A BRIEF ASSESSMENT OF THE YEAR 2024
The year 2024 has been a particularly eventful one in terms of Personal Data Protection Law. Therefore, before assessing the developments expected in 2025, we would like to briefly review the most significant events, decisions, and administrative fines that have emerged both in our country and on the global agenda throughout 2024. Accordingly:
- Throughout 2024, the most notable developments in our country have been the amendments to the Personal Data Protection Law (“KVKK”) and the introduction of new regulations concerning the transfer of data abroad from Turkey. In the later months of 2024, to facilitate the implementation of these amendments, the KVKK Regulation and the Standard Contracts, which form the fundamental framework for cross-border data transfers, were published.
- According to the data provided by the Personal Data Protection Authority (“Authority”), a total of 281 personal data breaches and 1,345 Standard Contracts were reported to the Authority in 2024. Out of the 8,186 notifications and complaints submitted to the Authority, 6,958 were concluded. As a result of the decisions and announcements published by the Authority, administrative sanctions amounting to 552,668,000 Turkish Liras were imposed.
- In addition to the developments, decisions, and announcements concerning the KVKK in our country, significant developments in the field of personal data protection law have also taken place at the international level.
- The most significant of these developments was the decision issued by the Irish Data Protection Authority concerning the globally renowned company, LinkedIn. In this decision, the Irish Data Protection Authority imposed a €310 million fine on LinkedIn for processing user data for analytics and advertising purposes in violation of the General Data Protection Regulation (“GDPR”). This decision ranked among the top 10 highest data breach fines worldwide.
As we have examined in detail in our article titled “Fundamental Reforms in the Personal Data Protection Law,” it is evident that 2024 has marked the beginning of a new era for the KVKK in our country. With these reforms, we believe that our legislation will continue to be increasingly aligned with the GDPR throughout the year.
2025 AGENDA FOR THE PERSONAL DATA PROTECTION LAW (KVKK)
The early months of 2025 have proven to be exceptionally active from the perspective of Personal Data Protection Law, with several decisions, announcements, and communications issued by the Authority. Our assessments concerning these developments are outlined below:
THE GUIDELINE ON CROSS-BORDER DATA TRANSFER HAS BEEN PUBLISHED
At the beginning of 2025, the Authority published the highly anticipated “Guideline on the Transfer of Personal Data Abroad” (“Guideline”). The Guideline evaluates cross-border data transfer activities against three main criteria, with the following key points to be carefully considered:
- The data controller and/or the data exporter must be subject to the applicable law for the respective personal data activities.
- The personal data processed by the data exporter must be transmitted or made accessible. (For example, granting access to a bank account, sending a password, etc.)
- The data controller and/or the data exporter is located in a third country, regardless of whether they are subject to the Law.
2025 KVKK ADMINISTRATIVE FINES
The administrative fines for offences specified under the KVKK in 2025 have increased by 43.93% compared to the previous year. The administrative fines for 2025 are as follows:
- Failure to fulfil the obligation to inform (KVKK Art. 10): 68,083 TL – 1,362,021 TL
- Failure to fulfil obligations regarding data security (KVKK Art. 12): 204,285 TL – 13,620,402 TL
- Failure to comply with Board decisions (KVKK Art. 15): 340,476 TL – 13,620,402 TL
- Violation of registration and notification obligations with the Data Controllers Registry (KVKK Art. 16): 272,380 TL – 13,620,402 TL
- Failure to fulfil the notification obligation (KVKK Art. 9): 71,965 TL – 1,439,300 TL
THE GUIDELINE ON BEST PRACTICES FOR THE BANKING SECTOR HAS BEEN PUBLISHED
Another guideline published in 2025 is the update of the “Guideline on Best Practices for the Banking Sector in Relation to the Protection of Personal Data,” developed in cooperation between the Authority and the Banks Association of Turkey. This update highlights the requirements for cross-border data transfers within the banking sector and ensures alignment with the comprehensive amendments made to Article 9 of the KVKK. It also incorporates updates on issues such as adequacy decisions and occasional transfers.
PUBLIC ANNOUNCEMENT REGARDING THE OBLIGATION TO INFORM IN MEDIATION
The Authority has issued a public announcement concerning the fulfilment of the obligation to inform in mediation activities. In summary, the announcement underscores that mediators are deemed data controllers under the KVKK and, as such, bear the responsibility to inform the parties involved regarding the processing of personal data.
Moreover, it is important to emphasize that, pursuant to the Mediation Law, the provision of information by the mediator at the outset of the mediation process does not constitute the fulfilment of the obligation to inform as prescribed under Article 10 of the KVKK. It has been clearly stated that the mediator is required to provide a separate notification in accordance with the provisions of the KVKK.
JANUARY 28 DATA PROTECTION DAY
January 28, the anniversary of Convention No. 108, the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”, to which Turkey is a party, has been celebrated in our country, as it has every year since the European Council declared it Data Protection Day.
SUPREME COURT OF APPEAL’S DECISION: IMPRISONMENT SENTENCE FOR THE DEFENDANT WHO VIOLATED THE KVKK
The 12th Criminal Chamber of the Court of Appeals, with its decision numbered 2017/150 E. and 2017/6231 K., ruled that the defendant should be convicted for continuing to publish the victim’s personal data without consent, having failed to delete the photographs as the victim requested after their separation. The Court stated that this conduct violated Article 136/1 of the Turkish Penal Code regarding the unlawful disclosure or acquisition of data, and accordingly overturned the acquittal decision issued by the local court.
SUPREME COURT’S DECISION ON NON-PECUNIARY DAMAGES FOR KVKK VIOLATION
In its decision numbered 2019/979 E. and 2019/2679 K., the 4th Civil Chamber of the Court of Appeals ruled that the personal data of the victim, whose identity information was used without permission and whose signature was forged to open a phone line in their name, had been used without consent. The Court determined that this constituted an infringement on the victim’s personality rights and awarded the victim appropriate non-pecuniary damages.
TRABZON UNIVERSITY DATA BREACH NOTIFICATION
The data breach notification from the Rectorate of Trabzon University, which was the only breach reported in January 2025, outlines that a breach occurred between 01.01.2025 and 06.01.2025. During this period, certain personnel and student information was sold by cyber attackers on illegal online platforms. The personal data affected by the breach included identification, date of birth, parents’ names, contact and personnel information, and location data. Additionally, the number of affected records was reported to be 25,237.
ORGANİK HABERLEŞME TEKNOLOJİLERİ BİLİŞİM SANAYİ TİC. LTD. ŞTİ. DATA BREACH NOTIFICATION
In the data breach notification submitted to the Authority on 04.02.2025 by Organik Haberleşme Teknolojileri Bilişim Sanayi Ticaret Limited Şirketi, it was reported that the breach was detected through a message sent via the WhatsApp communication application by an unknown individual. The message indicated that data under the responsibility of the data controller had been intercepted, and a ransom was demanded in return. The breach was identified on 01.02.2025, and it was confirmed that the breach had been terminated. Additionally, the number of affected subscribers and members was reported to be 1,090.
AFYON KOCATEPE UNIVERSITY DATA BREACH NOTIFICATION
In the data breach notification, it was reported that the breach occurred when the data processor accessed the remote education system data using the password of the “system_admin” user account, which is under the responsibility of the data controller, the university. The number of individuals affected by the breach was reported to be 26,438.
ASİLKAR HIZLI KARGO TAŞIMACILIK TİC. A.Ş. DATA BREACH NOTIFICATION
According to the summary of the most recent data breach reported to the Authority in February, unauthorized individuals intercepted system users’ usernames and password information, gaining access to user accounts via remote connection to the terminal servers of the service provider Ajannet Bilişim Hizmetleri Sanayi Ticaret Ltd. Şti. As a result of the attack, unauthorized access was gained to the names and surnames of 16 employees/users, which were only used as file names. It was also emphasized that, since the unauthorized access was limited to the terminal server, the data in those files could not be accessed through the program without additional usernames and password information.
GUIDELINE ON THE PROCESSING OF SENSITIVE PERSONAL DATA PUBLISHED
At the end of February, the highly anticipated “Guideline on the Processing of Sensitive Personal Data” (“Guideline”) was published. This guideline, which addresses uncertainties regarding the processing of sensitive personal data and the new processing conditions following the legislative change, particularly focuses on the updates made to Article 6 of the Law. The guideline, supported by examples, covers the following key points:
- The conditions for processing sensitive personal data have been expanded and clarified,
- The conceptual distinction regarding health data and data on sexual life, which existed under the previous law, has been removed,
- It has been emphasized that new information texts must be prepared in accordance with the current legislation,
- It has been stated that data, which could only be processed with the explicit consent of the data subject under the previous regulation, can now be processed without the need for explicit consent from the data subject if any of the existing processing conditions under the new regulation are met.
Following these legislative updates, the third section of the Guideline provides recommendations to ensure compliance with the new legal framework. It is strongly advised that data controllers immediately draft updated information notices in accordance with the current legislation to prevent any potential data breaches.
GUIDELINE PUBLISHED ON THE PROTECTION OF PERSONAL DATA IN THE FIELD OF ARTIFICIAL INTELLIGENCE
We would like to address the “Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence” guideline, published by the Authority, which deals with an increasingly significant issue in our rapidly advancing world. The document emphasizes the need to safeguard the fundamental rights and freedoms of individuals, as well as human rights and social and ethical values within society, while minimizing potential risks in the process of using and applying artificial intelligence. Furthermore, it recommends that individuals interacting with artificial intelligence systems be informed of the rationale for personal data processing activities, the specific methods used in processing personal data, and the potential outcomes/risks. It also underscores the necessity of designing an effective data processing consent mechanism in cases where appropriate.
Bibliography:
The relevant decisions, announcements and news may be reached from the following links:
(only available in Turkish)
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/4eba766b-7425-4cd4-97f5-cb09c4cf4ef9.pdf
https://www.enforcementtracker.com
https://www.kvkk.gov.tr/Icerik/8142/Kisisel-Verilerin-Yurt-Disina-Aktarilmasi-Rehberi
https://www.coe.int/en/web/data-protection/data-protection-day
https://www.lexpera.com.tr/ictihat/yargitay/12-ceza-dairesi-e-2017-150-k-2017-6231-t-13-9-2017
https://www.lexpera.com.tr/ictihat/yargitay/4-hukuk-dairesi-e-2019-979-k-2019-2679-t-8-5-2019
https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/70f95c73-06a2-44dc-81e9-34201bdd7f5c.pdf
*Legal Warning*
This post is for the purpose of exchanging information and experiences, and it does not provide a legal guarantee regarding the accuracy or timeliness of the material contained in the articles. Celikbaş Law Office assumes no responsibility for any losses incurred as a result of the use of any information or other content contained in this article, whether direct or indirect. According to the relevant regulations of the Union of Bar Associations of the Republic of Türkiye, the content given on this site is for informational purposes only and does not constitute an advertisement, offer, legal advice, or consulting. The transmission of this information does not constitute the establishment of an attorney-client relationship. Because this information may not represent the most recent legal developments, readers should contact a lawyer about the current situation.