
The Personal Data Protection Law (KVKK) No. 6698 was enacted to protect individual rights and freedoms in the processing of personal data. The law safeguards both data subjects (those whose data is processed) and data controllers (those processing the data).
To prevent the misuse and indiscriminate collection of personal data, Articles 17 and 18 of KVKK outline both criminal and administrative liabilities. These provisions aim to strengthen the responsibility of data controllers and emphasize the importance of safeguarding personal data.
Under Article 17 of KVKK, Turkish Penal Code (TCK) Articles 135–140 apply for personal data-related crimes. These provisions were last updated in 2021.
What is TCK?
TCK (Türk Ceza Kanunu) refers to the Turkish Penal Code, which outlines criminal offenses and penalties in Türkiye.
| Offense | Criminal Penalty |
|---|---|
| Recording personal data unlawfully | 1 to 3 years imprisonment |
| Unlawfully recording sensitive data (e.g., religion, ethnicity, health, etc.) | 1 to 3 years imprisonment, increased by half |
| Unlawfully transferring, disseminating, or acquiring personal data | 2 to 4 years imprisonment |
| Committing the crime as a public officer or via professional privilege | Sentence increased by half |
| Failing to delete data as required under law | 1 to 2 years imprisonment |
| Failing to destroy data ordered to be removed by criminal law | Sentence increased by 100% |
What is Yargıtay?
Yargıtay is the Court of Cassation in Türkiye — the highest court of appeals for civil and criminal matters. It ensures consistency in court decisions across the country and serves as a final arbiter on legal interpretations.
Article 18 of KVKK sets out administrative fines for data controllers who violate their obligations. These fines apply to natural and private legal persons and are updated annually based on Türkiye's revaluation rate. Objecting to or cancelling such penalties follows the general rules on objection and cancellation of administrative fines in Turkey.
Updated Administrative Fines (2021)
| Violation | Applicable Fine (TRY) |
|---|---|
| Failure to fulfill the obligation to inform (KVKK Article 10) | 9,012 – 180,263 |
| Failure to ensure data security (KVKK Article 12) | 27,037 – 1,802,640 |
| Non-compliance with the Personal Data Protection Board decisions (KVKK Article 15) | 45,062 – 1,802,640 |
| Failure to register with VERBIS (KVKK Article 16) | 36,050 – 1,802,640 |
What is VERBIS?
VERBIS (Veri Sorumluları Sicil Bilgi Sistemi) is the Data Controllers' Registry Information System in Türkiye, where data controllers are required to register.
These fines are designed to ensure accountability and reinforce the importance of data protection among all entities processing personal data in Türkiye. For organizations aligning their practices with European standards, our guide to GDPR compliance in Türkiye offers further legal and practical insights.
An insurance employee sent a list of names, contact details, and license plate numbers from the company system to a personal email. The breach affected 91 individuals. The board found insufficient data loss prevention measures and fined the company TRY 90,000.
In 2019, a tourism company failed to prevent a breach and did not notify the authority promptly. Fines: TRY 400,000 for the breach, TRY 100,000 for delayed notification.
Mimar Sinan Fine Arts University failed to respond to a subject's data request on time. The board required internal disciplinary action and system improvements to limit data access only to the data subject.
Clickbus failed to stop a data breach for four days and lacked necessary technical safeguards. Total fine: TRY 550,000.
As technology advances, so does the need to process personal data—this results in an increase in data breaches and corresponding fines. The penalty amounts above are updated annually based on the revaluation rate and have grown rapidly in recent years, reflecting accountability requirements for both real persons and private legal entities processing personal data in Türkiye.
Violating Türkiye's data protection laws can lead to serious financial and criminal consequences. Both natural persons and companies must comply with KVKK and TCK provisions. Seeking expert legal advice is essential to avoid liability, especially in light of rising fines and stricter enforcement by the KVKK Board and Yargıtay.