NEWS & INSIGHTS
Up-to-date.

Latest

Insights June 2025

Quick Read: Data Protection Law Updates in Türkiye – May 2025

In May 2025, the Turkish Personal Data Protection Authority (the “DPA”) organised and/or participated in both local and international events and announced four data breach notifications. DPA Event Highlights 1. Conference on European Data Protection Authorities The President of the DPA attended the 33rd Conference of European Data Protection Authorities held between 6–9 May. The conference featured panels on various topics including the impact of emerging technologies—particularly artificial intelligence—on personal data protection, the importance of international cooperation in the field of data protection, and the protection of children's personal data. 2. 2nd National Symposium on the Protection

Insights May 2025

New Guidelines on Personal Data Protection in the Payment and e-Money Sector

On 11 April 2025, the Turkish Data Protection Authority (“DPA”) and the Turkish Payment and Electronic Money Institutions Association released the Best Practices Guidelines on the Protection of Personal Data in the Payment and Electronic Money Sector (“Guidelines”). This is the first set of sector-specific guidance in Türkiye addressing how personal data should be processed within the payment and e-money ecosystem. The Guidelines serve as a practical tool for data controllers and data processors to ensure compliance with Turkish Law No. 6698 on the Protection of Personal Data (the "DP Law"). Click on the image below or use the following link to read our overview in Turkish.

Insights April 2025

Quick Read: Data Protection Law Updates in Türkiye – March 2025

March 2025 marked another active month in Türkiye’s data protection, cybersecurity, and digital regulation landscape. The Turkish Personal Data Protection Authority (the “DPA”) released new data breach notifications and approved an international data transfer undertaking. Meanwhile, Türkiye enacted a new Cybersecurity Law, and the Information and Communication Technologies Authority (“ICTA”) proposed a draft regulation targeting OTT service providers, introducing notable obligations related to local presence, data security, and privacy. Cybersecurity Law No. 7545: A New Era in Digital Defence On 19 March 2025, Türkiye enacted Cybersecurity Law No. 7545, introducing a comprehensive legal framework aimed

Insights March 2025

New Cybersecurity Law in Türkiye

On 19 March 2025, Türkiye enacted Cybersecurity Law No. 7545 (the “Law”), which introduces comprehensive regulations to enhance cyber resilience in Türkiye. The Law reflects a significant step toward strengthening the security of critical infrastructure, data protection, and incident response mechanisms. Organisations operating in Türkiye must understand these requirements to ensure compliance and mitigate potential risks. What are the main objectives of the Law? The primary objective of the Law is to safeguard Türkiye's national cyber infrastructure against both internal and external threats. The Law emphasises the protection of critical infrastructure, the establishment of response teams, and enhanced

Insights March 2025

Quick Read: Data Protection Law Updates in Türkiye – February 2025

In February, the Turkish Data Protection Authority ("DPA") published a guideline on the processing of sensitive personal data and issued a notice regarding the implementation of standard contractual clauses. Additionally, the DPA shared two informative notes concerning the use of artificial intelligence. The preparation of cyber security legislation also gained momentum in February, as discussions on the draft Cyber Security Law began in the General Assembly of the Grand National Assembly of Türkiye. AI Applications are Under Radar of the DPA Through its social media account, the DPA published two information notes in February, "Recommendations for the Protection of Personal Data in the Use of AI" and "Key

Insights March 2025

Key Considerations for Standard Contracts

March 2025 – With its announcement dated 6 February 2025, the Personal Data Protection Authority (the “Authority”) shared the points to be considered in the preparation and signing processes of Standard Contracts in order to remedy errors encountered in practice. According to the announcement, Standard Contracts must be prepared with attention to the points below and submitted to the Authority within five business days after signing. It was emphasised that Standard Contracts that do not comply with these points will not be considered valid. Signature requirement: The Standard Contract must be signed by the data transfer parties or their authorised representatives. A missing signature

Insights March 2025

Key considerations for standard contracts

The Personal Data Protection Authority (“DPA”) issued an announcement on February 6, 2025, outlining key considerations for the preparation and signing processes of Standard Contracts (“SCC”) to address common errors encountered in practice. According to the announcement, SCCs must be prepared in compliance with the specified requirements and submitted to the DPA within five business days after signing. It was emphasized that SCCs failing to meet these criteria will not be considered valid. Following the review of Standard Contracts submitted to the DPA, the key considerations have been identified as follows: Signature requirement: The SCC must be signed by the data transfer parties

Insights February 2025

Quick Read: Data Protection Law Updates in Türkiye – January 2025

As 2025 begins, Türkiye continues to strengthen its data protection framework with new regulatory updates and strategic initiatives. The Turkish Data Protection Authority ("DPA") and the Turkish president have introduced significant measures affecting multiple sectors. Key updates from January include: the Turkish president established the Cybersecurity Presidency; the National Intelligence Service carried out a cybersecurity operation against unauthorised data access; the DPA clarified obligations for data processing in mediation activities; the DPA updated the Guidelines on Banking Sector Best Practices; the DPA signed a cooperation protocol with the Turkish Capital Markets Board;

Insights January 2025

Quick Read: Data Protection Law Updates in Turkey – December 2024

In this edition of Quick Read, we summarise the latest updates in data protection law and sector news in Türkiye. In the past month, the Turkish Data Protection Authority (“DPA”): released Guidelines on Cross-border Data Flows; issued a memorandum regarding temporal application of the new amendment to the DP Law; published its 2024 Activity Report; announced updated administrative fines for 2025; disclosed two data breaches. New guidelines on cross-border data transfers now available On 2 January 2025, the DPA released updated guidelines on cross-border data transfers (“Guidelines”), providing critical clarity for organisations handling international data

Insights January 2025

Summary of Guidelines on the Transfer of Personal Data Abroad from Türkiye

The Turkish Data Protection Authority has recently published its long-awaited guidelines ("Guidelines") on the conditions for cross-border transfers of personal data. The Guidelines aim to clarify the legal framework for cross-border transfers of personal data, incorporate criteria from European Union regulations and regulators and provide concrete examples. It is crucial for data controllers and processors of personal data with cross-border transfer characteristics to plan their processes in accordance with these Guidelines. Click on one of the images below or use the following links to read our summary in English or in Turkish.

Insights January 2025

Türkiye establishes Cybersecurity Presidency: Paving the way for a secure digital future

In a landmark move, Türkiye has established the Cybersecurity Presidency (in Turkish: Siber Güvenlik Başkanlığı) under a newly published Presidential Decree on 8 January 2025. This development marks a pivotal moment to enhance the digital security infrastructure of Türkiye and reflects a growing recognition of the critical importance of cybersecurity in today’s interconnected world. Below, we provide an overview of the key aspects of this new institution. What is the Cybersecurity Presidency? The Cybersecurity Presidency is a newly established public legal entity affiliated with the Presidency of Türkiye. With its headquarters in Ankara, the institution will have a special budget and a wide-ranging

Insights December 2024

Quick Read: Data Protection Law Updates in Turkey – November 2024

In this edition of Quick Read, we summarise the latest updates on data protection law and sector news in Turkey. In this issue: fines imposed on two social media giants; Turkish Data Protection Authority (“DPA”) releases an informative note regarding ChatGPT; president of the DPA attends the 46th Conference of the Global Privacy Assembly; one data breach is announced. Twitch faces fine of TRY 2 million over massive data breach On 16 November 2024, the DPA imposed an administrative fine of TRY 2 million (approximately EUR 55,000) on the social media platform Twitch due to a significant data breach. This fine consists of: TRY 1.75 million for failing