Authority Warns Public Institutions Against Use of Foreign Messaging Apps

The Turkish Personal Data Protection Authority ("DPA") announced on 29 January 2026 that the use of foreign electronic communications applications such as WhatsApp and Telegram as a communication tool in public institutions is contrary to Presidential Circular No. 2019/12 on 'Information and Communication Security Measures' published in the Official Gazette dated 06.07.2019 and numbered 30823, as such applications do not have any data centres established in Türkiye.

The relevant Circular emphasised that domestic applications should be preferred for communication in public institutions and official documents containing confidential or otherwise sensitive information should not be shared via these platforms.

It also noted that sharing official information and documents via these applications could constitute a personal data processing activity and must comply with the data processing conditions set out in the Personal Data Protection Law ("Law"); otherwise, administrative sanctions may apply.

DPA Issues 10th Bulletin Covering September–December 2025

On 26 January 2026, the DPA shared with the public the 10th issue of its Bulletin covering September-December 2025, summarising developments over the past three months and matters on the DPA agenda. The Bulletin focused on the relationship between digital literacy and personal data protection. Providing a general framework on digital literacy, the DPA announced that it had organised seminars on secure digital literacy in 16 cities across Turkey. The concept of digital privacy was defined, and suggestions were made for adults and children on how to use digital platforms safely.

The DPA also emphasised the importance of selecting privacy-secure mobile applications and made recommendations for protecting personal data, including location, audio, and image data. Furthermore, it emphasised that, to ensure cybersecurity, passwords should be multi-segmented, consisting of upper- and lowercase letters and symbols.

DPA Limits the Period for Which Data Breach Notifications Must Remain Posted to 60 Days

In its announcement on 20 January 2026, the DPA reminded data controllers that they must report personal data breaches within 72 hours and that the data subjects must be notified as soon as possible. The DPA had been publishing breaches on its website without a time limit, considering factors such as the nature of the breach, the number of individuals affected, and the level of risk. However, with this announcement, it stated that it would remove the publication within 60 days of the notification date, provided that the party responsible for the breach proves that it notified the relevant parties before publication. The publication of breaches aims to minimise the damage caused by the breach, and this approach strikes a balance between this objective and the interests of the data controller concerned.

DPA Clarifies Consent Requirements for Push Notifications

In its announcement dated 14 January 2026, the DPA noted that consent for push notifications is typically obtained at the time of downloading the relevant application, but that the consent covers multiple purposes. It stated that consent given for the purpose of tracking operational processes related to orders also forced users to accept campaign and advertising-related notifications, that this situation violated the principle of 'granularity' (requiring explicit consent for each purpose), and that it therefore could not be considered "freely given explicit consent." The DPA invited data controllers to make the necessary changes to enable data subjects to manage their preferences by separating specific purposes in accordance with the granularity principle.

Authority Clarifies VERBIS Exemption Criteria for Non-Balance Sheet Controllers

On 12 January 2026, the DPA published a public announcement that clarifies how VERBIS registration exemptions apply to data controllers that do not keep accounting books on a balance sheet basis, based on Board Decision No. 2025/2393 (25 December 2025).

Under the clarified approach, data controllers maintaining accounts on a balance sheet basis must meet both the annual employee threshold and the financial balance sheet threshold cumulatively to benefit from the exemption. However, for controllers that do not keep balance sheet accounts, the exemption assessment will be based solely on the annual number of employees.

The DPA clarification is particularly relevant for small and micro-sized enterprises and underscores that failure to register with VERBIS where required may result in administrative sanctions under Law No. 6698.

The DPA announced the following data breach notifications in January:
