Data Protection And Privacy Law In Türkiye Key Developments And Predictions – 2025
In this year’s report, we focus on the latest developments
in the field of personal data protection, recent decisions, and
published guidelines, as well as the fundamental regulations and
principles of personal data protection law. Additionally, we
analyse key developments in Türkiye, current significant issues in
this area, and expectations, evaluations, and trends for the
future.
The year 2024 has once again been marked by significant
developments in personal data protection. We have witnessed the
long-anticipated amendments to the Law on the Protection of
Personal Data No. 6698 (“Law”) coming
into effect, secondary legislation efforts, and the Personal Data
Protection Authority’s (“Authority”)
guidance and publications aimed at providing direction to data
controllers. Additionally, efforts were made to enhance awareness
and effectiveness in personal data protection, ensure the effective
implementation of the Law, and establish the proper relationship
between the Law and other legal fields it intersects with,
particularly competition law.
With the impact of regulations in the EU resonating in our
country, discussions surrounding artificial intelligence (AI),
although not yet at the desired level of maturity, have gained more
prominence in 2024. In the new digital era that has taken hold
worldwide, the steps to be taken in personal data protection and
how to strike a balance between technology and privacy will
continue to be key topics on the agenda in the coming years.
While we continue to witness positive developments each year in
terms of compliance with the Law, the amendments introduced in 2024
made the second half of the year particularly intense for data
controllers, as they focused on extensive compliance efforts,
especially regarding cross-border data transfers.
Digital platforms, which play an increasingly central role in
users’ lives and pose privacy threats and risks due to
large-scale data collection, processing, and sharing, remain a
focal point for the Personal Data Protection Board
(“Board”), as they do worldwide. With
the growth of the digital economy, the data collection and
processing activities of digital platforms have created a
significant intersection between data protection and competition
law. Notably, the competition investigation conducted by the
Turkish Competition Authority against social network provider META
is expected to have implications in the field of personal data
protection as well.
The statistics in the information note published by the Board
regarding its activities in 2024 indicate an increase in the number
of notices, complaints, and applications compared to the previous
year. While the Board continued its examinations intensively
throughout 2024, only two of its decisions were publicly
announced.
As a result of emerging practical needs and the objective of
aligning the Law with the European Union’s General Data
Protection Regulation (“GDPR”), significant legislative
amendments were introduced in the field of personal data protection
in 2024. The amendments, which came into force on June 1, 2024,
marked the beginning of a new era in personal data protection, with
compliance required by September 1, 2024. Within this framework,
the “Regulation on the Procedures and Principles for
Cross-Border Transfers of Personal Data” was published on
July 10, 2024. The limited timeframe for compliance has posed
challenges for both data controllers and practitioners, and for
many data controllers, the compliance process is still ongoing.
In 2024, the Board continued to publish various guidelines,
documents, and information notes to raise awareness in the field of
data protection and provide guidance to practitioners. The
Guideline on the Processing of Turkish Republic Identity
Numbers outlined key considerations regarding the processing
of Turkish ID numbers, which, due to their potential to grant
access to other personal data, could lead to significant risks and
harm if mishandled. Meanwhile, the Guideline on the Protection
of Personal Data in Election Activities reminded public
authorities, political parties, candidates, and voters of their
obligations and rights under the Law. Additionally, the Authority
published several informative materials aimed at practitioners,
including the Deepfake Information Note, the Information Note
on the Legal Basis for Personal Data Processing Stipulated by Law,
the Information Note on the Temporal Application of Misdemeanors
under Law No. 6698, the Information Note on Chatbots (Example:
ChatGPT), and the Most Common Mistakes in Complaints and
Notifications Submitted to the Board. These publications
provided practical insights to help ensure compliance with data
protection regulations.
As part of cross-border data transfers, the Standard
Contract Notification Module system was established, allowing
data controllers to electronically notify the Authority of standard
contractual clauses, which are one of the appropriate safeguards
regulated under the Law.
In 2024, the Board imposed administrative fines totaling
552,668,000 Turkish liras, with the majority of these penalties
being issued against data controllers who failed to fulfil their
obligation to register with the data controllers’ registry and
submit the required notifications despite being subject to this
requirement.
In its Public Announcement regarding the Data Controllers’
Registry published in August 2024, the Authority stated that the
Board had initiated ex officio investigations into data controllers
who failed to fulfill their registration and notification
obligations. As of August 1, 2024, the Board had imposed
503,935,000 Turkish liras in administrative fines on both domestic
and foreign natural and legal person data controllers who were
subject to this obligation but had not complied.
As a result of the developments regarding cross-border data
transfers, a total of 1,345 standard contracts were notified to the
Board in 2024 (based on the Authority’s records for the
June–December period). These figures indicate that compliance
efforts are still ongoing among data controllers.