Data Protection Authority Publishes Principle Decision on Third-Party Use of Loyalty Cards

The Turkish Personal Data Protection Authority (the “DPA”) has published a principle decision addressing a common practice in loyalty programmes that allowing a purchase to be processed by a third party simply by providing the cardholder’s mobile phone number or loyalty card number at checkout.

The DPA found that completing transactions without a verification step can lead to unlawful use of personal data and inaccurate records, including situations where purchases and invoices are wrongly attributed to the loyalty cardholder and recorded under their membership account. The DPA also underlined that including a “no third-party use” clause in membership terms is not sufficient on its own- controllers must implement effective safeguards in practice.

Accordingly, controllers are expected to introduce appropriate verification mechanisms to ensure that membership creation, earning/redeeming points, and accessing discounts/promotions occur with the cardholder’s knowledge and consent.

A six-month compliance period applies from the publication date, after which non-compliant practices may trigger regulatory enforcement and administrative fines.

DPA Announcement Regarding the Protection of Personal Data of Children in Their Social Media Use

Regarding the protection of personal data of children in their social media use, the DPA has decided to initiate an ex officio investigation into TikTok, Instagram, Facebook, YouTube, X, and Discord platforms on 20 February 2026 to investigate how children’s personal data is processed and what measures are taken on these social media platforms.

DPA Announcement Regarding X GROK AI Assistant

Following the investigations initiated in January 2026 by the European Commission under the Digital Services Act (the “DSA”), as well as parallel actions taken by several EU Member States concerning potential risks posed by Grok’s AI-generated content, the DPA also moved to act at the national level.

On 11 February 2026, the DPA announced that it had launched an ex officio investigation into X Internet Unlimited Company and X.AI Corporation under Law No. 6698 on the Protection of Personal Data (the “Law”). The investigation focuses on whether the necessary technical and administrative measures were implemented and whether personal data were processed unlawfully, particularly in light of concerns surrounding AI-generated content and its possible implications for fundamental rights.

Notably, this investigation marks one of the first ex officio actions initiated by the DPA in direct response to an AI-related platform development that was already under regulatory scrutiny at the EU level.

DPA Has Launched an Investigation into Google Assistant

On 11 February 2026, following the news that Google Assistant, which is supposed to be activated with the trigger phrases “hey google” or “ok google,” has been recording users’ private conversations without permission due to incorrect triggers, and that this recorded data is being used for personalized advertising and other purposes; the DPA has decided to initiate an investigation into Google LLC on suspicion of violating the Law by failing to take the necessary technical and administrative measures and violating the law while processing personal data.

DPA Warns About “Quishing”

On 26 February 2026, the DPA published a guidance document titled “The Risk of QR Codes: Quishing.” The guidance explains that QR codes, which have become widely used in recent years, can pose various risks to the security and privacy of personal data. In this context, individuals scanning QR codes may unknowingly become targets of ‘phishing’ attacks. The DPA highlights that, “Quishing” (QR phishing) is a phishing method carried out by cyber threat actors using fake or altered QR codes to direct individuals to malicious websites, persuade them to share their personal data, or cause them to install malware on their devices.

Presidential Circular (2026/2) on the Digital Children Action Plan Published

The Presidential Circular No. 2026/2, published in the Official Gazette on 3 February 2026, introduced the Action Plan for Empowering Children in the Digital World (2026-2030), prepared under the coordination of the Ministry of Family and Social Services. The Action Plan sets out a national policy framework aimed at protecting children from digital risks while strengthening their digital literacy, resilience, and safe participation in online environments. It is structured around four strategic objectives focusing on awareness-raising, preventive mechanisms, intervention and support systems, and the strengthening of legal and institutional safeguards. The Action Plan envisages coordinated action by multiple public authorities and stakeholders to ensure that children can benefit from digital opportunities in a secure and rights-based manner.

The “Draft Law on Digital Copyright and Online News Content” Has Been Submitted to the Turkish Grand National Assembly

The bill was submitted to parliament on 10 February 2026. The proposed regulation, comprising 22 articles, aims to address the structural power imbalance between digital platforms and media organizations, establish a fair digital copyright and revenue sharing mechanism for the use of online news content, increase transparency in negotiation processes, and prevent algorithmic discrimination. The bill proposes that digital platforms must pay digital copyright fees to press and media organizations if they use online news content within the scope of “using in a way that creates economic value.”

Turkish Constitutional Court Upholds Administrative Fine for Unlawful Publication of Personal Data

In a decision published on 16 February 2026 dated Official Gazette, the Turkish Constitutional Court ruled that imposing an administrative fine under the Law,  on an online news outlet for publishing a student’s personal data did not violate freedom of expressio.

The case concerned a news article that included a student’s full name, photograph, university placement details and admission score. Following a complaint, the DPA imposed an administrative fine of TRY 30,000 for unlawful processing of personal data. The Court assessed whether penalising the publication of such data was compatible with press freedom. It concluded that publishing the student’s full exam document did not meaningfully contribute to a matter of public interest and that the interference with freedom of expression was proportionate. The decision confirms that, under Turkish law, media organisations may face sanctions where personal data is disclosed without a clear and compelling public interest justification -even in the context of news reporting

Constitutional Court President Announced That They Aim to Implement Artificial Intelligence

Constitutional Court President Kadir Özkaya stated, “We aim to implement artificial intelligence by September 2026. We intend to utilize artificial intelligence in categorizing files before the evaluation phase. Currently, artificial intelligence will not be involved during the substantive review phase of the case.” It was also noted that the vast majority of individual applications ruled inadmissible; thousands of files were decided without proceeding to the substantive examination. These files were deemed inadmissible because they did not meet certain objective criteria; it was stated that artificial intelligence could contribute to the evaluation of criteria that do not require legal assessment and contain objective elements.

The DPA Announced the Following Data Breach Notifications in February