Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law –May 2024
In May, the Turkish Data Protection Authority (“Authority”) published a draft regulation and draft documents, approved two written undertakings, and announced 13 data breach notification.
Draft Regulation open for public comments
On 9 May 2024, the Draft Regulation on the Procedures and Principles Regarding the Cross-Border Transfer of Personal Data (“Draft Regulation”) was opened for public comments (until 20 May 2024).
The Draft Regulation provides alternative cross-border transfer mechanisms for data controllers and processors. Within their scope, personal data may be transferred abroad without explicit consent provided there is compliance with one of the three following conditions: (i) Existence of an adequacy decision, (ii) existence of the appropriate safeguards, (iii) in the absence of the prior two conditions, applicable specific derogations.
We expect the Authority to consider these comments and publish the final version of the regulation.
You can read our short article on this issue here.
Draft documents are published
On 17 May 2024, and in line with the Draft Regulation, the Authority published a Public Announcement on Draft Documents regarding Standard Contracts and Binding Corporate Rules. A total of eight documents (e.g., standard contracts, application forms and guidelines) were opened for public consultation until 27 May 2024. We expect publication of the final versions soon given the Authority has now collected, and is currently evaluating, the public comments.
You can read our short article on this issue here.
Two undertaking letters approved by the Authortity
On May 2, 2024, the Authority approved an undertaking letter submitted by Bosch Termoteknik on 15 February 2024. On May 28, 2024, the Authority also made a decision to approve the undertaking letter submitted by Huawei. With the acceptance of each, these companies will be able to transfer personal data abroad.
The DPA announced the following data breach notifications in April:
| Data Controller (and sector) | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| Abi International (import/export) | Employees, customers and potential customers | identity, communication, location, personal, legal, customer, physical space security, transaction security, risk management, finance, professional experience, marketing, audio-visual records, clothing, health information, biometric data, criminal convictions and security measures | N/A |
| Akıl (plastics) | Employees, customers and potential customers | identity, communication, location, personal, legal, customer, physical space security, transaction security, risk management, finance, professional experience, marketing, audio-visual records, clothing, health information, biometric data, criminal convictions and security measures | N/A |
| Armoni (plastics) | Employees, customers and potential customers | identity, communication, location, personal, legal, customer, physical space security, transaction security, risk management, finance, professional experience, marketing, audio-visual records, clothing, health information, biometric data, criminal convictions and security measures | N/A |
| Hamra Global (import/export) | Employees, existing and potential customers | identity, communication, location, personal, legal, customer, physical space security, transaction security, risk management, finance, professional experience, marketing, audio-visual records, clothing, health information, biometric data, criminal convictions and security measures | N/A |
| Karcam (plastics and glass) | Employees, existing and potential customers | identity, communication, location, personal, legal, customer, physical space security, transaction security, risk management, finance, professional experience, marketing, audio-visual records, clothing, health information, biometric data, criminal convictions and security measures | N/A |
| Titiz (baby and health products) | Employees, existing and potential customers | identity, communication, location, personal, legal, customer, physical space security, transaction security, risk management, finance, professional experience, marketing, audio-visual records, clothing, health information, biometric data, criminal convictions and security measures | N/A |
| Titiz Gayrimenkul (real estate) | Employees, existing and potential customers | identity, communication, location, personal, legal, customer, physical space security, transaction security, risk management, finance, professional experience, marketing, audio-visual records, clothing, health information, biometric data, criminal convictions and security measures | N/A |
| T-Soft (IT) | Employees, users, subscribers, customers | N/A | Approximately 1 million |
| Pınar (textiles) | Customers | identity (name, surname), contact (mobile phone number, e-mail address) and customer transaction (shopping history of natural and legal persons) | 36,956 |
| Alexion (pharmaceutical) | principal investigators, research centre staff, persons assigned for the research study and clinical trial participants/volunteers | participant ID (key-coded identifier), study name, status, open consent date, screen failure date, randomized date, arm/cohort/start, first dose date, current dose date, last dose date, last visit date, number of screenings, previous participant ID, age, sex, race, ethnicity, randomized end of period, reason for discontinuation of treatment, date of discontinuation of treatment, reason for discontinuation of study, date of discontinuation of study, completed study, date of completion of study, date of death, SDVTier, participant ID, year of birth, laboratory results, value in range, laboratory date, medications used, medical history, field staff information, UserOID, login name, screen name, full name, user role, country, corporate contact information (address, e-mail, fax, telephone, license number) | 607 |
| Asimetrik (sound, light and vision) | customers and potential customers | name, surname, address, TR ID numbers if entered correctly, phone numbers, date of birth if entered by the customer, e-mail address, customers’ last order information | 26,968 |
| Lizay (jewellery) | subscribers/members, customers and potential customers | identity, communication and location | 34,602 |
| Aker (retail) | employees and customers | identity (name, surname), contact (e-mail address, mobile phone number), identity (name, surname, TRKN), contact (e-mail address, mobile phone number), transaction security and customer transaction information | 25,735 |
