The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation are living legislation that has been frequently updated since the Law’s effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up to date.

On 7 April, the Personal Data Protection Day, the sixth anniversary of the entry into force of the Personal Data Protection Law was celebrated. In the statement made by the Board, drawing attention to the importance of personal data, spreading data protection awareness and transferring this awareness to future generations were listed as the primary objectives of the day.

The 7 April Personal Data Protection Day event was organised as a panel titled “Privacy in the Digital Age: Protection of Personal Data of Children”. We are of the opinion that issues such as the consent of the child and parental consent, which are included in the GDPR application but not in the KVKK, may be included in the legislation with the new update.

The event emphasised the importance of technological developments in the digital age, and that the basic approach to technologies still in development, such as artificial intelligence and, more recently, the metaverse, should be that algorithms can help people in their choices, but the person himself should be the one who makes the final decision.


With the Public Announcement dated 1 April 2022, explanations were made regarding VERBIS registrations and sanctions.

As it is known, Article 16 of the LPPD regulates that a public Data Controllers Registry will be kept. Registration to this registry, called VERBIS, must be made within the period determined and announced by the Board.

Pursuant to this provision, the data controllers specified in the Board’s Decision dated 11/03/2021 and numbered 2021/238 were given until 31.12.2021 to fulfil their registration and notification obligations to the Registry.

Pursuant to Article 18 of the LPPD, administrative sanctions may be imposed ex officio by the Board on data controllers who fail to fulfil their obligation to register and notify the Registry. In this context, administrative sanctions have started to be imposed on data controllers who are found to have failed to fulfil their obligation to register and notify the Registry in accordance with Article 18 of the LPPD.

With this practice, it would not be wrong to conclude that the adaptation process of the LPPD, which is celebrating its sixth year, has ended and the sanction process has begun. Having introduced the VERBIS registration obligation at the first stage, the Board will undoubtedly apply ex officio sanctions for other obligations in the following days.


Principle Decision of the Board dated 21/04/2022 and numbered 2022/388 on Payment and Debt Enquiry Services of Municipalities

It was reported that a citizen’s real estate information can be accessed by entering only the Turkish ID number on the property tax payment/quick payment or debt inquiry pages offered online by the municipalities, that this poses a problem in terms of the protection of personal data, and it was requested that the issue be examined within the scope of KVKK.

The Personal Data Security Guide (Technical and Administrative Measures) lists, among the measures to be taken to ensure security, the implementation of two-stage authentication control where personal data is accessed remotely when necessary. It is important to implement queries with two-factor authentication methods, which significantly reduce or eliminate this risk, instead of single-stage authentication systems, which carry the risk of easy access to personal information.

Within the scope of the services provided online by municipalities through pages such as property tax payment/quick payment or debt enquiry, it is important to fulfil the obligations under Art. 12 of the LPPD and to prevent any data breach. For two-factor verification, it is considered appropriate to perform the first verification with data such as Turkish ID number, name, surname, tax number or registration number, while the secondary-level verification should be carried out with a system such as a personalised SMS or a password sent to e-mail. At the secondary level, instead of information such as phone number, date of birth, parents’ name or registration number, which can also be accessed by others, it would be appropriate to provide the services in question through systems or membership systems that are determined exclusively for the person concerned and that request only data that can be accessed by the person concerned.

In the light of these evaluations, it has been unanimously resolved that municipalities should take the necessary technical and administrative measures within the scope of Art. 12 of the LPPD by using membership and password or two-factor verification in property tax payment/quick payment and debt inquiry services; that, in line with the complaints/notifications to be submitted about municipalities that do not take the measures, action will be taken against the relevant municipality in accordance with Art. 18 of the LPPD; and that a Resolution of Principle be taken within the scope of Article 15 paragraph 6, and published in the Official Gazette and on the website of the Authority, to the effect that “membership and password” or “two-factor verification” should be used in the property tax payment/quick payment and debt inquiry services of the municipalities within the scope of Article 12.


Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”

In April 2022, five data breach notifications were published on the website of the Personal Data Protection Authority:

Yıldızlar Yatırım Holding AŞ, Yıldız Demir Çelik Sanayi AŞ, Yıldız Entegre Ağaç Sanayi AŞ, Istanbul Gübre Sanayi AŞ (İGSAŞ)

Unidentified cyber attackers encrypted the servers belonging to the data controllers with a method that has not yet been detected; changed the administrator password used to manage the physical server, making it impossible to access the server; left a ransom note in the area where the file server is located; and encrypted all data related to e-invoice, e-ledger, accounting, logistics, stock, personnel, human resources, production, management and similar systems belonging to the data controllers. All encrypted files are unusable and inaccessible. The categories of personal data affected by the breach, the relevant groups of people and the number of people are not included in the notification.

Villacım Emlak Turizm Turizm İnşaat Sanayi ve Ticaret Limited ŞTİ.

It has been stated that a Cross Site Scripting attack was carried out on the website of the data controller, that the phone number information of the customers was captured and a campaign message was sent to the customers by the attackers, and that a ransom demand was then made to the data controller. The name, surname, TR ID number, telephone and address information of the relevant persons were processed by the data controller, and it was stated that it could not be determined exactly which data were in the hands of the attackers. The number of relevant people affected by the breach is estimated at 35,956, the person group is customers, and the research on the subject is ongoing.

Paketman E-Ticaret Sanayi Ticaret A.Ş.

It has been reported that cyber attackers carried out an attack on the database system of the data controller, and that a data breach occurred in which the attackers deleted the data in the database, seized the data in question and then demanded a ransom. The personal data affected by the breach are identity (name, surname), contact (e-mail, telephone) and location (address) data, the number of people concerned is 1,362, the group of people is users, and investigations are ongoing.

Magna Ventures Yazılım ve Teknoloji Girişimleri Ticaret A.Ş.

Unauthorised persons accessed the Poda Mobile Application, which is one of the products of the data controller and offers a personal workspace connected to the internet in different locations with internet access, and the database password was captured by the persons who gained unauthorised access to the system. In the violation, detected on 20.04.2022, the name, surname, e-mail address and telephone numbers of the users who are members of the application were accessed. The group of people affected by the violation are members and there are 7823 member records. It has not been determined that there are people affected by the violation; if it is determined, the necessary notifications will be made. The investigation on the subject is ongoing.

Keyubu Internet and Information Services

A cyber attack was carried out due to a vulnerability in the OnatWeb Auto VM virtual server management software installed on the servers used by the data controller, and the data on all servers were destroyed. The relevant group of people affected by the breach are customers, and the personal data categories are identity, contact, customer transaction and transaction security information. The data hosted here by the users who purchased web hosting and virtual servers through Keyubu were also destroyed, but the data controller could not determine what kind of data, relating to how many people, were included in the content. Investigations on the subject are ongoing.