Read the full report here: https://gun.av.tr/annual-reviews/data-protection-and-privacy-law-in-turkiye-key-developments-and-predictions-2025


In this year’s report, we focus on the latest developments in the field of personal data protection, recent decisions, and published guidelines, as well as the fundamental regulations and principles of personal data protection law. Additionally, we analyse key developments in Turkiye, current significant issues in this area, and expectations, evaluations, and trends for the future.


The year 2024 has once again been marked by significant developments in personal data protection. We have witnessed the long-anticipated amendments to the Law on the Protection of Personal Data No. 6698 (“Law”) coming into effect, secondary legislation efforts, and the Personal Data Protection Authority’s (“Authority”) guidance and publications aimed at providing direction to data controllers. Additionally, efforts were made to enhance awareness and effectiveness in personal data protection, ensure the effective implementation of the Law, and establish the proper relationship between the Law and other legal fields it intersects with, particularly competition law.


With the impact of regulations in the EU resonating in our country, discussions surrounding artificial intelligence (AI), although not yet at the desired level of maturity, gained more prominence in 2024. In the new digital era that has taken hold worldwide, the steps to be taken in personal data protection and how to strike a balance between technology and privacy will continue to be key topics on the agenda in the coming years.


While we continue to witness positive developments each year in terms of compliance with the Law, the amendments introduced in 2024 made the second half of the year particularly intense for data controllers, as they focused on extensive compliance efforts, especially regarding cross-border data transfers.


Digital platforms, which play an increasingly central role in users’ lives and pose privacy threats and risks due to large-scale data collection, processing, and sharing, remain a focal point for the Personal Data Protection Board (“Board”), as they do worldwide. With the growth of the digital economy, the data collection and processing activities of digital platforms have created a significant intersection between data protection and competition law. Notably, the competition investigation conducted by the Turkish Competition Authority against social network provider META is expected to have implications in the field of personal data protection as well.


The statistics in the information note published by the Board regarding its activities in 2024 indicate an increase in the number of notices, complaints, and applications compared to the previous year. While the Board continued its examinations intensively throughout 2024, only two of its decisions were publicly announced.


As a result of emerging practical needs and the objective of aligning the Law with the European Union’s General Data Protection Regulation (“GDPR”), significant legislative amendments were introduced in the field of personal data protection in 2024. The amendments, which came into force on June 1, 2024, marked the beginning of a new era in personal data protection, with compliance required by September 1, 2024. Within this framework, the “Regulation on the Procedures and Principles for Cross-Border Transfers of Personal Data” was published on July 10, 2024. The limited timeframe for compliance has posed challenges for both data controllers and practitioners, and for many data controllers, the compliance process is still ongoing.


In 2024, the Board continued to publish various guidelines, documents, and information notes to raise awareness in the field of data protection and provide guidance to practitioners. The Guideline on the Processing of Turkish Republic Identity Numbers outlined key considerations regarding the processing of Turkish ID numbers, which, due to their potential to grant access to other personal data, could lead to significant risks and harm if mishandled. Meanwhile, the Guideline on the Protection of Personal Data in Election Activities reminded public authorities, political parties, candidates, and voters of their obligations and rights under the Law. Additionally, the Authority published several informative materials aimed at practitioners, including the Deepfake Information Note, the Information Note on the Legal Basis for Personal Data Processing Stipulated by Law, the Information Note on the Temporal Application of Misdemeanors under Law No. 6698, the Information Note on Chatbots (Example: ChatGPT), and the Most Common Mistakes in Complaints and Notifications Submitted to the Board. These publications provided practical insights to help ensure compliance with data protection regulations.


As part of cross-border data transfers, the Standard Contract Notification Module system was established, allowing data controllers to electronically notify the Authority of standard contractual clauses, which are one of the appropriate safeguards regulated under the Law.


In 2024, the Board imposed administrative fines totaling 552,668,000 Turkish liras, with the majority of these penalties being issued against data controllers who failed to fulfil their obligation to register with the data controllers’ registry and submit the required notifications despite being subject to this requirement.


In its Public Announcement regarding the Data Controllers’ Registry published in August 2024, the Authority stated that the Board had initiated ex officio investigations into data controllers who failed to fulfil their registration and notification obligations. As of August 1, 2024, the Board had imposed 503,935,000 Turkish liras in administrative fines on both domestic and foreign natural and legal person data controllers who were subject to this obligation but had not complied.

As a result of the developments regarding cross-border data transfers, a total of 1,345 standard contracts were notified to the Board in 2024 (based on the Authority’s records for the June–December period). These figures indicate that compliance efforts are still ongoing among data controllers.