Notable Data Protection Regulations in Turkey and Around the World
Data breach notifications have been published on the website of the Personal Data Protection Authority (“the Authority”).
Karakaya Kuruyemiş Gıda Tarım Ürünleri İnş. Taah. Turz. Teks. Sanayi ve Ticaret Limited Şirketi, Adnan Özen İnşaat Taah. Enerji Turizm Tic. Ve San A.Ş., Creditwest Faktoring A.Ş., Uber Technologies Inc., Güneş Ekspres Havacılık A.Ş., Ann & Robert H. Lurie Children’s Hospital of Chicago, Maltepe Üniversitesi, Gündoğdu Mobilya Sanayi Ticaret Ltd. Şti., İncirli Sağlık ve Sosyal Tesisler A.Ş., Kentaş Gıda Pazarlama ve Dağıtım Ticaret Limited Şirketi, Atılım Üniversitesi, Kilis 7 Aralık Üniversitesi, Lokman Hekim Üniversitesi
The Authority has published an announcement titled “Announcement Regarding the English Translation of the Regulation on the Procedures and Principles for the Transfer of Personal Data Abroad and Standard Contractual Clauses.” With this announcement, the draft English versions[1] of the regulation on the procedures and principles for transferring personal data abroad and the standard contractual clauses have been made available for public consultation.
As is well known, pursuant to Article 16 of the Personal Data Protection Law (“the Law”), all data controllers processing personal data are required to register with the Data Controllers’ Registry (VERBİS) and to submit the required notifications. As of August 2024, the Board has imposed administrative fines totaling 503,935,000 TL on approximately 16,350 data controllers who have not complied with this obligation. [2] Additionally, disciplinary measures have been applied to public institutions, organizations, and professional associations with the status of public institutions.
On 09.10.2024, the Authority published an announcement titled “Learning About Personal Data with Verican.” Verican is a cartoon character designed to explain the potential dangers to personal data privacy for children and families and aims to raise awareness about a secure digital future. Through Verican, the Authority aims to provide more comprehensive information about personal data and ensure a safe online experience. [3]
With the decision of the Authority dated 17.10.2024, the “Standard Contract Notification Module” was launched; thus, data controllers and data processors are now able to fulfill their notification obligations regarding the transfer of personal data abroad quickly and efficiently via the internet. According to the Law, these notifications must be made within five business days from the date of signing. While notifications can be made physically via KEP address or other methods specified by the Board, the new module provided by the Authority aims to make these processes faster and more efficient online. [4]
The Authority published an announcement titled "Common Mistakes in Complaints and Notifications Sent to the Board" on its LinkedIn page. [5] The announcement states that the rights outlined in Article 11 of the Law can only be exercised by the data subject or their representative/legal representative. In this context, the Authority made a statement emphasizing that a person who does not have representation authority on behalf of the data subject cannot file a complaint with the Board.
The Authority shared a briefing note titled "Information Note on Chatbots (Example: ChatGPT)." [6] The note emphasizes that developers, producers, service providers, and decision-makers operating in the field of artificial intelligence should pay attention to the recommendations set by the Board. It also highlights the importance of fulfilling obligations arising from personal data protection legislation as a data controller or data processor. Specifically, it stresses that correctly and reliably determining the age in applications aimed at children is a critical element.
The United Kingdom’s data protection authority, the Information Commissioner’s Office (ICO), published a report on how organizations should prepare for the increasing adoption of quantum technology and the challenges it may pose in the field of data protection. The report examines emerging applications in areas such as quantum sensing, timing, imaging, and quantum communications, and recommends taking precautions against current cybersecurity threats. It particularly emphasizes that large organizations should start preparing for a transition to post-quantum encryption.[7]
LinkedIn, owned by Microsoft, confirmed that it processed users' personal data for behavioral analysis and targeted advertising purposes without obtaining active consent. While LinkedIn did not notify users about these changes in its privacy settings, it offered an option to opt out of the default permissions. [8] However, this practice violated the legal bases for personal data processing set out in the General Data Protection Regulation (GDPR). The GDPR requires that the processing of personal data be supported by a legal ground such as consent, contractual necessity, or legitimate interests. Because LinkedIn processed data without establishing such a legal ground or obtaining user consent, the Irish Data Protection Authority imposed an administrative fine of €310,000,000.[9] The Authority’s relevant guideline also includes definitions of “opt-in” and “opt-out.” [10] In this context, since valid explicit consent can only be obtained through an opt-in method, the processing of personal data based on an opt-out option will not be considered lawful.
The EDPB (European Data Protection Board) published a draft guideline open for public consultation until November 20, 2024, regarding the processing of personal data based on the legitimate interests of the data controller. The guideline evaluates the criteria under which a data controller may rely on legitimate interest as a legal basis and states that these criteria must be present prior to any personal data processing activity. The guideline, adopted by the EDPB, emphasizes that legitimate interest should not be used as a last resort or as a fallback legal basis when other grounds are not applicable.[11]
The company CEGEDIM SANTÉ, which provides management software for medical clinics and healthcare centers, was fined by the French Data Protection Authority (CNIL) for processing health data it treated as anonymized for research and statistical purposes without obtaining prior authorization under the French Data Protection Law. However, since the data included detailed patient information that could allow individuals to be re-identified, it was deemed not to meet anonymization standards. As a result, CNIL imposed an administrative fine of €800,000 on the data controller CEGEDIM SANTÉ for processing health data without proper authorization. [12]
On September 23, 2024, the European Commission published a comprehensive guide titled “Most Frequently Asked Questions” regarding the Data Act, which entered into force on January 11, 2024 and complements the Data Governance Act aimed at increasing trust in voluntary data-sharing mechanisms. This guide covers the current rules aligned with the GDPR and other EU legislation, the scope of data access rights, the definition of connected products and services, user rights and obligations, the responsibilities of data holders, and mechanisms addressing security concerns such as trade secrets. Additionally, the guide states that the Data Act will apply from September 12, 2025.[13]
The World Economic Forum has published this year’s edition of its series examining ten emerging technologies. The report highlights breakthroughs in artificial intelligence and connected technologies, while also featuring technologies that enhance environmental sustainability. It emphasizes that the technologies discussed aim to make the world a better place by strengthening innovation and global cooperation. Some of the technologies featured in the report include AI for scientific discovery, privacy-enhancing technologies, reconfigurable intelligent surfaces, high-altitude platform stations, and immersive technology. [14]
The Council of Europe has taken a significant step toward enhancing the security of internet-connected devices by adopting the Cyber Resilience Act (CRA).[15] This law aims to ensure the safe use of digital products, provide adequate information about their security features, and strengthen resilience against cyber threats. The regulation will enter into force twenty days after its publication in the Official Journal of the European Union and will include a 36-month transition period for full implementation. The key elements of the new regulation include the following:
- EU-Wide Cybersecurity Standards: The application of cybersecurity requirements across the European Union is becoming mandatory in the design, production, and marketing of hardware and software products. In this context, products must bear the CE marking to demonstrate compliance with the relevant regulation.
- Coverage of All Connected Devices: The relevant regulation will apply broadly to all products directly or indirectly connected to another device or network.
- Consumer Information: Consumers will be supported in making informed choices by ensuring that the necessary information is provided, allowing them to prefer hardware and software products that are reliable from a cybersecurity perspective.
In the European Commission's 2024 Turkey Report, it is emphasized that despite the changes made, the Law is not yet fully aligned with EU acquis. [16] The report states that despite the changes in the 8th Judicial Reform Package, which was adopted in March 2024, and regulations regarding the transfer of personal data to third countries, the Law has not yet fully complied with EU standards. However, the 2025 Presidential Annual Program indicates that the alignment of the Law with the GDPR will be completed within 2025; similarly, the 2025-2027 Medium-Term Program forecasts that this alignment process will be completed by the fourth quarter of 2025.[17]
A study published by the Organization for Economic Co-operation and Development (OECD) addresses the relationship between artificial intelligence, data, and competition. In this context, the study covers topics such as what needs to be known about generative artificial intelligence (its potential economic impact, the generative AI lifecycle, the use of these models, etc.), supply-side factors in artificial intelligence (structural factors, data availability, switching costs, ecosystem-related elements, etc.), tools that competition authorities may use, competition policy, and issues that may arise in the future regarding artificial intelligence.[18]
A report has been published on the "Children’s Data Lives" project conducted by the UK Information Commissioner’s Office (ICO). The project aims to provide a fundamental understanding of children’s online behaviors and how these behaviors intersect with rights related to personal data protection. It explores children’s awareness of data privacy and the importance they place on protecting their privacy.[19]
The protection of children's personal data has become an increasingly important and sensitive issue in the digital age. As children actively participate in online environments, spending more time on digital platforms such as games, social media, and educational sites, serious risks arise regarding the collection and processing of their personal data. The European Commission, which has conducted detailed studies on this matter, has launched the updated version of the "Better Internet for Kids (BIK)" portal. The portal provides online safety guidance for children, parents, educators, and policymakers. The "Parents and Caregivers Corner" offers screen time management and parental controls, while the "Youth Corner" aims to raise awareness about online safety. Additionally, the "BIK Information Centre" provides a central resource for children's safety.[20] Furthermore, the 5th issue of the Personal Data Protection Authority’s (KVKK) Bulletin covers developments related to data protection, including brochures and recommendations for protecting children's data, safe gaming tips, and the "KVKK in Schools" project. [21]