The data controller’s obligations regarding data security are specified in Article 12 of the Personal Data Protection Law (KVK Law). The data controller is required to take all necessary technical and administrative measures to ensure an adequate level of security in order to prevent the unlawful processing of personal data and unauthorized access to personal data, and to ensure the preservation of personal data. If personal data is processed by another natural or legal person on behalf of the data controller, the data controller is jointly responsible with that person for taking the measures outlined in the first paragraph. The data controller is also obliged to conduct, or have conducted, audits within its institution or organization to ensure compliance with the provisions of this Law. Data controllers and data processors may not disclose the personal data they have learned to others in violation of the provisions of the KVK Law, nor may they use it for purposes other than the original processing purpose. If personal data is unlawfully obtained by others, the data controller is obliged to notify the data subject and the Board as soon as possible. The Board may also announce this situation on its website or through any other method it deems appropriate.
The data controller is obligated to take the necessary technical and administrative measures to prevent unlawful access to, processing of, or storage of personal data, and to carry out and maintain these measures. The offense is completed as soon as the necessary measures are not taken, but it does not end at that moment. Because it is a danger offense, no harm needs to occur for the offense to be complete. In addition, the data controller is required to conduct, or have conducted, audits within its institution or organization to ensure that the provisions of the KVK Law are being followed. The obligation to conduct and ensure audits imposes a separate duty of action on the data controller. The data controller is also obliged to notify the data subject and the Board if personal data is unlawfully obtained by others. This notification obligation is a separate duty assigned to the data controller by the law, involving a separate act that must be carried out under certain conditions. The failure to carry out these acts, in other words the failure to take technical and administrative measures, the failure to conduct audits, and the failure to notify the data subject and the Board of an unlawful data breach, is sufficient to constitute an offense, and no harm needs to be proven. If personal data is unlawfully obtained by others, the data controller is obliged to notify the data subject and the Board without delay. This act is instantaneous, unlike the continuing obligations to take preventive measures and to conduct audits. Therefore, if the notification obligation is not fulfilled, the offense is complete and concluded. For the other omissions, the offense is committed but continues for as long as the omission persists.
The victim of the offense in question can only be the natural person whose personal data has been processed. The technical and administrative measures that natural and legal persons processing personal data, whether fully or partially by automated or non-automated means, must take are of great importance in relation to this offense. Under Article 22/1-f of the KVK Law, the Personal Data Protection Board is authorized to issue regulatory decisions determining the data security obligations. In January 2018, the Personal Data Security Guide was prepared and published on the Board’s website. The guide summarizes the necessary administrative measures, including identifying risks and measures, employee training and awareness activities, defining personal data security policies and procedures, minimizing the personal data held, and managing relationships with data processors. The technical measures section covers cybersecurity, monitoring personal data security, securing environments that contain personal data, storing personal data in the cloud, acquiring, developing and maintaining IT systems, and backing up personal data.
There are several decisions by the Personal Data Protection Board on this subject. In the 2020/66 decision dated January 27, 2020, regarding the processing of a person’s contact number by an electricity distribution company, the Board ruled that the processing of the contact number, without any lawful basis or explicit consent, violated the personal data processing principles set forth in the KVK Law. The data controller was fined 100,000 TL for failing to meet the necessary data security obligations. Similarly, in the 2020/915 decision, the Board ruled that the failure to apply necessary technical and administrative measures to prevent unlawful processing of personal data led to a violation of the KVK Law, and the data controller was fined for failing to protect personal data.
In the 2020/905 decision dated November 24, 2020, the Board ruled that a data controller had failed to comply with the obligation to notify personal data breaches “without delay,” as specified in Article 12(5) of the KVK Law, and fined the data controller for not notifying the data subjects and the Board in a timely manner. Similarly, in the 2019/144 decision, the data controller was penalized for failing to notify the Board and the affected individuals of a cyberattack within the required time frame, in violation of the “without delay” notification obligation under Article 12(5) of the KVK Law.
Attorney Yalçın TORUN
© 2025 Torun Law Firm – All Rights Reserved.
This article is protected under the provisions of the Law on Intellectual and Artistic Works (No. 5846). The content, in whole or in part, may not be copied, reproduced, published, or shared on any other website without the prior written permission of the author and Torun Law Firm.
This material may only be shared by licensed attorneys, for professional purposes, without any modifications, and with full attribution to the author and the source.
Any unauthorized use may result in legal and criminal liability.
