Personal Data Protection Bulletin - 2025 Third Quarter

24.11.2025

Authors: Sevgi Ünsal Özden, Gülnur Çakmak Ergene, Pelin Mutlu


Current Developments from Türkiye

The Personal Data Protection Authority Updated and Republished Its Guidelines on the Use of Cookies on Websites

In July 2025, the Personal Data Protection Authority (Authority) updated its Guideline on Cookie Practices (Guideline), which was originally published in June 2022. The Guideline aims to provide guidance to data controllers that process personal data through cookies on desktop and mobile websites, as well as web-based applications. In this context, it comprehensively addresses the obligations that data controllers should consider when using cookies, such as obtaining explicit consent, fulfilling the obligation to inform, identifying types of cookies, and processing personal data lawfully.

You can access the updated Guideline published by the Authority in Turkish here.

Key Actions

  • Data controllers should review their cookie policies and cookie management tools used on their websites and mobile applications in line with the updated principles of the Guideline and ensure consistency between cookie types requiring explicit consent and the relevant privacy notices. It is also important that consent mechanisms are designed to provide users with equal access to choices and that pre-ticked consent boxes are removed.

The Authority Published an Announcement on the Processing of Personal Data Belonging to Debtors’ Relatives by Creditors’ Attorneys

The Authority issued an announcement in response to complaints regarding creditors’ attorneys sharing debt-related information about debtors by accessing the phone numbers of the debtors’ relatives. The Authority evaluated that such disclosures would be deemed contrary to the Law on the Protection of Personal Data No. 6698 (KVKK) in cases where explicit consent is not obtained or where none of the lawful processing conditions stipulated under the KVKK are met. Accordingly, the Authority emphasized that personal data belonging to third parties may only be processed without harming fundamental rights and freedoms and within the conditions set forth under the KVKK; that data controllers are obliged to take necessary technical and administrative measures to prevent unlawful access and processing; and that administrative fines may be imposed depending on the nature of the violations.

You can access the public announcement published by the Authority in Turkish here, and our announcement on this matter here.

Harmonization of the KVKK with the EU General Data Protection Regulation to Be Completed in 2026 under the 2026–2028 Medium-Term Program

The Medium-Term Program (2026-2028), which constitutes a core policy document that provides the macroeconomic policy framework with a three-year perspective by ensuring the integrity of objectives, policies, and resources among Türkiye’s development plan, annual program, and central government budget, was published in the Duplicate Official Gazette dated 7 September 2025 and numbered 33010. Accordingly, the efforts to align the KVKK with the European Union General Data Protection Regulation (GDPR) are planned to be completed by the third quarter of 2026. The Program further aims for Türkiye to accede to the Council of Europe Convention 108+ (CETS No. 223), to enact an Artificial Intelligence Law, to adopt framework regulations on artificial intelligence systems, and to join the Council of Europe’s Convention on Artificial Intelligence. In addition, the secondary legislation of the Cybersecurity Law, the enactment of the Open Data Law, and the development of a national data strategy are also included in the agenda.

You can access the Medium-Term Program in Turkish here.

Exemption Criteria for VERBİS Registration Obligation of Data Controllers Whose Main Activity Involves Processing Special Categories of Personal Data Amended

With the decision of the Personal Data Protection Board (Board) dated 4 September 2025 and numbered 2025/1572, the exemption criteria for the obligation of data controllers whose main activity involves processing special categories of personal data to register with the Data Controllers’ Registry Information System (VERBİS) were revised. Accordingly, data controllers with fewer than 10 employees and an annual financial balance sheet total below TRY 10 million are now exempted from the VERBİS registration obligation. In addition, to facilitate data controllers’ registration and notification processes in line with the recent amendments, the “VERBİS Guide” and the “Questions on VERBİS” documents have been updated.

You can access the Board’s decision in Turkish here, the updated VERBİS Guide in Turkish here, the updated Questions on VERBİS document in Turkish here, and our announcement on this matter here.

The Authority Published Its E-Book Titled “An Expert Perspective on Personal Data Protection II”

The Authority has released its e-book titled “An Expert Perspective on Personal Data Protection II: Compilation of Expertise Theses”, which compiles 13 expert theses prepared within the Authority. The publication includes analyses on a broad range of current topics, such as the Authority’s legal status as an independent administrative body, the limits of the right to be forgotten in artificial intelligence (AI) systems, the protection of children’s personal data in the context of social media, administrative fines imposed by data protection authorities in comparative law, data protection regulations in the Asia-Pacific region, digital identity legislation, the comparison of data subject rights under the GDPR and the KVKK, the assessment of legitimate interest, and personal data breach notification procedures.

You can access the e-book published by the Authority in Turkish here.

The Board’s Principle Decisions Booklet Updated

In June 2025, the Authority published an updated version of the Booklet of the Board’s Principle Decisions. The updated booklet includes seven key decisions adopted by the Board between 2017 and 2021, covering matters such as data security on websites and applications providing guidance services, protection of personal data in service areas such as counters, desks and offices, processing of personal data by personnel beyond their authorization, processing activities related to advertising messages and calls, software enabling the unlawful inquiry of personal data, disclosure of third parties’ personal data, and blacklisting practices in the car rental sector.

You can access the e-book published by the Authority in Turkish here.

The Ministry of National Education Published the “Artificial Intelligence Ethics Recommendations” Booklet

The Ministry of National Education (MoNE) published an e-book titled “Artificial Intelligence Ethics Recommendations” within the scope of the AI in Education Policy Document and Action Plan (2025–2029), with the aim of guiding the safe, ethical, and responsible integration of AI technologies into the education system. The study was prepared to enhance awareness among education stakeholders, promote a culture of responsible use, and foster a critical approach to technology. In addition to general recommendations, it includes specific suggestions for developers, manufacturers, and service providers under the headings of Data Protection and Privacy, Transparency and Explainability, Human Oversight and Control, Child Safety, Ethical and Pedagogical Alignment, Accessibility and Inclusiveness, Cooperation with Third Parties, and Ethical Obligation. The booklet also addresses specific recommendations for students, teachers, administrators, and parents.

You can access the e-book published by the MoNE in Turkish here.

A Legislative Proposal Submitted to the Grand National Assembly of Türkiye Suggesting an Exemption for Lawyers under the KVKK

The legislative proposal numbered 2/3268, titled the “Draft Law on the Amendment of the Law on the Protection of Personal Data No. 6698” (Draft Law), has been submitted to the Grand National Assembly of Türkiye. The Draft Law proposes that personal data processed by lawyers in the course of their professional activities be exempted within the scope of Article 28/1-(d) of the KVKK. The Draft Law envisages the insertion of the phrase “lawyers within the scope of their professional activities” into the provision, which currently covers “the processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings”. This amendment aims to eliminate the difficulties that lawyers face in accessing personal data while performing their professional activities due to the provisions of the KVKK. The reasoning of the Draft Law states that this situation affects lawyers’ defense duties and, therefore, undermines the right to a fair trial.

You can access the text of the Draft Law in Turkish here.

Amendments to the Regulation on Private Health Insurance Regarding Personal Data

With the Regulation Amending the Regulation on Private Health Insurance published in the Official Gazette dated 20 October 2025 and numbered 33053, personal data processing procedures within the scope of private health insurance have been aligned with the KVKK. Under the amendment, the provisions regarding data processing, sharing, and retention processes have been updated, while specific regulations have been introduced concerning the conditions for processing health data, the retention period of data following the termination of insurance coverage, and the obligation of confidentiality.

You can access the full text of the Regulation in Turkish here and our announcement on this matter here.

Vehicle Tracking Systems, Cameras, Recording Devices, and Emergency Buttons Made Mandatory for Commercial Vehicles

Significant amendments concerning technical requirements for vehicles under the Highway Traffic Regulation were published in the Official Gazette dated 19 August 2025 and numbered 32991 and entered into force on the same date. Pursuant to the amendments, as of 1 December 2025, it has become mandatory for commercial vehicles such as taxis, minibuses, intra-city buses, school buses, and staff transport vehicles to be equipped with a vehicle tracking system, camera, recording device, and emergency button. As the Regulation requires the continuous processing of image, audio, and location data, it creates an area in which data controllers’ obligations under the KVKK are significantly expanded.

You can access the full text of the amendment of the Regulation in Turkish here.

Key Actions

  • Data controllers engaged in transportation activities should prepare or revise compliance documents such as privacy notices, data retention and destruction policies regarding the processing of in-vehicle image and location data and ensure that the systems operate solely for specific purposes and in accordance with the principle of proportionality.

Biometric Authentication System Made Mandatory for Special Education and Rehabilitation Centers

Amendments to the Regulation on Private Education Institutions of the Ministry of National Education were published in the Official Gazette dated 11 July 2025 and numbered 32953 and entered into force on the same date. Under the new regulation, it has become mandatory, as of 1 December 2025, for special education schools and special education and rehabilitation centers to conduct attendance tracking of individuals with special needs and educational staff through a Biometric Authentication System (BAS). The data obtained through facial recognition technology within the scope of the BAS will be retained for a minimum period of 90 days together with camera system recordings.

Pursuant to the regulation, the biometric data obtained through the BAS may be processed only by providing information to the relevant persons within the scope of the KVKK and by obtaining an informed consent form. All data obtained through this system will be retained in the records of the MoNE and the respective institutions, and the obligations regarding the installation, use, and data security of the system will rest with the institutions.

You can access the full text of the amendment to the Regulation in Turkish here.

The Advertisement Board Imposed a Suspension Penalty on Trendyol Due to the Lack of Choice in In-App Advertising Notifications

In its decision numbered 2024/4177, the Advertisement Board determined that advertising notifications were sent to consumers through the Trendyol mobile application without their consent. The investigation revealed that users could not manage in-app notification preferences in detail, that only options for e-mail/SMS/phone notifications were provided, and that marketing-related in-app notifications could only be disabled through device settings. It was evaluated that this situation adversely affected the consumer’s will in making decisions.

The Advertisement Board concluded that the practice in question violated the prohibition on deceptive interface/choice steering set out in paragraph 22, Annex A of the Regulation on Commercial Advertisements and Unfair Commercial Practices, and that the promotions were misleading to the average consumer. Accordingly, the Board decided to suspend the relevant commercial practices.

You can access the Advertisement Board Press Bulletin containing the decision in Turkish here.

Current Developments From the World

Data Act Became Applicable as of 12 September 2025

Following its adoption on 13 December 2023 and entry into force on 11 January 2024, Regulation (EU) 2023/2854 on harmonized rules on fair access to and use of data (Data Act) became largely applicable as of 12 September 2025. The Data Act introduces rules on fair access to, and use of, data generated by connected products and related services within the EU.

As of this date, key obligations regarding data access, sharing, cloud service switching, and contractual fairness are now in effect. The framework aims to empower users, facilitate innovation, and ensure safeguards around trade secrets and unlawful third-country data requests. It complements the GDPR by supporting secure and responsible data use across the digital ecosystem.

You can access the Data Act here.

Key Actions

  • Data controllers should evaluate their data-sharing contracts and cloud service arrangements to ensure compliance with the Data Act’s fair access and portability requirements. Technical teams should begin mapping datasets subject to sharing obligations and implement controls to protect trade secrets and confidential information.

The European Accessibility Act Became Applicable as of 28 June 2025

As of 28 June 2025, Directive (EU) 2019/882 on the accessibility requirements for products and services (European Accessibility Act or EAA) became applicable, introducing harmonized requirements for private businesses offering key digital products and services. It reinforces consumers’ right to access technology on equal terms and applies to any organization targeting EU users, regardless of location.

The EAA covers products and services such as e-readers, computers, ticketing platforms, and self-service terminals, and, notably, requires transactional websites and apps to be accessible. Key obligations include accessible interfaces, inclusive customer support, and updated accessibility statements. While Member States have some flexibility in implementation, non-compliance may result in financial penalties or service restrictions.

You can access the EAA here.

Provisions on General Purpose AI Models under the EU Artificial Intelligence Act Became Applicable and The European Commission Published the Final Version of the Code of Practice

As of 2 August 2025, the provisions of the Artificial Intelligence Act (AI Act) concerning General-Purpose Artificial Intelligence (GPAI) models, laid out in Chapter V, became applicable. These provisions introduce specific obligations for GPAI providers, including documentation and transparency duties, a public summary of training content, compliance with EU copyright, systemic risk management measures, cooperation with EU and national authorities, and the designation of a representative for non-EU providers.

In support of these obligations, the European Commission published the final version of the Code of Practice for GPAI on 10 July 2025. The Code, which is voluntary, serves as a preparatory framework to help GPAI providers align with upcoming legal requirements under the AI Act. Additional resources, including a dedicated guidance page for GPAI providers and a template for publishing training data summaries, have also been made available by the European Commission.

You can access the GPAI Code of Practice here, the GPAI training data summary template here and our announcement on this matter here.

Key Actions

  • Organizations developing or using AI models should review documentation, training data summaries and copyright compliance processes in line with the AI Act and the Code of Practice for GPAI. Non-EU providers should also consider appointing an EU representative to ensure regulatory communication and risk oversight.

The European Data Protection Supervisor Published Revised Guidance on Generative Artificial Intelligence

On 28 October 2025, the European Data Protection Supervisor (EDPS) released an updated version of its Guidance on Generative AI to help EU institutions, bodies, offices, and agencies ensure compliance with Regulation (EU) 2018/1725 (EU Institutions Data Protection Regulation). The revised guidance clarifies the definition of generative AI, introduces a compliance checklist for data controllers, and provides further details on the allocation of the roles and responsibilities between controllers, joint controllers, and processors.

You can access the press release published by the EDPS here.

European Commission Recognizes the European Patent Organization in Its First Adequacy Decision for an International Organization

On 15 July 2025, the European Commission adopted its first-ever adequacy decision for an international organization, recognizing that the European Patent Organization (EPO) ensures a level of data protection essentially equivalent to that within the EU. This decision, adopted as Commission Implementing Decision (EU) 2025/1382, enables personal data transfers from the EU/European Economic Area to the EPO without need for additional safeguards such as Standard Contractual Clauses (SCCs). The Commission’s assessment found that the EPO’s June 2021 Data Protection Rules provide safeguards comparable to those under the GDPR.

You can access the Commission decision here.

The Dutch Data Protection Authority Has Published Guidance on Meaningful Human Intervention in Automated Decision-Making

On 23 July 2025, the Dutch Data Protection Authority (AP) published new guidance on ensuring “meaningful human intervention” in decisions made using automated systems. The guidance emphasizes that human involvement must not be merely symbolic; it should genuinely influence the outcome. It also notes that individuals tasked with reviewing decisions must have sufficient knowledge, authority and time to carry out their role effectively. Through practical tools and sample questions, the AP aims to support organizations in designing meaningful human intervention and ensuring robust human oversight of AI-based decisions.

You can access the guidance published by the AP here.

Key Actions

  • Organizations that rely on automated decision-making should review their governance frameworks to ensure that human oversight is genuinely effective rather than merely procedural. Individuals tasked with reviewing or overriding automated outcomes should be trained, authorized, and given sufficient time to exercise independent judgment, in line with the AP’s guidance.

The Court of Justice of the European Union Clarifies When Pseudonymized Data Are “Personal Data”

The Court of Justice of the European Union (CJEU) has issued an important ruling in a case between the Single Resolution Board (SRB) and the EDPS, clarifying when information counts as personal data and how individuals must be informed about its use. On 4 September 2025, the CJEU ruled in Case C-413/23 P that pseudonymized data transferred by the SRB to Deloitte constituted personal data because they reflect a person’s views and can be linked back to their identity. The CJEU emphasized that even where a recipient lacks access to identifying information, data must still be considered personal if the controller can attribute them to individuals. The judgment clarified that the SRB was required to inform data subjects that their information might be shared with Deloitte, regardless of whether Deloitte could identify them directly.

You can access the CJEU judgment here.

Key Actions

  • Data controllers should reassess whether datasets previously considered anonymized or pseudonymized may, in fact, constitute personal data when they can be indirectly linked to individuals. It is essential to ensure that data subjects are properly informed about data sharing activities, even when recipients cannot directly identify them.

Austrian Federal Administrative Court Upheld a €1.5 Million Fine Against IKEA for Unlawful and Excessive Video Surveillance

The Austrian Federal Administrative Court (BVwG) upheld a €1,500,000 fine imposed on IKEA for conducting unlawful and disproportionate video surveillance in one of its stores. It was determined that the surveillance system had recorded customers during payment transactions, including while entering their PIN codes. The Court ruled that the processing activity in question violated the provisions of the GDPR as it was carried out without a valid legal basis and in breach of the principle of data minimization. The Court further held that the company acted with gross negligence by operating the cameras without implementing appropriate technical and administrative measures and by failing to remedy known compliance deficiencies. The fine, representing only 0.21% of IKEA’s annual turnover, was considered proportionate given the scope and seriousness of the infringement.

You can access the decision issued by the BVwG here.

Italian Supervisory Authority Sanctions Employer for Using Private Chat Content in Disciplinary Proceedings  

The Italian Supervisory Authority (Italian SA) issued a significant decision restricting employers from using employees’ private social media and messaging content in disciplinary proceedings. The case concerned an employee who was dismissed after the employer accessed WhatsApp and Facebook messages in which the employee had criticized the company. The Italian SA found that collecting and using such private communications violated the GDPR principles of lawfulness, purpose limitation, and data minimization. The Italian SA emphasized that personal data available online is not freely usable for any purpose, and that even information shared within restricted groups carries a reasonable expectation of privacy. The company was fined €420,000, with the Italian SA underlining that an employer’s legitimate interest cannot override an employee’s fundamental right to privacy in their private chats.

You can access the summary of the decision issued by the Italian SA here.

Key Actions

  • Employers and HR departments should refrain from processing employees’ private messages in disciplinary contexts and review monitoring and surveillance policies to ensure compliance with the principles of lawfulness, purpose limitation and data minimization.


All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
