ARTICLE
17 July 2026

Two-Minute Recap Data Protection Law Matters In Türkiye

GT
Gen Temizer

Contributor

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.
The DPA published a public announcement regarding the Board’s Principle Decision dated 29 April 2026 and numbered 2026/921, concerning the processing of biometric data for tracking employee working hours.
Turkey Privacy
Gen Temizer are most popular:
  • within Strategy, International Law and Tax topic(s)

DPA Issues Principle Decision on Biometric Data Processing for Workplace Attendance Tracking

The DPA published a public announcement regarding the Board’s Principle Decision dated 29 April 2026 and numbered 2026/921, concerning the processing of biometric data for tracking employee working hours.

According to the announcement, using biometric authentication systems (such as fingerprints, facial recognition, iris/retina scans) for attendance tracking creates a legal conflict with data protection principles. Due to the structural power imbalance in employment relationships, relying solely on explicit consent is deemed insufficient and legally unstable, as employees lack a truly free will to object or withdraw consent. Furthermore, since there is no explicit statutory provision requiring attendance to be tracked via biometrics, such practices fail to meet the “proportionality” and “data minimization” principles under Article 4 of the Personal Data Protection Law (“the Law”), especially when less intrusive alternative methods exist.

Consequently, the Board decided that data controllers must utilize alternative tracking methods; such as PIN/password systems, traditional paper sheets, RFID/NFC cards, or manual logs under supervision, instead of biometric systems. Ensuring compliance with this rule is considered a mandatory technical and administrative security measure under Article 12 of the Law, and data controllers who fail to comply will face administrative sanctions pursuant to Article 18 of the Law.

DPA Regulates Security Camera Usage in Apartment Buildings

The DPA published a public announcement clarifying the legal boundaries for residential datacontrollers, suchasapartmentandcomplex managements, when deploying security camera systems in common areas. While cameras can be legally installed for legitimate security, crime prevention, and property protection purposes under Condominium Law No. 634, the resulting data processing must strictly comply with the fundamental privacy and data protection principles of the Law.

According to the announcement, camera placement must carefully respect residents’ reasonable privacy expectations. Systems must not monitor stairwells or private apartment entrances in a way that reveals the inside of a home, and highly intrusive technologies like audio recording or facial recognition are strictly prohibited. Furthermore, surveillance inside confined spaces like elevators requires explicit justification, while all captured footage must be kept only for a reasonable duration with access restricted to authorized personnel. Data controllers are also required to post clear signs or privacy notices in the monitored areas to fulfill their legal obligation to inform residents and visitors.

Consequently, implementing these specific guidelines is deemed a mandatory technical and administrative security measure under Article 12 of the Law. The DPA explicitly warned that residential managements failing to comply with these standards will face administrative fines and legal sanctions pursuant to Article 18 of the Law.

DPA Issues Guidance on Security Camera Usage in Workplaces

The DPA published a public announcement clarifying the legal boundaries for workplace securitycameras. While surveillance ispermitted for legitimate purposes like ensuring workplace safety and crime prevention under Laws No. 6098 and 6331, employers must strictly comply with the core privacy principles of the Law to prevent widespread privacy violations.

According to the announcement, camera usage must respect employees’ reasonable privacy expectations and adhere to data minimization. Employers are strictly prohibited from using surveillance for abstract or disciplinary purposes, such as tracking employee efficiency or performance. Highly intrusive features like audio recording are heavily restricted, and cameras are completely banned in private zones like restrooms, changing rooms, and break areas.

Consequently, employers acting as data controllers must implement technical and administrative measures under Article 12 of the Law, including setting up strict access authorization matrices, keeping footage only for the minimum required duration, and utilizing automated data destruction. They are also legally obligated under Article 10 of the Law to provide explicit privacy notices to staff and visitors. The DPA warned that non-compliance will result in administrative fines under Article 18 of the Law.

DPA Halts Municipalities’ Live Broadcasts for Touristic Promotion

The DPA issued a public announcement ordering municipalities to immediately stop live-streaming footage of public tourist areas on their websites. The Board ruled that capturing recognizable faces and license plates constitutes unauthorized personal data processing under the Law, as it violates individuals’ reasonable expectations of privacy in public spaces and exposes them to tracking risks by third parties.

Since municipal laws do not grant a statutory mandate for such surveillance, these live streams cannot be justified under “legitimate interest.” Municipalities must switch to anonymous alternatives, such as digital blurring or non-personal imagery. Data controllers failing to comply with these guidelines will face administrative fines and legal sanctions under Article 18 of the Law.

Meta Relaunches Threads in Turkey Following Antitrust Approval

The Turkish Competition Authority has approved Meta’s compliance commitments, allowing Threads to relaunch in Turkey after a two-year hiatus. Under the approved framework, users can now choose to create an independent Threads account using only their mobile number. If this option is selected, Meta is prohibited from merging the user’s Threads data with their Instagram data, ensuring full regulatory compliance.

Constitutional Court Judgment on Processing Publicized Data

The Constitutional Court (“AYM”) evaluated a 100,000-TL KVKK fine imposed on a company for using publicly available contact information to make marketing calls. While the Board argued that public data cannot be used outside its original intent, the AYM annulled the sanction, ruling that it violated the principle of legality in crime and punishment. The Court highlighted that penalizing “use outside the purpose of publicization” is not explicitly or predictably defined within the text of the Law itself but was instead improperly based on the regulatory authority’s guidelines.

Importantly, the AYM clarified that this decision does not mean personal data on the internet can be freely exploited. Using visible contact information for commercial purposes does not automatically become lawful, the original context, intent of publicization, and processing purpose remain legally binding. The ruling strictly establishes that administrative penalties must be clearly grounded in statutory law.

Data Breach Notifications- July 2026:

Data Controller / Sector

Affected Data Subjects

Affected Personal Data Categories

Number of Data Subjects

Udemy Inc. / Education

Customers and potential customers

Name, surname,

phone number, email address, and address information

Approximately 12,000 individuals.

Beyoğlu Çikolata Sanayi Ticaret

Anonim Şirketi / Food

Customers, potential customers and employees

Identity,

communication, personnel, customer transaction, financial,

professional experience,

marketing, and health information

Due to the data controller’s inability to access the data

and the absence of physically stored

data, the number of individuals affected by the breach cannot

be determined at this stage.

Tempo Makina Pazarlama A.Ş. / Machinery

Employees, customers and potential customers

Identity,

communication,

location, personnel, customer transaction, financial, professional

experience,

marketing, audio/ visual records, racial and ethnic origin,

health information, and biometric data

Not yet determined.

Mepa Aktif Elektrik Pazarlama Sanayi ve Ticaret A.Ş /

Electricity

The groups of data subjects who may have been affected by the breach cannot be determined

with certainty at this stage; however, considering the

company’s operations and based on the results of the upcoming

technical investigation, it is evaluated that certain personal data belonging to employees, former employees, employee

candidates, customers, suppliers, business partners, authorized persons/representatives, and third parties in a commercial

or legal relationship with the

company may have been affected.

Could not be determined with

certainty

At the current stage, the groups of data subjects who may have been affected

by the breach cannot be determined with certainty.

Data Controller / Sector

Affected Data Subjects

Affected Personal Data Categories

Number of Data Subjects

Makel Elektrik

Malzemeleri San. ve Tic. A.Ş. / Electricity

The groups of data subjects who may have been affected by the breach cannot be determined

with certainty at this stage; however, considering the

company’s operations and based on the results of the upcoming

technical investigation, it is evaluated that certain personal data belonging to employees, former employees, employee

candidates, customers, suppliers, business partners, authorized persons/representatives, and third parties in a commercial

or legal relationship with the

company may have been affected.

Could not be determined with

certainty

Not yet determined.

Baltaş Eksen Seçme Değerlendirme

Eğitim ve Org. Tic. AŞ

/ Consulting

Employees, users, customers, potential customers, and other

individuals who are not yet known

Identity and

communication data of users registered to the web application, session and access

logs (transaction security), and

customer/business partner information within the scope

of corporate files located in the SharePoint folder (customer

transaction)

Not yet determined.

Doro Dizayn Teksil Sanayi ve Dış Ticaret

Limited Şirketi / Textiles

Employees and users

Transaction security, risk management,

finance, and marketing data

Between 1 and 10,000

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More