KVKK limits publication period for data breach notices to 60 days
The Turkish Personal Data Protection Authority (“Kişisel Verileri Koruma Kurulu”, “KVKK”, or “the Board”) has introduced an important change to how long data breach notifications remain publicly accessible on its website. With the Board’s Decision dated 25 December 2025 (No. 2025/2451), breach notices will now stay online for a maximum of 60 days, marking a clear shift from the previous practice where they remained available indefinitely. This new approach narrows the window of public visibility while still prioritising transparency for affected individuals.
Legal Framework and Notification Duties
Under Article 12(5) of Law No. 6698 and the Board’s earlier Decision of 24 January 2019 (2019/10), data controllers must notify the KVKK within 72 hours of becoming aware that personal data has been unlawfully accessed. After identifying the affected individuals, controllers are required to inform them directly as soon as possible, or, if direct communication is not feasible, via an announcement on their own website.
These notification obligations aim to help individuals take timely steps to protect themselves. When deciding whether to publish a breach on its own website, the Board considers factors such as the number and category of affected individuals, the sensitivity of the compromised data, the nature of the breach, the controller’s sector, and whether notifications to individuals have already been completed.
What the New 60‑Day Model Means
With the new time‑limited publication model, breach notices will be removed from the KVKK website after 60 days. If a controller can demonstrate that all affected individuals were notified earlier, the announcement may be taken down sooner. This creates a more balanced system by providing necessary transparency without leaving breach details accessible for an indefinite period.
Practical Implications for Data Controllers
The change requires controllers to revisit their internal incident‑response processes. Since early removal now depends on completing notifications promptly, controllers will need to keep strong, verifiable records, such as communication logs and delivery confirmations, showing that affected individuals were duly informed.
Compliance teams should also ensure that:
- the 72‑hour notification deadline to the KVKK can always be met,
- affected individuals can be identified and notified without delay,
- documentation mechanisms are reliable and well maintained,
- incident response policies and governance documents are updated accordingly.
Preparing notification templates and clarifying internal reporting lines can help avoid delays during an actual incident.
For further information on these developments and their implications for your organisation, please contact your CMS partner or local CMS experts in Data Protection Law: Dr. Döne Yalçın or Erdinç Dalar.