60-Day Rule for Data Breach Announcements

Personal Data Protection Authority (“Authority”) announced through its Public Announcement (“Announcement”) dated 20 January 2026 that a change has been introduced in the practice regarding the publication of personal data breach notifications on the Authority’s website. Pursuant to Article 12/5 of the Law No. 6698 on the Protection of Personal Data (the “Law”), in the event that personal data are obtained through unlawful means, data controllers are required to notify both the relevant data subjects and the Personal Data Protection Board (the “Board”) without undue delay. With its decision dated 24 January 2019 and numbered 2019/10, the Board interpreted this requirement as corresponding to a period of 72 hours, and clarified that data controllers must notify the Board no later than 72 hours from the moment they become aware of the breach, and inform the affected data subjects within a reasonable timeframe.

Personal Data Protection Authority stated in the Public Announcement that, in deciding whether a personal data breach notification will be published on the Authority’s website, various criteria are taken into account, including the group and number of affected data subjects, the nature of the personal data involved, the manner in which the breach occurred, the sector in which the data controller operates, and whether notification has been made to the affected data subjects. While such notifications had previously been published without any time limitation on the Authority’s website, the Board’s decision dated 25.12.2025 and numbered 2025/2451 introduced a change to this practice, providing that personal data breach notifications shall be published on the Authority’s website for a maximum period of 60 days. Furthermore, where the data controller substantiates that notification has been made to the affected data subjects within a shorter period than 60 days, the relevant announcement may be removed from the Authority’s website without waiting for the expiry of the said period.

This amendment highlights the increased importance of ensuring that notifications made to data subjects are documented in a timely and procedurally compliant manner.