Bimonthly Data Protection and Privacy Bulletin – March 2025

14.04.2025

Contents

Latest News from Türkiye and the World!

Developments in Türkiye

Cybersecurity Law Entered into Force

- Following the establishment of the Cybersecurity Authority under the Presidency, the Draft Cybersecurity Law, which had been submitted to the Grand National Assembly of Türkiye (“GNAT”), was adopted by the General Assembly on 12 March 2025. The Law, as adopted by the GNAT, entered into force upon its publication in the Official Gazette dated 19 March 2025 and numbered 32846.

- The new legislation aims to develop and implement Türkiye’s national cybersecurity strategy under a more centralized framework. Public and private sector entities are obliged to use only those products and services approved by the Cybersecurity Authority. The Law introduces mandatory requirements for the implementation of cybersecurity measures, retention of log records, and reporting of vulnerabilities. It also sets out strategic objectives for the protection of critical infrastructures, and introduces mechanisms for cybersecurity audits and exercises. Moreover, the Law stipulates severe criminal sanctions and administrative fines for offences such as data breaches and cyberattacks, and subjects certain transactions of companies operating in the field of cybersecurity to the prior approval of the Authority. It is considered that the Law adopts a more stringent and centralized model compared to international instruments.

- You may access our information note on the Law here.

Updated Guidelines on the Processing of Sensitive Data

- The updated Guidelines on the Processing of Sensitive Data (“Guidelines”) were published by the Personal Data Protection Authority (“Authority”) on 26 February 2025.

- The Guidelines introduce new procedural and substantive rules regarding the processing of sensitive data, in line with the recent amendments to Article 6 of the Personal Data Protection Law No. 6698 (“DP Law”). Eight legal bases for processing other than explicit consent have been detailed, and the distinction between data concerning health and sexual life and other categories of sensitive data has been removed. The Guidelines clarify the conditions for lawful processing based on grounds such as public disclosure, actual impossibility, protection of public health, confidentiality obligations, and social security. Furthermore, the Guidelines impose significant obligations on data controllers concerning the updating of personal data inventories, revision of data retention and destruction policies, and restructuring of explicit consent procedures. Beyond setting out the legal framework, the Guidelines also offer practical guidance supported by case examples and decisions of the Personal Data Protection Board (“Board”).

Personal Data Breach at TürkNet Following Cyberattack

- In a public statement, TürkNet announced that as a result of a cyberattack, the personal data of 2.8 million users — including full names, phone numbers, addresses, and IP information — were unlawfully accessed. It was further stated that user passwords remained protected due to end-to-end encryption, and that all necessary notifications and applications had been duly submitted to the relevant authorities.

Remarks by the President of the Authority, Prof. Dr. Faruk Bilir, on the Activities of the Board

- During an in-service training session on the Personal Data Protection Law hosted by Selçuk University, the President of the Authority, Prof. Dr. Faruk Bilir, shared an overview of the Board’s activities since 2017. He stated that a total of TRY 974,559,000 in administrative fines had been imposed as a result of audits carried out by the Board since 2017; of 47,038 complaints and notices received, 45,263 had been concluded; 1,545 standard contractual clauses had been submitted to the Authority for international data transfers; and 10 undertakings for international transfers had been approved.

Updated Sectoral Guidelines for the Banking Sector have been published

- The Guidelines on the Protection of Personal Data in the Banking Sector, jointly prepared by the Authority and the Banks Association of Türkiye, were published on 8 January 2025. The Guidelines set out best practices for ensuring compliance with the DP Law and secondary legislation, particularly with regard to international data transfers, explicit consent mechanisms, the notion of banking secrecy, and relationships with data processors and affiliates.

- Updated in line with the amendments to Article 9 of the DP Law, the Guidelines explain how data transfers abroad can be lawfully conducted in the banking sector through adequacy decisions, appropriate safeguards (including binding corporate rules, standard contractual clauses, and undertakings), exceptional derogations, and sector-specific legal provisions. The Guidelines also address data sharing between banks, the roles of banks acting as intermediaries, structuring of data controller–data processor relations with service providers, and data processing activities in open banking and segmentation. In addition, the Guidelines clarify the scope of data controllership and boundaries of data processing specific to the banking sector and provide concrete guidance on data mapping, fulfillment of information obligations, and implementation of technical and organizational security measures, in line with the Board’s precedents.

Cooperation Protocol has been signed between the Authority and the Capital Markets Board

- A cooperation protocol concerning the protection of personal data has been signed between the Authority and the Capital Markets Board (“CMB”). According to the public announcement, a Coordination Committee will be established under the protocol to enhance mutual coordination, information exchange, and cooperation between the Authority and the CMB.

Guidelines on International Data Transfers have been published

- The Guidelines on International Data Transfers were published by the Authority on 2 January 2025.

- You may access our information note on the Guidelines here.

- The Guidelines elaborate on the procedural steps to be followed for transfers abroad, address the requirements regarding standard contractual clauses, and provide detailed guidance on international transfer mechanisms.

Simultaneous “Panel” Operation Conducted in 25 Provinces

- In a statement issued by the Istanbul Police Department’s Cyber Crimes Unit, it was announced that 69 suspects were detained and 44 individuals were arrested during the “Panel” operation conducted under the coordination of the Cyber Crimes Unit.

- According to the statement, account credentials and sensitive information obtained through phishing attacks were combined with previously leaked personal data and used to create illegal inquiry platforms, known as “checker panels,” through which various personal data belonging to Turkish citizens — including full names, national ID numbers, land registry records, criminal records, and address information — could be queried in exchange for payment. It was further established that such panels were used for blackmail and threats.

Increase in Administrative Fines Under the DP Law

- For 2025, the administrative fines prescribed under the DP Law have been increased by 43.93% in line with the revaluation rate.

- The updated fines entered into force as of 1 January 2025.

Global Developments

EDPB Launches 2025 Coordinated Enforcement Action on the Right to Erasure (Right to Be Forgotten)

- On 5 March 2025, the European Data Protection Board (“EDPB”) launched its 2025 Coordinated Enforcement Framework.

- The initiative, based on the right to erasure (commonly referred to as the right to be forgotten), which has been identified by the EDPB as one of the most frequently raised issues by data subjects, will involve 32 data protection authorities within the EU participating in a coordinated enforcement effort. The authorities will assess how data controllers handle and respond to erasure requests submitted by data subjects.

- Throughout the year, evaluations will be conducted and shared by the EDPB, followed by consultations with the 32 supervisory authorities to ensure in-depth assessments at both EU and national levels.

South Korean Data Protection Authority Suspends DeepSeek

- The South Korean data protection authority has temporarily suspended the operations of DeepSeek as of 15 February 2025. The suspension will remain in effect until the deficiencies identified in DeepSeek’s privacy policies and its noncompliance with South Korean data protection law are rectified.

OECD Global Partnership on AI Publishes Report on AI Training

- The published report examines how organizations collect and use data to train artificial intelligence systems, focusing particularly on the implications for intellectual property rights. The report specifically addresses the issue of data scraping.

Declaration on Inclusive and Sustainable AI Adopted at AI Action Summit

- The “Declaration on Inclusive and Sustainable Artificial Intelligence” (“Declaration”) has been adopted at the AI Action Summit held in Paris. The Declaration promotes a human rights-based approach to the development of artificial intelligence.

- On 11 February, the data protection authorities of South Korea, France, the United Kingdom, Ireland, and Australia jointly issued a statement aimed at mitigating the risks associated with the use and development of artificial intelligence.

OECD has published the Report on the Economic Implications of Cross-Border Data Transfers

- The OECD has published a report that examines the risks and economic implications of regulations governing cross-border data transfers. The report aims to identify the potential economic impacts and opportunity costs associated with different data flow and data localization regimes.

CNIL has issued Guidance on the Lawful Use of Databases

- The French data protection authority (CNIL) has published guidance concerning the lawful use of databases. The guidance emphasizes that when creating, reusing, or sharing databases, it must be ensured that the databases are not unlawful; sources must be properly cited; data must be adequately documented; and the databases must not contain sensitive data.

- The UK Information Commissioner’s Office (ICO) has announced that it will review the cookie practices of the 1,000 most visited websites to assess their compliance with data protection regulations relating to the use of cookies.

UK and Japan have announced Cooperation on Digital Infrastructure, Regulation, and Data Governance

- The United Kingdom and Japan have announced a bilateral initiative to jointly work on matters concerning digital infrastructure, regulatory frameworks, and data governance.

TikTok has been banned in the United States; the Ban has been temporarily suspended by President Trump

- On 19 January 2025, TikTok was banned nationwide in the United States in accordance with the “Protecting Americans from Foreign Adversary Controlled Applications Act” (“Act”), which was adopted in April 2024. The Act requires that TikTok be sold by its parent company ByteDance to an entity approved by the United States.

- Following his inauguration, President Trump exercised his authority under the Act to temporarily suspend the ban and issued an executive order on 20 January 2025 postponing the ban for a period of 75 days.

- ByteDance filed a petition with the Supreme Court, claiming that the Act constituted an unlawful restriction on its and its users’ freedom of expression under the First Amendment. However, on 17 January, the Supreme Court upheld the Act, finding that the federal government’s national security concerns were legitimate. The justification for the Act was based on the national security risks posed by the potential for the Chinese government to coerce ByteDance into handing over personal data and manipulating the platform’s algorithms for propaganda purposes.
