NEWS & INSIGHTS

Latest

Insights October 2025

A New Era for Cybersecurity in Türkiye: Appointment of First Head of Cybersecurity Announced

On 24 October 2025, Ümit Önal was appointed as the head of Türkiye’s Cybersecurity Presidency, pursuant to Articles 2 and 3 of Presidential Decree No. 3, as published in the Official Gazette No. 33057. What regulations have been in place so far? Türkiye’s primary cybersecurity framework is established under Law No. 7545 on Cybersecurity ("Cybersecurity Law"), which sets out the key principles and obligations in the field of cybersecurity. The Cybersecurity Law, effective since 19 March 2025, established the Cybersecurity Presidency (in Turkish: Siber Güvenlik Başkanlığı) as an independent authority to oversee the implementation of national cybersecurity policy. However, until this appointment

Insights October 2025

Quick Read: Data Protection Law Updates in Türkiye – September 2025

In September 2025, the Turkish Personal Data Protection Authority (the “DPA”) issued one decision, organised several events, and announced one data breach notification. Below is a summary of key developments. New Exemption Criteria for VERBIS Registration On 4 September 2025, the DPA published Decision No. 2025/1572 (the “Decision”), introducing a new exemption from the requirement to register with the Data Controllers’ Registry (“VERBIS”). Under this Decision, data controllers whose main activity involves processing sensitive (special category) personal data are exempt from VERBIS registration if they employ fewer than 10 people and have an annual balance sheet total below TRY 10 million (approx.

Insights October 2025

New Exemption Criterion for the VERBIS Obligation

October 2025 – With Decision No. 2025/1572 (the “Decision”) of the Personal Data Protection Authority (the “Authority”), published in the Official Gazette dated 1 October 2025, a new exemption criterion was announced regarding the scope of data controllers subject to the obligation to register with the Data Controllers’ Registry (“VERBIS”). The Authority had previously provided that data controllers whose main activity is the processing of special categories of personal data were subject to the VERBIS obligation without any exemption. With the published Decision, despite their main activity being the processing of special categories of personal data, those with fewer than 10 employees and an annual balance sheet total of less than 10 million Turkish Lira, natural

Insights October 2025

Update on VERBIS Registration in Türkiye: New Exemption Criterion

With the Decision of the Turkish Personal Data Protection Authority (“DPA”) numbered 2025/1572 (“Decision”), published in the Official Gazette dated 1 October 2025, a new exemption criterion has been introduced regarding the scope of data controllers obliged to register with Türkiye’s Data Controllers’ Registry (“VERBIS”). Previously, the DPA stipulated that data controllers whose main activity involves the processing of special categories of personal data were subject to VERBIS registration without exemption. With the newly published Decision, data controllers (natural or legal persons) whose main activity involves the processing of special categories of personal data, but who employ fewer than

Insights September 2025

Quick Read: Data Protection Law Updates in Türkiye – August 2025

In August 2025, the Turkish Personal Data Protection Authority (the ‘DPA’) published one announcement, issued two global updates bulletins, organised two seminars, and disclosed two data breach notifications. DPA Announcement: Unlawful Sharing of Debtors’ Relatives’ Contact Information On 20 August 2025, the DPA published an announcement entitled “Public Announcement Regarding the Sharing of Debt Information by Accessing the Telephone Numbers of Relatives of Individuals Who Owe Money, as Provided by Creditors’ Representatives.” In its announcement, the DPA states that when creditors’ attorneys or representatives access the contact details of debtors’ relatives and disclose debt-related

Insights August 2025

Quick Read: Data Protection Law Updates in Türkiye – July 2025

In July 2025, the Turkish Personal Data Protection Authority (the ‘DPA’) published several bulletins, organised two seminars, and announced three data breach notifications. Selected Global Updates Bulletins On 1 July 2025, the DPA published its 45th Selected Updates Bulletin, covering recent global developments in data privacy, technology, and artificial intelligence. Key highlights included: the UK’s adoption of comprehensive amendments to its data protection legislation; annual reports and AI-related guidance issued by the Irish and French authorities; the OECD’s emphasis on privacy-enhancing technologies in AI systems; the introduction of new U.S. rules on children’s

Insights July 2025

Quick Read: Data Protection Law Updates in Türkiye – June 2025

In June 2025, the Turkish Personal Data Protection Authority (the “DPA”) organised several events, announced five data breach notifications, and published one principal decision. In addition, two other regulatory developments were introduced. The first strengthened oversight of electric vehicle advertising to ensure transparency and prevent misleading claims. The second established a national monitoring framework for digital accessibility compliance. Turkish DPA flags mandatory SMS verification in purchases On 26 June 2025, the DPA issued its Principle Decision No. 2025/1072, addressing the widespread use of mandatory SMS verification codes during consumer transactions such as registration, payment, and

Insights June 2025

Heightened Regulatory Scrutiny on Electric Vehicle Advertisements in Türkiye

On 12 June 2025, the Turkish Ministry of Trade’s Advertising Board (“Board”) intensified its oversight of commercial advertising practices, with a particular focus on electric vehicle (“EV”) promotions. During its 358th meeting, the Board reviewed 103 cases, 92 of which were found to be in breach of advertising regulations. As a result, the Board: issued suspension orders for the non-compliant advertisements, imposed administrative fines totalling TRY 15.8 million (approx. EUR 340,000), and ordered access restrictions for eight cases. Enforcement Summary – First half of 2025 In the first six months of 2025, the Board reviewed 838 advertising cases, finding 753

Insights June 2025

Turkish DPA flags mandatory SMS verification in purchases

On 26 June 2025, the Turkish Personal Data Protection Authority (“DPA”) published its Principle Decision numbered 2025/1072 (“Principle Decision”) in light of the widespread use of mandatory SMS verification codes requested from data subjects (e.g., consumers) during various product and service transactions (e.g., payment, registration, or membership processes). The DPA underlined the non-compliance risk of such SMS verification processes under the Personal Data Protection Law No. 6698 (“DP Law”) and cautioned that data controllers could be subject to sanctions. Background Numerous complaints were submitted to the DPA concerning service providers (e.g., retail stores) that request data subjects’

Insights June 2025

Quick Read: Data Protection Law Updates in Türkiye – May 2025

In May 2025, the Turkish Personal Data Protection Authority (the “DPA”) organised and/or participated in both local and international events and announced four data breach notifications. DPA Event Highlights 1. Conference on European Data Protection Authorities The President of the DPA attended the 33rd Conference of European Data Protection Authorities held between 6–9 May. The conference featured panels on various topics including the impact of emerging technologies—particularly artificial intelligence—on personal data protection, the importance of international cooperation in the field of data protection, and the protection of children's personal data. 2. 2nd National Symposium on the Protection

Insights May 2025

New Guidelines on Personal Data Protection in the Payment and e-Money Sector

On 11 April 2025, the Turkish Data Protection Authority (“DPA”) and the Turkish Payment and Electronic Money Institutions Association released the Best Practices Guidelines on the Protection of Personal Data in the Payment and Electronic Money Sector (“Guidelines”). This is the first set of sector-specific guidance in Türkiye addressing how personal data should be processed within the payment and e-money ecosystem. The Guidelines serve as a practical tool for data controllers and data processors to ensure compliance with Turkish Law No. 6698 on the Protection of Personal Data (the "DP Law"). Click on the image below or use the following link to read our overview in Turkish.

Insights April 2025

Quick Read: Data Protection Law Updates in Türkiye – March 2025

March 2025 marked another active month in Türkiye’s data protection, cybersecurity, and digital regulation landscape. The Turkish Personal Data Protection Authority (the “DPA”) released new data breach notifications and approved an international data transfer undertaking. Meanwhile, Türkiye enacted a new Cybersecurity Law, and the Information and Communication Technologies Authority (“ICTA”) proposed a draft regulation targeting OTT service providers, introducing notable obligations related to local presence, data security, and privacy. Cybersecurity Law No. 7545: A New Era in Digital Defence On 19 March 2025, Türkiye enacted Cybersecurity Law No. 7545, introducing a comprehensive legal framework aimed