- within International Law topic(s)
The Personal Data Protection Authority (the “Authority”) has issued guidelines and publications principle decisions and public announcements, with the efforts to raise awareness and enhance effectiveness in the field of personal data protection for the effective implementation of the Personal Data Protection Act No. 6698 (the “Law”), and we have seen significant developments regarding the proper handling of intersections with areas such as competition, cyber security, artificial intelligence (AI), digital ethics and other relevant legal fields.
In 2025, significant steps continued to be taken towards establishing a regulatory framework for artificial intelligence in Türkiye. Although a comprehensive and standalone artificial intelligence law has not yet come into force, legislative proposals, national AI action plans, the approach of the data protection authority and the guidance and publications it has issued specifically for this field, when considered alongside the influence of European Union regulations, it became apparent that Türkiye is on track to introduce a more comprehensive, risk-based and internationally compliant AI regulatory framework in the near future.
For data controllers, this has been a period characterized by intensive compliance efforts, particularly regarding data transfers abroad.
Digital platforms were a particular focus of the Board, given the risks they pose to individuals’ privacy due to large-scale data collection, processing and sharing processes, and the increasingly central role they play in users’ lives.
The Authority’s activity report for 2025 indicates that both supervisory and enforcement activities, as well as guidance and awareness-raising initiatives, continued at a high pace in the field of personal data protection. Following the significant amendments to the Law that came into force in 2024, 2025 was a year in which new trends in practice became more apparent, particularly regarding data transfers abroad, standard contractual clauses, the Data Controllers’ Registry (“VERBİS”) obligations, data breach notifications and data subject requests. The data published in the Authority’s report for 2025 reveals, on the one hand, an increase in compliance awareness amongst data controllers and, on the other hand, that the risk of sanctions remains significant, particularly in relation to procedural obligations, the obligation to register with VERBİS and data security processes.
Year In Review with Data from the 2025 Report
During 2025, the Board imposed administrative fines totaling TRY 352,510,494 on a total of 876 data controllers. An analysis of the distribution of these fines reveals that they were predominantly imposed for failure to comply with the data controllers’ VERBIS registration obligation and with notification obligations and not complying with security measures.
It is stated that 12,512 reports and complaints were received by the Authority in 2025; together with cases carried over from previous years, an investigation process was conducted regarding a total of 15,578 applications. The vast majority of concluded applications were rejected on the grounds that they did not meet procedural requirements or fell outside the scope of the Law and this demonstrates that there remains a need for greater awareness regarding the proper exercise of data subjects’ rights.
With regard to data breaches, it is stated that 328 data breach notifications were submitted to the Authority in 2025; of these, 105 were concluded, 51 were published by the Authority, and investigations into 223 were still ongoing as at the end of the year. These figures demonstrate that, for data controllers, data breach response plans, internal reporting mechanisms and the processes for notifying the Authority remain of paramount importance.
In the area of data transfers abroad, it is evident that the standard contractual clauses mechanism has been widely adopted in practice. It has been reported that 2,497 standard contract notifications were submitted to the Authority in 2025. In contrast, regarding the undertaking mechanism, authorisation was granted for only 13 out of 90 applications, 76 applications were rejected, and the review of one application is ongoing. This situation demonstrates that standard contracts have become a more practical and widely used means of providing adequate safeguards in cross-border data transfer processes. Further we have also seen the first approval for corporate binding rules on May 20, 2026.
New Decision on the Publication of Data Breach Notifications
In 2025, a significant change occurred in the Authority’s approach to the publication of data breach notifications. Decision to publish data breach notifications on the Authority’s website for a limited period of time (1 month) has provided an approach more in line with the fundamental principles of the Law, reducing the disproportionate reputational impact on data controllers and thereby contributing to the protection of their trademark and commercial reputation.
Key Guidelines
Best Practice Guideline on the Protection of Personal Data in Banking Sector has been updated, and, in line with the legislative amendment concerning the processing of special category personal data, the Guideline on the Processing of Special Category Personal Data has been prepared to provide guidance to data controllers so that, where special category personal data is processed, they may process such data on the basis of valid legal grounds and fulfil their obligations in accordance with the Law
The Guideline on Best Practices for the Protection of Personal Data in the Payment and Electronic Money Sector has been published to ensure the protection of individuals’ personal data whilst they use services such as money transfer services, POS services, bill payment intermediary services and mobile payment services, and to provide guidance to data controllers operating in the relevant sector.
The “Guideline on Generative Artificial Intelligence and the Protection of Personal Data” has been published to provide insight on the impact of generative artificial intelligence systems in the context of personal data protection, to encourage an approach that respects individuals’ privacy in the development and use of these systems, and to provide guidance to actors acting as data controllers regarding personal data processing activities carried out throughout the system’s lifecycle.
Principal Decisions and Public Announcements
Principal Decision No. 2025/1072, published in June 2025, aimed to address legal non-compliance in common practices regarding the processing of personal data through the sending of verification codes via SMS to data subjects during the provision of products and services. The decision specifically criticizes the use of verification codes for the purpose of obtaining commercial electronic communications consent or explicit consent, and the presentation of this process as an essential part of the service; it highlights that such practices breach the requirements that explicit consent must be based on free will and informed consent. In this context, the Board has mandated that data subjects be provided with clear and comprehensible information regarding the purpose and consequences of SMS verification codes; that separate explicit consent be obtained for different data processing activities (such as membership, data processing authorisation and consent to commercial communications); and that consent to commercial communications must not be presented as a mandatory element of the provision of a product or service.
Principal Decision on the Recording of Photocopies of Turkish Identity Cards of Persons Receiving Accommodation Services in the Tourism and Hospitality Sector, published in December 2025, assessed that obtaining photocopies of identity cards from persons receiving accommodation services constitutes excessive data processing and that there is no legal basis for this processing. Furthermore, attention was drawn to the risk of processing special categories of personal data, such as religion and blood group, which may be included in identity card photocopies. In this context, the Board decided that accommodation establishments must cease the practice of collecting identity card photocopies and that data obtained in this manner in the past must be destroyed in accordance with Article 7 of the Law.
In its Public Announcement published in January 2025 entitled “Fulfilment of the Duty to Provide Information within the Scope of Mediation Activities” stated that, with regard to personal data processed within the scope of mediation activities, the mediator must fulfil the duty to provide information by additionally informing the data subjects of the matters listed in Article 10 of the Law/
In August 2025, a Public Notice regarding sharing of debt information by accessing the telephone numbers of relatives of the relevant individuals who are debtors, via the creditors’ representatives, has been published to ensure that personal data processing activities are carried out in accordance with the Law with regard to the processing of personal data of relevant individuals in the capacity of debtors and third parties in the capacity of relatives of relevant individuals who are not involved in the matter during professional activities carried out by creditors’ representatives in the course of debt collection.
Latest Developments – First half of 2026 – Key Principal Decisions
Pursuant to Board’s Principal Decision No. 2026/266 dated February 11, 2026 regarding the use of a loyalty card member’s mobile phone number or loyalty card number by a third party during a purchase, it was determined that applications enabling purchases to be made by third parties using a loyalty card number or mobile phone number without verification are unlawful, and data controllers were obliged to establish effective verification mechanisms to confirm that transactions take place with the knowledge and consent of the data subject. This decision clearly demonstrates that data security obligations are not limited to technical measures alone but also encompass processes ensuring the accuracy and authorisation of user transactions and has become one of the most important agenda items for professionals working in the field of data protection law as of 2026.
Principal Decision No. 2026/347 dated February 18, 2026, the Board provided detailed explanations regarding the need to prepare information notices separately from consent forms, as it was observed that these were not being correctly applied in practice.
Under Principal Decision No. 2026/921, dated April 29, 2026, the processing of biometric data for the purpose of working time monitoring in the workplace is addressed in detail; it sets out general principles and outlines the restrictions on the processing of special categories of data, such as biometric data.
It is also expected that the Authority’s approach to artificial intelligence-based systems will become more apparent in 2026. Developments in the first quarter of the year support this forecast; a public announcement regarding Google Assistant stated that an ex officio investigation had been launched following allegations that users’ private conversations had been recorded without consent due to devices being triggered inadvertently; this situation demonstrates that AI-powered voice assistants have become a direct subject of scrutiny in terms of privacy, data security and legal compliance.
Similarly, in a Public Announcement regarding the Grok AI system, practices involving the processing of user data for model training purposes were also subject to scrutiny; it was emphasized that a lack of transparency and user control (opt-out mechanisms) posed a significant compliance risk.
Another notable development in 2026 is the growing trend towards regulation aimed at protecting children in the digital environment. In a notice published by the Authority in February 2026, ex officio investigations were launched into various service providers—primarily major platforms—regarding the processing of children’s personal data in connection with their use of social media. This development indicates that the principle of ‘the best interests of the child’ is now being applied more actively in data protection law and that the platform economy, in particular, will be subject to stricter scrutiny with regard to child users.
When all these developments are considered together, it is evident that, as of the first quarter of 2026, data protection law has evolved into a more dynamic and interventionist framework, focusing not only on traditional data processing activities but also on areas such as artificial intelligence applications, user verification processes, digital platforms and vulnerable user groups (particularly children). In the coming period, this approach is expected to continue and strengthen further, with the concretization of regulations specific to artificial intelligence and the introduction of more detailed sector-specific obligations.
New Development – Constitutional Court Ruling – The Principle of Legality
Finally, the Constitutional Court’s decision dated January 27, 2026, numbered 2020/32193, concerning the application by Viennalife Emeklilik ve Hayat A.Ş., was published in the Official Gazette dated June 16, 2026, issue number 33282. In the decision, it was ruled that the principle of legality in criminal law and penal procedure had been violated with regard to the administrative fine imposed under the obligation to prevent the unlawful processing of personal data; it was noted that the basis for the administrative fines previously imposed by the Authority was not provided for in law, and this decision has sparked significant debate. This decision has highlighted the need for a more detailed regulation of offences under the Law and is interpreted as potentially accelerating the changes required for compliance with the GDPR.
Cybersecurity Act – Establishment of Cybersecurity Authority
In 2025, the Cybersecurity Authority (SGB) was established, while the Digital Transformation Office was abolished and its powers and responsibilities were transferred to the SGB. This institutional reform integrates data security, the protection of critical infrastructure, log management, incident response, and data governance as integral components of digital transformation initiatives. The new regulatory framework imposes both technical and administrative obligations concerning data security and digital infrastructure and introduces new audit and notification requirements as well as administrative monetary sanctions for non-compliance.
In mid-2026, a legislative proposal was submitted to the Turkish Grand National Assembly to transfer the Information and Communication Technologies Authority's (BTK) internet-related powers and responsibilities to the Cybersecurity Authority (SGB). At the same time, the proposal seeks to strengthen BTK’s role as the sectoral regulator of the electronic communications market, while assigning the implementation and enforcement of Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through Such Publications to the SGB. When enacted, these reforms would significantly expand the SGB's regulatory and supervisory authority in the digital sphere, positioning it as the central public authority responsible for cybersecurity and internet governance in Türkiye.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]