29 January 2026

Quick Read: Data Protection Law Updates In Türkiye – December 2025

KST LAW

Contributor

KST LAW is an independent, Istanbul-based, full-service corporate law firm in cooperation with Kinstellar.

We provide legal services relevant to all aspects of business in a wide variety of sectors. We operate to the highest international standards in managing cross border transactions or investments and providing practical and creative solutions to legal or regulatory issues.

KST LAW is proud to have an exceptional client base consisting of some of the largest Turkish conglomerates, sector leaders in Turkey, multi-nationals, investment or private equity funds and financial institutions.


January 2026 – In December 2025, the Turkish Personal Data Protection Authority (the “DPA”) organised several events and announced six data breach notifications. In this edition of the Quick Read, we highlight notable updates in both data protection and cybersecurity in Türkiye.

2026 Update: Turkish Data Protection Fines Revaluated

The administrative fines set out under Article 18 of the Turkish Personal Data Protection Law (“DP Law”) have been revaluated for 2026 in accordance with the Misdemeanours Law No. 5326, based on the official revaluation rate announced for 2026. Below is a snapshot of the updated administrative fine ranges applicable as of 2026, together with approximate EUR equivalents for ease of reference.

| Infringement type | Administrative Fine (TRY) | Approx. EUR |
| --- | --- | --- |
| Failure to fulfil the obligation to inform data subjects | TRY 85,437 – 1,709,200 | EUR 1,700 – 34,080 |
| Failure to fulfil data security obligations | TRY 256,357 – 17,092,242 | EUR 5,110 – 340,820 |
| Failure to comply with decisions of the DPA | TRY 427,263 – 17,092,242 | EUR 8,520 – 340,820 |
| Failure to register with and update the Data Controllers' Registry (VERBIS) | TRY 341,809 – 17,092,242 | EUR 6,815 – 340,820 |
| Failure to fulfil the notification requirement for Standard Contract Clause(s) to the DPA | TRY 90,308 – 1,806,177 | EUR 1,800 – 36,015 |

New Presidential Decree Expands the Mandate of the Cybersecurity Presidency

On 25 December 2025, Presidential Decree No. 192 was published, expanding the mandate of the Cybersecurity Presidency. The Presidency's responsibilities now extend beyond cybersecurity to encompass digital government policies, public-sector IT infrastructures, data governance, and public-sector AI applications.

Key developments include:

  • Expanded policy and regulatory role: The Cybersecurity Presidency is now formally mandated to lead legislative and regulatory initiatives and to develop national policies, strategies, and action plans in cybersecurity and digital government, including alignment with international standards and frameworks.
  • Central authority for public-sector AI and data governance: The Decree assigns the Presidency a central role on public-sector AI, including the authority to set data governance and data quality standards throughout the entire data lifecycle and to support the development of common data space infrastructure.
  • Oversight of e-government and public IT projects: The Presidency will now oversee e-government services and public IT projects, including standards for project management and integration of public information systems.
  • Organisational restructuring: The Decree introduces a revised organisational structure, comprising a president and three deputy presidents, the authority to establish up to seven domestic representative offices and one overseas organisation, and the creation of new specialised units, including directorates dedicated to public AI and digital government.

DPA Event Highlights

1. Symposium on the Right to Privacy and the Protection of Personal Data

To mark Human Rights Day on 10 December 2025, the DPA hosted the “Symposium on the Right to Privacy and the Protection of Personal Data”, bringing together representatives of public institutions and academia.

The event opened with remarks from the president of the DPA, followed by two panels focusing on ethics and privacy in the context of human rights and the protection of children's personal data in the digital age, with contributions from academic experts and DPA specialists.

During the symposium, the DPA also shared key figures reflecting its enforcement and guidance activities since 2017, including:

  • 57,577 applications received (55,482 concluded);
  • 1,881 data breach notifications (383 publicly announced);
  • Administrative fines totalling TRY 1,277,717,000 (approx. EUR 25,477,900) imposed;
  • 1,338 legal opinions issued;
  • 13 approved international data transfer undertakings; and
  • 3,629 standard contractual clauses submitted for cross-border data transfers.

2. Wednesday Seminar on “Artificial Intelligence and Criminal Law”

On 17 December 2025, as part of its ongoing “Wednesday Seminars” series, the DPA organised a seminar on “Artificial Intelligence and Criminal Law”, addressing the fundamentals of AI and examining AI-related conduct through practical examples from the criminal law perspective.

Data Breach Notification

  • Beyçelik Holding A.Ş. and certain group companies (including Beyçelik Gestamp Otomotiv Sanayi A.Ş.) notified the DPA of a ransomware attack resulting in the encryption of systems following the deployment of ransomware on Beyçelik Gestamp's servers. The incident occurred on 4 December 2025. At the time of notification, the affected data subject groups, the personal data categories, and the number of impacted individuals had not yet been determined, and technical and forensic reviews were ongoing.
  • Dem İlaç Sanayi ve Ticaret A.Ş. and its group companies DMR Otomotiv Kiralama Sanayi ve Ticaret Ltd. Şti. and Pharmada İlaç Sanayi ve Ticaret A.Ş. (which submitted parallel notifications regarding the same incident) notified the DPA of a ransomware attack on 7 December 2025. The threat actor allegedly claimed to have exfiltrated approximately 1 TB of sensitive data, and the data controller's internal investigation was ongoing at the time of notification. The potentially affected data subject groups were reported as employees, users, and customers/potential customers. Given the claimed system-wide access, the affected data categories were reported to potentially include a broad range of personal data, including identity, contact, location, employment, legal transaction, customer transaction, physical premises security, transaction security, risk management, finance, professional experience, marketing, visual and audio records, health data, and criminal records and security measures. The number of affected individuals had not yet been determined.
  • Balıkesir Uludağ Turizm Taş. İnş. Tic. Ltd. Şti. notified the DPA of a brute-force attack targeting an authorised user account on its portal management login page, resulting in unauthorised system access. The breach occurred between 1 and 5 December 2025 and was detected on 6 December 2025. The affected data subject groups were reported as employees, subscribers/members, and customers. While the data controller indicated that the affected personal data categories were limited to identity and contact data, the attacker allegedly claimed to have a broader dataset and asserted that over 10 million records were involved; the exact number of affected individuals was not yet confirmed.
  • Uludağ Elektrik Dağıtım A.Ş. notified the DPA of a data set containing subscriber information that was identified on a dark web file-sharing platform. The breach occurred on 5 August 2025 and was detected on 18 August 2025, reportedly resulting from unlawful access to a system protected by password and SMS-based verification. The affected data subject group was subscribers/members. The data set reportedly included 57 data categories (including personal data alongside predominantly technical data such as subscriber number, name-surname, partial address, consumption, and meter information). While the number of affected individuals was not confirmed, the number of queries performed was reported as 899,890.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
