Image for project Penalties for Personal Data Violations in Türkiye (KVKK Fines)

The Personal Data Protection Law (KVKK) No. 6698 was enacted to protect individual rights and freedoms in the processing of personal data. The law safeguards both data subjects (those whose data is processed) and data controllers (those processing the data).

Legal Framework for Criminal Liability under KVKK

To prevent the misuse and indiscriminate collection of personal data, Articles 17 and 18 of KVKK outline both criminal and administrative liabilities. These provisions aim to strengthen the responsibility of data controllers and emphasize the importance of safeguarding personal data.

Under Article 17 of KVKK, Turkish Penal Code (TCK) Articles 135–140 apply for personal data-related crimes. These provisions were last updated in 2021.

What is TCK?
TCK (Türk Ceza Kanunu) refers to the Turkish Penal Code, which outlines criminal offenses and penalties in Türkiye.

Criminal Offenses and Corresponding Penalties

OffenseCriminal Penalty
Recording personal data unlawfully1 to 3 years imprisonment
Unlawfully recording sensitive data (e.g., religion, ethnicity, health, etc.)1 to 3 years imprisonment, increased by half
Unlawfully transferring, disseminating, or acquiring personal data2 to 4 years imprisonment
Committing the crime as a public officer or via professional privilegeSentence increased by half
Failing to delete data as required under law1 to 2 years imprisonment
Failing to destroy data ordered to be removed by criminal lawSentence increased by 100%

What is Yargıtay?
Yargıtay is the Court of Cassation in Türkiye — the highest court of appeals for civil and criminal matters. It ensures consistency in court decisions across the country and serves as a final arbiter on legal interpretations.

Administrative Fines under KVKK Article 18

Article 18 of KVKK sets out administrative fines for data controllers who violate their obligations. These fines apply to natural and private legal persons and are updated annually based on Türkiye's revaluation rate. Objecting to or cancelling such penalties follows the general rules on objection and cancellation of administrative fines in Turkey.

Updated Administrative Fines (2021)

ViolationApplicable Fine (TRY)
Failure to fulfill the obligation to inform (KVKK Article 10)9,012 – 180,263
Failure to ensure data security (KVKK Article 12)27,037 – 1,802,640
Non-compliance with the Personal Data Protection Board decisions (KVKK Article 15)45,062 – 1,802,640
Failure to register with VERBIS (KVKK Article 16)36,050 – 1,802,640

What is VERBIS?
VERBIS (Veri Sorumluları Sicil Bilgi Sistemi) is the Data Controllers' Registry Information System in Türkiye, where data controllers are required to register.

These fines are designed to ensure accountability and reinforce the importance of data protection among all entities processing personal data in Türkiye. For organizations aligning their practices with European standards, our guide to GDPR compliance in Türkiye offers further legal and practical insights.

Notable Decisions by the Turkish Personal Data Protection Authority (KVKK Board)

1. Insurance Company Email Breach

An insurance employee sent a list of names, contact details, and license plate numbers from the company system to a personal email. The breach affected 91 individuals. The board found insufficient data loss prevention measures and fined the company TRY 90,000.

2. Tourism Company – Failure to Notify and Secure Data

In 2019, a tourism company failed to prevent a breach and did not notify the authority promptly. Fines: TRY 400,000 for the breach, TRY 100,000 for delayed notification.

3. Public University Delay in Responding to Data Subject Request

Mimar Sinan Fine Arts University failed to respond to a subject's data request on time. The board required internal disciplinary action and system improvements to limit data access only to the data subject.

4. Clickbus Travel – Continued Data Breach

Clickbus failed to stop a data breach for four days and lacked necessary technical safeguards. Total fine: TRY 550,000.

Annual Increase in KVKK Administrative Fines

As technology advances, so does the need to process personal data—this results in an increase in data breaches and corresponding fines. The penalty amounts above are updated annually based on the revaluation rate and have grown rapidly in recent years, reflecting accountability requirements for both real persons and private legal entities processing personal data in Türkiye.

Conclusion

Violating Türkiye's data protection laws can lead to serious financial and criminal consequences. Both natural persons and companies must comply with KVKK and TCK provisions. Seeking expert legal advice is essential to avoid liability, especially in light of rising fines and stricter enforcement by the KVKK Board and Yargıtay.

Recently Added Blogs