Personal Data Protection Board of Türkiye (“Board”), in its public announcement dated January 20, 2026, regarding the data controller’s breach notification, stated that the duration for which the breach notification will remain visible on the Institution’s website shall be in accordance with the Decision dated December 25, 2025, numbered 2025/2451, pursuant to Article 12-f.5 of the Personal Data Protection Law No. 6698 (“Law”) Article 12-f.5, if personal data processed is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board of this situation as soon as possible. The Board may, if necessary, announce this situation on its website or by any other method it deems appropriate. Furthermore, pursuant to the Board’s Decision No. 2019/10 dated January 24, 2019, on the Procedures and Principles for Reporting Personal Data Breaches, the phrase “as soon as possible” shall be interpreted as 72 hours, and in this context, the data controller shall report this situation to the Board without delay and within 72 hours at the latest from the date on which it becomes aware of the situation. Following the identification of the individuals affected by the data breach by the data controller, it has been decided that the data controller shall notify the relevant individuals within the shortest reasonable time, directly to the relevant person’s contact address if accessible, or if not accessible, through appropriate methods such as publication on the data controller’s own website.
The purpose of notifying the Board and individuals is to take measures to prevent or minimize any negative consequences that may arise for these individuals as a result of the breach. When deciding whether to publish on the Board’s website, criteria such as the relevant group of individuals affected by the breach, the number of individuals, the nature and quantity of personal data affected by the breach, the manner in which the breach occurred, the sector of the data controller, and whether the data controller has notified the relevant individuals are evaluated.
Currently, breach notifications are published without any time restrictions. However, pursuant to the Board’s Decision No. 2025/2451 dated 25/12/2025, data breach notifications will now be published within a specific timeframe, limited to 60 days. When the Board decides to publish a data breach on its website, this announcement cannot remain on the Board’s website indefinitely; the announcement will be removed after 60 days. However, if the data controller can prove that the relevant people were notified within a period shorter than 60 days, the announcement may be removed from the Board’s website before 60 days pass.
You can access the full text of the “Public Announcement” published on the Personal Data Protection Authority website on January 20, 2026, via the link below.
https://www.kvkk.gov.tr/Icerik/8595/kamuoyu-duyurusu
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.
