The Law provides for both administrative fines and criminal liability where data breaches have occurred.
Regarding criminal penalties, the Law refers to the relevant provisions of the Turkish Criminal Code, which set out the sanctions for the unlawful recording, disclosing, or transferring of personal data.
In addition to criminal sanctions, the Law also contains provisions detailing the administrative fines applicable to breaches of the Law. Four categories of breach are defined under the Law:
- The data controller does not satisfy their obligation to inform the data subject.
- The data controller does not satisfy the data security requirements.
- The data controller does not implement the decisions of the Board.
- The data controller does not satisfy the obligation to register with the Data Controllers’ Registry.
These breaches may be sanctioned with administrative fines ranging from TRY 29,853 to TRY 5,971,980. (Based on the updated amounts for 2023.)
The Board has issued numerous decisions for breaches of the aforementioned types and has imposed administrative fines on data controllers for not taking data security measures in cases of unlawful data processing or data transfers.
In some cases, the Board renders decisions imposing fines directly upon a data breach notification or an ex officio investigation, without requesting further information or a defence from the data controller. Although the Regulation on Working Procedures and Principles of the Personal Data Protection Board does not explicitly require the Board to grant a right of defence to the subjects of an investigation, doing so would allow fines to be justified more precisely.
Although the Turkish courts have not yet applied the Law to impose criminal liability in any significant way, the criminal courts' lack of expertise in data protection rules creates a risk for data controllers and their data processing activities.