October 2023 – In September 2023, the Turkish Personal Data Protection Authority (the “DPA”) published six data breach notifications but did not publish any decisions.
Countdown begins: Turkish DP Law to undergo amendments to align with GDPR standards
Turkey is set to change its data protection rules, as outlined in the Medium-Term Program announced on 6 September 2023. In this respect, the Turkish Data Protection Law (“DP Law”) will be amended within the next year, with the changes expected to take effect in the fourth quarter of 2024. These amendments aim to bring the DP Law in line with the European Union’s General Data Protection Regulation (GDPR) and other EU legislation.
Highlights from the 3rd Personal Data Protection Summit
On 20 September 2023, the 3rd Personal Data Protection Summit was held, focusing on “global developments in data governance”. During the summit, the President of the DPA announced the initiation of a study on artificial intelligence within the context of personal data protection. Key statistics and achievements since 2017 were also shared, including:
- Out of 35,592 notifications, applications and complaints, the DPA has resolved 33,639.
- The DPA received 1,189 data breach notifications, with 277 published on the DPA’s website.
- As a result of the investigations, a total administrative fine of approximately TRY 291 million (approx. EUR 10 million was imposed.
- The DPA provided 1,040 legal opinions within the scope of the DP Law.
- The DPA approved seven written undertakings with sufficient qualifications for the transfer of personal data abroad.
September agenda of the DPA
The DPA had a packed agenda in September, hosting several insightful seminars:
- On 6 September, the seminars “Personal Data Security and Protection of Privacy in IoT Applications” and “Personal Data Security in Cloud Computing” delved into the increasing integration of IoT applications in daily The seminar emphasised the importance of prioritising individual privacy in IoT use and addressed data security issues in cloud computing, especially when using foreign infrastructure-based cloud services.
- On 26 September, the seminar “The Position of Lawyers under the DP Law” clarified the DPA’s unique evaluation of each legal The main criterion for determining if a lawyer acts as a data controller is their role in the data processing activity and their independent authority in decision making regarding that activity. Concerning the data controllers’ obligation to inform, the seminar stressed the need to provide information before initiating data processing.
- On 27 September, the seminars “Risk-Based Approach” and “Evaluation of Targeted Advertising Practices in terms of DP Law” addressed the definition of risk from the data protection perspective and emphasised the importance of a risk -based approach. The concept of targeted advertising was also highlighted, underscoring the importance of considering the DP Law’s provisions to empower data subjects against targeted advertising practices.
- On 29 September, the event “Data Security in the Threat Ecosystem” at the Information and Communication Technologies
Authority discussed the DPA’s Guidelines on Personal Data Security as a roadmap. The seminar covered
The Board announced the following data breach notification in September:
Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
Hotiç Ayakkabı Sanayi ve Ticaret | Customers | Communication Data | 1,926,889 |
Doğan Trend Otomotiv Ticaret Hizmet ve Teknoloji |
N/A |
N/A |
N/A |
Suzuki Motorlu Araçlar Pazarlama |
N/A |
N/A |
N/A |
Defacto Perakende Ticaret |
Customers |
Identity, Communication and Customer Transaction Data |
Approx. 2,686 |
Elca Kozmetik |
Customers and Potential Customers |
Identity and Communication Data |
Approx. 83,185 |
Telcoset İleri Teknoloji Stratejik İş Geliştirme Danışmanlık | Employees, Employees of Legal Person (Customers, Potential Customers and Suppliers), Suppliers and Supplier’s Authorised Person | Identity, Communication, Personnel Information, Legal Transaction, Transaction Security, Professional Experience, Health Data and Convictions and Security Measures Data | Approx. 1,000 |