Two-Minute Recap of Recent Developments in Turkish Data Protection Law - March 2025

The DPA Updates Biometric Data Guidelines

The Turkish Data Protection Authority (“DPA”) updated its “Guidelines on Issues to be Considered in the Processing of Biometric Data” in March 2025. This update was carried out in line with the amendments made to the Law on the Protection of Personal Data No. 6698 in 2024. The new version of the guideline elaborates on key aspects of biometric data processing. In particular, it clarifies the exceptional circumstances under which biometric data may be processed without explicit consent and outlines the assessments that data controllers must undertake in such cases. Additionally, it updates the criteria to be considered when transferring biometric data abroad and provides a more comprehensive explanation of the technical and administrative methods to be followed in the deletion, destruction, or anonymization of such data. Furthermore, the guideline refines technical standards related to biometric data security, such as risk assessment, encryption, and access management.

Board Decision on Cross-Border Personal Data Transfers

According to the announcement published on March 13, 2025, the Personal Data Protection Board (“Board”) reviewed and approved three separate undertakings submitted by VF Ege Giyim Sanayi ve Ticaret Limited Şirketi for the transfer of personal data abroad. The evaluation was conducted under subparagraph (ç) of Article 9(4) of the Law on the Protection of Personal Data No. 6698. This provision stipulates that in the absence of an adequacy decision, personal data may be transferred to a foreign country if a written undertaking providing sufficient safeguards for data protection is submitted and approved by the Board.

Upon review, the Board found no procedural or substantive deficiencies in the documents provided by the company and granted approval for the data transfers on March 12, 2025. With this decision, the data transfers in question have been placed on a lawful basis.

IMM on Data Security

In March 2025, the Istanbul Metropolitan Municipality (“IMM”) responded to allegations regarding personal data security, stating that all data processing activities are carried out in compliance with Türkiye’s Personal Data Protection Law. The statement emphasized that all data is processed exclusively on IMM’s local servers, with no data being sold or transferred abroad. It also clarified that personal data collected through the “İstanbul Senin” and “İstanbulkart” applications is used solely for planning public services, with proper attention given to explicit consent procedures and processed securely under a protocol signed with the Ministry of Interior. IMM highlighted its commitment to data- driven smart city management and confirmed the regular implementation of technical and administrative measures to ensure the protection of personal data.

The DPA announced the following data breach notifications in March: