April 2025 – March 2025 marked another active month in Türkiye’s data protection, cybersecurity, and digital regulation landscape. The Turkish Personal Data Protection Authority (the “DPA”) released new data breach notifications and approved an international data transfer undertaking. Meanwhile, Türkiye enacted a new Cybersecurity Law, and the Information and Communication Technologies Authority (“ICTA”) proposed a draft regulation targeting OTT service providers, introducing notable obligations related to local presence, data security, and privacy.
Cybersecurity Law No. 7545: A New Era in Digital Defence
On 19 March 2025, Türkiye enacted Cybersecurity Law No. 7545, introducing a comprehensive legal framework aimed at strengthening national cyber resilience. The law aims to protect critical infrastructure, enhance data security, and establish structured incident response mechanisms. Key provisions of the Cybersecurity Law include:
- Cybersecurity Board: Formation of a Cybersecurity Board responsible for coordinating Türkiye’s national cybersecurity policies and strategies.
- Critical Infrastructure Protection: Mandated implementation of stringent security protocols—such as vulnerability assessments and risk analyses—in critical sectors including energy, healthcare, finance, and communication.
- Cyber Incident Response Teams (SOME Teams): Obligation for key institutions to establish dedicated teams to detect and mitigate cyber threats.
- Compliance and Certification: Obligation for cybersecurity service providers to obtain certification from the Cybersecurity Board to ensure compliance with standardised security practices.
- Data Privacy: Emphasis on stringent data protection measures, ensuring the confidentiality and integrity of sensitive information.
- Mergers and Acquisitions Oversight: Necessity for companies operating in the cybersecurity sector to notify and/or obtain approval from the Cybersecurity Presidency for mergers, divisions, share transfers, or sales.
You can find our detailed review on Cybersecurity Law here.
Proposed OTT Regulation: What Global Platforms Must Know
On 24 March 2025, the ICTA announced proposed amendments to the Authorisation Regulation in the Electronic Communications Sector targeting over-the-top (OTT) service providers—namely, platforms offering communication services over the internet independently from telecom operators.
The draft regulation defines OTT services as communication services involving interpersonal voice, written, or visual communications provided via publicly available software, independent of the underlying internet service or network operator.
The draft regulation aims to introduce several significant obligations for OTT service providers—obligations that are considered essential for the continuation of their operations in Türkiye. Accordingly:
- Local Presence Requirement: The proposed changes would require platforms such as WhatsApp, Facebook, WeChat, and TikTok to establish a legal presence in Türkiye by 1 January 2026. Non-compliance may result in bandwidth throttling and administrative fines up to TRY 30 million (approx. EUR 720,000).
- Direct Blocking Authority: The ICTA would gain authority to block access to services in situations deemed critical to the public interest.
- Data Protection Provisions: The draft regulation grants the ICTA the discretion to impose additional requirements related to information security and personal data protection.
The draft regulation is open for public consultation until 28 April 2025. You can access it (in Turkish only) here.
DPA Approves International Data Transfers for VF Ege Giyim
On 13 March 2025, the DPA announced approval of three cross-border data transfer undertakings submitted by VF Ege Giyim. After review, the DPA found no procedural or substantive deficiencies, officially granting permission for the said transfers effective 12 March 2025.
DPA Releases 7th Bulletin: AI, Cooperation, and Data Day Highlights
The DPA published the 7th edition of its bulletin on 17 March 2025, covering developments from December 2024 to February 2025. The issue features:
- International cooperation under Convention 108,
- An official visit by the Georgian Personal Data Protection Authority to the Turkish DPA,
- Events celebrating Data Protection Day on January 28,
- Evaluations on the intersection of artificial intelligence and privacy.
A standout feature was the event titled “44 Years of Data Protection: The Age of Artificial Intelligence from a Privacy Perspective,” where representatives from the Ministry of Justice, academia, and both public and private sectors shared insights on the evolution of Türkiye’s privacy framework in light of emerging technologies like AI.
Data Breach Notifications
- Anadolu Anonim Türk Sigorta Şirketi notified the DPA that a breach affected customers’ personal data. Accordingly, customers’ identity, contact health and insurance-related data were compromised.
- Bilfen Eğitim Kurumları notified the DPA regarding unauthorised access to personal data of students, student parents, and employees. Identity, contact, health, transaction security data, professional information and audio/visual recordings were affected.
- TurkNet İletişim Hizmetleri notified the DPA of a breach that affected customers and members personal data. Accordingly, identity, contact, customer information and transaction security-related data were compromised.
- Nevşehir Hacı Bektaş Veli University notified the DPA regarding an unauthorised access of personal data of students and employees.