With the rapid increase in digitalization, the protection of personal data has become vitally important for both individuals and organizations. In Türkiye, Personal Data Protection Law No. 6698 (KVKK) aims to protect fundamental rights and freedoms, particularly the right to privacy, in the processing of personal data. Despite all measures, however, personal data breaches still occur, and they can have serious legal consequences for data controllers. For businesses and institutions operating in large and dynamic cities such as Antalya, the question of data controllers' liability for compensation in the event of a KVKK breach deserves careful attention.

This article examines what constitutes a violation of the Personal Data Protection Law (KVKK), the legal liability of data controllers for such violations, the types of compensation available, and the circumstances in which liability is excluded. The aim is to inform both data controllers and individuals whose personal data has been breached, and to give a comprehensive view of the legal process.

KVKK and Definition of Data Controller

The Personal Data Protection Law is the fundamental legislation governing the processing, storage, transfer, and destruction of personal data. The law aims to ensure the legality of data processing activities by establishing the principles and guidelines for the protection of personal data.

A data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. The controller is the entity itself, not the individuals acting on its behalf: a company (as a legal person), a public institution, or a self-employed professional is the data controller for the processing carried out within the scope of its activities. A hotel, a hospital, an e-commerce website, or a law firm operating in Antalya is the data controller for the personal data it collects and processes. The fundamental obligations of a data controller include the obligation to inform data subjects, the obligation to ensure data security, and the obligation to respond to and fulfil the requests of data subjects exercising their rights.

What is a KVKK Violation?

A violation of the Personal Data Protection Law (KVKK) is any processing, storage, transfer, or security failure involving personal data that contravenes the Law. Such violations generally take the following forms:

* Unauthorized Access: Unauthorized access to, theft of, or leakage of personal data. For example, a customer database exfiltrated during a cyberattack.
* Data Loss or Destruction: Accidental or intentional loss, deletion, or destruction of personal data. For example, the complete loss of data following a system failure where no backup existed.
* Unauthorized Change: Change or falsification of personal data by unauthorized persons.
* Unlawful Processing: Use of personal data outside the processing conditions laid down in the Law, for example without explicit consent where consent is required, or for purposes other than those for which the data was collected.
* Violation of the Obligation to Inform: Failure by the data controller to adequately inform the data subject when processing their personal data.

Such violations may result in administrative fines for the data controller, as well as liability to compensate the damage suffered by data subjects. Where personal data has been obtained unlawfully by third parties, Article 12(5) of the Law additionally requires the data controller to notify the Personal Data Protection Board and the affected data subjects as soon as possible; the Board has set a reference period of 72 hours for the notification to the Board.

Legal Liability of the Data Controller and Compensation

The Personal Data Protection Law (KVKK) imposes significant obligations on data controllers regarding the security of personal data. Under Article 12 of the Law, data controllers must take all necessary technical and administrative measures to ensure an appropriate level of security, in order to prevent the unlawful processing of personal data, prevent unlawful access to it, and ensure that it is preserved.

If personal data is unlawfully processed or accessed because this obligation has been breached, the data controller is liable for the resulting damage. This liability is assessed under the general provisions of the Turkish Code of Obligations (TCO) and is commonly described as "strict liability". In practice it operates as a presumed-fault regime with a reversed burden of proof: the data subject need not prove that the controller was at fault; rather, the data controller must prove that the damage did not arise from its own fault and that it had taken all necessary technical and administrative measures. A controller that failed to take those measures, or whose measures were inadequate, will therefore be held liable.

Types of Compensation

Persons who have suffered damage due to a violation of the KVKK may claim two types of compensation from the data controller:

#### 1. Financial Compensation

Financial (pecuniary) compensation covers tangible, monetarily measurable losses arising directly or indirectly from a data breach. Such losses may include:

* Direct Financial Losses: Losses such as unauthorized spending or withdrawals from bank accounts following the theft of payment card data.
* Loss of Income: Income lost by individuals whose business or commercial activities are disrupted by the breach.
* Additional Expenses: Costs incurred to protect against identity theft or fraud attempts (for example, credit monitoring services or the cost of issuing new identity documents).
* Loss of Education or Career Opportunities: Opportunities lost as a result of the disclosure of sensitive personal data (health information, criminal records, etc.).

To claim financial compensation, the damage must be concrete and documented; the claimant must be able to substantiate the loss and its causal link to the breach.

#### 2. Non-pecuniary Damages

Non-pecuniary damages compensate the emotional distress, grief, loss of reputation, shame, fear, and anxiety that an individual suffers as a result of a data breach. Because personal data breaches directly affect the privacy of individuals, non-pecuniary damage is very common in such cases.

* Loss of Reputation: Damage to a person's reputation in their social circle or professional life, especially where sensitive personal data (health information, sexual life, political views, etc.) has been disclosed.
* Psychological Effects: Conditions such as stress, anxiety, sleep disorders, and depression suffered as a result of the breach.
* Violation of Privacy: The discomfort and insecurity felt as a result of an intrusion into one's private life.

The amount of non-pecuniary damages is determined by the court, taking into account the nature of the incident, the severity of the violation, the degree of fault of the data controller (although fault need not be proven by the claimant, its degree may affect the amount awarded), the extent of the harm suffered by the data subject, and the social and economic circumstances of the parties.

Cases of Exemption from Responsibility

To avoid liability for damage resulting from a violation of the Personal Data Protection Law, the data controller must prove that the damage was not caused by its own fault or that it took all necessary measures. If it meets this burden of proof, the data controller may be exempt from liability for compensation. The circumstances in which liability may be excluded are as follows:

* Proof that all necessary technical and administrative measures were taken: Under Article 12 of the Personal Data Protection Law (KVKK), the data controller must take "all necessary technical and administrative measures" to ensure data security. If the data controller can show that, despite the breach, it had fully implemented these measures and that the breach occurred for a reason those measures could not reasonably have prevented, it may be exempt from liability. This is typically supported by cybersecurity certifications, regular audits, staff training, and documented security policies and procedures. Note that certifications alone are rarely decisive; what matters is contemporaneous evidence that the measures were actually in place and operating at the time of the incident, such as audit reports, access and system logs, backup records, and incident response records. The Board's published guidance on technical and administrative measures for personal data security is a useful reference point for the standard expected.
* Damage caused by force majeure: Where the data breach results from an unforeseeable and unavoidable event (such as an earthquake, flood, or terrorist attack), the data controller may not be held responsible.
* Damage caused by a third party's fault: Liability may be excluded where the breach was caused by the fault of a third party beyond the data controller's control and the data controller had taken all reasonable measures to prevent it. An attack by an external party does not in itself exclude liability, since protecting data against such attacks is precisely what the security obligation requires; the controller must still show that its measures met the required standard. Likewise, the fault of a data processor generally does not relieve the data controller of liability; the data controller must exercise due diligence in selecting and supervising its data processors.
* Damage caused by the data subject's own negligence: Where the damage arises from the data subject's own negligence or fault, the liability of the data controller may be reduced or excluded entirely.

The Compensation Claim Process and the Role of Antalya Law Firms

The process by which individuals seek compensation for a violation of the KVKK generally consists of the following steps:

1. Application to the Data Controller: Upon discovering the breach, the data subject first applies to the data controller in writing (or by another method determined by the Board) and requests redress for the damage. The data controller must respond to this request free of charge and within 30 days at the latest.
2. Complaint to the Personal Data Protection Board: If the data controller does not respond in time, the response is inadequate, or the request is rejected, the data subject may lodge a complaint with the Personal Data Protection Board within 30 days of learning of the data controller's response and, in any event, within 60 days of the date of the application. The Board may investigate the complaint, impose administrative fines on the data controller, and order that the violation be remedied. The Board does not, however, have the authority to award compensation.
3. Litigation: Compensation claims are pursued by filing a lawsuit in the Civil Courts of First Instance under the general provisions. In the proceedings, the existence of a violation, the occurrence of the damage, and the causal link between the violation and the damage must be established; the data controller, for its part, must prove that it was not at fault and had taken the necessary measures if it wishes to avoid liability.

A law firm operating in Antalya can provide comprehensive legal support to both data controllers and data breach victims during this process. For data controllers, legal advice is crucial in managing KVKK compliance, establishing data security policies, determining the actions to be taken in the event of a breach, and developing a defence strategy against potential compensation claims.

For data breach victims, the support of an experienced attorney in assessing the damage, preparing the application to the data controller, following the Board process, and filing and pursuing the compensation claim in court makes the legal process considerably more effective. Familiarity with local judicial practice in Antalya and with the proper interpretation of the legislation plays a critical role here.

Personal data protection is one of today's most important legal issues, and the data controller's liability for compensation in the event of a data breach is a concrete expression of that protection. For data controllers, full compliance with their obligations is the key to minimizing legal and financial risk. For data subjects, knowing their rights and taking the necessary legal action in the event of a breach is an essential part of protecting themselves in the digital world. Professional legal support in these processes helps ensure that the interests of both data controllers and data breach victims are properly and effectively represented.