Data breach notification under Turkish law


Under Turkish data protection rules, data controllers (including foreign data controllers) must notify the data subjects and the Data Protection Authority (the “DPA”) as soon as possible if personal data has been obtained by others through unlawful means. The DPA may announce the breach on its website or through other means.

Applicable timelines 

With its decision dated January 24, 2019, the DPA, in line with the General Data Protection Regulation (GDPR), imposed a 72-hour window for data breach notifications made to the DPA. No specific timeframe has been set for notification to data subjects: they must be notified as soon as reasonably possible.

Formal requirements, content of notification

When notifying the DPA, data controllers must use the “Personal Data Breach Notification Form” available on the DPA’s website and send it to the DPA’s designated email address or deliver a physical copy to the DPA’s address. In addition, the DPA has recently announced that the notification may also be made online by filling out the aforementioned form through the notification system at

The form consists of the following sections:

  • Information about the data controller
  • Information about the breach
  • Potential consequences
  • Consequences of the breach
  • Measures taken

If all of the information cannot be provided at the same time, the remaining information can be provided, without delay, if and when it becomes available.

For notification to data subjects, there are no formal requirements, but in accordance with the DPA’s decision dated September 18, 2019, the notification should include:

  • Date/time of the breach
  • Type of data affected (regular personal data and sensitive data to be specified)
  • Possible outcomes of the breach
  • Measures that should be taken or have been taken in order to reduce the impact of the breach
  • Contact information for any queries

Data controllers may reach out to data subjects through their contact information, if known by the data controller, and/or announce the above listed information on their websites. 

