11 November
Data Protection

Personal Data Protection Law – Updated Penalties

by Senem Gölge Yalçın and Ecem Akyiğit 0 Comments

Administrative Fines Under Personal Data Protection Law to Be Applicable For 2025 Are Published

The Personal Data Protection Law No. 6698 (“PDPL“) aims to protect privacy, ensure data security and prevent unlimited and indiscriminate collection of personal data, unauthorised access, disclosure or violation of personal rights as a result of misuse or violation. The failure to comply with the rules set forth under PDPL may result in administrative fines, which are revised each year, and also in criminal sanctions.

The administrative fines to be applicable for 2025 are determined as follows depending on the violation:

  • For those who do not fulfil the obligation to inform provided for in Article 10, an administrative fine of 083 TL- 1.362.021 TL shall be imposed;
  • For those who do not fulfil the obligations related to data security provided for in Article 12, an administrative fine of 285 TL- 13.620.402,00 TL shall be imposed;
  • For those who do not fulfil the decisions issued by the Personal Data Protection Board pursuant to Article 15, an administrative fine of 476,00 TL- 13.620.402,00 TL shall be imposed;
  • For those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification provided for in Article 16, an administrative fine of 380,00 T- 13.620.402,00 TL shall be imposed; and
  • For those who do not notify the Personal Data Protection Authority within 5 (five) days from the signing of the standard agreement, an administrative fine of 965,00 TL-1.439.300,00TL shall be imposed.

Last but not the least, the violation of personal data privacy rules may have criminal liability consequences;

  • Pursuant to Article 135 of the Turkish Penal Code (“TPC”), anyone who unlawfully records personal data shall be sentenced to imprisonment from one to three years;
  • Pursuant to Article 136 of the TPC, anyone who unlawfully discloses to or seizes personal data of another person shall be sentenced to imprisonment from two to four years;
  • Pursuant to Article 138 of TPC, those who do not destroy the data in the system upon the expiry of the periods determined by the law shall be sentenced to imprisonment from one to two years.

You can contact us for any questions.

Senem Gölge Yalçın
In Socials:
Restriction of Data Portability as an Antitrust Concern