Advertising Board Sanctions Getir for Requiring Card Data Registration

The Turkish Ministry of Trade’s Advertising Board (“the Board”) sanctioned Getir Perakende Lojistik Anonim Şirketi (“Getir”)—a company offering online grocery and food delivery services—for not allowing users to complete purchases without saving their credit card information. Upon review, the Board found that during the payment process, customers were required to add their credit card information to the system via the “Add Card” screen, making card registration mandatory in order to finalize a purchase. This practice was deemed to involve consumers in a transaction they would not otherwise opt into, thereby violating consumer protection regulations. The Board ordered Getir to cease the relevant advertising practices.

Turkish Council of State Annuls DPA’s Regulation on Certification of Data Protection Officers

In a recent judgment, the Turkish Council of State annulled the Turkish Personal Data Protection Authority’s (“DPA”) 2021 regulation introducing a certification program for “Data Protection Officers”. .The court found that the DPA had overstepped its legal authority by establishing a role and related certification procedures not grounded in the Personal Data Protection Law No. 6698 (“KVKK”).

Although the DPA had previously clarified that the VKG role was voluntary and distinct from the EU’s DPO under the GDPR, the regulation faced legal challenges. Among the main objections was that the certification scheme could encroach upon the exclusive domain of legal professionals as defined under Article 35 of the Attorneys’ Act.

The Council of State concluded that the DPA lacked a clear legislative mandate to create such a certification framework and criticized the regulation for failing to provide a defined legal basis or a clear description of the certified role. The court also emphasized that the regulation undermined the principles of legal certainty and the hierarchy of norms, ultimately ruling that it was incompatible with Türkiye’s administrative law framework.

DPA’s New Bulletin Has Been Published

The DPA has released its latest awareness bulletin, which is published quarterly, under the title Democracy, Privacy, and Resistance: In the Aftermath of July 15. The bulletin features a prominent article authored by DPA President Prof. Dr. Faruk Bilir, titled The Expectation of Privacy. In this article, the right to privacy is examined from various perspectives, covering topics such as The Challenge of Protecting Private Life in Public Spaces, the landmark case Katz v. United States, The Subjective and Objective Nature of the Concept of Privacy Expectation, and The European Court of Human Rights’ Approach to the Concept of Reasonable Expectation of Privacy.

Another article in the bulletin, titled The Right to Request the Protection of Personal Data in Terms of the Restriction of Fundamental Rights and Freedoms During States of Emergency, explores the boundaries of limiting fundamental rights under extraordinary circumstances.

The DPA announced the following data breach notifications in July: