Quick Read: Data Protection Law Updates In Türkiye – July 2025

August 2025 – In July 2025, the Turkish Personal Data Protection Authority (the 'DPA') published several bulletins, organised two seminars, and announced three data breach notifications.

Selected Global Updates Bulletins

On 1 July 2025, the DPA published its 45th Selected Updates Bulletin, covering recent global developments in data privacy, technology, and artificial intelligence. Key highlights included:

• the UK's adoption of comprehensive amendments to its data protection legislation;
• annual reports and AI-related guidance issued by the Irish and French authorities;
• the OECD's emphasis on privacy-enhancing technologies in AI systems;
• the introduction of new U.S. rules on children's online privacy.

You can find the 45th edition of this bulletin here (in Turkish only).

On 29 July 2025, the DPA published its 46th Selected Updates Bulletin focusing on the European Commission's final Guidelines under the Digital Services Act on protecting minors online. Recommendations include:

• default private settings for minors' accounts;
• restrictions on harmful design features; and
• enhanced safeguards against cyberbullying.

This edition also drew attention to new tools and reports from EU data protection authorities (e.g., CNIL's self-assessment tool, AP's guidance on algorithmic decision-making, and ICO's annual report).

You can find the 46th edition of this bulletin here (in Turkish only).

Academic Insights: Congress Proceedings

On 25 July 2025, the DPA published the proceedings booklet of the "II. International Personal Data Protection Congress", to be held in November 2025 in cooperation with Bilkent University Faculty of Law under the theme "Privacy in the Digital Age." The booklet compiles full and summary texts of 32 presentations, covering diverse aspects of personal data protection.

You can find this booklet here (in Turkish only)

Wednesday Seminars

16 July 2025 – Assessment of DP Law & GDPR in the Context of National Security: As part of the Wednesday Seminar series organised by the DPA, the Head of the Department of Information and Technology Law at Hacettepe University delivered a presentation on "Assessment of DP Law & GDPR and Judicial Decisions in the Context of National Security."

The presentation examined the relevant provisions under the GDPR, the European Convention on Human Rights, and the Turkish Personal Data Protection Law No. 6698 ("DP Law"), with a focus on how these legal instruments and judicial decisions interact in the context of national security.

30 July 2025 – Seminar on the DPA as an Independent Administrative Authority: Another seminar in the series was delivered by a Personal Data Protection Specialist of the DPA. The seminar focused on the establishment, structure, and functional characteristics of the DPA.

Data Breach Notifications

• Louis Vuitton Çantacılık Ticaret Ş. notified the DPA of unauthorised access that affected their customer database. Accordingly, 142,995 individuals were affected. Customer and potential customer identity and contact data was compromised.
• Bold LLC notified the DPA of a cyberattack that affected subscribers' personal data. Accordingly, identity, contact, professional information, visual record data, and other type of data were compromised, and 3,168 individuals were affected.
• Yatırım Finansman Menkul Değerler A.Ş. notified the DPA that their servers were subjected to a ransomware attack carried out by an international and specialised threat group. The number of data subjects affected, the groups of data subjects, and the categories of personal data have not yet been identified.