Bimonthly Data Protection and Privacy Bulletin - May 2025

30.05.2025

Contents

Latest News from Türkiye and the World!

Developments in Türkiye

Guidelines on the Protection of Personal Data in the Payment and Electronic Money Sector Published

The “Guidelines on Good Practices for the Protection of Personal Data in the Payment and Electronic Money Sector” have been published jointly by the Turkish Personal Data Protection Authority (“Authority”) and the Turkish Payment and Electronic Money Institutions Association within the scope of the Law on the Protection of Personal Data No. 6698 (“DP Law”). The Guidelines aim to assist service providers in aligning sector-specific dynamics with the provisions of the DP Law, and include illustrative explanations concerning the processing of high-risk data categories such as identity verification data, transaction history, and location data. The document also offers guidance on assessing regulatory obligations, such as Know Your Customer (KYC) procedures, from a data protection perspective, and sets out clarifications on the distinction between data controllers and data processors. It is assessed that the Guidelines contribute to both legal compliance and user trust across all stakeholders in the sector, and reflect a strict and centralized data governance model.

You may access the Guidelines here.

Recommendations on Ensuring Privacy in Mobile Applications Updated

The “Recommendations on Ensuring Privacy in Mobile Applications,” initially published by the Authority in 2023, have been updated in line with the amendments introduced by the 8th Judicial Reform Package to the DP Law. The revised Recommendations provide a detailed assessment of the risks associated with personal data processing activities carried out through mobile applications.

They also clarify the respective obligations of stakeholders such as application developers, advertising networks, and device manufacturers acting as data controllers or data processors. In addition, the document outlines key considerations for individuals prior to and during the use of applications and suggests security measures such as the use of strong passwords and multi-factor authentication. The Recommendations aim to enhance privacy awareness and maintain up-to-date data protection measures within the mobile ecosystem.

You may access the Recommendations here.

Guidelines on the Processing of Turkish Identity Numbers Updated

The Authority has updated the Guidelines on the Processing of Turkish Identity Numbers, which were originally published in early 2024 to set out the principles and procedures regarding the processing of Turkish Republic identity numbers, considered personal data under the DP Law. The updated Guidelines, released in April 2025, emphasize that the Turkish identity number, by its nature, has the potential to provide access to other personal data belonging to the data subject and therefore must be processed with the utmost care. Data controllers, particularly in sectors such as e-commerce, transportation, insurance, electronic communications, and public services, are reminded to use Turkish identity numbers only where strictly necessary, to consider less intrusive alternatives, and to implement appropriate technical and administrative measures. The Guidelines serve as a practical resource with sector-specific examples and references to relevant legislation.

You may access the Guidelines here.

Guidelines on the “Right to be Forgotten” Updated

The Authority has updated its Guidelines titled “Evaluation of the Right to be Forgotten in the Context of Search Engines,” which were initially published in October 2021, in line with the recent amendments to the DP Law. As of April 2025, the updated document elaborates on the legal grounds and procedural requirements for individuals to request the de-indexing of content that appears in search engine results when queried by their name and surname. It sets out the assessment criteria employed by the Personal Data Protection Board (“Board”) in handling such requests. Informed by decisions of the Court of Justice of the European Union and Turkish courts, the Guidelines clarify the scope and limitations of the right to be forgotten, emphasizing that this right is not absolute but rather exceptional. Additionally, pursuant to the Board’s Decision dated 23 June 2020 and numbered 2020/481, search engines are recognized as data controllers. The Guidelines outline applicable legal remedies, implementation principles, and concrete evaluation criteria, serving as a key reference for limiting the dissemination of personal data via search engines.

You may access the Guidelines here.

Guidelines on Personal Data Security Updated

In April 2025 the Authority updated the “Guidelines on Personal Data Security,” originally issued in January 2018, following the recent amendments to the DP Law. The Guidelines comprehensively outline the technical and administrative measures that must be taken by data controllers in order to prevent unlawful access to or processing of personal data and to ensure its secure storage.

Topics covered include technical safeguards such as risk analysis, access control, penetration testing, encryption, logging, and data backup, as well as administrative measures such as the development of internal policies, use of confidentiality undertakings, and awareness-raising trainings.

You may access the Guidelines here.

Guidelines on Deletion, Destruction or Anonymization of Personal Data Updated

The “Guidelines on the Deletion, Destruction or Anonymization of Personal Data,” first published in November 2017, have been updated by the Authority as of April 2025. The Guidelines set forth the methods by which personal data may be deleted, destroyed or anonymized once the purpose of processing ceases to exist. The updated version provides technical explanations specific to different environments and processing scenarios, and outlines applicable practices and safeguards. In addition, the Guidelines address the selection of anonymization techniques, implementation examples, and risk mitigation measures against re-identification.

You may access the Guidelines here.

Updated Explanatory Note on the DP Law and Glossary of Data Protection Terminology

The Authority has updated its booklet titled “Explanatory Note on the Law on the Protection of Personal Data and Glossary of Data Protection Terminology,” originally published in March 2019. The updated publication includes the full text of each article of the DP Law, accompanied by its legislative rationale, implementation notes, and references to relevant secondary legislation. The revised version particularly reflects the recent legal amendments and stands out as one of the Authority’s primary interpretative resources. The glossary section has also gained prominence by supporting accurate understanding and appropriate use of data protection terminology.

You may access the publication here.

“DP Law Glossary” Published for the First Time

In April 2025, the Authority published, for the first time, its dedicated “Glossary of Terms Related to the Protection of Personal Data.” The glossary compiles definitions of one hundred key concepts derived not only from the DP Law and its secondary legislation, but also from international sources such as EU regulations, guidelines of the European Data Protection Board, and opinions of the European Data Protection Supervisor. The publication aims to promote conceptual clarity and terminological consistency for data controllers, practitioners, and individuals alike.

You may access the Glossary here.

Guidelines on Preparing a Personal Data Processing Inventory Updated

The Authority has updated the “Guidelines on Preparing a Personal Data Processing Inventory,” originally published in April 2019, as of March 2025. The updated Guidelines provide data controllers with methodological guidance on how to prepare a data inventory to comply with their registration obligations under VERBIS, the Data Controllers’ Registry Information System. The Guidelines include a list of 46 example activities frequently conducted by organizational units such as human resources, accounting, support services, and IT, thereby strengthening its practical dimension. An illustrative Personal Data Processing Inventory template is also annexed to the Guidelines.

You may access the Guidelines here.

Guidelines on Fulfilling the Obligation to Inform Updated

The Authority has updated its “Guidelines on Fulfilling the Obligation to Inform” in March 2025 following the recent amendments to the DP Law. The Guidelines clarify how and in what format data controllers should fulfill their obligation to inform data subjects, as well as the required content, presentation method, timing, and use of layered notices. The updated version aims to address the most frequently encountered issues in practice and to reinforce the principle of transparency.

You may access the Guidelines here.

2024 Annual Activity Report Published by the Authority

The Authority has published its 2024 Annual Activity Report, which includes statistical data and operational highlights within the framework of its 2024–2028 Strategic Plan. In 2024, a total of 8,275 applications were received, resulting in 862 data controllers being fined, with the total amount of administrative fines reaching TRY 552,188,101. The most common complaint was the unlawful processing of personal data by data controllers. Among the sectors receiving the highest number of complaints were services, media, and telecommunications. In addition, out of 86 undertaking applications submitted in relation to cross-border data transfers, only 10 were approved while 76 were rejected, demonstrating the Authority’s stringent and risk-based approach to international data transfer mechanisms.

Data Breach Notifications Filed by Adidas and Christian Dior

As of May 2025, the Authority has published data breach notifications submitted by Adidas Spor Malzemeleri Satış ve Pazarlama A.Ş. and Christian Dior Couture S.A. According to the notification submitted by Adidas, a cybersecurity incident identified on 17 May 2025 involved a third party claiming to possess customer data. Following the investigation, it was confirmed that approximately 544,395 individuals were affected, and that personal data such as names, email addresses, and phone numbers may have been compromised. In the notification submitted by Christian Dior, it was reported that unauthorized access had occurred to the CRM database, a ransom demand had been issued in exchange for exfiltrated customer data, and although access was blocked, the risk of misuse or disclosure of the data persisted.

Global Developments

EDPB Opens Draft Guidelines on Blockchain for Public Consultation

The European Data Protection Board (EDPB) has released a draft version of its Guidelines on the processing of personal data through blockchain technologies for public consultation. The Guidelines include recommendations for data controllers and processors and focus on safeguarding data subjects’ rights in decentralized processing environments.

ICO Publishes Draft Guidance on Encryption

The UK Information Commissioner’s Office (ICO) has published an updated draft guidance document on encryption, which contains technical specifications and good practices. The ICO has invited public feedback on the draft until 24 June 2025.

CNIL Issues Guidance on Lawful Use of Databases

The French data protection authority (CNIL) has published a new directive outlining the legal requirements for the creation, sharing, and reuse of databases. The guidance emphasizes the importance of citing sources, maintaining sufficient documentation, and minimizing the inclusion of sensitive data.

Irish DPC Reviews Meta’s AI Training Practices

The Irish Data Protection Commission (DPC) has conducted a review of Meta’s data processing practices in the context of training artificial intelligence models. The DPC’s findings focus on the clarity of processing purposes and compliance with transparency obligations under the GDPR.

IAPP Releases Infographic on 2025 AI Governance Professional Report

The International Association of Privacy Professionals (IAPP) has published an infographic summarizing its “2025 AI Governance Professional Report,” which outlines the roles, responsibilities, and organizational placement of professionals working in AI governance. The infographic aims to visually communicate the evolving structure of the AI governance field.

Italian DPA Imposes €5 Million Fine on Replika

The Italian Data Protection Authority, Garante, has imposed a €5 million administrative fine on the developer of the AI-based chatbot Replika for processing user data without a valid legal basis and for failing to implement a proper age verification mechanism to protect minors. Garante also announced that a separate investigation will be initiated regarding the chatbot’s training of generative AI models.

European Commission Releases Draft Guidance on Child Protection under DSA

The European Commission has opened for public comment a draft guidance document on protecting children online under the Digital Services Act (DSA). The draft includes principles on age-appropriate design, a prohibition on profiling-based advertising, a risk-based approach, and transparent governance. The public consultation is open until 10 June 2025.

UK Researchers Warn of Deepfake Threats to Children

A recent UK study has shown that as few as 20 images may be sufficient to generate deepfakes of children. The report highlights the risks of oversharing children’s images on social media, citing identity theft and exploitation. Parents are advised to use strong passwords, increase digital privacy awareness, and employ content filtering tools.

Tsinghua University Launches the World’s First AI-Powered Virtual Hospital

The AIR Institute at Tsinghua University in China has introduced “Agent Hospital,” the world’s first fully AI-powered virtual hospital. The system, operated by 42 AI-supported virtual doctors across 21 specialties, simulates the entire clinical cycle from diagnosis to follow-up. In its first week, the hospital evaluated 10,000 virtual patients and reported a diagnostic accuracy rate of 93.06%.

This website is available “as is.” Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall it be liable for any loss or damages.

The content and materials published on this website are provided for informational purposes only and should not be used as a legal opinion in any way. This website and the information contained are not intended to establish an attorney-client relationship.