Not The Final Word: How to Challenge Personal Data Protection Board Decisions in Türkiye
For many businesses in Türkiye, a single decision of the Personal Data Protection Board can now mean multimillion-lira fines, suspended data transfers, and immediate operational disruptions. The Law on the Protection of Personal Data No. 6698 ("LPPD") constitutes a core component of Türkiye's personal data privacy framework. It safeguards individuals’ fundamental right to privacy and regulates the entire lifecycle of personal data processing. The LPPD also provides legal remedies for decisions made by the supervisory administrative authority, the Personal Data Protection Board ("Board").
Although criminal penalties are also regulated under the Turkish Criminal Code No. 5237 and other applicable legislation, this article focuses on the administrative consequences of non-compliance with the LPPD. It outlines the sanctions available under the LPPD and examines the avenues for judicial review and the procedural routes for legal recourse.
2. ADMINISTRATIVE SANCTIONS UNDER THE LPPD
Under Articles 18 and 22 of the LPPD, the Board may impose administrative sanctions, including administrative fines on data controllers and, for certain duties, on data processors. In practice, sanction levels depend on both the nature of the violation and the Board’s assessment of its seriousness.
Table 1: Administrative Fines under the LPPD (Re-evaluated Annually)
| Violated Obligation | Administrative Fines (TRY, 2025) | Administrative Fines (TRY, 2026) |
|---|---|---|
| Article 9 – Failure to notify the Board regarding Standard Contracts for cross-border transfers | 71,965 – 1,439,300 | 90,308 – 1,806,177 |
| Article 10 – Failure to inform data subjects | 68,083 – 1,362,021 | 85,437 – 1,709,200 |
| Article 12 – Failure to fulfil data security obligations | 204,285 – 13,620,402 | 256,357 – 17,092,242 |
| Article 15 – Failure to comply with Board decisions | 340,476 – 13,620,402 | 427,263 – 17,092,242 |
| Article 16 – Failure to register with VERBIS | 272,380 – 13,620,402 | 341,809 – 17,092,242 |
(Administrative fines are re-evaluated annually under Article 17 of the Misdemeanours Law No. 5326 and Article 298 of the Tax Procedure Law.)
Administrative fines, however, represent only one aspect of the Board’s enforcement powers. Crucially, the Board can also suspend data processing or international transfers (LPPD Art. 15), which poses the ultimate operational risk to businesses.
The Board has broad discretion when assessing the seriousness of a violation by considering the following:
- The nature of the personal data involved,
- The degree of fault of the controller or processor,
- The financial standing of the infringing party,
- The potential damage to data subjects.
Administrative sanctions are independent of civil or criminal liability. Thus, a controller may simultaneously face administrative fines, civil damages suits, and, in severe cases, criminal prosecution.
Although these administrative sanctions are significant, they are open to legal challenge. In practice, effectively challenging the Board’s decisions requires a practical understanding of the available legal remedies and how they operate procedurally.
3. JUDICIAL REVIEW MECHANISMS
The Board’s administrative actions are broadly classified into two categories:
- Individual acts (e.g., administrative sanctions, including fines and suspension measures imposed on a specific controller),
- General regulatory acts (e.g., guidelines, principal decisions, or broader regulations).
Understanding this distinction is the first step in determining the appropriate judicial review mechanism and the specific grounds for challenging Board decisions.
3.1 Challenging Individual Acts
Under Article 18 of the LPPD and Article 7 of the Administrative Jurisdiction Procedure Law No. 2577 ("IYUK"), individual acts (such as fines or sanctions imposed on a party) must be challenged by filing an annulment action at the Ankara Administrative Courts within a strict 60-day deadline from notification.
Prior to judicial review, controllers may request the Board to reconsider its decision under Article 11 of the IYUK. This application is optional and suspends the deadline for filing a lawsuit. The remaining time resumes once the Board issues a response or, if the Board does not respond to the application within 30 days, once that statutory period expires.
3.2 Challenging General Regulatory Acts
General regulatory acts, which are decisions or guidance issued by the Board that have broad application to all controllers rather than specific individuals, may be directly challenged before the Council of State (Danıştay) within 60 days of notification or publication.
Table 2: Challenging Mechanisms
| Type of Act | Legal Basis | Competent Court | Time Limit | Optional Pre-Review | Potential Outcomes |
|---|---|---|---|---|---|
| Individual Acts (e.g., fines, sanctions, and suspension measures against a specific controller) | LPPD Art. 18 & IYUK Art. 7 | Ankara Administrative Courts | 60 days from notification | Optional application to the Board within 60 days (IYUK Art. 11) | • Annulment of the act • Stay of execution (to prevent enforcement of fines or suspension of processing) • Upholding the Board’s decision |
| General Regulatory Acts (e.g., guidelines, principal decisions, general regulations) | General principles of administrative law | Council of State (first instance) | 60 days from notification | N/A | • Annulment of the act (regulation/guideline) • Rejection of the claim, confirming validity |
However, securing a venue for appeal is only half the battle; preventing the immediate enforcement of administrative fines and suspension measures is the other.
4. STAY OF EXECUTION
The process has gone through several adjustments as the system has matured.
During the early implementation period of the LPPD, certain administrative fines were reviewed by criminal courts of peace under the Misdemeanours Law No. 5326, where filing an objection automatically suspended enforcement until judicial review was concluded. Yet, these courts lacked expertise in administrative and data protection matters, leading to inconsistent and unpredictable outcomes.
Later Constitutional Court rulings (e.g., M.I.I. [GK], B. No: 2020/7518, 12/10/2023, § …), followed by legislative amendments introduced by Law No. 7499, consolidated the position that administrative courts are the competent judicial forum for reviewing administrative sanctions imposed by the Board.
While this correction resolved the judicial inconsistency, it removed the automatic suspensive effect that existed under the misdemeanour procedure.
Consequently, when a Board decision is challenged, simply filing a lawsuit does not automatically suspend enforcement. In practice, this means fines can be collected, and data processing activities can be suspended while the lawsuit is still pending. Therefore, the most decisive step is applying for a stay of execution under Article 27 of the IYUK.
This interim remedy allows businesses to avoid irreversible consequences while judicial review is still pending. However, the court will only grant this vital temporary safeguard if two strict conditions are met simultaneously:
- The administrative act must be clearly unlawful, and
- Its execution would cause irreparable or serious harm that would be difficult to remedy.
If both conditions are met, the court can suspend the enforceability of the decision, thereby preventing the collection of fines or the implementation of processing bans while the case remains under review.
Why Is It Important for Data Controllers?
For data controllers facing multimillion-lira fines or restrictions on data processing and international transfers, obtaining a stay of execution is often indispensable for preserving business continuity and avoiding irreversible operational damage.
In this context, a successful application:
- Prevents immediate enforcement,
- Maintains business continuity where data processing or transfer is at risk of interruption, and
- Reduces reputational risks associated with immediate enforcement.
In the absence of a stay of execution, Board decisions are immediately enforceable. This creates a risk where, despite a subsequent judicial annulment, the controller must retroactively seek restitution for administrative fines or attempt to resume processing activities that were already disrupted.
5. CONCLUSION
Board decisions are not merely regulatory outcomes; they are strategic events that require prompt, well-structured legal responses. However, Turkish law provides several safeguards:
- Annulment actions before administrative courts,
- Stay of execution to prevent immediate enforcement,
- Optional internal review before initiating a lawsuit.
For businesses, particularly those processing sensitive personal data or engaging in international data transfers, an effective litigation strategy is essential not only for regulatory compliance but also for preserving long-term business value.
Experience shows that, in an enforcement-driven regulatory environment, procedural strategy can be just as decisive as substantive compliance.
Key Takeaways
- Board decisions are not final; they can be challenged.
- The 60-day deadline is strict; timely action is essential.
- A stay of execution request can significantly influence the outcome, particularly for high-value fines or processing restrictions.
- Legal guidance matters. Strategic litigation planning is key to maintaining operational stability.
Disclaimer: This article is intended for general guidance only and should not be regarded as legal advice. For further information or tailored advice, please contact the authors.