General Principles of Administrative Sanctions/Administrative Fines for Violations Regulated in the Personal Data Protection Law

  1. General Overview
    Article 17 of the Personal Data Protection Law (KVKK) includes a general regulation regarding actions that constitute crimes within the scope of personal data law. In Article 17, it is stipulated that Articles 135 to 140 of the Turkish Penal Code No. 5237 shall apply to crimes related to personal data. The second paragraph of Article 17 of KVKK establishes that failure to delete, destroy, or anonymize personal data after the reasons for processing the data in accordance with KVKK provisions cease to exist constitutes a crime. The procedures and principles regarding the deletion, destruction, or anonymization of personal data are determined by the “Regulation on the Deletion, Destruction, or Anonymization of Personal Data.” In addition, it is stated in Article 7 of the KVKK that individuals who fail to delete or anonymize personal data contrary to the provisions of Article 138 of the Turkish Penal Code shall be subject to penalties.
  2. Administrative Fines Shall Be Imposed by the Personal Data Protection Board
    Article 18 of the KVKK, titled “Offenses,” defines the violations that may lead to administrative fines. It is regulated that administrative fines prescribed in KVKK shall be imposed by the Personal Data Protection Board. The violations specified in the law include failing to fulfill the obligation of informing, failing to ensure data security, not complying with decisions made by the Board, and failing to comply with the registration and notification obligations related to the Data Controllers Registry. These administrative fines will be applied to real persons and private legal entities who are data controllers. If these violations are committed within public institutions, after notification by the Board, disciplinary sanctions will be applied to the public officials and personnel working in those institutions, and the results will be reported back to the Board.
  3. It Is Obligatory to Apply to the Data Controller Before Applying to the Board
    The rights of the data subject regarding the protection of personal data are defined in Article 11 of KVKK. A person who wishes to exercise their rights must apply to the data controller in writing or by other methods specified by the Board, in accordance with Article 13/1 of KVKK. The Personal Data Protection Authority published the “Communiqué on the Procedures and Principles for Application to the Data Controller” on March 10, 2018. According to Article 5 of the Communiqué titled “Application Procedure,” an application can be made to the data controller in writing or via registered electronic mail (KEP), secure electronic signature, mobile signature, or the email address registered in the data controller’s system, or through a developed software or application. The application must include the name and surname of the applicant, the Turkish ID number for citizens of Turkey, nationality, passport number or ID number for foreigners, the address of residence or workplace, the subject of the request, and if the application is made in writing, the signature of the applicant. The application must also include any relevant documents or information. The data controller is obligated to respond to the request within thirty days at the latest, free of charge. However, if the process requires additional costs, a fee as determined by the Board may be charged.
  4. Application to the Board After Refusal by the Data Controller
    If the data controller rejects the application, or if the response is insufficient or not given in time, the data subject may file a complaint with the Board within 30 days from the date they learn of the response, and in any case, within 60 days from the date of the initial application. The complaint should include the name, surname, and signature of the applicant, as well as their address of work or residence. Complaints not related to a specific subject or those involving matters under judicial authority will not be considered. The Board may request information and documents from the data controller, and the data controller is obliged to provide them within 15 days, unless the requested information contains state secrets. After reviewing the complaint, the Board must respond within 60 days, or the request will be deemed rejected. If the Board determines that an infringement exists, it will order the data controller to take corrective actions and notify the relevant parties.
  5. The Board May Issue a Temporary Suspension Order
    The Board, when conducting an investigation either following a complaint or ex officio, may decide to suspend data processing or data transfers abroad if there is an imminent risk of damage that is difficult or impossible to repair, and if the violation is clearly unlawful. This decision is an administrative procedure and can be reviewed by the judicial system, in contrast to decisions under the administrative procedure law.
  6. The Decisions of the Board Are Subject to Judicial Review
    Data controllers are responsible for determining the purposes and means of personal data processing, as well as establishing and managing the data record systems. Public legal entities, such as local governments, universities, and other public legal entities established by law or presidential decree, can also be data controllers. Complaints made to public institutions regarding the protection of personal data are subject to judicial review, and the actions taken by public institutions are also open to judicial scrutiny. Similarly, individuals who have suffered violations as a result of decisions or actions by the Personal Data Protection Board can file an administrative case or a full judicial case.
  7. Administrative Fines May Be Appealed in Administrative Court
    Data controllers on whom an administrative fine has been imposed can appeal to the judicial courts. If individuals’ personal data rights have been violated, they may seek compensation in judicial courts, either against private legal entities or, in the case of public legal entities, by filing a full remedy lawsuit.
  8. Statute of Limitations
    The statute of limitations for administrative fines is 8 years, in accordance with Article 20 of the Misdemeanors Law. The limitation period begins when the act is committed or when the result occurs. If the act also constitutes a crime, the statute of limitations for the crime applies to the administrative penalty investigation.
  9. Administrative Penalties May Be Imposed on Both Natural and Legal Persons
    The violations defined in the KVKK will lead to administrative fines for the responsible data controller. According to Article 8 of the Misdemeanors Law, legal entities can also be fined for the actions of their representatives or employees, if they are related to the entity’s activities. Similarly, the Personal Data Protection Board may impose administrative fines on private legal entities that violate the rules set forth in the KVKK.

Attorney Yalçın TORUN

 

© 2025 Torun Law Firm – All Rights Reserved.
This article is protected under the provisions of the Law on Intellectual and Artistic Works (No. 5846). The content, in whole or in part, may not be copied, reproduced, published, or shared on any other website without the prior written permission of the author and Torun Law Firm.
This material may only be shared by licensed attorneys, for professional purposes, without any modifications, and with full attribution to the author and the source.
Any unauthorized use may result in legal and criminal liability.
