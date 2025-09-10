September 2025 – In August 2025, the Turkish Personal Data Protection Authority (the 'DPA') published one announcement, issued two global updates bulletins, organised two seminars, and disclosed two data breach notifications.

DPA Announcement: Unlawful Sharing of Debtors' Relatives' Contact Information

On 20 August 2025, the DPA published an announcement entitled "Public Announcement Regarding the Sharing of Debt Information by Accessing the Telephone Numbers of Relatives of Individuals Who Owe Money, as Provided by Creditors' Representatives."

In its announcement, the DPA states that when creditors' attorneys or representatives access the contact details of debtors' relatives and disclose debt-related information, such conduct constitutes a potential violation of Data Protection Law No.6698 ("DP Law"). Under the DP Law, personal data may only be processed in accordance with the conditions prescribed by law or with the explicit consent of the data subject.

The DPA emphasised that in debt collection processes, the processing of personal data concerning both debtors and third parties must comply with the principles of lawfulness, proportionality, and data security. Failure to comply may trigger administrative monetary fines for data controllers.

You can read the announcement here. (in Turkish only).

Global Snapshots: AI Governance and Data Security

On 19 August 2025, the DPA published a bulletin on selected recent international developments highlighting the following points:

California: The Judicial Council adopted rules and standards requiring courts in the state of California—including trial, appellate, and the Supreme Court—to establish policies on the use of generative AI by judicial officers and staff no later than 15 December 2025, unless such use is entirely prohibited.

The Judicial Council adopted rules and standards requiring courts in the state of California—including trial, appellate, and the Supreme Court—to establish policies on the use of generative AI by judicial officers and staff no later than 15 December 2025, unless such use is entirely prohibited. United Kingdom: The UK Law Commission published a working paper on AI and the law, covering autonomy, adaptability, oversight, training data, and the possibility of granting AI legal personality.

The UK Law Commission published a working paper on AI and the law, covering autonomy, adaptability, oversight, training data, and the possibility of granting AI legal personality. France: The French Data Protection Authority (CNIL) issued a note on the risks stemming from personal data breaches, especially the theft of IBAN details, and mitigation measures.

You can read this Global Updates Bulletin here (in Turkish only).

Wednesday Seminars

1. Personal Data Processing Activities Carried Out by Lawyers

On 28 August2025, the DPA organised a presentation on "Personal Data Processing Activities Carried Out by Lawyers". The seminar addressed data collection, its transfer (domestic and cross-border), and disclosure in the context of lawyers' activities.

2. Assessment of Data Subject Rights under DP Law and GDPR

On 13 August 2025, the DPA organised a presentation focusing on data subject rights under the DP Law. The seminar compared data subject rights under the DP Law with those under the GDPR, including restrictions and application mechanisms.

Data Breach Notifications

Türk Tabipler Birliği notified the DPA of a cyberattack that resulted in unauthorised access to personal data. Approximately 107,000 individuals were affected.Identity, legal transaction, contact and location data of users, employees and member were compromised.

notified the DPA of a cyberattack that resulted in unauthorised access to personal data. Approximately were affected.Identity, legal transaction, contact and location data of users, employees and member were compromised. Biletal İç ve Dış Ticaret A.Ş. notified the DPA of unauthorised access to personal data within its system. Approximately 7,800 customers were affected. Identity, customer transaction, and contact of customers were compromised.

