In January 2026, the Turkish Personal Data Protection Authority (the “DPA”) issued several public announcements and published six data breach notifications. In this edition of Quick Read, we highlight the most noteworthy developments in data protection and cybersecurity.

Tech Summit 2026: A Full Day of Legal, AI & Global Growth

Tech Summit 2026 – Legal, AI & Global Expansion for Tech Companies is now behind us. At KST Law, we were delighted to co-organise this event together with our colleagues at Kinstellar and Orrick, Herrington & Sutcliffe LLP.

Across five dynamic sessions, we explored the start-up and scale-up journey, covering topics ranging from VC expectations and early-stage investments to global structuring, compliance, data protection, cybersecurity, case studies on data breach incidents, AI regulations, policies and compliance expectations, and AI-driven transactional strategies.

We extend our sincere thanks to our esteemed speakers, as well as to all our participants and clients, for making the event such a success. See you at Tech Summit 2027.

60-Day Publication Period for Data Breach Notification in Türkiye

On 20 January 2026, the DPA introduced a 60-day publication limit for data breach notifications published on its website. Until now, breach notifications were published without any time limit. Under this new approach:

breach notifications will remain publicly available for a maximum period of 60 days; and

if the data controller provides evidence that affected individuals have already been notified, the announcement may be removed at an earlier stage.

This publication limit enhances legal certainty and reputational protection for data controllers while preserving transparency for data subjects. Data controllers are therefore advised to ensure that data subject notifications are properly documented. For a detailed analysis of the decision and the legal background, see our full article here.

Push Notifications Under Scrutiny: Consent Must Be Granular

On 14 January 2026, the DPA published a public announcement following multiple complaints concerning push notifications sent via mobile applications. As part of its assessment, the DPA reviewed the consent practices adopted by mobile application providers and identified certain compliance issues.

The DPA emphasised that consent obtained for push notifications must comply with the principles of specificity and free will. In particular, where push notifications serve multiple purposes (e.g., service-related notifications such as order status updates and marketing or promotional communications), data subjects must be provided with the opportunity to give separate and independent consent for each purpose.

Consent mechanisms that bundle different purposes under a single approval option do not meet the legal requirements for valid explicit consent under Turkish DP Law. Moreover, requiring users to accept marketing notifications in order to receive service-related notifications may be considered to undermine the “freely given” element of consent. This approach may expose mobile application providers to compliance risks under Turkish DP Law.

Accordingly, the DPA expects data controllers to review their consent flows and technical architecture to ensure that:

distinct purposes are clearly separated;

users are offered meaningful choices in relation to different categories of notifications; and

application and device settings allow users to manage their notification preferences in a granular manner.

VERBIS Exemption Update: How to Apply the Thresholds Where No Balance Sheet Total Exists

On 12 January 2026, the DPA published a public announcement clarifying how the thresholds for the exemption from registration with VERBIS should be applied in practice, particularly for data controllers that do not keep books on a balance sheet basis.

Currently, for local data controllers, the exemption from VERBIS registration applies to:

data controllers with fewer than 50 employees and an annual balance sheet total below TRY 100 million (approx. EUR 1.9 million), provided that their main activity is not the processing of special categories of personal data; and

data controllers whose main activity is the processing of special categories of personal data, provided that they have fewer than 10 employees and an annual balance sheet total below TRY 10 million (approx. EUR 195,000).

The DPA noted that the “annual balance sheet total” criterion is relevant only for data controllers keeping books on a balance sheet basis, which has led to uncertainty for those applying other accounting methods. With this announcement, the DPA clarified the position as follows:

where the data controller keeps books on a balance sheet basis, both criteria are assessed together (number of employees and annual balance sheet total); and

where the data controller does not keep books on a balance sheet basis and therefore has no balance sheet total, the exemption assessment is made solely on the basis of the number of employees.

Use of Foreign Messaging Apps in Public Administration: Compliance and Security Risks

The DPA published a public announcement following complaints that public officials were effectively required to use WhatsApp for administrative communications, including receiving instructions and sharing official documents.

The DPA noted that sharing information via foreign messaging applications may constitute personal data processing and must comply with the processing conditions under the DP Law. The DPA also referred to Presidential Circular No. 2019/12, which emphasises the preference for domestic messaging applications and cautions against sharing confidential/critical data via mobile apps.

The announcement further emphasises the following:

The use of foreign-based messaging applications in official processes may raise data security and compliance risks, particularly given that such applications do not have data centres located in Türkiye; they therefore should not be used for the sharing of confidential or critical official documents.

The sharing of documents containing personal data via such applications may be reviewed by the DPA, either upon complaint or ex officio, and may result in administrative consequences under the applicable disciplinary rules for the responsible public officials.

Public sector employees' mobile phone numbers constitute personal data, and any processing activities must be based on a valid legal basis under the DP Law.

Data Breach Notification

In light of the DPA's announcement on the 60-day publication period for data breach notifications, individual breach summaries are no longer included in our Quick Read editions.

The data breach notifications currently published on the DPA's website may be accessed here.

