ARTICLE
13 October 2025

Quick Read: Data Protection Law Updates In Türkiye – September 2025

KST LAW

Contributor

KST LAW logo

KST LAW is an independent Istanbul based full service corporate law firm in cooperation with Kinstellar.

We provide legal services relevant to all aspects of business in a wide variety of sectors. We operate to the highest international standards in managing cross border transactions or investments and providing practical and creative solutions to legal or regulatory issues.

KST LAW is proud to have an exceptional client base consisting some of the largest Turkish conglomerates, sector leaders in Turkey, multi-nationals, investment or private equity funds and financial institutions.

Explore Firm Details
In September 2025, the Turkish Personal Data Protection Authority (the "DPA") issued one decision, organised several events, and announced one data breach notification.
Turkey Privacy
Ceren Ceyhan,Hatice Nur Arslan, and Simge Erdem
Ceren Ceyhan’s articles from KST LAW are most popular:
  • within Privacy topic(s)
  • in United States
KST LAW are most popular:
  • within Privacy, Environment, Media, Telecoms, IT and Entertainment topic(s)
  • with readers working within the Banking & Credit industries

October 2025 – In September 2025, the Turkish Personal Data Protection Authority (the "DPA") issued one decision, organised several events, and announced one data breach notification. Below is a summary of key developments.

New Exemption Criteria for VERBIS Registration

On 4 September 2025, the DPA published Decision No. 2025/1572 (the "Decision"), introducing a new exemption from the requirement to register with the Data Controllers' Registry ("VERBIS").

Under this Decision, data controllers whose main activity involves processing sensitive (special category) personal data are exempt from VERBIS registration if they employ fewer than 10 people and have an annual balance sheet total below TRY 10 million (approx. EUR 200,000).

This exemption primarily benefits small-scale healthcare providers, such as pharmacies, medical and dental clinics that meet the above thresholds. Such data controllers may also deregister from VERBIS if already registered.

Importantly, this exemption does not relieve data controllers of other obligations under Personal Data Protection Law No. 6698 ("DP Law"). Obligations such as informing data subjects, ensuring data security, and responding to data subjects' requests continue to apply.

The existing VERBIS registration thresholds remain unchanged. Currently, the following data controllers are obliged to register with VERBIS:

  • Data controllers whose main activity does not involve the processing of special categories of personal data, if they:

– employ more than 50 employees; or

– have an annual financial balance sheet total exceeds TRY 100 million (approx. EUR 2 million).

  • Data controllers whose main activity involves the processing of special categories of personal data, if they:

– employ more than 10 employees; or

– have an annual financial balance sheet total exceeds TRY 10 million (approx. EUR 200,000);

  • Data controllers located abroad;
  • Data controllers that qualify as public institutions or organisations.

You can read our detailed summary of the Decision here.

DPA Event Highlights

1. 47th Global Privacy Assembly

On 15–19 September 2025, the DPA participated in the 47th Global Privacy Assembly in Seoul, hosted by the Korean Data Protection Authority.

Themed "AI in Our Daily Lives: Data and Privacy", the assembly gathered regulators, industry leaders, and academics to discuss issues such as health data protection and agentic AI. The DPA also held bilateral meetings with Apple and Meta on current technological developments.

2. Future's Digital Shield: Cybersecurity and Personal Data Protection Event

On 23 September 2025, as part of the "Anadolu Bilişim Buluşmaları" series, the DPA hosted an event titled "The Future's Digital Shield: Cybersecurity and Personal Data Protection," with participation from public and private sector representatives, experts, and academics.

In his opening remarks, the President of the DPA underlined that personal data protection serves as a key safeguard for individual rights, that cybersecurity is integral to data security, and that raising awareness is essential given that human error remains a major vulnerability.

The event featured panels on; "Digital Sovereignty and Public Assurance," "Personal Data Security in the Digital Age," and "AI-Supported Personal Data Protection"

During the event, the DPA shared the following statistics:

  • 54,594 notices, complaints, and applications received (with 52,683 concluded);
  • 1,827 data breach notifications received (378 publicly announced);
  • 1,307 legal opinions issued;
  • 13 undertakings approved for cross-border data transfers;
  • 3,088 standard contractual clause notifications received;
  • TRY 1,179,295,000 (approx. EUR 24.2 million) in total administrative fines imposed.

3. Wednesday Seminar

As part of its weekly "Wednesday Seminars," the DPA hosted a session with three experts focusing on implementing the right to erasure in AI systems, recent data protection developments in the Asia–Pacific region, and privacy/security considerations in surveillance technologies.

Data Breach Notification

  • Sinch AB notified the DPA of a cyberattack occurring between 28–30 August 2025, affecting 716 individuals. The incident compromised the identity, contact, and finance data of affected users.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Ceren Ceyhan
Ceren Ceyhan
Photo of Hatice Nur Arslan
Hatice Nur Arslan
Photo of Simge Erdem
Simge Erdem
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More