Critical Amendment in KVKK: Time Limit for Breach Announcements

The Personal Data Protection Board (KVKK) made a fundamental change in the procedures for announcing data breaches to the public with a critical decision taken at the meeting dated December 25, 2025, reshaping digital transparency processes.

The 60-Day Rule and Early Removal Option

Breach notifications published on the Board's official website will now be kept online for a maximum of 60 days in line with this new decision. This regulation aims to prevent announcements from being accessible indefinitely and to ensure the Board's site reflects current data security risks.

However, the most strategic aspect of the regulation for data controllers lies in the "early removal" opportunity provided. If the data controller substantiates to the Board that they have completed direct notification to the affected data subjects and performed the necessary disclosure in accordance with procedure, said public announcement can be removed without waiting for the maximum 60-day period.

"A critical step regarding the balance between companies' reputation management and the 'right to be forgotten'."

Risk-Oriented Review to Continue

While deciding to share breach notifications with the public, the Board will continue to meticulously examine the following criteria:

• Number of people affected by the breach,
• Sensitivity of the leaked data (whether it is special category data),
• The manner in which the breach occurred.

This new approach encourages companies to accelerate post-breach intervention and notification processes, while allowing institutions that act proactively in crisis management to protect their reputation.