Türkiye Strengthens Oversight of Online Product Safety
In a significant step toward regulating e-commerce practices, a new regulation issued by the Turkish Ministry of Trade has entered into force as of April 1, 2025. The Regulation on Market Surveillance and Inspection of Products Offered to the Market via Remote Communication Tools, first published on October 30, 2024, aims to enhance consumer protection by imposing new obligations on online sellers and platforms.
The regulation applies to all products sold via the internet, except for services such as ready-to-eat food offered on delivery platforms. Sellers must clearly display, in Turkish, the identity and contact information of the manufacturer or importer, as well as all product safety markings. Companies selling goods to Türkiye from abroad are now required to appoint a local representative.
Online marketplaces are also subject to new obligations, including the establishment of a dedicated "Product Safety Contact Point" for consumer complaints. In cases where a product is found to be unsafe, the relevant listing must be removed within 24 hours. Failure to comply may result in the listing being blocked entirely.
Ministry of Health Introduces Stricter Data Processing Rules for Private Healthcare Providers
On April 8, 2025, the Turkish Ministry of Health published a new regulation that imposes detailed obligations on private healthcare institutions—such as clinics, medical centers, and outpatient facilities—regarding the processing and protection of personal health data. These provisions are introduced under Article 24 of the Regulation on Private Healthcare Institutions Providing Outpatient Diagnosis and Treatment.
Under the new rules, all patient data must be recorded electronically using Ministry-registered health information systems. Such data must be processed in accordance with the Turkish Personal Data Protection Law ("KVKK"), relevant secondary legislation, and the Ministry's data processing procedures, and transferred to Türkiye's centralized health data system.
The regulation mandates strict technical and administrative safeguards to ensure the confidentiality and integrity of medical records, including the use of secure electronic signatures and regular data backups. Additional precautions apply to judicial reports and records, which can only be accessed and amended under strict conditions.
Moreover, healthcare providers are now required to establish a compliant digital or physical medical archive and ensure secure data retention, even when delivering remote health services.
Bar Association Challenges Data Protection Officer Certification Regulation
On April 7, 2025, the Turkish Council of State held the first hearing in a lawsuit filed by the Union of Turkish Bar Associations ("TBB") seeking the annulment of the Turkish Personal Data Protection Authority's 2021 regulation on the certification of Data Protection Officers ("DPOs").
The regulation, published under the Communiqué on the Principles and Procedures Regarding the Personnel Certification Mechanism, establishes a voluntary certification scheme for individuals who meet specified criteria and pass an official exam. Certified individuals receive the title of "Data Protection Officer" ("Veri Koruma Görevlisi" – VKG). However, the Authority emphasized that this role should not be confused with the "Data Protection Officer" under the EU General Data Protection Regulation ("GDPR"), as the VKG title is not recognized under Turkish law and does not confer any formal legal or advisory status.
The Bar Association contends that the certification scheme permits non-lawyers to provide legal advisory services in a field—data protection law—that falls under the exclusive scope of licensed attorneys, as defined in Article 35 of the Attorneys' Act. It argues that this contradicts the legal monopoly granted to lawyers and poses a risk to the legal profession.
No final decision has yet been issued by the court.
Prosecutors Seek Over 34 Years in Prison for Developers of Illegal Data Access Software Used by Law Firms
According to a report by Anadolu Agency, Turkish prosecutors have demanded prison sentences of up to 34 years and 6 months for individuals accused of developing and selling illicit software designed to access personal data through law firms.
The indictment, issued by the Ankara Chief Public Prosecutor's Office, follows an investigation launched after Türkiye's National Computer Emergency Response Center (USOM) detected the use of unauthorized query software, named "Avatar/Adalet," by certain law offices. The operation, coordinated with the National Intelligence Organization (MIT), led to the arrest of five suspects—including the software's developers—through simultaneous raids in Istanbul and Izmir.
The software allegedly enabled unauthorized access to sensitive personal data of Turkish citizens, including names, ID numbers, birth details, contact information, vehicle registrations, land registry data, and more. Investigators found that the suspects used phishing methods to obtain the login credentials of authorized public officials and then built a private query system on those credentials, which they sold to third parties.
Prosecutors have charged the suspects with multiple offenses, including unlawful acquisition and dissemination of personal data, illegal interference with information systems for profit, and the procurement of state security-related classified information.
New Best Practice Guidelines on Data Protection in the Payment and E-Money Sector
In light of rapid technological advances transforming the financial industry, the Turkish Personal Data Protection Authority ("DPA"), in collaboration with the Turkish Payment and Electronic Money Association ("TÖDEB"), has published the Best Practice Guidelines on the Protection of Personal Data in the Payment and Electronic Money Sector. The Guidelines aim to address the sector's growing reliance on the processing of sensitive personal data—such as identity information, contact details, financial history, and transaction records—and to support compliance by data controllers operating in this space.
The Guidelines provide practical direction for institutions offering services such as money transfers, POS transactions, bill payment intermediation, and mobile payment solutions. They cover key data protection concepts including the roles of data controller and processor, legal bases for processing, data transfers, data security, and specific obligations under the Personal Data Protection Law ("KVKK").
Importantly, the scope extends beyond e-money and payment institutions to also include their representatives, service providers, e-commerce platforms, and, indirectly, crypto asset service providers involved in these ecosystems.
The DPA announced the following data breach notifications in April:
| Data Controller (and sector) | Affected Data Subjects | Affected Personal Data Categories | Number of Data Subjects |
|---|---|---|---|
| Bellapais (Beauty) | Employees, users and customers / potential customers | Name, surname, telephone number, address information and order details | – |
| Robotistan (Marketplace) | Customers / potential customers | Name, surname, telephone number, address information and order details | – |
| Kullanatmarket (Marketplace) | Customers / potential customers | ID (name, surname), contact (e-mail address, phone number, possible address information), customer transaction (order details, transaction history) and transaction security (records containing information such as IP address, username, etc. of user sessions) | – |