Personal Data Protection Authority Publishes Regulations on the Personal Data of Accident Victims and Municipal Live Streaming Practices
The Personal Data Protection Authority (Authority) has published two significant public announcement shaping the implementation of personal data protection legislation.
In this context, the Authority published its Public Announcement on the Live Streaming Practices Conducted by Municipalities for Tourism Promotion Purposes (Public Announcement) on 23 June 2026. The Public Announcement assesses live streaming activities conducted by municipalities in public spaces for tourism promotion purposes under the Personal Data Protection Law No. 6698 (KVKK) and clarifies the applicable legal bases for processing personal data as well as the obligations of data controllers in relation to such activities.
In addition, the Principle Decision on the Processing of Personal Data of Accident Victims dated 20 May 2026 and numbered 2026/1095 (Principle Decision) was published in the Official Gazette dated 1 July 2026 and numbered 33297. The Principle Decision addresses practices involving the unlawful access to and processing of the personal data of accident victims and sets out the obligations of data controllers, as well as the principles governing the protection of data subjects.
Public Announcement on the Live Streaming Practices Conducted by Municipalities for Tourism Promotion Purposes
- The Public Announcement states that live streaming activities constitute the processing of personal data under the KVKK. It stated that images broadcast live over the internet from public spaces, such as streets, squares, parks and waterfronts, by municipalities for tourism promotion purposes constitute the processing of personal data, as they reveal the faces of individuals and vehicle licence plates. The Public Announcement further clarifies that the absence of recording does not alter this assessment.
- In this regard, the legal basis and proportionality of the live streaming activities have been assessed within the scope of the Public Announcement. Additionally, the Public Announcement states that, although the Municipal Law No. 5393 grants municipalities the authority to provide tourism promotion services, it does not constitute an explicit legal basis for the live broadcasting of images of individuals. It further emphasises that, where personal data is processed on the basis of the data controller’s legitimate interests, a fair balance must be struck between the legitimate interests of the data controller and the fundamental rights and freedoms of data subjects, and concludes that live streaming activities conducted in areas where individuals have a reasonable expectation of privacy may be considered contrary to the principle of proportionality.
- The Authority stated that tourism promotion activities should be carried out in a manner that does not enable the identification of individuals and that the same objective may be achieved through the use of images that do not contain personal data or other alternative methods that do not permit individuals to be identified.
- The obligations of data controllers and the risk of administrative sanctions have been reiterated. The Public Announcement further states that municipalities should review their existing live streaming activities in line with these assessments and take the necessary measures, failing which administrative sanctions may be imposed pursuant to Article 18 of the KVKK.
Principle Decision on the Processing of Personal Data of Accident Victims
- The Principle Decision states that activities involving the unlawful access to and use of the personal data of accident victims may fall within the scope of the restrictions set out under the Attorneyship Law No. 1136, as well as Additional Article 6 of the Insurance Law No. 5684. It further stated that, depending on the circumstances of the case, such activities may also constitute a criminal offence under the Turkish Criminal Code and may therefore be reported to the relevant competent authorities.
- The Principle Decision further provides that, where claims management companies unlawfully access personal data processed through various channels within the insurance sector, or where loss adjusters, loss adjustment companies, attorneys or law firms exceed the limits of their authority and process personal data without relying on any of the legal bases set out under the KVKK, data subjects may lodge a complaint with the Personal Data Protection Board, provided that the relevant party can be identified as a data controller.
- The Principle Decision emphasises that the processing of personal data by loss adjusters must remain limited to the performance of their statutory duties under the Insurance Law No. 5684, including loss assessment, reporting and the handling of compensation procedures. Accordingly, loss adjusters are required to use personal data entrusted to them solely for the purposes of carrying out their duties, refrain from sharing such data with unauthorised third parties, and comply with their professional duty of confidentiality.
- The Principle Decision further stated that personal data relating to accident victims may only be processed for limited purposes, including conducting judicial and/or administrative investigations, providing medical treatment to victims and repairing vehicles involved in the accident. It also emphasises that such personal data must not be used for purposes extending beyond the management of post-accident processes.
- The Principle Decision reiterates that data controllers processing the personal data of accident victims must implement the technical and organisational measures required under Article 12 of the KVKK. These include, in particular, providing employees with training and awareness programmes on the protection of personal data, restricting access to personal data in accordance with the principle of least privilege, and establishing role-based access controls and monitoring mechanisms.
- Finally, the Principle Decision stated that data controllers found to be acting contrary to the requirements set out therein may be subject to administrative sanctions pursuant to Article 18 of the KVKK.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
The Regulation Amending the Regulation on Personal Health Data (Amending Regulation) was published in the Official Gazette dated 4 July 2026 and numbered 33300 and entered into force on the date of its publication…
The Constitutional Court’s decision dated 27 January 2026 and numbered 2020/32193 concerning the application of Viennalife Emeklilik ve Hayat A.Ş. was published in the Official Gazette dated 16 June 2026 and numbered 33282…
On 8 June 2026, the Turkish Personal Data Protection Authority (Authority) published its “Public Announcement on Matters to Be Considered in the Use of Security Camera Systems in Apartment Buildings”, clarifying the fundamental principles and obligations…
The Personal Data Protection Authority (Authority), through its “Public Announcement on Matters to be Considered in the Use of Security Camera Systems in Workplaces” published on 8 June 2026, clarified the fundamental principles and obligations to be…
The Personal Data Protection Board’s (Board) Principle Decision No. 2026/921 dated 29 April 2026 on the “Processing of Biometric Data for Attendance Tracking” was published in the Official Gazette dated 2 June 2026 and numbered 33268. The Principle Decision…
The annual report (Report) regarding the 2025 activities of the Personal Data Protection Authority (Authority) published on the Authority’s official website. The Report includes detailed explanations regarding the decisions and principle decisions of the Personal…
Significant amendments are introduced to the Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through Such Publications (Law No. 5651) by the Law No. 7578 published in the Official Gazette dated 1 May 2026…
Corporate tax returns for the 2025 fiscal year of taxpayers subject to the calendar year basis were submitted between 1-30 April 2026. Pursuant to the Personal Data Protection Board’s (Board) decision numbered 2023/1154 and dated 06/07/2023, companies with…
The “Principle Decision on the Posting of Debt Information of Apartment/Site Residents in Common Areas” (Principle Decision), dated 18 February 2026 and numbered 2026/348, issued by the Personal Data Protection Board (Board), was published in the Official…
The Principle Decision of the Personal Data Protection Board (Board) dated 18.02.2026 and numbered 2026/347, titled “Principle Decision on the Requirement for Data Controllers to Prepare Explicit Consent and Privacy Notices Separately,” published in the…
With its decision dated 25 December 2025, File No. 2025/141, Decision No. 2025/274, published in the Official Gazette dated 18 March 2026 and numbered 33200, the Constitutional Court annulled certain provisions of the Criminal Procedure Code No. 5271 concerning…
In its recent public announcement, the Personal Data Protection Authority (Authority) has clarified certain ambiguities encountered in practice regarding the notification of personal data processed within the scope of activities carried out under structures such as joint…
The Personal Data Protection Authority (Authority) published a document titled “Agentic AI” considering recent developments in artificial intelligence technologies. The document discusses the main characteristics of agentic AI systems, the AI agents used within these…
On 05.03.2026, the Personal Data Protection Authority (“Authority”) published a document titled “Use of Generative Artificial Intelligence Tools in Workplaces.” The document aims to raise awareness particularly regarding the use of generative artificial intelligence tools…
The Personal Data Protection Board (Board)’s Principle Decision dated 11.02.2026 and numbered 2026/266, titled “Principle Decision on the Use of a Loyalty Card Holder’s Mobile Phone Number or Loyalty Card Number by a Third-Party During Shopping,” was…
On 26.02.2026, the Personal Data Protection Authority (Authority) published an announcement titled “QR Codes and Emerging Risk: Quishing”. The announcement comprehensively addresses the nature of quishing attacks carried out through QR codes, how such…
The Personal Data Protection Authority (Authority) published a public announcement on 29.01.2026, following complaints that public employees were being forced to use foreign-origin messaging applications such as WhatsApp in administrative tasks and that official…
The Public Announcement (Announcement) regarding the Decision of the Personal Data Protection Board (Board) dated 25.12.2025 and numbered 2025/2451 (Decision) was published on 20.01.2026…
The Personal Data Protection Authority (Authority) published a Public Announcement (Announcement) on 14 January 2026 regarding push notifications sent to users via mobile applications…
The Public Announcement (Announcement) regarding the application principles of the Personal Data Protection Board’s (Board) decision dated 04.09.2025 and numbered 2025/1572 was published on 12.01.2026…
The Personal Data Protection Authority published the table showing the amounts of administrative fines imposed within the scope of Article 18 of the Personal Data Protection Law No. 6698 (the Law) increased by the revaluation rate for 2026 in its announcement dated December 31, 2025…
With Law No. 7571 (Law), published in the Official Gazette dated 25.12.2025 and numbered 33118, an amendment has been made to Law No. 6493 on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions…
The Principle Decision dated 06.11.2025 and numbered 2025/2120 (Principle Decision) of the Personal Data Protection Board (Board) regarding the processing of photocopies of Turkish identity cards of individuals in the accommodation...
The Personal Data Protection Authority has published a new guide titled “Guide on Generative Artificial Intelligence and the Protection of Personal Data (In 15 Questions)” (Guide) with the aim of evaluating generative artificial intelligence technologies in terms of personal data protection...
Under the Regulation Amending the Regulation on Private Health Insurance (Amending Regulation), published in the Official Gazette dated 20 October 2025 and numbered 33053, extensive amendments have been introduced to the Regulation on Private Health Insurance (Regulation). Within this framework, the...
Under the Personal Data Protection Board’s Decision dated September 04, 2025, and numbered 2025/1572 (Board Decision), the exemption criteria regarding the obligation of data controllers whose main field of activity involves processing special categories of personal data to register with the Data Controllers’...
According to the public announcement published by the Personal Data Protection Authority (Authority), several complaints have been submitted indicating that creditors’ attorneys accessed the phone numbers of relatives of indebted individuals and shared the debt-related personal data of those individuals via phone...
The Personal Data Protection Authority (Authority) has updated the Guide on Cookie Practices, which provides practical recommendations for data controllers processing personal data through cookies on desktop and mobile websites as well as web-based applications...
The Principle Decision of the Personal Data Protection Board (the Board) dated June 10, 2025 and numbered 2025/1072 (the Decision) was published in the Official Gazette dated June 26, 2025 and numbered 32938. The Decision, which includes key findings and obligations regarding the processing of personal data...
The Personal Data Protection Authority (Authority) has updated its publications such as guidelines, assessments and recommendations in line with recent developments in the field of personal data protection...
The Personal Data Protection Authority (the Authority) has published a public announcement on the Use of the Revenue Administration's E-Notification System for Serving Administrative Fines (the Announcement) concerning the method of serving administrative fines imposed under Article 18 of the Personal Data...
The Personal Data Protection Authority (Authority) has updated its publications such as guidelines and recommendations in line with recent developments in the field of personal data protection. The updated publications are summarized below...
The Good Practice Guideline on the Protection of Personal Data in the Payment and Electronic Money Sector (Guideline) is published on 11.04.2025 on the website of the Turkish Personal Data Protection Authority (Authority)...
The Guide on Processing Special Categories of Personal Data (Guide), prepared by the Personal Data Protection Authority (Authority), was published on February 26, 2025...
The Personal Data Protection Authority (the Authority) has published a public announcement regarding the rules to be followed in terms of content and format for standard contracts, which are...
The Personal Data Protection Authority (Authority) has published the Public Announcement on the Fulfillment of the Obligation of Information within the Scope of Mediation Activities (Announcement)...
The Banking Sector Best Practices Guide on Personal Data Protection (Guide), prepared in collaboration with the Personal Data Protection Authority (Authority) and the Banks Association of Turkey, has been updated. The Guide has been aligned with the amendments made to the Code of Criminal Procedure...
The Personal Data Protection Authority (Authority) published the Guide on Cross-Border Transfer of Personal Data (Guide) prepared by the Authority, on 2 January 2025. The Guide details the implementation principles and procedural requirements introduced by the comprehensive amendments to Article 9 of...
The Personal Data Protection Authority (Authority) has published the Information Note (Information Note) on the Application of Misdemeanors in Terms of Time Under the Amendments to the Personal Data Protection Law No. 6698 (KVKK) dated 2 March 2024...
On 08.11.2024, the Personal Data Protection Authority published an Information Note on Chatbots (Example: Chatgpt) (Information Note). According to the Information Note, a chatbot is software that attempts to simulate human conversation with the end-user through an interface, performing tasks and instructions...
By Article 9 of the Law No. 6698 on the Protection of Personal Data (the "Law"), titled "Transfer of Personal Data Abroad," significant amendments have been made by the Law on Amendments to the Criminal Procedure Code No. 7499 and Certain Other Laws. Within the scope of these amendments, "standard...
On 26.08.2024, the Personal Data Protection Authority published a Public Announcement on “Personal Data Processing Activities of Research Companies Using ‘Random Number Dialing and Telephone Interview Method’ for Statistical Research”...
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (Regulation) entered into force through publication in the Official Gazette dated 10.07.2024 and numbered 32598. Important regulations are as follows...
On 17.05.2024, the Turkish Personal Data Protection Authority (Authority) released the draft documents concerning standard contracts and binding corporate rules, which are stipulated as appropriate safeguards for cross-border transfer under the amendments to the Law No. 6698 on the Protection of Personal Data...
On 09.05.2024, the Turkish Personal Data Protection Authority (Authority) published the Draft Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad (Draft) and opened the Draft for public opinion and assessment. In this context, opinions and suggestions regarding the...
On 18.04.2024, it was announced that a cooperation protocol (Protocol) was signed between the Turkish Personal Data Protection Authority and the Personal Data Protection Board of the Turkish Republic of Northern Cyprus...
The Law on Amendments to the Code of Criminal Procedure and Certain Acts numbered 7499 (Law), including Amendments to the Law on Personal Data Protection numbered 6698 (LPDP) was published in the Official Gazette dated 12.03.2024 and numbered 32487...
On 16.02.2024, the Justice Committee of the Turkish Grand National Assembly (TBMM) received the bill (Bill) on the long-awaited amendment to the Law on Personal Data Protection No. 6698 (LPDP). It can be said that the Bill, which introduces regulations similar to the European Union General Data Protection...
On 12.02.2024, the Information Note on Processing of Personal Data on the Legal Ground of Being Stipulated by Laws (Information Note) was published. The Information Note aims to clarify the scope and meaning of the personal data processing legal ground of “being expressly stipulated by law” in Article 5/2(a) of...
On 24.01.2024, the Personal Data Protection Authority published the Guidelines on the Protection of Personal Data in Election Activities (Guidelines). The Guidelines aim to remind public administrations, political parties, candidates, and voters involved in election activities of their obligations or rights under...
On 19.01.2024, the Personal Data Protection Authority published the Deepfake Information Note (Information Note). The purpose of the Information Note is to provide a better understanding of what Deepfake technology is, which is formed from the words deep learning and fake. The key points in the Information Note...
On 16.01.2024, the Personal Data Protection Authority published Guidelines on the Processing of Republic of Türkiye Identity Numbers (Guidelines). The purpose of the Guidelines are to provide guidance to data controllers by setting out the provisions of the legislation envisaging the processing of Turkish...
The Decision of the Personal Data Protection Board Regarding the Exemption of Village Legal Entities from the Registration Obligation in the Data Controllers Registry, dated 14/12/2023 and numbered 2023/2135 (Decision) is published in the Official Gazette dated 12.01.2024 and numbered 32427...
The Personal Data Protection Authority has published a public announcement dated 13.11.2023 regarding the personal data processed in order to send a verification code via SMS to the data subjects during the transactions at the cash register following shopping. You may find a brief explanation of the...
With the decision of the Personal Data Protection Board (Board) dated 06.07.2023 and numbered 2023/1154, the “annual financial balance sheet total” adopted by the Board as an exception criteria to the obligation to register to the Data Controllers’ Registry has been increased from 25 million Turkish Liras to...
The decision by the Irish Data Protection Authority (Authority) dated 12.05.2023 on Meta Platforms Ireland Limited (Meta Ireland) (Decision) has been announced on 22.05.2023. Pursuant to the Decision, an administrative fine of 1.200.000.000 Euros was imposed on Meta Ireland...
The Regulation on the Collection, Storage and Sharing of Insurance Data (Regulation) entered into force through publication in the Official Gazette dated 18.10.2022 and numbered 31987. Some of the important provisions introduced by the Regulation are summarized...
On 05.08.2022, the Personal Data Protection Authority (“Authority”), published Guideline on Banking Sector Good Practices Regarding the Personal Data Protection (“Guideline”). The purpose of the Guideline is guiding data controller banks regarding the personal data processing activities carried out...
On 14.07.2022, the European Parliament Research Service published a briefing (“Briefing”) for the impact assessment (“IA”) of the regulation of the European Parliament and the European Council on harmonised rules on fair access to and use of data (“Data Act”), submitted on 23.02.2022...
The Regulation on Processing of Land Registry and Cadastre Data and Transactions Held in Electronic Environment regulating the procedure and principles regarding the process of the data in the Central Database of the General Directorate of Land Registry and the transactions held in electronic...
The Regulation on Process and Protection of Personal Data by the Social Security Institution (“Regulation”) entered into force through its publication in the Official Gazette dated 19.02.2022 and numbered 31755.
Regulation on Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector was Published
The Personal Data Protection Board Ex-Officio Initiated An Investigation against WhatsApp
The Personal Data Protection Authority’s New Resolution
The Board’s Decision Regarding Registration Obligation of Commercial Enterprises Affiliated to Associations, Foundations and Unions to the VERBIS has been Published
The Personal Data Protection Board Announced Its Decision Regarding the WhatsApp Investigation Initiated Ex-Officio