 550,000.

Annual Increase in KVKK Administrative Fines

As technology advances, so does the need to process personal data—this results in an increase in data breaches and corresponding fines. The chart below reflects the rapid growth in penalties over recent years:

Administrative Fines Under KVKK Article 18

Article 18 of the Law on the Protection of Personal Data (KVKK) regulates the administrative fines imposed on data controllers who violate their obligations. These fines apply to both real persons and private legal entities. The penalty amounts are updated annually based on the revaluation rate.

For instance, those who fail to fulfill the obligation to inform data subjects, as stated in Article 10, may face administrative fines ranging from 9,012 TRY to 180,263 TRY. Data controllers who neglect their data security obligations, as outlined in Article 12, may be fined between 27,037 TRY and 1,802,640 TRY. Failure to comply with the decisions of the Personal Data Protection Board under Article 15 may result in penalties from 45,062 TRY to 1,802,640 TRY. Finally, not registering with or notifying the Data Controllers' Registry (VERBIS), as required by Article 16, can lead to fines between 36,050 TRY and 1,802,640 TRY.

These fines are designed to ensure accountability and reinforce the importance of data protection among all entities processing personal data in Türkiye.

Conclusion

Violating Türkiye’s data protection laws can lead to serious financial and criminal consequences. Both natural persons and companies must comply with KVKK and TCK provisions. Seeking expert legal advice is essential to avoid liability, especially in light of rising fines and stricter enforcement by the KVKK Board and Yargıtay.