ARTICLE
30 June 2026

Quick Read: Technology Law Updates In Türkiye – May 2026

KST LAW

Contributor

KST LAW is an independent, Istanbul-based, full-service corporate law firm in cooperation with Kinstellar.

We provide legal services relevant to all aspects of business in a wide variety of sectors. We operate to the highest international standards in managing cross border transactions or investments and providing practical and creative solutions to legal or regulatory issues.

KST LAW is proud to have an exceptional client base consisting of some of the largest Turkish conglomerates, sector leaders in Turkey, multinationals, investment or private equity funds and financial institutions.

June 2026 – May saw several significant developments in Türkiye across the areas of data protection, artificial intelligence, cybersecurity, and digital regulation. Notable updates included the Turkish DPA's approval of Binding Corporate Rules for international data transfers, new guidance concerning reality television programs, constitutional developments affecting digital searches, and further public and private sector initiatives on AI governance.

In this edition of Quick Read, we highlight the most notable recent developments in data protection, cybersecurity, and digital regulation in Türkiye.

Developments in Data Protection

1. DPA approves binding corporate rules for cross-border data transfers

The DPA approved a Binding Corporate Rules (“BCRs”) application submitted by Sosyo-Plus Bilgi Bilişim Teknolojileri Danışmanlık Hizmetleri Ticaret A.Ş. (Insider One).

BCRs constitute an approved safeguard for cross-border transfers of personal data within multinational groups and establish binding principles and accountability mechanisms governing intra-group data transfers. The approval marks an important milestone in the implementation of Türkiye's international data transfer framework and is expected to serve as a significant precedent for organisations carrying out regular intra-group transfers of personal data.

2. Reality TV programs under regulatory scrutiny

The DPA published guidance on the processing of personal data in live reality TV programs. The guidance emphasises that live broadcasting does not automatically fall within the scope of freedom of expression and that producers and broadcasters remain subject to the obligations under the DP Law when processing personal data.

Among other matters, the guidance highlights the need to assess the public interest before broadcasting, implement appropriate technical safeguards, and comply with transparency, retention, and deletion requirements.

3. Constitutional Court annuls rules on digital search and seizure

Türkiye’s Constitutional Court annulled Article 134 of the Criminal Procedure Code, which governs the search, copying, and seizure of computers, computer programs, and digital records during criminal investigations.

In its decision, the Constitutional Court found that the existing framework lacked sufficiently clear safeguards regarding the examination, retention, and deletion of digital evidence and the protection of personal data stored on seized devices.

The Constitutional Court therefore concluded that the current framework constituted a disproportionate interference with the rights to privacy and the protection of personal data. The annulment will take effect following a nine-month transition period.

DPA Event Highlights

European DPA Spring Conference 2026 hosted in Antalya

The European Data Protection Authorities Spring Conference, a long-standing annual event held since 1991, took place in Antalya between 5 and 8 May 2026, hosted by the Turkish DPA.

The conference brought together representatives of data protection authorities, international organisations, and academia from the European Union, the European Economic Area, and other jurisdictions to discuss emerging privacy challenges, with particular focus on artificial intelligence, children’s data protection, and cross-border data transfers.

Data Breach Notification

The DPA’s data breach notifications published for May 2026 can be accessed from this link.

Developments in Cybersecurity

Information security guides updated

Türkiye’s Cybersecurity Presidency published updated versions of the Information and Communication Security Guide and the Information and Communication Security Audit Guide.

The amendments primarily reflect institutional changes following the transfer of responsibilities from the former Digital Transformation Office. Entities within the scope of the guidance are expected to continue conducting annual internal audits and reporting their compliance activities in line with the national information security governance framework.

Developments in Digital Regulation

Draft rules for unmanned aircraft systems and privacy

The Directorate General of Civil Aviation published a draft Instruction on Unmanned Aircraft Systems containing several provisions directly related to personal data protection.

Under the draft, operators using unmanned aircraft systems (e.g., drones) equipped with cameras, microphones, thermal sensors, or location tracking technologies would be recognised as data controllers under the DP Law.

Among other matters, the draft introduces requirements relating to:

  • visible privacy notices and electronic notices during flights in public spaces;
  • limiting the processing of image, audio, and location data to specified purposes;
  • responding to data subject requests, including requests to erase individuals from recorded scenes;
  • incorporating data protection procedures into operational manuals; and
  • providing privacy and data protection training for unmanned aircraft pilots.

The draft also envisages the introduction of privacy-based geographical restrictions on drone operations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
