TÜBİTAK Defines Strict IT Criteria for Crypto Providers to Protect Personal Data
TÜBİTAK BİLGEM has issued a technical fra mework for Crypto Asset Service Providers (KVHS), emphasizing their obligations as data controllers under Turkish data protection law. The newly published criteria set minimum stan dards for wallet security, access management, data logging, and system continuity—all essen tial for safeguarding personal data processed through digital asset platforms. Beyond IT inf rastructure, the guidelines address how service providers must implement technical and organi zational measures aligned with the Law No. 6698 on the Protection of Personal Data. Seen as a de facto engineering manual for the crypto sector, the document is expected to play a central role in Capital Markets Board of Türkiye's licensing pro cedures and compliance oversight.
Turkish High Court Rules: Accessing Call Logs Without Consent Breaches Personal Data Law
The Turkish Court of Cassation has ruled that accessing a former partner's mobile phone call records without consent constitutes unlawful acquisition of personal data, rather than a vio lation of communication privacy. Citing Article 136 of the Turkish Penal Code, the court emphasized that any personal data—regardless of how it is stored or acquired—remains protected under the law. Even when such data is accessed through observation or memory, unauthorized use can trigger criminal liability. By overturning the acquittal, the court clarified that the act falls under data protection offenses, not merely priva cy violations.
Executive Who Copied Company Data Illegally Cannot Claim Severance
The Turkish Court of Cassation has ruled that a senior executive who copied confidential com pany data to an external device without autho rization is not entitled to severance or notice compensation. Despite an acquittal in the rela ted criminal proceedings, the Court found that the act constituted a clear breach of the duty of loyalty under labor law. Citing forensic reports, internal emails, and confidentiality agreements, the Court emphasized that the employee's acti ons fell outside his job responsibilities and viola ted internal protocols. The decision underscores that unauthorized handling of sensitive data— even without proven malicious use—can justify immediate termination with no severance rights.
Right to Be Forgotten Prevails Over Outdated Allegations
The Court of Cassation has ruled that keeping a 2005 online news article accessible — despite the individual's acquittal years ago — constitutes a violation of personal rights. Emphasizing the ero sion of relevance and absence of public interest, the Court held that the right to be forgotten must be respected when outdated information conti nues to harm a person's reputation and control over personal data. The decision underscores that data controllers, including media outlets, must weigh the public's right to know against an individual's right to move beyond a stigmatizing past. A key ruling for balancing digital memory with human dignity.
KVKK Releases Comprehensive Glossary of Personal Data Protection Terms
In April 2025, the Turkish Personal Data Protecti on Authority ("DPA") published the first edition of its "Glossary of Terms Related to Personal Data Protection." This resource goes beyond the defi nitions set out in Law No. 6698 and its secondary legislation—it also compiles key concepts from international sources such as the European Data Protection Board ("EDPB"), the European Data Protection Supervisor ("EDPS"), and the IAPP. Covering 100 selected terms, the glossary aims to resolve terminological ambiguities common ly encountered in data processing practices. By promoting a shared understanding among data controllers, practitioners, and the general public, the glossary contributes to more coherent imp lementation and better comprehension of data protection rights.
The DPA announced the following data breach notifications in May:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
