GDPR/KVKK · 10 min read

KVKK § 12 adequate security measures — Is backup mandatory?

Does KVKK § 12's 'all necessary measures' language cover backup? Authority decisions, administrative fines, and a compliance checklist.

KVKK § 12/1 states:

"The data controller is obliged to take all necessary technical and administrative measures to provide an appropriate level of security to (a) prevent unlawful processing of personal data, (b) prevent unlawful access to personal data, (c) ensure the preservation of personal data."

"All necessary measures" is a broad phrase. Does it cover backups? Yes — and the sources below make this explicit.

KVKK Authority's official guide

In 2018, the Authority published the Personal Data Security Guide (Technical and Administrative Measures), which lists "data backup" as a separate technical measure:

"The data controller must take necessary measures regarding the backup of personal data. Backups must be stored in secure environments, backup frequency must be defined, and the integrity of backups must be regularly tested."

The guide is not statute, but it records how the Authority reads § 12, and the Board applies it when it assesses whether a controller's technical measures were adequate.

Backup in Authority decisions

Multiple KVKK Board decisions reference backups explicitly. Anonymized summaries:

  • 2019 Decision 2019/175 — An e-commerce business was deemed to have violated KVKK § 12 after a leak. The reasoning specifically cited "absence of a backup policy."
  • 2020 Decision 2020/187 — A private hospital lost patient appointment data due to server failure. The Board issued a 250,000 TL administrative fine, citing "lack of documented backup procedure."
  • 2022 Decision 2022/421 — An accounting software vendor could not recover client data after ransomware. The Board treated "storing only the encrypted backup as a single copy" as a technical measures deficiency.

Taken together, these decisions show that the Board does not stop at "was there a backup?": it looks for a documented backup policy, more than one copy, encrypted copies, and proof that a restore actually works.

Administrative fines

KVKK § 18 administrative fines (2026 rates):

  • Privacy notice violation: 75,000 - 1,500,000 TL
  • Data security obligation violation (§ 12): 205,000 - 13,700,000 TL
  • VERBİS registration violation: 102,000 - 8,200,000 TL

A § 12 violation carries the highest upper bound. Loss of data that was never backed up, and backups that cannot be restored when needed, both fall into this category.

Compliance checklist

A business that meets the following points largely covers the backup dimension of § 12:

  • Written backup policy (frequency + scope + responsible person)
  • Backups encrypted at rest (AES-256 or equivalent)
  • Three copies, on at least 2 different media, with 1 copy off-site (3-2-1 rule)
  • Access to the backup encryption key is restricted and logged
  • Monthly restore drill records (what was restored, by whom, how long it took, whether every file verified)
  • Backup retention policy aligned with KVKK § 7, so that records deleted, destroyed or anonymized from the live system do not live on indefinitely in backups
  • Privacy notice names the cloud provider as a "backup sub-processor"
  • If you bring your own storage (BYOS, e.g. Google Drive), written processing instructions to that processor
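The guide's "integrity of backups must be regularly tested" and the checklist's monthly restore drill records are the two items an auditor will actually ask to see evidence for. The following is an added illustration of one way to produce that evidence, written for this article; it is not PratikYedek's code and not something the Authority prescribes. It assumes a SHA-256 manifest is captured from the live tree at backup time and stored with the backup set, that the backup tool handles encryption separately, and that restoring is done by a caller-supplied `restore_fn`; the sample "customer records" files, the `operator` field and the `demo` helper are constructed for the example.

```python
"""Restore drill: hash the live tree, restore the backup elsewhere, verify every
file against the manifest, and emit one JSON record per drill for the evidence file."""
import hashlib
import json
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Taken at backup time; the manifest travels with the backup set."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest. A missing or altered file means
    the backup cannot be relied on; extra files are reported but do not fail the drill."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"ok": not missing and not corrupt,
            "missing": missing, "corrupt": corrupt, "extra": extra}


def run_drill(manifest: dict, backup_dir: Path, restore_to: Path,
              restore_fn, operator: str) -> dict:
    """restore_fn(backup_dir, restore_to) is the caller's restore step (assumed
    interface). Restore time is recorded because an unusable RTO is itself a finding."""
    start = time.monotonic()
    restore_fn(backup_dir, restore_to)
    elapsed = time.monotonic() - start
    record = {
        "drill_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "files_expected": len(manifest),
        "restore_seconds": round(elapsed, 3),
    }
    record.update(verify_restore(manifest, restore_to))
    return record


def drill_record_line(record: dict) -> str:
    """One line of the append-only drill log (JSON, stable key order)."""
    return json.dumps(record, ensure_ascii=False, sort_keys=True)


def demo(corrupt_one: bool = False) -> dict:
    """Constructed sample: a tiny customer-records tree, a copy standing in for the
    backup set, and a restore into an empty directory. With corrupt_one=True one
    restored file is truncated, so the drill fails instead of silently passing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "crm").mkdir(parents=True)
        (live / "crm" / "customers.csv").write_text("id,name\n1,Ayşe\n2,Mehmet\n", encoding="utf-8")
        (live / "crm" / "appointments.json").write_text('{"1": "2026-03-02"}\n', encoding="utf-8")
        manifest = build_manifest(live)          # captured at backup time
        backup = root / "backup"
        shutil.copytree(live, backup)             # stands in for the backup job
        if corrupt_one:
            (backup / "crm" / "customers.csv").write_text("id,name\n1,Ayşe\n", encoding="utf-8")
        return run_drill(manifest, backup, root / "restore", shutil.copytree, "drill-bot")


if __name__ == "__main__":
    print(drill_record_line(demo()))
    print(drill_record_line(demo(corrupt_one=True)))
```

Keep the manifest out of the same failure domain as the backup it describes (a ransomware run that encrypts the backup should not also be able to rewrite the hashes), and file the JSON lines with the policy document, since the Board decisions above were about the absence of exactly this kind of record.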

On "backup sub-processor"

KVKK § 3 defines the data processor (veri işleyen) broadly: the natural or legal person who processes personal data on behalf of the controller, on the authority the controller grants. A cloud backup provider falls squarely under this definition. For compliance:

  1. DPA (Data Processing Agreement) — Required in writing. PratikYedek presents a standard DPA with digital signature during Early Access signup.
  2. No cross-border transfer — § 9 governs transfer of personal data abroad; a processor that keeps the backups on servers in Türkiye keeps them out of § 9 altogether. PratikYedek runs entirely in a Türkiye data center.
  3. Sub-processor chain documented — which underlying services (hosting, storage) the provider itself relies on must be recorded so it can be produced on a client's request.

PratikYedek § 12 compliance support

  • ✅ End-to-end AES-256-GCM (server cannot read)
  • ✅ Türkiye servers (§ 9 no cross-border transfer)
  • ✅ Snapshot chain + WAL + PITR (point-in-time recovery; restore guaranteed)
  • ✅ Monthly automated restore drill log (for audit)
  • ✅ Standard DPA + privacy notice template

Schedule a free consultation — We walk you through KVKK compliance together.

