Turkish Parliament Approves New Child Protection Rules for Social Media and Gaming Platforms
On 22 April 2026, the Turkish Parliament approved a new legislative package introducing additional obligations for social media providers and online gaming platforms aimed at strengthening child protection measures in digital services, including restrictions targeting social media access for children under the age of 15. The legislation was subsequently published in the Official Gazette dated 1 May 2026 and numbered 33240.
The new framework introduces age verification requirements, parental control tools, child-specific services, and measures targeting misleading advertisements directed at children. It also establishes new compliance obligations for gaming platforms, including age-rating requirements, removal of inappropriate content, and mandatory parental approval mechanisms for certain paid transactions.
Foreign-based gaming platforms exceeding 100,000 daily users in Türkiye will be required to appoint a local representative in Türkiye. Non-compliance may result in administrative fines, advertising restrictions, and bandwidth throttling measures. The new rules will enter into force six months after their official publication.
DPA and Gendarmerie Sign Cooperation Protocol on Personal Data Practices
On 16 May 2026, the Turkish Personal Data Protection Authority (“DPA”) announced that it had signed a cooperation and information-sharing protocol with the Turkish Gendarmerie General Command. The protocol aims to strengthen coordination between the two institutions regarding the lawful processing of personal data in areas falling within the Gendarmerie’s duties and authority.
According to the announcement, the cooperation framework will focus on increasing awareness among Gendarmerie personnel, providing training on personal data practices, promoting consistent implementation standards, and facilitating mutual exchange of knowledge and experience. The protocol also aims to establish active and effective coordination between the parties in relation to personal data processing activities carried out within the Gendarmerie’s operational scope.
The DPA announced the following data breach notifications in April:
| Data Controller (and sector) | Affected Data Subjects | Affected Personal Data Categories | Number of Data Subjects |
| Vimeo.com
|
Individuals associated with affected Vimeo account data | Not yet been determined
*The incident may potentially involve account and content-related data, including names, email addresses, photographs and video content, considering Vimeo’s activities as a video hosting and collaboration platform. |
Not yet been determined
*The Authority’s investigation into the incident is currently ongoing. |
| Türk Nippon Sigorta A.Ş. | Clients | · Identity Data (name and surname),
· Vehicle registration plate information. |
193
*The Authority’s investigation into the incident is currently ongoing. *Data subjects seeking further information about the incident may contact the Controller’s call centre.
|
| English Time Eğitim Kurumları A.Ş.
|
Employees, students, users, subscribers and clients | For Students:
· Identity Data (name, surname, gender, date of birth), · Contact Data (email address, phone number) · Location Data (address information), · Transaction Data (registration date, agreement and payment information). For Other Data Subjects: · Identity Data, · Contact Data, · Location Data · Personnel Data.
|
300.000
*The Authority’s investigation into the incident is currently ongoing. |
| Batıgroup Dental Diş Ürünleri Ticaret A.Ş. | Employees and clients | For Employees:
· Identity Data (name, surname, identification number), · Contact Data, · Location Data (address) · Personnel Data (employment start date, department, title/position, payroll and leave information, promotion and organisational information, signature authorisation categories), · Financial Data (salary and salary increase information). For Clients: · Identity Data (name-surname/company name, tax number) · Contact Data, · Location Data (address), · Transaction Data (customer account and transaction information, receivables records, invoice and order information), · Financial Data (pricing, discount and payment information). |
Not yet been determined.
*The Authority’s investigation into the incident is currently ongoing.
*Data subjects seeking further information about the incident may contact the kvkk@aydemir.av.tr e-mail address. |
