March 2025 – In February, the Turkish Data Protection Authority ("DPA") published a guideline on the processing of sensitive personal data and issued a notice regarding the implementation of standard contractual clauses. Additionally, the DPA shared two informative notes concerning the use of artificial intelligence.
The preparation of cyber security legislation also gained momentum in February, as discussions on the draft Cyber Security Law began in the General Assembly of the Grand National Assembly of Türkiye.
AI Applications are Under Radar of the DPA
Through its social media account, the DPA published two information notes in February, "Recommendations for the Protection of Personal Data in the Use of AI" and "Key Considerations for the Protection of Personal Data in the Use of Generative AI".
The DPA emphasised that when using AI technologies, particularly generative AI tools such as ChatGPT, Gemini, and Grok, it is crucial to:
i. be mindful of sharing personal data,
ii. prefer anonymous use where possible, and
iii. verify the data-sharing permissions of the application.
Key Considerations for Standard Contracts
On 6 February 2025, the DPA issued an announcement outlining key considerations for the preparation and signing process of Standard Contracts (“SCCs”), a commonly used method for cross-border personal data transfers. This announcement addresses common mistakes encountered by the DPA in practice.
The following points are highlighted in the announcement:
- language requirements;
- verification of the signatory's authorisation;
- notification deadline of SCCs;
- accuracy of party information;
- unauthorised modifications.
You can find our article here for full details of this announcement.
New Guidelines on the Processing of Sensitive Personal Data
On 26 February 2025, the DPA issued a new guideline regarding the processing of sensitive personal data (“Guideline”). This Guideline provides guidance for data controllers to ensure compliance with the recent amendment to Turkish Data Protection Law No. 6698 ("DP Law").
Within the Guideline, the following points are highlighted:
i. The scope of sensitive personal data:
Sensitive personal data is specifically outlined in Article 6 of the DP Law and includes information that could lead to discrimination or harm for the individual. The following categories are considered sensitive personal data:
- health data;
- sexual life;
- biometric data;
- philosophical beliefs;
- clothing and attire;
- genetic data;
- race and ethnic origin;
- political opinions;
- membership in associations, foundations, or trade unions;
- religion, sect, or other beliefs;
- criminal convictions and security measures.
It is important to note that nationality or citizenship status is not considered sensitive personal data, unlike race. Additionally, if a person is apolitical, this falls under "political opinion," making it sensitive personal data. Similarly, if someone does not belong to any religion, this is classified as "religious belief" and is also sensitive personal data.
Health data includes more than just a person’s current health status. It also covers information that suggests a potential illness or confirms a medical condition. Medical test results, preliminary diagnoses, diagnoses, and treatment records are all considered health data. When it comes to criminal convictions, only finalised sentences are considered sensitive personal data, not all criminal records.
ii. Actions Required for Compliance with the DP Law
The final section of the Guideline offers recommendations for data controllers, including:
- updating the personal data inventory;
- reviewing processes that rely on explicit consent and aligning them with the new legal bases for data processing;
- revising privacy notices to reflect necessary changes;
- updating data retention and deletion policies;
- implementing necessary measures to ensure data security.
You can find our article here for detailed information.
Data Breach Notifications
- Organik Haberleşme Teknolojileri Bilişim Sanayi Ticaret Limited Şirketi notified a data breach caused by a ransomware-attack. Subscribers and members were affected, and their identity and contact information was compromised.
- Afyon Kocatepe Üniversitesi notified a data breach caused by an unauthorised access. Employees, users, customers and students were affected, and their identity, contact information and visual and audio records were compromised.
- Asilkar Hızlı Kargo Taşımacılık Ticaret Anonim Şirketi notified a data breach caused by an unauthorised access. The shipment recipient's name, surname, address, and shipment contents were compromised.