Quick Read: Data Protection Law Updates in Turkey – December 2024

January 2025 – In this edition of Quick Read, we summarise the latest updates in data protection law and sector news in Türkiye. In the past month, the Turkish Data Protection Authority (“DPA”):

  • released Guidelines on Cross-border Data Flows;
  • issued a memorandum regarding temporal application of the new amendment to the DP Law;
  • published its 2024 Activity Report;
  • announced updated administrative fines for 2025;
  • disclosed two data breaches.


New guidelines on cross-border data transfers now available

On 2 January 2025, the DPA released updated guidelines on cross-border data transfers (“Guidelines”), providing critical clarity for organisations handling international data flows. The Guidelines, which are aligned with the Law on the Protection of Personal Data No. 6698 (“DP Law”), outline the legal obligations, compliance mechanisms, and safeguards for data controllers and processors. Below is a brief summary of the key points:


Legal framework and basis: The Guidelines emphasise compliance with the DP Law, setting clear conditions for cross-border transfers, including explicit consent, adequacy decisions, and reliance on Binding Corporate Rules (BCRs).

Alignment with EU standards: The Guidelines integrate EU-inspired principles to harmonise Turkish DP Law practices with international standards.

Practical examples: Concrete scenarios and use cases are provided to help data controllers understand and implement compliance measures effectively.

Transparency requirements: Organisations must log transfer details with VERBIS (Data Controllers Registry Information System), ensuring clarity and accessibility for data subjects.

Organisations are advised to review their current data transfer practices to ensure that mechanisms such as explicit consent, standard contractual clauses (“SCCs”), and binding corporate rules comply with the Guidelines. Risk assessments should be conducted to evaluate potential impacts on data subjects' privacy, with detailed documentation of mitigation strategies. Additionally, internal policies and agreements must be updated to align with the newly specified requirements, particularly for transparency measures such as VERBIS registration.

See our article here for more detailed information.


Time-sensitive updates to Turkish Data Protection Law

On 19 December 2024, the DPA released a crucial memorandum regarding amendments to the DP Law. This memorandum provides guidance on the temporal application of the DP Law for administrative offenses and outlines transitional rules for cross-border transfers. Below is a summary of the key points:


Cross-border data transfers: Transition period ends 1 September 2024

  • Until 1 September 2024: Explicit consent alone suffices for transferring personal data abroad.
  • After 1 September 2024: New rules apply, requiring additional safeguards.

Temporal application of the law: Determining which rules apply

  • Offenses and complaints filed before 1 June 2024 are governed by the pre-amended DP Law.
  • Continuous offenses extending beyond 1 June 2024 may fall under the amended DP Law.
  • Where more favourable, the older rules may still apply under the lex mitior

Specific scenarios

  • Completed offenses before 1 June 2024: The pre-amended DP Law applies.
  • Continuous offenses unresolved after 1 September 2024: The amended DP Law rules apply.
  • Complaints filed after 1 June 2024, involving older offenses: The DPA assesses the more favourable legal framework.


As a result, the memorandum highlights the need for proactive measures to mitigate potential risks.

  • Practices should be reviewed to ensure alignment with the stricter rules taking effect on 1 September
  • A thorough audit of unresolved cases can determine whether they fall under older or newer provisions, ensuring compliance with applicable rules.
  • Robust policies are essential to prepare for the requirements of the post-transition period, including updated protocols for cross-border transfers and complaint handling.


Highlights from the DPA’s 2024 Activity Report

On 30 December 2024, the DPA published its 2024 Activity Report, summarising key achievements and updates in personal data protection.

| Activity | Count |
|---|---|
| Complaints Received | 8,186 |
| Resolved Cases | 6,958 |
| Data Breach Notifications | 281 |
| Public Breach Announcements | 63 |
| Fines Imposed | TRY 552.7 million |
| Approved Data Transfer Commitments | 3 |

In 2024, the DPA focused on cross-border data transfers, introducing regulations that included standard contractual models and Binding Corporate Rules to ensure compliance with international standards. The DPA also published several guidelines, including sector-specific guidelines, such as those addressing the processing of Turkish Republic ID numbers, election activities, and emerging issues like deepfakes and chatbots.

Additionally, the DPA carried out extensive awareness campaigns, with a particular focus on children. Efforts included educational projects in schools, tailored materials for children and parents, and creative activities like competitions and comic series to teach personal data protection in engaging ways. On the collaboration front, the DPA actively engaged in national and international partnerships, signing agreements with various organisations and participating in global events such as the Global Privacy Assembly and the International Digital Law Forum.


Updated administrative fine amounts released for 2025!

On 2 January 2025, the DPA announced the updated administrative fine amounts for 2025. The administrative fines determined by Article 18 of the DP Law have been updated for 2025, reflecting a revaluation rate of 43.93% as per the relevant provisions of the Tax Procedure Law. Below is a summary table of the updated fines for key violations:

 

| Violation | Minimum fine | Maximum fine |
|---|---|---|
| Failure to fulfill the obligation to inform | TRY 68,083 (approx. EUR 1,840) | TRY 1,362,021 (approx. EUR 36,811) |
| Non-compliance with data security obligations | TRY 204,285 (approx. EUR 5,521) | TRY 13,620,402 (approx. EUR 368,118) |
| Non-compliance with the DPA Decisions | TRY 340,476 (approx. EUR 9,202) | TRY 13,620,402 (approx. EUR 368,118) |
| Failure to register with VERBIS | TRY 272,380 (approx. EUR 7,361) | TRY 13,620,402 (approx. EUR 368,118) |
| Non-compliance with notification obligation | TRY 71,965 (approx. EUR 1,945) | TRY 1,439,300 (approx. EUR 38,900) |



Data breach notifications

  • A data breach caused by a cyberattack occurred at Anil Özel Saglik Hizmetleri Turizm Ticaret Limited Sirketi between 22–24 November 2024 and was discovered on 2 December 2024. Employees and patients were affected, and their health and identity information was compromised.
  • A data breach caused by a suspected cyberattack occurred at Karadeniz Holding A.S. The breach was identified on 10 December 2024 following an internet outage and routine security check. Investigations are ongoing to determine the extent of the breach, including the categories of data and the number of affected individuals.