Long Awaited Guidelines Published
The Turkish DPA has published its Guidelines on Cross-Border Transfer of Personal Data (“Guidelines”) which eliminate grey areas and standardize practice. They cover various transfer mechanisms such as adequacy decisions, appropriate safeguards, and exceptional transfers. The Guidelines also provide concrete examples to clarify common situations such as data transfers between subsidiaries and foreign parent companies and transfers by Turkish companies to foreign entities.
Novel Administrative Fine Amounts Announced
Administrative fines under the Turkish PDPL are revised annually to reflect the revaluation rate published at the beginning of each calendar year in accordance with Article 17 of the Misdemeanours Law No. 5326 and Article 298 of the Tax Procedure Law. For 2025, the revaluation rate has been set at 43.93% resulting in an increase in the number of administrative fines compared to 2024.
Cybersecurity Presidency Established
The “Cybersecurity Presidency” (“Presidency”) was established through Presidential Decree on 8 January, 2025. The Presidency is responsible for detecting cybersecurity vulnerabilities, identifying priority areas, and creating emergency and crisis management plans. It will enhance collaboration between public institutions, the private sector and universities while developing domestic products and technologies.
The Presidency will also focus on raising awareness of cybersecurity through training and events. Strategy development, research, technology transfer, and encouraging participation in both national and international events are also key foci.
New Guidelines for Banking Sector
The Banking Sector Best Practices Guidelines on Personal Data Protection (“Guidelines”) have been published by the DPA in collaboration with the Banks Association of Türkiye. The Guidelines have been updated to reflect changes to the Amendments to the Code of Criminal Procedure and Certain Other Laws.
Mediator Obligations Widened
A January 13 announcement explained mediation requirements under the Turkish PDPL. Mediators, who are considered data controllers, must explain how data is processed to the parties involved in mediation. Current obligations under the Mediation Law are not wide enough to satisfy Turkish PDPL data protection requirements
Important Statistics Shared
The President of the Turkish DPA announced that a total of approx. EUR 27 million in administrative fines has been imposed by the authority since 2017. The announcement also detailed the following:
- 47,038 notifications and complaints (45,263 concluded).
- 1,601 data breach notifications (353 published on DPA website).
- 1,545 standard contract notifications for cross-border data transfers submitted.
- 10 written commitments for cross-border data transfer approved.
Trabzon University in Major Data Breach T
he DPA published details of a data breach involving Trabzon University on 16 January 2025. The breach, which began in 2023 and was detected on 1 June 2024, affected 25,237 individuals including university staff and students. Compromised data included identity details, contact information, personnel data, and location data which were reportedly sold on illegal online platforms by the cyber attackers. This was the only data breach published in January.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
