
Turkish Data Protection Authority's Data Breach Notification Decisions: Patterns and Lessons for Companies

The enforcement approach developed by the Authority in 2024 based on 281 breach notifications clarifies how companies should approach the notification process. We examine the patterns emerging from public announcements and practical implications for data controllers.


Av. Umut Zorer

Founding Attorney

Introduction

The Authority's 2024 Annual Activity Report provided the most detailed official picture to date of the data breach notification field. According to the Report, the Authority received 281 data breach notifications in 2024; 63 of these notifications were announced through public disclosure; and a total of 552,668,000 TL (552 million 668 thousand TL) in administrative fines was imposed during the year. The figures demonstrate both an increase in the number of notifications compared to previous years and the maturation of the Authority's public disclosure policy.

In this article, we examine the patterns emerging from the Authority's data breach decisions published during 2024-2026, the criteria the Authority associates with severe penalties, and what companies should highlight in the notification process.

Framework of Decision No. 2019/10

The centerpiece of the notification regime is the Authority's decision dated 24 January 2019 and numbered 2019/10. The decision:

  • Requires the data controller to notify the Authority within 72 hours from the date it "learns" of a personal data breach.
  • Regulates the mandatory individual notification requirement in cases posing high risk to data subjects.
  • Determines the format, minimum content, and transmission method of the notification.

The Authority established the notification module based on this decision; companies submit their notifications through this module. The Authority's interpretation that the 72-hour period begins upon "learning" has solidified in practice to mean the moment the indicator is detected.

Patterns Emerging from Public Announcements

The Authority does not convert every breach into a public announcement. To issue a public announcement, the Authority evaluates together: the scale of the breach, the number of affected persons, the sensitivity of the data, and the public interest. In 2024, 63 out of 281 notifications were shared with the public — this ratio (22%) shows that the Authority uses public announcements as a selective tool.

The main patterns emerging from the analysis of public announcements:

1. Notification delay is an aggravating factor

In Authority decisions, the phrase "although the breach was [learned on X date], notification was made on [Y date]" is a prominent factor in penalty assessment. Even a few days' delay is treated as an aggravating factor; delays exceeding one week result in fines approaching the maximum limit.

2. Incomplete notification may be evaluated as multiple breaches

When the information left incomplete in a company's initial notification (the number of affected data subjects, the data categories, the scope of the incident) still cannot be clarified when the Authority inquires, this may be evaluated not only as a notification delay but also as a violation of data security obligations.

3. Deficiencies in technical and administrative measures are frequent grounds for penalties

The majority of incidents stem from the failure to implement basic security measures:

  • Outdated systems, unpatched servers,
  • Lack of multi-factor authentication setup,
  • Weak access management for cloud services (forgotten user accounts, excessive permissions),
  • Employee exposure to phishing and lack of awareness training,
  • Unencrypted or weakly encrypted databases,
  • Absence or insufficiency of access logging.

The Authority links these deficiencies to the conclusion under Article 12 that "required technical and administrative measures were not taken."

4. Breaches originating from suppliers/cloud providers

In breaches not directly within the company's control and originating from suppliers or cloud providers, the Authority still treats the data controller as the primary addressee. The approach that "the data controller is obligated to oversee the security measures of the data processor or sub-processor" is clearly applied. The absence of a Data Processing Agreement (DPA), or a supplier arrangement with no audit mechanism, is treated as an additional fault.

5. Algorithmic penalty calculation in large-scale breaches

In the 2024 Information Report, the Authority disclosed that it employs an algorithm for calculating penalties in large-scale breaches based on the company's annual financial balance sheet total assets. This has paved the way for penalties to approach the maximum limit, particularly for large enterprises.

6. Special category data aggravates the penalty

In breaches involving special category personal data such as health, biometric, political opinion, religion, and sexual life, the Authority both increases the penalty and raises the likelihood of public disclosure. In cases where adequate measures were not implemented under Authority Decision No. 2018/10, the penalty rationale accumulates from two separate grounds.

7. VERBIS record and notification breach — parallel penalties

If the Authority detects deficiencies in the data controller's VERBIS record during its investigation, in addition to the base penalty for the breach, a separate penalty may be imposed for VERBIS record/notification obligation violation. For 2025, this item ranges from 272,380 TL to 13,620,402 TL.

8. Lack of notification to data subjects also grounds a penalty

A company's failure to notify data subjects despite notifying the Authority, or notifying late, is evaluated as a separate violation. The Authority readily detects this deficiency particularly in breaches posing high risk.

Penalty Amounts — 2025 Framework

Administrative fines for 2025 have been set as follows with the revaluation rate update:

  • Violation of duty to inform: 68,083 TL - 1,362,021 TL
  • Violation of data security obligations (Article 12): 204,285 TL - 13,620,402 TL
  • Failure to comply with Authority decisions: 340,476 TL - 13,620,402 TL
  • Violation of VERBIS record/notification obligation: 272,380 TL - 13,620,402 TL
  • Violation of standard contract notification obligation: 71,965 TL - 1,439,300 TL

If multiple violations are identified in a single incident, penalties may be applied separately. In large-scale breaches, total penalties may reach millions of TL.

Lessons for Companies

The patterns from Authority decisions provide a concrete framework for how companies should act at the moment of notification.

1. Do not miss the notification deadline

72 hours is the maximum; do not wait in practice saying "the scope is still unclear." Submit the initial notification with the information on hand, and update it with a supplementary notification. The notification module operates precisely this way.

2. Be prepared

It is not possible to write a notification template on the day a breach occurs. The draft Authority notification to be included in the runbook, the data subject communication template, and the internal escalation procedure must all be in place before the incident occurs.

3. Basic measures must be persistently implemented

The areas for which the Authority frequently imposes penalties are routine security practices: patch application, multi-factor authentication, access hygiene, logging, encryption. Internal audit and independent review are necessary to ensure that the company's ordinary IT operations do not omit these points.

4. Do not enter into processing relationships without a DPA

A written contract with every data processor, defining oversight and sub-processor obligations, must be in place. Even if an incident originates from a supplier, the Authority's counterparty is the data controller; while a well-drafted DPA does not by itself provide protection against penalties, it clarifies the distribution of fault.

5. Do not neglect duty to inform and data subject communication

Even if the incident involves no fundamental technical deficiency, gaps in disclosure texts or the omission of data subject communication become additional grounds for a penalty from the Authority.

6. Prepare defense carefully in Authority investigation

The Authority's information and document requests must be answered completely and on time. Incomplete information, delayed responses, and unfavorable findings in the investigation file lead to a negative evaluation. A careful line must be maintained between internal work protected by attorney-client privilege and the responses given to the Authority.

7. The annulment route in administrative court — read the decision

Authority decisions are not final; an action for annulment may be filed in administrative court. However, litigation success depends on how effectively the concrete faults stated in the decision can be refuted. Before filing suit, careful analysis of the Authority's reasoning and preparation of a defense based not only on legal but also technical evidence is required.

Conclusion

The Authority's data breach enforcement shows that the regime that began in 2019 has matured during 2024-2026. Penalties are shaped not only by their magnitude but also by which deficiency they target. Companies that omit basic security measures, miss notification deadlines, fail to communicate with data subjects, or establish no supplier oversight mechanism find themselves in the upper range of penalty amounts. At the same time, because of the public disclosure regime, the company's reputational loss must also be factored in.

When these patterns are carefully read, it is possible to say this: What the Authority targets with penalties is not merely a specific breach; it is the absence of a structured, serious, learning data protection governance culture. Companies that build this culture can conduct the process from a relatively more protected position even on the day the incident occurs.
