KVKK Data Breach Fine & Obligation Estimator
Get an indicative administrative fine range and your notification obligations after a personal data breach under KVKK Article 18. This is an educational estimate, not legal advice.
Indicative administrative fine range
Lower band · ₺50.000 - ₺300.000
These are broad, illustrative bands under KVKK Article 18. The actual amounts are updated each year by the statutory revaluation rate, so treat them as wide ranges rather than fixed figures.
Notification obligations
- Notify the Personal Data Protection Board (KVKK) without undue delay; the 72-hour expectation applies once you become aware of the breach.
- Inform the affected data subjects in the shortest reasonable time, using a suitable method.
- Document the breach, its effects and the remedial actions taken.
Risk factors
Based on your inputs, no major aggravating factors were flagged. Timely notification and demonstrated security measures tend to reduce exposure.
What the Board weighs
The Board typically weighs the adequacy of technical and organizational security measures, the timeliness of notification, and the sensitivity of the data. Timely notification together with demonstrated, documented measures tends to reduce exposure.
This tool provides an educational estimate only and is not legal advice. Actual fines and obligations are decided by the KVKK Board on a case-by-case basis. Consult a qualified data protection professional before acting.
How the estimate works
The estimator weighs the same factors the KVKK Board typically considers: the breach type, the number of affected data subjects, data sensitivity, VERBIS registration status, whether the breach was notified within the 72-hour expectation, and the adequacy of your security measures. For litigation exposure and forensic readiness, see our guide on KVKK compensation claims and digital forensics.
Reduce your exposure
Timely notification together with demonstrated, documented technical and organizational measures tends to reduce exposure. Building a compliant program in advance matters most; explore our KVKK compliance and data security solutions.
Is VERBIS registration required for you?
VERBIS registration is mandatory for many data controllers, and a missing registration is treated as a separate compliance gap. Check whether it applies to you in the VERBIS registration obligation guide.
Need tailored help with breach response or KVKK compliance? Contact DSET at +90 536 662 38 09.