16 July 2025

Quick Read: Data Protection Law Updates In Türkiye – June 2025

KST LAW

Contributor

KST LAW is an independent Istanbul-based full-service corporate law firm in cooperation with Kinstellar.

We provide legal services relevant to all aspects of business in a wide variety of sectors. We operate to the highest international standards in managing cross border transactions or investments and providing practical and creative solutions to legal or regulatory issues.

KST LAW is proud to have an exceptional client base consisting of some of the largest Turkish conglomerates, sector leaders in Turkey, multi-nationals, investment or private equity funds and financial institutions.

July 2025 – In June 2025, the Turkish Personal Data Protection Authority (the "DPA") organised several events, announced five data breach notifications, and published one principle decision.

In addition, two other regulatory developments were introduced. The first strengthened oversight of electric vehicle advertising to ensure transparency and prevent misleading claims. The second established a national monitoring framework for digital accessibility compliance.

Turkish DPA flags mandatory SMS verification in purchases

On 26 June 2025, the DPA issued its Principle Decision No. 2025/1072, addressing the widespread use of mandatory SMS verification codes during consumer transactions such as registration, payment, and membership. This practice often involves collecting multiple consents, such as for data processing and marketing, through a single SMS input, without providing sufficient information or obtaining valid, explicit consent. The DPA confirmed that this approach violates the Turkish Personal Data Protection Law ("DP Law").

This is not the first time the DPA has addressed this issue. It had previously issued public announcements on 17 December 2021 and 13 November 2023 warning against similar practices. However, with this Principle Decision, the Authority has now formalised its position and signalled a stronger enforcement approach.

The DPA reiterated that, in order to comply with the DP Law while using such methods, data controllers must:

  • clearly explain the purpose of SMS codes both before and within the message;
  • separate the services they provide from the marketing consent condition; and
  • ensure that such consent is freely given and not bundled with transaction steps.

The DPA also recommends collecting marketing consent after the transaction is completed and emphasises the importance of regular internal training for customer-facing personnel. Non-compliance may lead to administrative fines ranging from TRY 340,476 to TRY 13.6 million (approximately EUR 7,300 to EUR 291,929), as outlined in Article 18 of the DP Law. These fines are specifically applicable to violations of the DPA's Principle Decisions, adding a new layer of enforcement to prior guidance.

You can read our detailed summary of the Principle Decision here.


DPA to Serve Fines via Revenue Administration's e-Notification System

On 10 June 2025, the DPA announced that administrative fines issued under Article 18 of the DP Law will now be delivered through the e-Notification system operated by the Ministry of Treasury and Finance's Revenue Administration. This change follows the completion of the necessary technical integration and protocol arrangements between the institutions.

In accordance with Article 26(4) of Misdemeanours Law No. 5326, this electronic method is legally valid, and notifications will be deemed served on the fifth day after reaching the recipient's registered electronic address.

The new system replaces physical notifications and aims to streamline enforcement processes. However, if a data controller does not have an active tax registration, or if their registration has been removed, the DPA will continue to serve notifications under the procedures set out in Notification Law No. 7201.


Heightened Regulatory Scrutiny on Electric Vehicle Advertisements

On 12 June 2025, the Turkish Ministry of Trade's Advertising Board ("Advertising Board") published a new decision increasing scrutiny over electric vehicle ("EV") advertisements. The Advertising Board highlighted widespread non-compliance with advertising regulations, especially concerning misleading claims about vehicle range based on WLTP data collected under laboratory conditions and presented without sufficient context regarding real-life use.

The Board expects manufacturers and advertisers to:

  • clearly disclose the testing standards used;
  • explain that real-world range may differ from advertised values; and
  • inform consumers about key influencing factors such as climate and driving habits.

This move follows a broader enforcement trend, with over TRY 141 million (approx. EUR 3 million) in fines issued in the first half of 2025 alone. Ongoing monitoring by the Advertising Board will continue to prioritise consumer transparency and accurate marketing.

You can read our detailed summary of the Advertising Board's announcement here.

Monitoring Framework for Digital Accessibility Standards

On 21 June 2025, Presidential Circular No. 2025/10 was published in Türkiye's Official Gazette, introducing a legal framework to ensure that websites and mobile applications are accessible to all users, particularly persons with disabilities and the elderly. This circular reinforces obligations under Law No. 5378 on the Rights of Persons with Disabilities and aligns national practices with international web accessibility standards.

The circular mandates compliance with two key benchmarks: the Web Accessibility Checklist – Level A, developed by the Ministry of Family and Social Services, and the WCAG 2.2 guidelines issued by the World Wide Web Consortium (W3C).

In order to monitor compliance, the Ministry of Family and Social Services has established a Monitoring Commission and an Advisory Commission, with the former responsible for oversight and reporting, and the latter providing guidance and stakeholder engagement.

Websites and mobile apps found to meet the required standards will be eligible to display an official "Accessibility Logo" for two years, signalling compliance and commitment to digital inclusion.

The circular also sets phased deadlines:

  • Within one year, compliance is required from public bodies, universities, municipalities, banks, private hospitals and schools, major transport providers, and telecom operators with over 200,000 subscribers.
  • Within two years, businesses engaged in e-commerce, regulated under Law No. 6563, must meet the same standards.

You can read our detailed summary of the Circular here.

DPA Event Highlights

1. DPA Seminar on Digital Identity and Privacy

As part of its weekly "Wednesday Seminars", the Turkish DPA hosted a session on 12 June focusing on personal data protection in digital identity systems. The speaker, a DPA expert, discussed digital identity models, the EU's digital ID policies, and data protection challenges.

2. DPA Signs Cooperation Protocol with Ankara Hacı Bayram Veli University

The DPA has signed a cooperation protocol with Ankara Hacı Bayram Veli University to promote joint efforts on personal data protection, privacy, data security, and education.

The protocol aims to facilitate joint activities, awareness-raising initiatives, and national or international projects, establishing a framework for ongoing collaboration between the DPA and the university.

Data Breach Notifications

  • Manisa Ulaşım Hizmetleri Makina Sanayi ve Ticaret A.Ş. notified the DPA of a cyberattack that affected subscribers'/members' personal data. Accordingly, subscribers'/members' identity, contact, health information, visual and auditory recordings, and professional experience data were compromised.
  • Richemont İstanbul Lüks Eşya Dağıtım Anonim Şirketi notified the DPA of a cyberattack that affected customers' and potential customers' personal data. Accordingly, identity, contact, customer information, and location data were compromised.
  • İstanbul Gedik Üniversitesi notified the DPA of unauthorised access following a security problem on its web system. Accordingly, employees', users', and students' identity, contact, transaction security, information about the institution/department, and the user's traffic data were compromised.
  • TCO Turkey Mücevherat Ticareti Limited Şirketi notified the DPA regarding a data breach caused by unauthorised access to the systems of its US-based affiliate, Tiffany and Company. The breach potentially affected identity, contact, personnel information, and transaction security data of employees and consultants, as well as customers' identity, contact, and customer information data.
  • BeiGene, Ltd. notified the DPA of a data breach involving the unauthorised upload of corporate files containing clinical trial planning data to external platforms (pastebin.com and swisstransfer.com). The breach affected 467 individuals in Türkiye, including 17 employees and 450 patients. The compromised personal data categories include identity, contact, and health information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
