The Personal Data Protection Law, which will take effect on January 1, 2026, stipulates revenue-based penalties for certain particularly serious violations, with fines that can reach up to 5% of the preceding year's revenue for such infractions.
According to the Ministry of Public Security, during the first six months of 2025, police authorities discovered and handled 56 cases of illegal personal data trading, involving a total of over 110 million records.
In reality, there is a genuine demand for collecting personal data to serve production and business activities. It is precisely this demand that has driven many organizations and individuals to illegally collect personal data for their own purposes.
Additionally, many operators of information systems involved in collecting, analyzing, and processing personal data have significant vulnerabilities in their policies, procedures, and regulations for handling this data. This leads to the leakage, theft, or unauthorized use of the data they manage, whether it belongs to their own organization or entities they are entrusted with, ultimately compromising their customers' personal data.
In particular, public awareness regarding the protection of personal data and the exercise of individual data rights remains very limited. This is compounded by the public's complacency and lack of understanding when it comes to safeguarding their personal information.
In response to this alarming situation, the Personal Data Protection Law was passed by the National Assembly on June 25, 2025, and will take effect on January 1, 2026.