Turkey: Two-Minute Recap Of Recent Developments In Turkish Personal Data Protection Law – September 2023

October 2023 – In September 2023, the Turkish Personal Data Protection Authority (the "DPA") published six data breach notifications but did not publish any decisions.

Countdown begins: Turkish DP Law to undergo amendments to align with GDPR standards

Turkey is set to change its data protection rules, as outlined in the Medium-Term Program announced on 6 September 2023. In this respect, the Turkish Data Protection Law ("DP Law") will be amended within the next year, with the changes expected to take effect in the fourth quarter of 2024. These amendments aim to bring the DP Law in line with the European Union's General Data Protection Regulation (GDPR) and other EU legislation.

Highlights from the 3rd Personal Data Protection Summit

On 20 September 2023, the 3rd Personal Data Protection Summit was held, focusing on "global developments in data governance". During the summit, the President of the DPA announced the initiation of a study on artificial intelligence within the context of personal data protection. Key statistics and achievements since 2017 were also shared, including:

	Out of 35,592 notifications, applications and complaints, the DPA has resolved 33,639.
	The DPA received 1,189 data breach notifications, with 277 published on the DPA's website
	As a result of the investigations, a total administrative fine of approximately TRY 291 million (approx. EUR 10 million was imposed.
	The DPA provided 1,040 legal opinions within the scope of the DP Law.
	The DPA approved seven written undertakings with sufficient qualifications for the transfer of personal data abroad.

September agenda of the DPA

The DPA had a packed agenda in September, hosting several insightful seminars:

• On 6 September, the seminars "Personal Data Security and Protection of Privacy in IoT Applications" and "Personal Data Security in Cloud Computing" delved into the increasing integration of IoT applications in daily life. The seminar emphasised the importance of prioritising individual privacy in IoT use and addressed data security issues in cloud computing, especially when using foreign infrastructure-based cloud services.

• On 26 September, the seminar "The Position of Lawyers under the DP Law" clarified the DPA's unique evaluation of each legal case. The main criterion for determining if a lawyer acts as a data controller is their role in the data processing activity and their independent authority in decision making regarding that activity. Concerning the data controllers' obligation to inform, the seminar stressed the need to provide information before initiating data processing.

• On 27 September, the seminars "Risk-Based Approach" and "Evaluation of Targeted Advertising Practices in terms of DP Law" addressed the definition of risk from the data protection perspective and emphasised the importance of a risk-based approach. The concept of targeted advertising was also highlighted, underscoring the importance of considering the DP Law's provisions to empower data subjects against targeted advertising practices.

• On 29 September, the event "Data Security in the Threat Ecosystem" at the Information and Communication Technologies Authority discussed the DPA's Guidelines on Personal Data Security as a roadmap. The seminar covered technical and administrative measures for ensuring personal data security.

The DPA announced the following data breach notifications in September:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.