Quick Read: Data Protection Law Updates In Türkiye – October 2025

November 2025 – In October 2025, the Turkish Personal Data Protection Authority (the "DPA") organised several events and announced four data breach notifications. In this edition of Quick Read, we highlight notable updates in both data protection and cybersecurity.

A New Era for Cybersecurity in Türkiye

Following the enactment of the Cybersecurity Law on 19 March 2025 and the establishment of the Cybersecurity Presidency, the first Head of the Cybersecurity Presidency was officially appointed on 24 October 2025.

This appointment is expected to accelerate the development of secondary legislation. You can find our summary note regarding this appointment here.

Türkiye Sets 2026 Finish Line for DP Law–GDPR Alignment

The Turkish Presidency's 2026 Annual Program, published in the Official Gazette on 30 October 2025, confirms that Türkiye aims to complete the alignment of Turkish Personal Data Protection Law ("DP Law") with the EU's GDPR in 2026.

In this respect, the Annual Program outlines a comprehensive digital policy agenda, including:

• Artificial Intelligence Governance – Establishing ethical and legal frameworks for AI and developing AI-based recommendation tools to assist the judiciary.
• Cybersecurity Enhancement – Strengthening the national cybersecurity framework in line with the EU's NIS2 Directive and developing secondary legislation inspired by the EU Cyber Resilience Act.
• Data Governance on Open Data – Implementing a National Data Strategy and Action Plan, introducing legal provisions to facilitate the sharing of public data, and launching a national open data portal.

DPA Updates Resources on VERBIS

On 7 October 2025, the DPA announced updates to its resources on the Data Controllers' Registry Information System (VERBIS). The following materials were revised in line with recent interface changes:

• Questions and Answers on VERBIS
• VERBİS Guideline

These documents, originally published to support data controllers in fulfilling their registration and notification obligations under the DP Law, were revised in light of recent changes made to the VERBİS interface.

You can find the relevant updated versions of Q&A VERBIS and VERBIS Guideline here (in Turkish only).

DPA Event Highlights

1. Data, Artificial Intelligence, and Law: Boundaries, Risks, Applications Conference

On 1 October 2025, the conference "Data, Artificial Intelligence and Law: Boundaries, Risks, Applications" was held at Bilkent University in collaboration with the DPA and the Data Protection Association.

The conference brought together experts in law, technology, and academia to discuss the legal and ethical implications of AI, alongside data protection and privacy, evaluating the rapidly evolving opportunities and risks.

During the event, the President of the DPA announced that a new guideline on generative AI will be published soon.

2. Seminar on Privacy-Enhancing Technologies in an AI Ecosystem and Synthetic Data

On 23 October 2025, as part of its weekly "Wednesday Seminars" series, the DPA hosted a session focusing on the intersection of artificial intelligence and data protection principles.

The seminar explored privacy-enhancing technologies and highlighted the concept of synthetic data (that is, data generated through algorithms, simulations, or generative models) and how analyses conducted on synthetic datasets can yield results comparable to those obtained from real data.

Data Breach Notification

• Cleverbridge GmbH notified the DPA of unauthorised access to its customer database following unusual API activity. Accordingly, identity, contact, customer transaction and finance data were compromised. The incident affected 1,235 individuals and occurred on 10 September 2025.
• Haydigiy E-Ticaret Tekstil Sanayi ve Ticaret Limited Şirketi notified the DPA of unauthorised access via a compromised administrator account that injected code into the website. The breach potentially affected contact, location, and finance data and impacted subscribers/members and customers/potential customers.
• Istanbul Golf Ihtisas Spor Kulübü reported to the DPA that a ransom note was observed on a data controller's computer on 15 October 2025 and that encryption attempts on local files failed. Accordingly, identity, contact, location, personnel (e.g., marital status, criminal record), and professional experience data were affected and subscribers/members were impacted.
• Mango T.R. Tekstil Tic. Ltd. Sti. notified the DPA of unauthorised access to customer data via a leaked administrator credential used for the API of its digital-marketing email platform. The attack targeted Mango's Spanish headquarters. Accordingly, customers' identity, contact and location data (e.g., country, postal code) were compromised. For Mango Turkey, 4,349,620 data subjects were affected.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.