ARTICLE
17 July 2026

Data Protection In Türkiye - General Approach, Current Practices And The Processing Of Special Categories Of Personal Data

G+
Gun + Partners

Contributor

Gün + Partners is a full-service institutional law firm with a strategic international vision, providing transactional, advisory and dispute resolution services since 1986. The Firm is based in Istanbul, with working offices Ankara and Izmir. The Firm advises in life sciences, energy, construction & real estate, technology, media and telecoms, automotive, FMCG, chemicals and the defence industries.”
The primary legislation governing the protection of personal data in Türkiye is the Personal Data Protection Act No. 6698 (the “Law”), which came into force in 2016.
Turkey Privacy
Gun + Partners are most popular:
  • within International Law topic(s)

The primary legislation governing the protection of personal data in Türkiye is the Personal Data Protection Act No. 6698 (the “Law”), which came into force in 2016.

The Law, which was drafted on the basis of the European Council’s Data Protection Directive 95/46/EC, is influenced by the provisions of the European Union’s General Data Protection Regulation 2016/679 (“GDPR”), whilst its implementation is influenced by both the GDPR and the decisions of European data protection authorities.

The Law adopts similar objectives and fundamental concepts to the GDPR and contains provisions that are very similar in terms of the fundamental principles relating to the protection of personal data. However, the Law generally has a more limited, prescriptive and less detailed structure compared to the GDPR.

Developments and approaches in European data protection law are monitored by the Personal Data Protection Authority (the “Authority”).

The Law No. 7499 on the Code of Criminal Procedure and Amendments to Certain Laws (the “Amendment”), which came into force in 2024, has been one of the most significant steps to date in bringing Türkiye’s data protection law into line with GDPR standards. Under the Amendment Act, significant changes regarding the processing of special category personal data, cross-border data transfers, administrative sanctions and appeals against administrative fines came into force on 1 June 2024. In parallel with the Amendment, the Regulation on the Procedures and Principles Governing the Transfer of Personal Data Abroad was also drafted and entered into force upon its publication in the Official Gazette dated July 10, 2024.

The Board’s decisions and announcements from 2025 and early 2026 indicate that certain common errors in practice have been specifically targeted. There has been great confusion between the duty to provide information, explicit consent, consent for commercial electronic communications and marketing permissions. In its principle decision regarding sending of verification codes via SMS to data subjects during the provision of products and services, the Board emphasized that the purpose of SMS codes sent during transactions such as payments, membership, account registration or invoice generation must be clearly communicated to the data subjects; it also stressed that practices involving the obtaining of different legal consents—such as membership agreement consent, personal data processing consent and consent for commercial electronic communications—through a single action must be discontinued. This approach is a concrete reflection in practice of the fundamental principle that explicit consent must be specific to a particular matter, informed and freely given.

Similarly, in a public announcement published at the beginning of 2026 regarding push notifications sent via mobile applications, it was stated that combining operational notifications with those for advertising, campaign and marketing purposes under a single consent would not be lawful. Notifications regarding order status, parcel tracking or those directly linked to the provision of the service serve different purposes from campaign and advertising notifications. Consequently, forcing users to accept marketing notifications in order to use the service could undermine the element of free will inherent in explicit consent. In this regard, data controllers—particularly in relation to digital platforms and mobile applications, must design preference management mechanisms in accordance with the principles of ‘segmented explicit consent’ and ‘specificity’.

The Board’s decision on the principle regarding the recording of photocopies of Turkish identity cards of individuals receiving accommodation services in the tourism and hospitality sector is another significant development in 2025. Whilst the Board acknowledges that the recording of identity details in the context of accommodation services may be lawful within the framework of statutory obligations, it has assessed that taking and recording a photocopy of the identity document results in the processing of more data than is necessary and that this practice lacks a legal basis. This decision demonstrates that the principles of data minimization, purpose limitation and proportionality must be strictly observed in day-to-day commercial practices.

The processing of special category personal data was also one of the areas on which the Authority placed particular emphasis in 2025. Under the Law, special category personal data is defined in a limited manner as data relating to a person’s race, ethnic origin, political opinions, philosophical beliefs, religion, denomination or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. Prior to the Amendment, the processing of special category personal data was largely centered on the principle of explicit consent; significant issues were encountered, particularly in employer-employee relationships, health data processing procedures and processing activities arising from legal obligations, where explicit consent lacked a sound practical or legal basis.

With the amendment, the conditions for processing special category personal data have been expanded, and the previous distinction between data relating to health and sexual life and other special category personal data has been removed. Consequently, a broader set of legal grounds applicable to all special categories of personal data has been established. Whilst the data subject’s explicit consent remains a valid condition for processing, the processing of data without obtaining explicit consent has become the primary practice where the legal grounds listed in the Law are present.

Accordingly, all special category personal data (including health data and personal data relating to sexual life) may be processed where the following legal grounds exist:

  • (i) The data subject’s explicit consent,
  • (ii) Where expressly provided for by law,
  • (iii) Where it is necessary to protect the life or physical integrity of the data subject or another person, in cases where the data subject is unable to express their consent due to practical impossibility or where their consent is not legally valid,
  • (iv) Where the processing relates to personal data that the data subject has made public and is in accordance with their intention to make it public,
  • (v) Where the processing of data is necessary for the establishment, exercise or defence of a legal claim,
  • (vi) Where it is necessary for the protection of public health, the provision of preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons subject to a duty of confidentiality or by authorised institutions and organisations,
  • (vii) It is necessary for the fulfilment of legal obligations in the fields of employment, labour and social security or social services,
  • (viii) Where such processing is carried out by foundations, associations and other non-profit organisations or bodies established for political, religious or trade union purposes, provided that it complies with the legislation to which they are subject and their objectives, is limited to their areas of activity, and is not disclosed to third parties; and is directed at their current or former members and affiliates, or at persons who are in regular contact with such organisations and bodies.

The Guidance on the Processing of Special Categories of Personal Data, published in 2025, has set out the practical implications of these changes in somewhat greater detail. The Guidelines emphasize that there is no hierarchical distinction between explicit consent and other grounds for processing; however, if an appropriate ground for processing other than explicit consent exists, the data controller should not additionally seek explicit consent. This approach demonstrates that the common practice of ‘obtaining explicit consent just in case’ may pose a risk of contravening the law and the principle of good faith. Consequently, data controllers must identify the specific legal basis for each processing activity involving special category personal data separately, use explicit consent only where it is genuinely necessary, and draft information notices in accordance with this legal basis.

In this context, it will not be sufficient for data controllers to merely update their existing compliance documents in a superficial manner. With regard to the processing of special category personal data, it is necessary to reassess personal data processing inventories, privacy notices, consent forms, retention and destruction policies, and data security measures. In particular, the applicability of legal grounds other than explicit consent must be carefully analysed in relation to health data processed within the scope of occupational health and safety obligations during recruitment processes, employees’ criminal convictions or security measure information, trade union membership data, biometric access systems, and data processing activities in the healthcare sector.

Consequently, developments in 2025 and early 2026, along with the Board’s latest decisions and announcements, demonstrate that data controllers can no longer rely solely on general information notices and standard consent forms; each data processing activity must be assessed individually in terms of its purpose, legal basis, impact on the data subject, data minimization and preference management mechanisms. It is expected that, particularly with regard to special categories of personal data, the conduct of compliance work on a process-based rather than a document-based basis will remain one of the most important agenda items for data controllers in 2026 as well.

Transfer of Personal Data Abroad

Prior to the amendments, under the Law, personal data could generally be transferred abroad with the data subject’s explicit consent, as the scope of application of other legal grounds set out in the legislation was either non-existent or unenforceable. Since the Law’s publication in 2016, the fact that the Board had not yet drawn up a list of countries providing adequate protection had, in practice, confined the issue of cross-border transfers of personal data to a very narrow and challenging scope, and had resulted in obtaining explicit consent remaining the only method applicable to such transfers.

Significant steps addressing this issue, which had also been adversely affecting commercial relations, came into force on 1 June 2024 alongside the Amendment.

The Amendment introduces a three-stage assessment system for the transfer of data abroad. Within this framework, the amendments that have come into force stipulate that personal data may be transferred abroad in accordance with the scope of an adequacy decision issued by the Board, provided that one of the legal grounds for processing set out in the Law is present and an adequacy decision has been issued; in cases where no adequacy decision exists, in addition to the existence of one of the processing conditions set out in the Law, one of the appropriate safeguards must be provided, subject to the condition that the data subject has the opportunity to exercise their rights and have recourse to effective legal remedies in the country to which the data is to be transferred.

Where appropriate safeguards cannot be provided either, recourse may be had to limited exceptions, provided that such exceptions are of an occasional nature.

With this amendment, appropriate safeguards have been defined as agreements not constituting international treaties concluded between public bodies and organisations or international organisations, binding corporate rules, standard contractual clauses and undertakings authorised by the Board. In this respect, the Law has shifted the cross-border data transfer regime away from a structure centered on explicit consent towards one based on corporate safeguards, bringing it closer to the GDPR.

The year 2025 is significant as it marks the first full year of implementation of this new system for cross-border data transfers. According to the Authority’s 2025 Annual Activity Report, 2,497 standard contract notifications were submitted to the Authority during the year. In contrast, regarding the commitment letter mechanism, 90 applications were submitted to the Authority in 2025; authorisation for data transfers was granted in 13 cases, refused in 76 cases, and the review of one application was still ongoing at the end of the year. This table demonstrates that the undertaking mechanism remains a more limited and strictly assessed method, whilst standard contracts have become the most practical and widely used means of providing appropriate safeguards in practice.

The Authority’s 2025 annual report states that ex officio investigations were initiated into 70 of the standard contract notifications received by the Authority; 21 of these were concluded, and in 3 of the concluded investigations, administrative fines totaling 150,000 TRY were imposed. It appears that these shortcomings and the fines imposed stemmed primarily from a failure to comply with the necessary procedural requirements and a failure to notify the Board in a timely manner.

The Authority’s announcement that an application for binding corporate rules was approved by the Board in 2026 indicates that binding corporate rules may begin to be used as a more concrete transfer mechanism, particularly for multinational corporate groups. Whilst the preparation and approval processes are expected to be longer and more comprehensive than those for standard contracts, it should also be borne in mind that binding corporate rules may offer a more permanent and institutionalized solution for intra-group data transfers.

Under the new framework for cross-border data transfers, explicit consent is no longer the primary basis for routine and regular transfers. Cross-border transfers based on explicit consent are now regulated as an exceptional method, to be used only in cases of occasional transfers, provided that the data subject is informed of the potential risks, where no adequacy decision exists and none of the appropriate safeguards can be provided. Consequently, data controllers continuing to rely on explicit consent for cross-border data transfers within the scope of ongoing business processes will create a significant compliance risk.

Under Turkish law, there is no general or absolute data localisation obligation with regard to personal data. The law does not require personal data to be stored in Türkiye as a general rule; instead, it subjects the transfer of such data abroad to certain conditions. However, Turkish law does impose explicit data localisation or domestic system hosting obligations in certain sectors. Under sector-specific regulations governing banking, payments and electronic money, capital markets, electronic communications and certain public/critical infrastructure activities, there are specific rules regarding the retention in Türkiye of information systems, primary and secondary systems, backups, log records or certain records and documents. For this reason, companies operating in regulated sectors in particular must assess data transfers abroad not only within the framework of Article 9 of the Law, but also in conjunction with the relevant cybersecurity obligations.

Consequently, developments in 2025 and early 2026 indicate that the regime governing data transfers abroad in Türkiye has now evolved into a more institutionalized, documented and auditable framework. Although challenges persist in the implementation process regarding notifications and certain procedural obligations, standard contractual clauses are becoming the primary method in practice, whilst the prominence of other safeguards—such as binding corporate rules and agreements with public or international organizations is also increasing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More