    Lawyers Burak Özdağıstanli

    Burak Ozdagistanli is a partner at Ozdagistanli Ekici Attorney Partnership where he leads the firm’s data protection and cyber security team. Ozdagistanli Ekici is a leading independent firm in Istanbul that is ranked in several respected and well-known legal publications in data and technology, including GDR100. The firm is well-known for sound business advice and a great understanding of their clients’ businesses.

    Burak has extensive experience and is a well-known expert in the field of privacy. He provides advice to the world’s leading data-driven companies in different sectors on a daily basis.

    Among other roles, he is a founding board member of the Data Protection Association in Turkey and the former General Secretary of the Istanbul Bar Association’s Data Protection Commission.

    He also served on the Publications Advisory Board of the International Association of Privacy Professionals (“IAPP”) and as Istanbul KnowledgeNet Chapter Co-Chair. He is also a Fellow of Information Privacy (“FIP”) and he holds CIPP/E and CIPM certificates from the IAPP. As of 2023, he will serve on the Privacy Section Advisory Board of the IAPP.

    He has an LL.M. degree in technology law, and he is working on his PhD thesis on the legal characteristics of personal data and the legal basis of consent.


    Practice Areas & Work Department

    Technology, Media and Telecom

    Data Protection

    Electronic Commerce

    Fintech

    Gaming


    Languages

    Turkish

    English

     
    Memberships

    Istanbul Bar Association

    Former General Secretary – Istanbul Bar Association Data Protection Committee

    Founding Board Member – Data Protection Association - Turkey

    International Association of Privacy Professionals (IAPP)

    IAPP – Privacy Bar Section Board Member (2023 – 2025)

    IAPP – Publications Advisory Board Member (2017-2019)

    IAPP – KnowledgeNet Chapter Co-Chair – Istanbul (2017-2019)

    ITechLaw Association

    Video Game Bar Association

    INPLP – International Network of Privacy Law Professionals


    Awards & Recognitions

    WWL Data 2021 - 2022 - 2023

    Chambers Fintech 2021 - 2022 - 2023

    Data Breach Notification Process: A Short Comparison Between EU and Turkish Law

    The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and Law No. 6698 on Protection of Personal Data (“DPL”) of Turkey are the key pieces of legislation applied in the relevant jurisdictions.
    Burak Özdağıstanli

    New Guideline from the Personal Data Protection Authority: Considerations When Processing Genetic Data

    The Guideline on Matters to Consider when Processing Genetic Data (“Guideline”) was published by the Personal Data Protection Authority (“Authority”) on its official website on October 13, 2023. Although genetic data is not defined separately in Law No. 6698 on the Protection of Personal Data (“Law”), it is treated as a special category of personal data. In this context, the Guideline lists the areas of use of genetic data as (i) genetic analysis for diagnosis and treatment in healthcare, (ii) genetic analysis to determine ascendants and descendants, and (iii) genetic analysis to determine genetic predisposition.
    Burak Özdağıstanli

    Turkish Data Protection Authority’s Recommendations on Sending Verification Codes in Stores

    The Turkish Personal Data Protection Authority published an announcement on November 13, 2023, regarding personal data processing activities where a verification code is sent to data subjects via SMS while shopping in stores. The announcement focuses on data controllers’ non-compliant data processing practices during face-to-face shopping and provides several recommendations.
    Burak Özdağıstanli

    New Guideline from the Data Protection Authority: Considerations When Processing Genetic Data

    The Guideline on Matters to Consider when Processing Genetic Data ("Guideline") was published by the Personal Data Protection Authority ("Authority") on its official website on October 13, 2023. While genetic data is not defined separately under the Law No. 6698 on the Protection of Personal Data ("Law"), it is categorized as one of the special categories of personal data.
    Burak Özdağıstanli

    Turkish Data Protection Board Fines a Private Healthcare Institution for a Mandatory Checkbox

    In its decision dated 02.05.2023 and numbered 2023/692, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a private health institution unlawfully obtaining explicit consent from patients.
    Burak Özdağıstanli

    Turkish Data Protection Board Fines a Private Hospital for Making Videos about Patients’ Treatments

    In its decision dated 11.05.2023 and numbered 2023/787, the Turkish Personal Data Protection Board (“Board”) evaluated a notice regarding a private hospital obtaining explicit consent from patients for processing personal data, including health data, within the scope of advertising and promotion activities. In the notice, the data subject asked for action to be taken, stating that the private hospital, as data controller, requests explicit consent from patients through its patient consent forms in order to share their photographs and videos with contracted media outlets for advertising and promotion purposes.
    Burak Özdağıstanli

    A Fitness Center Processing Data Subject’s Blood Type

    The Personal Data Protection Board assessed a complaint against a fitness center for processing blood type information, a special category of personal data, without explicit consent. The Board imposed a fine of TRY 100.000 on the fitness center for not meeting its obligations under Article 12 of the Law No. 6698 on the Protection of Personal Data. The center was instructed to provide the privacy notice and obtain explicit consent separately, as required by the law and related guidelines. Allegations of improper data storage and unauthorized access to security camera footage were unproven.
    Burak Özdağıstanli

    Change to the Requirements for Registration with VERBIS

    With the decision of the Personal Data Protection Board (“Board”) dated 6 July 2023 and numbered 2023/1154, published today in the Official Gazette, the “annual financial balance sheet total” amount, which had been adopted as a criterion for exemption from the obligation to register with the Data Controllers Registry (“VERBIS”), was re-evaluated in light of the economic conditions in our country.
    Burak Özdağıstanli

    Changes to the Requirements for Registration to VERBIS

    The Turkish Personal Data Protection Board amended the exemption limit for Data Controllers Registry (VERBIS) registration due to economic conditions. The new limit is 100.000.000 Turkish Liras for the annual financial balance sheet, up from the previous 25.000.000 Turkish Liras. Data controllers with fewer than 50 employees and an annual financial balance sheet total below TRY 100.000.000 are exempt from VERBIS registration. The effective date is 25 July 2023, and the exception applies only to local data controllers, not foreign ones.
    Burak Özdağıstanli

    Regulation on Cyber Security Competency Model in the Energy Sector

    The Regulation on Cyber Security Competency Model in the Energy Sector, published in the Official Gazette dated 06.06.2023 and numbered 32213, has entered into force. This regulation repealed the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector dated 13.07.2017. It sets out specific provisions for the security and reliability of the industrial control systems of legal entities holding licences in the energy market (Obligated Organizations). Under the regulation, the competency model varies by energy sub-sector and consists of three basic competency levels. Obligated Organizations are required to complete, within the targeted time, the mandatory items tied to the level assigned to them. The regulation aims to ensure effective cyber security protection for the sector.
    Burak Özdağıstanli

    Regulation on Cyber Security Competency Model in the Energy Sector

    The Regulation on Cyber Security Competency Model in the Energy Sector (“Regulation”) was published by the Energy Market Regulatory Authority (“Authority”) in the Official Gazette dated 06.06.2023 and numbered 32213. The Regulation entered into force on the date of publication. It repealed the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector (“Repealed Regulation”) dated 13.07.2017, and all references to the Repealed Regulation are deemed to have been made to the Regulation.
    Burak Özdağıstanli

    Sending Invoices Issued to Third Parties to a Data Subject’s E-Mail Address

    The Personal Data Protection Board addressed a complaint about the improper processing of personal data through e-invoice sending to a data subject's email. Despite previous instructions to implement security measures, the data controller continued sending third-party invoices to the data subject. This lack of verification mechanisms and proactive approach violates the principle of accuracy and up-to-dateness under the Law on the Protection of Personal Data No. 6698. Consequently, the Board imposed an administrative fine of TRY 200,000 (approx. EUR 6,954) and instructed the data controller to prevent such data transmission in the future.
    Burak Özdağıstanli

    Sending SMS for Marketing Purposes Without Explicit Consent

    The Personal Data Protection Board imposed a fine of TRY 30,000 on a data controller for processing personal data without explicit consent and failing to inform the data subject. The data controller sent marketing messages without fulfilling its legal obligations. Although the data controller apologized and made corrections, the Board found that a data breach had occurred and that the necessary security measures were lacking. The fine was imposed for non-compliance with data protection laws.
    Burak Özdağıstanli

    Sending Commercial Electronic Message Without Obtaining Consent

    The Personal Data Protection Board assessed a complaint regarding a data controller sending unsolicited commercial emails to a lawyer's work email address without consent. The Board found that the email address was publicly available due to the lawyer's own actions, but this does not justify processing the personal data for any purpose. Since lawyers are not considered traders or merchants, prior consent is required to send commercial emails. The data controller failed to fulfill obligations under the law, resulting in a fine of TRY 150,000. The data controller must also respond to unanswered information requests and provide evidence of data deletion.
    Burak Özdağıstanli

    Sharing Statements Received from a Data Subject During a Job Interview

    The Personal Data Protection Board addressed a complaint where a company shared a data subject's job interview information with their current employer. The Board found that this sharing violated the Personal Data Protection Law and imposed a fine of TRY 100,000 on the data controller. It was clarified that the data controller's obligation to respond to the data subject's application was not affected by an ongoing investigation. The Board also emphasized the need for the data controller to comply with the provisions of the law and warned them accordingly.
    Burak Özdağıstanli

    Data Subject Requests Under Turkish Data Protection Law

    The Law on Protection of Personal Data in Turkey grants data subjects certain rights similar to those in the General Data Protection Regulation. These rights include the right to know if personal data is being processed, the purpose of processing, and the recipients of data transfers. Data subjects also have the right to rectify or erase their data, object to automated decision-making, and seek compensation for unlawful processing. The exercise of these rights is subject to specific requirements outlined in the Communiqué on The Procedures and Principles of Application to Data Controller. Valid data subject requests must contain certain information and can be submitted through various methods. Data controllers are obligated to respond to valid requests within 30 days. Failure to comply with valid requests may result in administrative fines.
    Burak Özdağıstanli

    Turkey Cracks Down on Rise of Greenwashing in Ads

    Greenwashing is the practice of presenting a product, brand, or institution as environmentally friendly through misleading ads and claims. It challenges transparency in consumer decision-making. In Turkey, misleading ads are regulated under the Regulation on Commercial Advertising and Unfair Commercial Practices, forbidding misleading information on environmental impact. The Advertisement Board oversees and sanctions commercial advertising, including cases of greenwashing. Recent examples include fines imposed on companies for unproven energy-saving claims, false plant-based product statements, unverified CO2 emission savings, and misleading eco-friendly packaging claims. Compliance with regulations and transparency are essential to avoid penalties and protect consumers.
    Burak Özdağıstanli

    Transferring the Health Data of a Data Subject to the Public Institution

    In its decision numbered 2022/790, the Personal Data Protection Board addressed a complaint concerning the transfer of a data subject's health data to a public institution for an ongoing administrative lawsuit. The complaint alleged that the transfer of the data subject's health data from a university hospital to the public institution constituted an unlawful processing of personal data. The Board determined that the transfer violated data protection principles and instructed the data controller to take corrective actions, including disciplinary measures and data destruction. The data subject was also advised to apply for correction through the provincial health directorate. The Board emphasized the importance of timely response to data subject requests.
    Burak Özdağıstanli

    The Intellectual Property Review - 2

    Turkish law provides effective enforcement procedures for protecting intellectual property (IP) rights. Cease-and-desist letters are advised, followed by civil or criminal court actions and potential customs confiscation. Specialized IP courts handle civil and criminal cases. Evidence collection involves expert examinations and search warrants. Preliminary injunctions are available. Written documents play a key role in IP litigation. Defence strategies include challenging distinctive character and prior rights. Remedies include cessation of infringing acts, confiscation, and compensation. Appellate review is possible, and alternative dispute resolution methods like mediation and arbitration are encouraged. AI-related patent ownership and changes to domain name dispute resolution are emerging trends.
    Burak Özdağıstanli