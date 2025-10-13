Ceren Ceyhan’s articles from KST LAW are most popular:

October 2025 – In September 2025, the Turkish Personal Data Protection Authority (the "DPA") issued one decision, organised several events, and announced one data breach notification. Below is a summary of key developments.

New Exemption Criteria for VERBIS Registration

On 4 September 2025, the DPA published Decision No. 2025/1572 (the "Decision"), introducing a new exemption from the requirement to register with the Data Controllers' Registry ("VERBIS").

Under this Decision, data controllers whose main activity involves processing sensitive (special category) personal data are exempt from VERBIS registration if they employ fewer than 10 people and have an annual balance sheet total below TRY 10 million (approx. EUR 200,000).

This exemption primarily benefits small-scale healthcare providers, such as pharmacies, medical and dental clinics that meet the above thresholds. Such data controllers may also deregister from VERBIS if already registered.

Importantly, this exemption does not relieve data controllers of other obligations under Personal Data Protection Law No. 6698 ("DP Law"). Obligations such as informing data subjects, ensuring data security, and responding to data subjects' requests continue to apply.

The existing VERBIS registration thresholds remain unchanged. Currently, the following data controllers are obliged to register with VERBIS:

Data controllers whose main activity does not involve the processing of special categories of personal data, if they:

– employ more than 50 employees; or

– have an annual financial balance sheet total exceeds TRY 100 million (approx. EUR 2 million).

Data controllers whose main activity involves the processing of special categories of personal data, if they:

– employ more than 10 employees; or

– have an annual financial balance sheet total exceeds TRY 10 million (approx. EUR 200,000);

Data controllers located abroad;

Data controllers that qualify as public institutions or organisations.

You can read our detailed summary of the Decision here.

DPA Event Highlights

1. 47th Global Privacy Assembly

On 15–19 September 2025, the DPA participated in the 47th Global Privacy Assembly in Seoul, hosted by the Korean Data Protection Authority.

Themed "AI in Our Daily Lives: Data and Privacy", the assembly gathered regulators, industry leaders, and academics to discuss issues such as health data protection and agentic AI. The DPA also held bilateral meetings with Apple and Meta on current technological developments.

2. Future's Digital Shield: Cybersecurity and Personal Data Protection Event

On 23 September 2025, as part of the "Anadolu Bilişim Buluşmaları" series, the DPA hosted an event titled "The Future's Digital Shield: Cybersecurity and Personal Data Protection," with participation from public and private sector representatives, experts, and academics.

In his opening remarks, the President of the DPA underlined that personal data protection serves as a key safeguard for individual rights, that cybersecurity is integral to data security, and that raising awareness is essential given that human error remains a major vulnerability.

The event featured panels on; "Digital Sovereignty and Public Assurance," "Personal Data Security in the Digital Age," and "AI-Supported Personal Data Protection"

During the event, the DPA shared the following statistics:

54,594 notices, complaints, and applications received (with 52,683 concluded);

1,827 data breach notifications received (378 publicly announced);

1,307 legal opinions issued;

13 undertakings approved for cross-border data transfers;

3,088 standard contractual clause notifications received;

TRY 1,179,295,000 (approx. EUR 24.2 million) in total administrative fines imposed.

3. Wednesday Seminar

As part of its weekly "Wednesday Seminars," the DPA hosted a session with three experts focusing on implementing the right to erasure in AI systems, recent data protection developments in the Asia–Pacific region, and privacy/security considerations in surveillance technologies.

Data Breach Notification

Sinch AB notified the DPA of a cyberattack occurring between 28–30 August 2025, affecting 716 individuals. The incident compromised the identity, contact, and finance data of affected users.

