- within Government, Public Sector and Strategy topic(s)
- in Turkey
July 2026 – June was another active month for technology regulation in Türkiye, with a particular focus on workplace privacy. The Turkish DPA published important guidance on employee CCTV monitoring and biometric attendance systems, signalling increased scrutiny of employers' monitoring practices.
At the same time, significant Constitutional Court judgements clarified the legal framework for publicly disclosed personal data and e-commerce platform liability, while the government unveiled its 2026–2030 AI Vision and Action Plan and introduced new identity verification and subscription rules for the electronic communications sector.
In this edition of Quick Read, we highlight the most notable recent developments in data protection, AI, and digital regulation in Türkiye.
Developments in Data Protection
1. Turkish DPA Reinforces Restrictions on Biometric Attendance Systems
On 2 June 2026, the Turkish DPA published a Principle Decision reaffirming its strict approach to the use of biometric technologies—such as fingerprint, facial recognition, and iris scanning—for employee attendance and work-time monitoring.
The DPA concluded that biometric attendance systems are likely to be disproportionate where less intrusive alternatives are available, even where employees have provided explicit consent, noting that such consent will generally not be regarded as freely given due to the imbalance of power in the employment relationship. Employers should therefore consider alternatives such as access cards, PIN codes, RFID/NFC cards, or manual attendance records.
2. Turkish DPA Clarifies Rules on Workplace CCTV Monitoring
On 8 June 2026, the Turkish DPA published guidance clarifying the conditions for the use of CCTV systems in the workplace. The DPA reiterated that employers may use CCTV only where there is a valid legal basis and the monitoring complies with the general principles under the Turkish DP Law.
The guidance emphasises that employers should:
- ensure CCTV monitoring is necessary, proportionate, and limited to clearly defined purposes, and not use it for employee performance or disciplinary monitoring;
- limit camera coverage to appropriate common or high-risk areas and avoid private spaces, with audio recording used only in exceptional circumstances;
- provide clear privacy notices and appropriate signage; and
- implement appropriate retention, access, and security measures, supported by internal policies governing the use of CCTV footage.
3. Data Breach Notification
The DPA’s data breach notifications published for June 2026 may be accessed from this link.
Developments in Artificial Intelligence
2026–2030 AI Vision and Action Plan Published
On 13 June 2026, during the Türkiye Artificial Intelligence Summit, the government’s Artificial Intelligence Vision and Action Plan for 2026–2030 was announced, setting out a roadmap to accelerate AI adoption, expand national AI infrastructure, support domestic AI technologies, and establish a human-centred AI governance framework. Among its headline targets are providing AI literacy training to five million people within two years, establishing a National Data Library, and increasing data centre capacity to at least 1 GW by 2030.
Developments in Digital Regulation
1. Constitutional Court Reshapes E-Commerce Platform Liability
In its decision dated 12 February 2026, the Constitutional Court annulled provisions broadly exempting e-commerce intermediary service providers from liability for defective goods and unlawful content in consumer transactions. The Court held that a uniform exemption failed to reflect the different roles platforms may play in online sales and could leave consumers without an effective remedy, particularly where the seller cannot be reached or is unable to compensate them.
The decision does not establish a new liability regime. The legislature must introduce a framework reflecting each platform’s actual involvement in the transaction. The annulled provisions will cease to have effect on 2 March 2027.
2. New Identity Verification and Subscription Rules for Electronic Communications Providers
Two amending regulations entered into force on 25 June 2026, introducing new identity verification and subscription requirements for electronic communications providers. The amendments expand permitted verification methods to include e-Government, electronic identity documents, and video verification, while introducing alternative procedures for certain foreign applicants.
They also revise subscription documentation requirements, introduce limits on the number of lines, and require operators to periodically verify subscriber information. Services may be restricted or deactivated where verification cannot be completed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]