
Quick Read: Data Protection Law Updates in Türkiye – January 2025

February 2025 – As 2025 begins, Türkiye continues to strengthen its data protection framework with new regulatory updates and strategic initiatives. The Turkish Data Protection Authority ("DPA") and the Turkish president have introduced significant measures affecting multiple sectors. Key updates from January include:

  • the Turkish president established the Cybersecurity Presidency;
  • the National Intelligence Service carried out a cybersecurity operation against unauthorised data access;
  • the DPA clarified obligations for data processing in mediation activities;
  • the DPA updated the Guidelines on Banking Sector Best Practices;
  • the DPA signed a cooperation protocol with the Turkish Capital Markets Board;
  • the DPA released Guidelines on Cross-border Data Transfers;
  • the DPA announced updated administrative fines for 2025.


Cybersecurity operation uncovers unauthorised data access

The Turkish National Intelligence Organisation, in coordination with the military and the National Cyber Incident Response Center, carried out a significant operation against unauthorised access to personal data.

On 27 January 2025, public reports confirmed that five individuals were arrested for unlawfully accessing Turkish citizens' personal data using specialised legal software, "Avatar" or "Justice". The suspects, including software administrators and developers, were apprehended in simultaneous operations in Istanbul and Izmir. Investigations are ongoing together with the Turkish Financial Crimes Investigation Board to examine financial connections and uncover the economic aspects of these illegal activities.


DPA reminds mediators of their data protection obligations

On 13 January 2025, the DPA issued an announcement clarifying data processing in mediation activities. In the announcement, the DPA highlighted that:

  • mediators are considered data controllers under the Turkish Data Protection Law (“DP Law”) and must comply with the same obligations as other controllers;
  • the obligation to inform under the DP Law is separate from other information disclosure requirements (e.g., to the disputing parties) under mediation regulations;
  • mediators must ensure compliance with the DP Law when processing personal data of parties involved in mediation.

Strengthened collaboration in capital markets

On 6 January 2025, the DPA and the Capital Markets Board announced their cooperation protocol aimed at improving personal data protection practices in the financial sector. This collaboration seeks to:

  • enhance compliance with data processing regulations within capital markets;
  • promote best practices among financial organisations;
  • strengthen data privacy rights for individuals engaging in capital market activities.


Updated banking sector guidelines announced

The DPA announced on 8 January 2025 that it updated the Guidelines on Banking Sector Best Practices. The new version addresses:

  • cross-border data transfer in banking operations;
  • processing of sensitive personal data within the sector.

You can find the updated guidelines here (in Turkish only).


Türkiye establishes Cybersecurity Presidency

On 8 January 2025, the Presidency of the Republic of Türkiye established the Cybersecurity Presidency (Siber Güvenlik Başkanlığı in Turkish), a dedicated national body focusing on digital security. This development marks a pivotal moment to enhance the digital security infrastructure of Türkiye and reflects a growing recognition of the critical importance of cybersecurity in today’s interconnected world. See our article here for details of the Cybersecurity Presidency.


New Guidelines on Cross-border Data Transfers now available

On 2 January 2025, the DPA released updated Guidelines on Cross-border Data Transfers (“Guidelines”), providing clarity for organisations handling international data flows. The Guidelines outline the legal obligations, compliance mechanisms, and safeguards for data controllers and processors. You may review our article here for more detailed information.


Updated administrative fine amounts released for 2025!

On 2 January 2025, the DPA announced the updated administrative fine amounts for 2025. The administrative fines determined by Article 18 of the DP Law have been updated for 2025, reflecting a revaluation rate of 43.93% as per the relevant provisions of the Tax Procedure Law. See our article here for more detailed information.

Data breach notifications

  • Trabzon Üniversitesi notified a data breach caused by a cyberattack after discovering the personal data of employees and students exposed in online panels. Employees and students were affected, and their identity, contact, and location information was compromised.