In current society, where the internet and technology are continuously increasing and rising, the concept of personal data has reached a critical juncture. Personal data protection refers to the safeguarding of processed data from intrusions into the private lives, personal rights, and so on of the individuals concerned. Since it is based on logic, it must be legally safeguarded in a precise and detailed manner. We have summarized the major advancements in this subject in the globe and in our country in January below.


On January 18, The Information Technologies and Communication Authority (“BTK”) published in the Official Gazette number 31723 significant revisions to the Consumer Rights Regulation on the Electronic Communications Industry (“Regulation”). Article 4 on the protection of personal data reads as follows; 

  • “It is necessary to have the original identity document or equivalent documents required for the establishment of the subscription agreement. In addition to the subscription agreement, the operator is required to obtain a copy of the required identity document or equivalent documents when establishing the subscription agreement. The operator makes a copy of this document on the originals and only in the form of a transfer to the appropriate electronic media.” 

This article aims to prevent illegal transactions made by using other people’s identity cards by not taking photocopies of The Republic of Türkiye Identity Card (with chip) or Passport (with chip) documents used in the process of verifying the applicant’s identity.


The Wiesbaden Administrative Court (“Court”) issued a remarkable interim injunction international data transfers in early December 2021, as published on December 26, 2021.

The Danish-originated Cybot (“COOKIEBOT”) cookie permissions management platform is used on the Rhein-Main University site, which was brought to court by a user, to store users’ cookie preferences, but the cloud (hosting) provider of the said company is Akamai Tech, based in the United States (“USA”). Inch. (“AKAMAI”) the company, which claims that the data obtained by the company is also transferred to the Akamai company; The court ruled that the Cookiebot company processes data such as “IP address” and “Cookie key” for each user, because the full IP address and cookie keys are personal data under GDPR, and the transfer of the information to the US-based company Akamai constitutes an illegal data transfer to a third country. It has issued an interim injunction prohibiting the use of this cookie management service until the court’s final decision, as an explanation that the data was transcribed.

The defendant has the right to appeal the Court’s decision because it is an interim injunction. Although the decision is not final judgement, it is a significant decision for most cookie service providers and internet access companies working with third countries in terms of the importance of carefully documenting, concluding, and signing data processing agreements and agreements made between parties regarding personal data.


A decision was published in the Official Gazette dated January 20, 2022, and numbered 31725 regarding the “Black List” practices used in the car rental sector, which are in violation of the Personal Data Protection Law (“KVKK”).

Black List: it is an application that results from the processing of personal data of customers received through contracts, positive or negative situations encountered during the contractual relationship, and personal evaluations of customers by companies or individuals operating in the car rental sector, using various applications and software.

Within the scope of the notification received by the Personal Data Protection Committee (“Committee”), in the research conducted in accordance with KVKK Article 15;

  • It has been discovered that it is not aware that the personal data provided by renters to car rental companies and real people to whom they are customers, as well as the positive or negative evaluations made during the car rental process, are processed in software with a blacklist feature and that the data in question is transferred to other car rental companies via this software.

Concerning the facts discovered by the Committee in the aforementioned event;

According to Article 3 of the KVKK, car rental companies and their real persons are considered “data supervisors” since they hold the personal data of their customers, as well as are software companies that provide the “blacklist” feature accepted as “data supervisor partnership” because of the data flow in question, 

It has been determined that the blacklist application used in the car rental sector violates the general principles in Article 4 of the Law, the processing conditions of personal data in Article 5, and the regulations regarding data transfer in Article 8 of the law, in which personal data is processed and transferred.

To put an end to this illegality, it has decided to fulfill the data supervisors’ obligations regarding data security outlined in Article 12 of the Law.

The comittee’s decision has the “Principal Decision” feature. As a result, it is critical that the decision regarding the violation of the KVKK’s basic rules be carried out immediately by supervisory authorities working in the car rental sector. The violation of the basic rules has clearly demonstrated the importance of regulating the protection of personal data in detail, as well as the regular operation of the control mechanism.


The Regulation on Inquiry of Goods, Rights, or Claims over the National Judicial Network Information System (“Regulation”), which became effective on January 22, and the National Judicial Network Information System (“UYAP”) in accordance with Articles 8 and 78 of the Execution and Bankruptcy Law No. 2004. It contains detailed regulations on the issues concerning the creditor’s questioning of the debtor’s property, rights, or receivables. This Regulation is especially significant since it complies with the Law on the Protection of Personal Data (“KVKK”).

Regarding the first item, it has been regulated what the data to be processed consists of, for what purpose it is processed, and it should be limited within the area envisaged to be used, and a framework has been drawn in accordance with the general principles of personal data processing with these articles and Article 4 of the Law on the Protection of Personal Data.

Another significant aspect of the issuance of this Regulation as a separate regulation is the provision in the first paragraph of Article 5 of the KVKK that the processing and transfer of personal data are only permitted with the person’s explicit consent. 

Given that the aforementioned inquiry is not governed by such a Regulation, it will constitute a violation of the law since the processing and transfer of data are planned for a situation that is not subject to the person’s consent.

The inquiry made with the Regulation entered into force in order to prevent illegality; in the second paragraph of the same article, the processing and transfer of personal data are clearly stipulated in the law and it is compulsory for the data supervisor to fulfil its legal obligations, which is subject to the exception provisions and has become lawful.


Looking at the aforementioned decisions, it is clear that there are precedents in the international arena as well as national regulations regarding personal data protection in January. Regulations on the protection of personal data in international and domestic law strengthen legislation on a daily basis, preventing unlawful acts that may arise from legal gaps. As a result, it is critical for institutions to update their personal data organizational structures in response to relevant decisions.


*Legal Warning*

This post is for the purpose of exchanging information and experiences, and it does not provide a legal guarantee regarding the accuracy or timeliness of the material contained in the articles. Celikbaş Law Office assumes no responsibility for any losses incurred as a result of the use of any information or other content contained in this article, whether direct or indirect.

According to the relevant regulations of the Union of Bar Associations of the Republic of Türkiye, the content given on this site is for informational purposes only and does not constitute an advertisement, offer, legal advice, or consulting. The transmission of this information does not constitute the establishment of an attorney-client relationship. Because this information may not represent the most recent legal developments, readers should contact with a lawyer about the current situation. 

Leave a Comment

Your email address will not be published. Required fields are marked *