TÜBİTAK Defines Strict IT Criteria for Crypto Providers to Protect Personal Data

TÜBİTAK BİLGEM has issued a technical framework for Crypto Asset Service Providers (KVHS), emphasizing their obligations as data controllers under Turkish data protection law. The newly published criteria set minimum standards for wallet security, access management, data logging, and system continuity—all essential for safeguarding personal data processed through digital asset platforms. Beyond IT infrastructure, the guidelines address how service providers must implement technical and organizational measures aligned with the Law No. 6698 on the Protection of Personal Data. Seen as a de facto engineering manual for the crypto sector, the document is expected to play a central role in Capital Markets Board of Türkiye’s licensing procedures and compliance oversight.

Turkish High Court Rules: Accessing Call Logs Without Consent Breaches Personal Data Law

The Turkish Court of Cassation has ruled that accessing a former partner’s mobile phone call records without consent constitutes unlawful acquisition of personal data, rather than a violation of communication privacy. Citing Article 136 of the Turkish Penal Code, the court emphasized that any personal data—regardless of how it is stored or acquired—remains protected under the law. Even when such data is accessed through observation or memory, unauthorized use can trigger criminal liability. By overturning the acquittal, the court clarified that the act falls under data protection offenses, not merely privacy violations.

Executive Who Copied Company Data Illegally Cannot Claim Severance

The Turkish Court of Cassation has ruled that a senior executive who copied confidential company data to an external device without authorization is not entitled to severance or notice compensation. Despite an acquittal in the related criminal proceedings, the Court found that the act constituted a clear breach of the duty of loyalty under labor law. Citing forensic reports, internal emails, and confidentiality agreements, the Court emphasized that the employee’s actions fell outside his job responsibilities and violated internal protocols. The decision underscores that unauthorized handling of sensitive data—even without proven malicious use—can justify immediate termination with no severance rights.

Right to Be Forgotten Prevails Over Outdated Allegations

The Court of Cassation has ruled that keeping a 2005 online news article accessible — despite the individual’s acquittal years ago — constitutes a violation of personal rights. Emphasizing the erosion of relevance and absence of public interest, the Court held that the right to be forgotten must be respected when outdated information continues to harm a person’s reputation and control over personal data. The decision underscores that data controllers, including media outlets, must weigh the public’s right to know against an individual’s right to move beyond a stigmatizing past. A key ruling for balancing digital memory with human dignity.

KVKK Releases Comprehensive Glossary of Personal Data Protection Terms

In April 2025, the Turkish Personal Data Protection Authority (“DPA”) published the first edition of its “Glossary of Terms Related to Personal Data Protection.” This resource goes beyond the definitions set out in Law No. 6698 and its secondary legislation—it also compiles key concepts from international sources such as the European Data Protection Board (“EDPB”), the European Data Protection Supervisor (“EDPS”), and the IAPP. Covering 100 selected terms, the glossary aims to resolve terminological ambiguities commonly encountered in data processing practices. By promoting a shared understanding among data controllers, practitioners, and the general public, the glossary contributes to more coherent implementation and better comprehension of data protection rights.

The DPA announced the following data breach notifications in May: