Duyurular

Public Announcement on the Duration of Publication of Personal Data Breach Notifications on the Website of the Turkish Personal Data Protection Authority Has Been Published

The Turkish Personal Data Protection Authority (“Authority”) published a public announcement regarding the duration for which personal data breach notifications are published on the Authority’s official website on 20 January 2026.

The public announcement briefly includes the following points:

  • Pursuant to paragraph (5) of Article 12 of Law No. 6698, titled “Obligations Regarding Data Security,” where personal data are obtained by others through unlawful means, the data controller is required to notify the data subject and the Authority as soon as possible. Where necessary, the Authority may announce such incidents on its website or through any other method it deems appropriate.
  • With the decision of the Turkish Personal Data Protection Board (“Board”) dated 24 January 2019 and numbered 2019/10, concerning the procedures and principles regarding personal data breach notifications, the phrase “as soon as possible” was interpreted as 72 hours. Accordingly, data controllers are required to notify the Board without delay and no later than 72 hours from the date they become aware of the breach. In addition, once the data subjects affected by the breach are identified, notifications must be made to the relevant individuals within a reasonable period, either directly if their contact details are available, or, if not, through appropriate methods such as publication on the data controller’s website.
  • With the Board’s decision dated 25 December 2025 and numbered 2025/2451, a time limitation has been introduced regarding the publication of personal data breach notifications on the Authority’s website. Accordingly, such notifications will be published for a maximum period of 60 days, and where the data controller substantiates that notification has been made to the relevant data subjects within a shorter period, the announcement will be removed from the Authority’s website.
  • Through this decision, while preserving the objective of preventing or mitigating the potential adverse effects of personal data breaches within the framework of data controllers’ notification obligations towards the Board and the relevant data subjects, proportionality in terms of the duration of publication is intended to be ensured.

You can access the full text of the public announcement here.

 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr

All information and documents on our website have been prepared by Zumbul Attorneys at Law for general informational purposes only, in accordance with the Attorneyship Law, other relevant legislation and the Professional Rules of Attorneyship of the Union of Turkish Bar Associations. These publications are not intended for advertising or commercial purposes. The information and documents provided are of a general nature and under no circumstances, do they guarantee or warrant that the content is complete, accurate, up-to-date, or reliable. You should not rely on the information and documents on this website without first consulting a lawyer or expert. The links included in our website’s publications are sourced from publicly available materials and are provided solely for the convenience of visitors in accessing additional information. These links do not constitute any form of recommendation or endorsement of the linked persons, institutions or organizations. The information on this website does not in any way constitute legal advice or establish an attorney-client relationship with visitors to the site. All content on this website is the property of by Zumbul Attorneys at Law, and no content may be copied, reproduced, or used without prior written permission.