Guide | 6 June 2026 | 2 min read

How to Report a Data Breach (The 72-Hour Rule)

Who do you notify of a personal data breach, and when? The 72-hour rule, what the notification must contain, and a step-by-step roadmap for the moment of a breach.

Author: Kivuz Team

When a data breach is discovered, every hour matters. KVKK places certain notification obligations on the data controller in the event of a breach, and those obligations are expected to be fulfilled on time. This article summarizes who to notify, when and how.

This content is for general information only and does not constitute legal advice. For current procedure and deadlines, rely on the decisions of the Turkish Data Protection Authority.

What is a data breach?

A data breach is the unlawful acquisition, disclosure or alteration of personal data by others, or the loss of access to it. A cyberattack, an email sent to the wrong recipient, or a lost device can also fall within scope.

Who do you notify, and when?

Per the established practice of the Data Protection Board:

  • Notifying the Board: The data controller notifies the Board as soon as possible and in any case within 72 hours of becoming aware of the breach.
  • Notifying data subjects: If the affected individuals can be identified, they are also informed as soon as possible by an appropriate method.

If not all information is clear within the 72 hours, the notification is made without delay and missing details can be completed later.

What does the notification contain?

A breach notification generally requires the following:

  • When and how the breach occurred.
  • The personal data categories involved.
  • The (approximate) number of affected persons and records.
  • The likely consequences of the breach.
  • The measures taken and planned.
  • Contact person details.

What to do at the moment of a breach

  1. Detect and contain. Identify the source and stop it from spreading.
  2. Assess. Which data and how many people are affected? What is the likely harm?
  3. Notify. Inform the Board (and, where required, data subjects) on time.
  4. Record. Document the breach, the response and the decisions you made — this is the basis of accountability.

Preventing a breach takes preparation

Acting correctly during a breach requires preparation set up in advance: technical and administrative measures, a response plan and record-keeping discipline. These measures are part of the broader KVKK compliance process, and their absence increases the risk of administrative fines.

Kivuz KVKK is KVKK compliance software that supports this preparation, from recording measures to documenting the breach process. To assess your organization's readiness, request a demo.

This content does not constitute legal advice.