Noteworthy Data Protection Regulations in Turkey and Around the World
The Personal Data Protection Authority (“Authority”) has published new data breach notifications on its website. In this context, data breaches reported by various organizations and institutions from different sectors are listed as follows: Zello Inc., Anıl Özel Sağlık Hizmetleri Turizm Ticaret Limited Şirketi (Özel Hisar Medical Center), Karadeniz Holding A.Ş., Trabzon University Rectorate, Organik Haberleşme Teknolojileri Bilişim Sanayi Ticaret Limited Şirketi, Afyon Kocatepe University,Hızlı Kargo Taşımacılık Ticaret Anonim Şirketi. The Authority, which aims to raise awareness about the protection of personal data and inform data owners, continues to closely monitor the breaches.
The Authority has published an important announcement regarding the key points to be considered when transferring personal data abroad. Article 9 of the Personal Data Protection Law No. 6698 states that the Authority must be notified within five business days after signing standard contracts used for data transfer abroad. The Authority emphasizes that these standard contracts must be signed by authorized persons for their validity, and that the signatures must comply with the Turkish Code of Obligations. Additionally, the Authority reminds that after the appropriate standard contract type for personal data transfer has been determined, it is only possible to make changes to optional or alternative clauses of the standard contract, and no additions, deletions, or changes should be made to the contract text outside of these clauses.[1]
An important statement has been made regarding mediators within the framework of the Personal Data Protection Law and Law No. 6325 on Mediation in Legal Disputes. According to Article 11 of Law No. 6325, a mediator is required to inform the parties about the principles, outcomes, and duration of the mediation process at the beginning of the mediation activity. However, this obligation differs from the disclosure obligation in Article 10 of Law No. 6698 regarding the protection of personal data. The relevant public announcement emphasizes that mediators, who act as data controllers in terms of processing personal data, providing information only about the principles and process of mediation does not fulfill the disclosure obligation stipulated in Law No. 6698. It is necessary to fulfill the disclosure obligation by providing additional information to the relevant persons on the matters listed in Article 10 of the Law.[2]
The Personal Data Protection Authority (KVKK) has published an updated version of the 'Good Practices Guide for the Banking Sector on the Protection of Personal Data,' prepared specifically for the banking sector. The guide was created in line with the amendments to the Personal Data Protection Law No. 6698, aiming to help organizations operating in the banking sector conduct personal data processing and protection processes in compliance with the legislation. In this context, the guide outlines the procedures and principles that banks must follow to comply with regulatory requirements, as well as the obligations they must fulfill, presented concretely through examples of good practices.[3]
The Ministry of Family and Social Services Data Sharing Regulation was published in the Official Gazette No. 32814 dated February 15, 2025. This regulation defines how personal data in the Central Database related to the Ministry’s service provision will be shared with public institutions, international organizations, local governments, and individuals or legal entities requesting data sharing, including the scope and methods of sharing, as well as the procedures and principles of the Data Sharing Board. According to the regulation, data held in the Central Database may be shared with recipient institutions or other individuals using a sharing method approved by the Board, in compliance with the Personal Data Protection Law No. 6698. Pursuant to the first paragraph of Article 16 of the Regulation, recipient institutions and other individuals will be responsible for protecting the data they receive from the General Directorate against unauthorized access or use, as well as for compensating legal, criminal sanctions, and financial damages arising from such situations.[4]
The European Data Protection Board (EDPB), in a guide published in January 2025, explained how the use of pseudonyms (pseudonymization) can be an effective security measure for fulfilling data protection obligations. According to the guide, pseudonymized data, which can still be attributed to an identifiable individual through additional information, is still considered personal data. The guide highlights that this method may facilitate the legitimate interest basis for processing activities under GDPR Article 6(1)(f) and enhance compliance with data protection requirements. Additionally, addressing the interaction between competition law and data protection law, the EDPB stated that these two areas should be integrated and that data protection rules should also be considered in competition assessments. The guide will be publicly available until February 28, 2025, and stakeholders will be allowed to submit comments.[5]
The Presidential Decree No. 177, published in the Official Gazette No. 32776 on January 8, 2025, established the "Cybersecurity Directorate." Among the Directorate's responsibilities are setting policies and strategies to ensure cybersecurity, organizing training to raise cybersecurity awareness, and strengthening cooperation between the public sector, private sector, and universities. Additionally, efforts will be made to help local entrepreneurs become competitive in the global market. The Directorate will prioritize important activities such as conducting R&D and technology transfers in the field of cybersecurity, detecting cybersecurity vulnerabilities, establishing emergency plans, and setting up joint operation centers.[6]
The National Defense Committee of the Grand National Assembly of Turkey (TBMM) has published its report on the 21-article Draft Law on Cybersecurity. Following the establishment of the Cybersecurity Directorate under the Presidency on January 8, 2025, the draft was submitted to the Committee on January 10 and approved on January 15. The report dated January 22, 2025, includes sections such as the general preamble of the law, article-by-article justifications, the text adopted by the Committee, and opposition statements. The draft law introduces various sanctions related to cybersecurity. In particular, prison sentences of up to 15 years are proposed for acts such as cyberattacks and data breaches, while administrative fines of up to TRY 100 million are planned for violations of regulations. Entities failing to comply with audit obligations will be subject to turnover-based penalties.[7]
Google Cloud has released its 2025 AI Business Trends Report. According to the report, artificial intelligence is set to revolutionize the development of security systems in 2025. As defenses become stronger, threats will be detected and neutralized more quickly, and manual security tasks will be automated. However, these advancements are expected to trigger a new “arms race” between defenders and attackers. If malicious actors begin to use AI for more sophisticated attacks, organizations will need to take proactive measures to strengthen their security. The report also notes that financial institutions may benefit from AI in detecting fraudulent documents, while the media and entertainment sector is expected to develop AI-powered solutions to combat misinformation.[8]
A “Cooperation and Information Sharing Protocol” has been signed between the Capital Markets Board of Turkey (CMB) and the Personal Data Protection Authority (KVKK). During the signing ceremony, speakers emphasized the growing importance of protecting and processing personal data in capital market activities. Within the scope of the protocol, a Coordination Committee is planned to be established to strengthen collaboration and enhance information sharing between the two institutions. The protocol also aims to carry out joint projects on personal data protection, data security, and privacy; organize professional training programs; publish educational materials; and hold awareness-raising events. This cooperation is expected to enhance trust in capital markets and contribute to the protection of investors.[9]
In Italy, the Data Protection Authority (Garante) has emphasized that in order to protect children’s digital privacy on social media, it is mandatory to obtain consent from both parents—even when they share joint custody—before posting photos of children under the age of 14. Following a complaint filed by a mother, Garante investigated the case and ruled that the child’s photo being shared by the father on Facebook without the mother’s consent was unlawful and constituted a violation of the child's digital privacy. Considering the absence of similar precedent decisions, Garante concluded that sharing a child’s photo without the consent of both parents is prohibited.[10]
A damage consultancy firm was fined 300,000 Turkish lira by the Personal Data Protection Authority (KVKK) for unlawfully collecting the personal data of accident victims. It was determined that the company accessed victims’ contact information through accident reports and made various promises regarding the compensation process. Following a complaint and subsequent investigation, it was found that these firms had obtained personal data without consent and misled victims, keeping a large portion of the compensation for themselves. Officials from the Insurance Association of Turkey emphasized that insurance companies are reliable when it comes to the protection of personal data and advised that accident victims should directly contact insurance providers for assistance.[11]
The Swedish Data Protection Authority (IMY) has fined Avanza Bank €1,320,000 for what it deemed a serious data breach involving the unauthorized transfer of personal data to Meta via Meta Pixels. It was found that due to mistakenly activated functions within the Meta Pixel used on Avanza Bank’s platforms, sensitive personal data—including names, surnames, email addresses, current credit information, and account numbers—of approximately 500,000 to 1 million individuals had been transmitted to Meta. IMY stated that Avanza Bank lacked adequate internal controls and failed to comply with necessary procedures, thereby not fulfilling its legal obligations. The additional privacy obligations specific to the banking sector further intensified the gravity of the breach. The decision underscores the importance for data controllers to carefully manage tracking technologies, implement effective internal audits, and fully comply with sector-specific privacy requirements.[12]
With the rapid growth of e-commerce, the security of personal data shared with courier companies has become a topic of debate. In an article published by the Personal Data Protection Authority (KVKK), it was noted that barcodes on shipping packages expose sensitive information such as recipients’ names, surnames, addresses, phone numbers, and Turkish ID numbers—making it accessible to malicious actors. The article recommends the use of QR codes as an alternative to barcodes, emphasizing that a system accessible only by courier personnel would enhance data security. Other suggestions include using user codes instead of recipient names and implementing end-to-end encryption. The article also highlights that current penalties for personal data breaches are not deterrent enough and calls for increased fines. Last year, a courier company was fined 250,000 TL after an employee misused customer information to send harassing messages.[13]
Apple has made history by accepting the UK government's backdoor request, allowing access to the data of all iPhone users in the country. At the request of British intelligence, Apple disabled encryption on its iCloud systems, effectively removing high-level data protection for users in the UK. Normally, Apple offers Advanced Data Protection (ADP) to users worldwide, ensuring end-to-end encryption of their data. This move, which grants the UK government access to user data, is expected to draw strong criticism, particularly from U.S. officials. Industry experts warn that this step poses a serious threat to privacy, and if the decision is not reversed, it could set a precedent for other governments and companies to make similar demands.[14]
The Personal Data Protection Authority (KVKK) has imposed an administrative fine of 11.5 million Turkish lira on Meta, the owner of Instagram, for violating children's personal data. The investigation was launched after it was found that the private accounts of users under the age of 18 were being converted into business accounts, resulting in the public disclosure of their personal information and increasing their exposure to online risks. The investigation revealed that email addresses and phone numbers associated with Instagram business accounts were embedded in the platform’s HTML source code, making this information accessible to anyone. This situation left child users vulnerable to potential dangers in online environments. The fine imposed on Meta is considered a significant step toward the protection of children's personal data.[15]
South Korea has accused DeepSeek, a Chinese AI startup, of sharing user data with ByteDance, the parent company of TikTok. Citing data security concerns, the country removed DeepSeek from app stores. The Personal Information Protection Commission (PIPC) of South Korea confirmed that DeepSeek had communicated with ByteDance, noting a lack of transparency in the app’s privacy policy and detecting traffic linked to third-party data transfers. The app, which quickly gained global popularity, had been downloaded over one million times before its removal from South Korean app stores. Following countries like Australia and Taiwan, South Korea also banned DeepSeek on government devices and advised users to exercise caution when sharing personal data.[16]
The National Intelligence Organization (MIT) launched a major cyber espionage operation against software developed specifically for lawyers, which provided illegal access to citizens' personal data. In an operation coordinated by MIT, carried out with the Gendarmerie General Command and the National Cyber Incident Response Center (USOM), it was revealed that software named "Avatar" and "Justice" were used by hundreds of lawyers. The software was found to have a wide user network, allegedly integrated with the National Judiciary Network Project (UYAP), allowing illegal access to citizens' personal data. As part of the operation, five individuals, including the software developers and administrators, were arrested. To uncover the economic dimensions of the illegal activities and to identify and prevent criminal profits, the Financial Crimes Investigation Board (MASAK) was also included in the investigation.[17]
The Personal Data Protection Authority (“Authority”) has published new data breach notifications on its website. In this context, data breaches reported by various organizations and institutions from different sectors are listed as follows: Zello Inc., Anıl Özel Sağlık Hizmetleri Turizm Ticaret Limited Şirketi (Özel Hisar Medical Center), Karadeniz Holding A.Ş., Trabzon University Rectorate, Organik Haberleşme Teknolojileri Bilişim Sanayi Ticaret Limited Şirketi, Afyon Kocatepe University,Hızlı Kargo Taşımacılık Ticaret Anonim Şirketi. The Authority, which aims to raise awareness about the protection of personal data and inform data owners, continues to closely monitor the breaches.
The Authority has published an important announcement regarding the key points to be considered when transferring personal data abroad. Article 9 of the Personal Data Protection Law No. 6698 states that the Authority must be notified within five business days after signing standard contracts used for data transfer abroad. The Authority emphasizes that these standard contracts must be signed by authorized persons for their validity, and that the signatures must comply with the Turkish Code of Obligations. Additionally, the Authority reminds that after the appropriate standard contract type for personal data transfer has been determined, it is only possible to make changes to optional or alternative clauses of the standard contract, and no additions, deletions, or changes should be made to the contract text outside of these clauses.[1]
An important statement has been made regarding mediators within the framework of the Personal Data Protection Law and Law No. 6325 on Mediation in Legal Disputes. According to Article 11 of Law No. 6325, a mediator is required to inform the parties about the principles, outcomes, and duration of the mediation process at the beginning of the mediation activity. However, this obligation differs from the disclosure obligation in Article 10 of Law No. 6698 regarding the protection of personal data. The relevant public announcement emphasizes that mediators, who act as data controllers in terms of processing personal data, providing information only about the principles and process of mediation does not fulfill the disclosure obligation stipulated in Law No. 6698. It is necessary to fulfill the disclosure obligation by providing additional information to the relevant persons on the matters listed in Article 10 of the Law.[2]
The Personal Data Protection Authority (KVKK) has published an updated version of the 'Good Practices Guide for the Banking Sector on the Protection of Personal Data,' prepared specifically for the banking sector. The guide was created in line with the amendments to the Personal Data Protection Law No. 6698, aiming to help organizations operating in the banking sector conduct personal data processing and protection processes in compliance with the legislation. In this context, the guide outlines the procedures and principles that banks must follow to comply with regulatory requirements, as well as the obligations they must fulfill, presented concretely through examples of good practices.[3]
The Ministry of Family and Social Services Data Sharing Regulation was published in the Official Gazette No. 32814 dated February 15, 2025. This regulation defines how personal data in the Central Database related to the Ministry’s service provision will be shared with public institutions, international organizations, local governments, and individuals or legal entities requesting data sharing, including the scope and methods of sharing, as well as the procedures and principles of the Data Sharing Board. According to the regulation, data held in the Central Database may be shared with recipient institutions or other individuals using a sharing method approved by the Board, in compliance with the Personal Data Protection Law No. 6698. Pursuant to the first paragraph of Article 16 of the Regulation, recipient institutions and other individuals will be responsible for protecting the data they receive from the General Directorate against unauthorized access or use, as well as for compensating legal, criminal sanctions, and financial damages arising from such situations.[4]
The European Data Protection Board (EDPB), in a guide published in January 2025, explained how the use of pseudonyms (pseudonymization) can be an effective security measure for fulfilling data protection obligations. According to the guide, pseudonymized data, which can still be attributed to an identifiable individual through additional information, is still considered personal data. The guide highlights that this method may facilitate the legitimate interest basis for processing activities under GDPR Article 6(1)(f) and enhance compliance with data protection requirements. Additionally, addressing the interaction between competition law and data protection law, the EDPB stated that these two areas should be integrated and that data protection rules should also be considered in competition assessments. The guide will be publicly available until February 28, 2025, and stakeholders will be allowed to submit comments.[5]
The Presidential Decree No. 177, published in the Official Gazette No. 32776 on January 8, 2025, established the "Cybersecurity Directorate." Among the Directorate's responsibilities are setting policies and strategies to ensure cybersecurity, organizing training to raise cybersecurity awareness, and strengthening cooperation between the public sector, private sector, and universities. Additionally, efforts will be made to help local entrepreneurs become competitive in the global market. The Directorate will prioritize important activities such as conducting R&D and technology transfers in the field of cybersecurity, detecting cybersecurity vulnerabilities, establishing emergency plans, and setting up joint operation centers.[6]
The National Defense Committee of the Grand National Assembly of Turkey (TBMM) has published its report on the 21-article Draft Law on Cybersecurity. Following the establishment of the Cybersecurity Directorate under the Presidency on January 8, 2025, the draft was submitted to the Committee on January 10 and approved on January 15. The report dated January 22, 2025, includes sections such as the general preamble of the law, article-by-article justifications, the text adopted by the Committee, and opposition statements. The draft law introduces various sanctions related to cybersecurity. In particular, prison sentences of up to 15 years are proposed for acts such as cyberattacks and data breaches, while administrative fines of up to TRY 100 million are planned for violations of regulations. Entities failing to comply with audit obligations will be subject to turnover-based penalties.[7]
Google Cloud has released its 2025 AI Business Trends Report. According to the report, artificial intelligence is set to revolutionize the development of security systems in 2025. As defenses become stronger, threats will be detected and neutralized more quickly, and manual security tasks will be automated. However, these advancements are expected to trigger a new “arms race” between defenders and attackers. If malicious actors begin to use AI for more sophisticated attacks, organizations will need to take proactive measures to strengthen their security. The report also notes that financial institutions may benefit from AI in detecting fraudulent documents, while the media and entertainment sector is expected to develop AI-powered solutions to combat misinformation.[8]
A “Cooperation and Information Sharing Protocol” has been signed between the Capital Markets Board of Turkey (CMB) and the Personal Data Protection Authority (KVKK). During the signing ceremony, speakers emphasized the growing importance of protecting and processing personal data in capital market activities. Within the scope of the protocol, a Coordination Committee is planned to be established to strengthen collaboration and enhance information sharing between the two institutions. The protocol also aims to carry out joint projects on personal data protection, data security, and privacy; organize professional training programs; publish educational materials; and hold awareness-raising events. This cooperation is expected to enhance trust in capital markets and contribute to the protection of investors.[9]
In Italy, the Data Protection Authority (Garante) has emphasized that in order to protect children’s digital privacy on social media, it is mandatory to obtain consent from both parents—even when they share joint custody—before posting photos of children under the age of 14. Following a complaint filed by a mother, Garante investigated the case and ruled that the child’s photo being shared by the father on Facebook without the mother’s consent was unlawful and constituted a violation of the child's digital privacy. Considering the absence of similar precedent decisions, Garante concluded that sharing a child’s photo without the consent of both parents is prohibited.[10]
A damage consultancy firm was fined 300,000 Turkish lira by the Personal Data Protection Authority (KVKK) for unlawfully collecting the personal data of accident victims. It was determined that the company accessed victims’ contact information through accident reports and made various promises regarding the compensation process. Following a complaint and subsequent investigation, it was found that these firms had obtained personal data without consent and misled victims, keeping a large portion of the compensation for themselves. Officials from the Insurance Association of Turkey emphasized that insurance companies are reliable when it comes to the protection of personal data and advised that accident victims should directly contact insurance providers for assistance.[11]
The Swedish Data Protection Authority (IMY) has fined Avanza Bank €1,320,000 for what it deemed a serious data breach involving the unauthorized transfer of personal data to Meta via Meta Pixels. It was found that due to mistakenly activated functions within the Meta Pixel used on Avanza Bank’s platforms, sensitive personal data—including names, surnames, email addresses, current credit information, and account numbers—of approximately 500,000 to 1 million individuals had been transmitted to Meta. IMY stated that Avanza Bank lacked adequate internal controls and failed to comply with necessary procedures, thereby not fulfilling its legal obligations. The additional privacy obligations specific to the banking sector further intensified the gravity of the breach. The decision underscores the importance for data controllers to carefully manage tracking technologies, implement effective internal audits, and fully comply with sector-specific privacy requirements.[12]
With the rapid growth of e-commerce, the security of personal data shared with courier companies has become a topic of debate. In an article published by the Personal Data Protection Authority (KVKK), it was noted that barcodes on shipping packages expose sensitive information such as recipients’ names, surnames, addresses, phone numbers, and Turkish ID numbers—making it accessible to malicious actors. The article recommends the use of QR codes as an alternative to barcodes, emphasizing that a system accessible only by courier personnel would enhance data security. Other suggestions include using user codes instead of recipient names and implementing end-to-end encryption. The article also highlights that current penalties for personal data breaches are not deterrent enough and calls for increased fines. Last year, a courier company was fined 250,000 TL after an employee misused customer information to send harassing messages.[13]
Apple has made history by accepting the UK government's backdoor request, allowing access to the data of all iPhone users in the country. At the request of British intelligence, Apple disabled encryption on its iCloud systems, effectively removing high-level data protection for users in the UK. Normally, Apple offers Advanced Data Protection (ADP) to users worldwide, ensuring end-to-end encryption of their data. This move, which grants the UK government access to user data, is expected to draw strong criticism, particularly from U.S. officials. Industry experts warn that this step poses a serious threat to privacy, and if the decision is not reversed, it could set a precedent for other governments and companies to make similar demands.[14]
The Personal Data Protection Authority (KVKK) has imposed an administrative fine of 11.5 million Turkish lira on Meta, the owner of Instagram, for violating children's personal data. The investigation was launched after it was found that the private accounts of users under the age of 18 were being converted into business accounts, resulting in the public disclosure of their personal information and increasing their exposure to online risks. The investigation revealed that email addresses and phone numbers associated with Instagram business accounts were embedded in the platform’s HTML source code, making this information accessible to anyone. This situation left child users vulnerable to potential dangers in online environments. The fine imposed on Meta is considered a significant step toward the protection of children's personal data.[15]
South Korea has accused DeepSeek, a Chinese AI startup, of sharing user data with ByteDance, the parent company of TikTok. Citing data security concerns, the country removed DeepSeek from app stores. The Personal Information Protection Commission (PIPC) of South Korea confirmed that DeepSeek had communicated with ByteDance, noting a lack of transparency in the app’s privacy policy and detecting traffic linked to third-party data transfers. The app, which quickly gained global popularity, had been downloaded over one million times before its removal from South Korean app stores. Following countries like Australia and Taiwan, South Korea also banned DeepSeek on government devices and advised users to exercise caution when sharing personal data.[16]
The National Intelligence Organization (MIT) launched a major cyber espionage operation against software developed specifically for lawyers, which provided illegal access to citizens' personal data. In an operation coordinated by MIT, carried out with the Gendarmerie General Command and the National Cyber Incident Response Center (USOM), it was revealed that software named "Avatar" and "Justice" were used by hundreds of lawyers. The software was found to have a wide user network, allegedly integrated with the National Judiciary Network Project (UYAP), allowing illegal access to citizens' personal data. As part of the operation, five individuals, including the software developers and administrators, were arrested. To uncover the economic dimensions of the illegal activities and to identify and prevent criminal profits, the Financial Crimes Investigation Board (MASAK) was also included in the investigation.[17]
