Lawyers Burak Özdağıstanli

    Burak Ozdagistanli is a partner at Ozdagistanli Ekici Attorney Partnership where he leads the firm’s data protection and cyber security team. Ozdagistanli Ekici is a leading independent firm in Istanbul that is ranked in several respected and well-known legal publications in data and technology, including GDR100. The firm is well-known for sound business advice and a great understanding of their clients’ businesses.

    Burak has extensive experience and is a well-known expert in the field of privacy. He provides advice to the world’s leading data-driven companies in different sectors on a daily basis.

    Among other roles, he is a founding board member of the Data Protection Association in Turkey and the former General Secretary of the Istanbul Bar Association’s Data Protection Commission.

    He also served as the Publications Advisory Board of the International Association of Privacy Professionals (“IAPP”) and Istanbul KnowledgeNet Chapter Co-Chair. He is also a Fellow of Information Privacy (“FIP”) and he holds CIPP/E and CIPM certificates by the IAPP. As of 2023, he will serve on the Privacy Section Advisory Board of the IAPP.

    He has an LL.M. degree in technology law, and he is working on his PHD thesis on legal characteristics of personal data and the legal basis of consent.

    Practice Areas & Work Department

    Technology, Media and Telecom

    Data Protection

    Electronic Commerce







    Istanbul Bar Association

    Former General Secretary – Istanbul Bar Association Data Protection Committee

    Founding Board Member – Data Protection Association - Turkey

    International Association of Privacy Professionals (IAPP)

    IAPP – Privacy Bar Section Board Member (2023 – 2025)

    IAPP – Publications Advisory Board Member (2017-2019)

    IAPP – KnowledgeNet Chapter Co-Chair – Istanbul (2017-2019)

    ITechLaw Association


    INPLP – International Network of Privacy Law Professionals

    Awards & Recognitions

    WWL Data 2021 - 2022 - 2023

    Chambers Fintech 2021 - 2022 - 2023

    Transferring the Health Data of a Data Subject to the Public Institution

    In its decision numbered 2022/790, the Personal Data Protection Board addressed a complaint concerning the transfer of a data subject's health data to a public institution for an ongoing administrative lawsuit. The complaint alleged that the transfer of the data subject's health data from a university hospital to the public institution constituted an unlawful processing of personal data. The Board determined that the transfer violated data protection principles and instructed the data controller to take corrective actions, including disciplinary measures and data destruction. The data subject was also advised to apply for correction through the provincial health directorate. The Board emphasized the importance of timely response to data subject requests.
    Burak Özdağıstanli

    The Intellectual Property Review - 2

    Turkish law provides effective enforcement procedures for protecting intellectual property (IP) rights. Cease-and-desist letters are advised, followed by civil or criminal court actions and potential customs confiscation. Specialized IP courts handle civil and criminal cases. Evidence collection involves expert examinations and search warrants. Preliminary injunctions are available. Written documents play a key role in IP litigation. Defence strategies include challenging distinctive character and prior rights. Remedies include cessation of infringing acts, confiscation, and compensation. Appellate review is possible, and alternative dispute resolution methods like mediation and arbitration are encouraged. AI-related patent ownership and changes to domain name dispute resolution are emerging trends.
    Burak Özdağıstanli

    The Intellectual Property Review - 1

    Turkey is a significant jurisdiction for intellectual property (IP) law. IP cases are handled by specialized IP courts in major cities. Turkish IP law aligns with EU law and international standards, providing strong protection. Key treaties and conventions are enacted into local law. Trademarks, copyrights, industrial designs, patents, and geographical indications are protected under specific laws. Trademarks distinguish products/services, copyrights protect original works, industrial designs safeguard product appearances, and patents secure inventions. IP registration processes involve applications, examination, opposition, and registration. Protection durations vary. Recent developments include regulations on electronic commerce intermediary service providers and the launch of the TRABIS network.
    Burak Özdağıstanli

    Processing of Personal Data of the Child without the Explicit Consent of the Parent

    The Personal Data Protection Board assessed a complaint about a marketing company processing a child's personal data without explicit parental consent. The company's self-employed entrepreneur sent a promotional brochure to an 8-year-old child, allegedly processing the child's data unlawfully. The Board clarified that the entrepreneur acted independently as a data controller, and the company had no involvement in the data processing. The argument that personal data was provided by the data subject was rejected, as it didn't meet the exception provision. Processing the child's name and address for marketing purposes didn't fulfill the conditions in the law, resulting in a fine. The company was instructed to obtain explicit consent and comply with data protection regulations.
    Burak Özdağıstanli

    Transferring Personal Data Abroad Without Obtaining Explicit Consent / May 17, 2023

    In its decision, the Personal Data Protection Board addressed a complaint regarding the unauthorized transfer of personal data from a bank to an insurance company. The complaint alleged that the bank shared the data subject's phone number without explicit consent. The Board determined that the transfer violated the Law on the Protection of Personal Data and the principle of obtaining explicit consent. The data controller failed to provide evidence of informed consent or a lawful basis for the transfer. Sharing personal data without the customer's instruction, even with explicit consent, is prohibited. As a result, the Board imposed a fine on the bank for breaching data protection obligations.
    Burak Özdağıstanli

    Continuing to Process Personal Data of the Employee by the Employer After the Termination of the Employment Contract

    The Personal Data Protection Board evaluated a complaint about the employer continuing to process the personal data of the data subject after the termination of their employment contract. The complaint stated that the data controller company used the data subject's photos and phone number for promotional purposes and communication with courier companies after the contract ended. The Board found that using the photos for advertising purposes and processing the phone number without proper notification violated the principle of accuracy and up-to-date information. Consequently, an administrative fine of TRY 250,000 was imposed on the data controller, and they were instructed to delete the unlawfully processed data and provide a report to the data subject's representative.
    Burak Özdağıstanli

    Transferring Personal Data Abroad Without Obtaining Explicit Consent

    The Personal Data Protection Board has imposed an administrative fine of TRY 950.000 (approx. EUR 44.246) on a technology company for transferring personal data abroad without explicit consent from the data subjects, and not responding to their request within the legally specified period. The board stated that the company violated the Law on the Protection of Personal Data and failed to take necessary technical and administrative measures to ensure appropriate security level. Moreover, the company did not submit a commitment to provide adequate protection in the country to which the transfer would be made. The Board instructed the company to make necessary arrangements and inform the Board.
    Burak Özdağıstanli

    Sharing the Photos Taken During Surgery

    The Personal Data Protection Board evaluated the complaint application about sharing the photos taken during surgery of the data subject and published on the social media account by a doctor who works in the data controller hospital in its decision dated 29.06.2022 and numbered 2022/630.
    Burak Özdağıstanli

    Sending Order Information to Erroneous Email Address

    The Personal Data Protection Board evaluated the complaint application regarding sending the order information of a third party from the e-commerce website which is the data controller to the data subject in its decision dated 03.08.2022 and numbered 2022/774.
    Burak Özdağıstanli

    Failure to Provide the Privacy Policy and Explicit Consent Wording for Cookies

    The Personal Data Protection Board evaluated the complaint application regarding the failure of the data controller to provide the privacy policy and explicit consent wording for cookies on the website of a gaming platform in its decision dated 23.12.2022 and numbered 2022/1358.
    Burak Özdağıstanli

    Administrative Fines to be Imposed in 2023 under the Personal Data Protection Law

    The Personal Data Protection Board in Turkey has published the lower and upper limits of the administrative fines that may be imposed for violating the Law on Protection of Personal Data No. 6698 in 2023. These administrative fines are regulated in Article 18 "Misdemeanors" of the DPL, and apply to those who fail to fulfill their obligations, including the obligation to inform and the obligations related to data security. The minimum and maximum amounts of the fines are determined by the DPL and updated annually in line with the revaluation rate, and the fines for 2023 have been published by the Personal Data Protection Authority.
    Burak Özdağıstanli

    Regulation on E-Commerce Intermediary Service Providers and E-Commerce Service Providers

    Turkey's amended Law on the Regulation of Electronic Commerce has introduced a new Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers. The new rules set out the obligations of electronic commerce intermediary service providers (ETAHS) and electronic commerce service providers (ETHS) concerning the provision and verification of information, the handling of orders, the regulation of unlawful content and unfair commercial practices, and the establishment and amendment of intermediation agreements. The regulation also establishes requirements for the advertising and discount budgets of large and very large ETAHS and ETHS and the creation of an electronic commerce license.
    Burak Özdağıstanli

    Turkish Data Protection Authority Started Enforcement Against Foreign Controllers

    The Turkish Data Protection Authority (DPA) is investigating unregistered foreign controllers for non-compliance with VERBIS registration requirements. Foreign controllers collecting personal data from Turkey must appoint a local representative and register with VERBIS. Fines, calculated based on Law No. 5326, range from TRY 53,572 to TRY 2,678,863 (approx. USD 2,880 - USD 144,000). Non-compliant controllers may face additional fines or restricted data processing operations under the Law on Protection of Personal Data.
    Burak Özdağıstanli