Atty. Nil Merve Çelikbaş Şeker, LL.M.
In the closing days of 2025, a significant number of principle decisions, guidelines, judicial rulings, and legislative amendments issued by the Personal Data Protection Authority (“Authority”) and the high courts were made public, directly affecting practice in the field of personal data protection. In particular, the protection of children’s personal data, the processing of special categories of personal data, biometric data, the use of artificial intelligence, cross-border data transfers, camera and surveillance practices, the limits of data processing within employment relationships, and the updated amounts of administrative fines have emerged as the principal issues that data controllers are required to reassess before entering 2026.
In this Bulletin, the current practices of the Authority, along with decisions of the Constitutional Court, the Council of State, and the Court of Cassation, as well as the contemporary approaches adopted by international data protection authorities, are addressed collectively, highlighting developments that merit particular attention from data controllers and practitioners.
Accordingly, in this issue of our Bulletin on the Protection of Personal Data, we provide a concise overview of the following topics:
- Expansion of the VERBİS Exemption for Data Controllers Processing Special Categories of Personal Data,
- Cyber Espionage Operation Against Unlawful Query Systems Conducted Under the Coordination of the National Intelligence Organization (MİT),
- Publication of the “Guidelines on Generative Artificial Intelligence and the Protection of Personal Data”,
- Installation of Cameras Covering Apartment Entrances Deemed a Violation of the Right to Privacy,
- A Landmark Decision of the Council of State on Time Tracking Through Fingerprint Systems,
- The Authority’s Administrative Sanction and Enforcement Data in the Field of Personal Data Protection,
- Reminder Issued by the Authority on Cybersecurity Awareness,
- Court of Cassation Decision Assessing Face ID Security Vulnerabilities as Defective Products,
- Principle Decision Regarding the Collection of Identity Photocopies in Hotels,
- Finalization of Administrative Fines under the PDPL for 2026,
- The First Board Approval Regarding the Transfer of Personal Data Abroad,
- Significant Amendments to the Regulation on Personal Health Data,
- Recent Decisions of the Court of Cassation on Personal Data and the Right to Private Life,
- A Judicial Approach Allowing the Use of Artificial Intelligence in a Limited and Explicit Manner,
- An Important Emphasis by the Constitutional Court on the Right to a Reasoned Decision Concerning PDPL Fines Imposed on Attorneys,
- Data Breach Notifications,
- Developments from Around the World.
We wish you an enjoyable and informative read.
EXPANSION OF THE VERBİS REGISTRATION EXEMPTION FOR DATA CONTROLLERS PROCESSING SPECIAL CATEGORIES OF PERSONAL DATA
With the decision of the Personal Data Protection Board (“Board”) published in the Official Gazette, the exemption criteria regarding the obligation to register with the Data Controllers’ Registry (VERBIS) for data controllers whose principal activity consists of processing special categories of personal data have been reevaluated. Accordingly, it has been resolved that natural or legal person data controllers whose principal activity involves the processing of special categories of personal data, but who employ fewer than 10 employees on an annual basis and whose annual financial balance sheet total is below TRY 10 million, shall also be exempt from the obligation to register with and notify VERBIS.
In its reasoning, the Board emphasized that data controllers qualifying as micro-enterprises possess limited human and financial resources and process a relatively smaller volume of personal data, and that the obligation to register with the Registry should therefore be assessed primarily on the basis of employee headcount and financial balance sheet criteria. Within this framework, the VERBİS registration obligation has been lifted for clinics, pharmacies, and physicians providing healthcare services that meet the said conditions.
CYBER ESPIONAGE OPERATION AGAINST ILLEGAL QUERY SYSTEMS COORDINATED BY THE NATIONAL INTELLIGENCE ORGANIZATION
Under the coordination of the National Intelligence Organization of Türkiye (Milli İstihbarat Teşkilatı – “MİT”), and in cooperation with the Gendarmerie General Command, the National Cyber Incident Response Center (USOM), and the Financial Crimes Investigation Board (MASAK), a comprehensive cyber operation has been conducted against illegal query systems targeting the personal data of citizens of the Republic of Türkiye.
Within the scope of the investigation carried out by the Ankara Chief Public Prosecutor’s Office, detention orders were issued against suspects who unlawfully accessed personal data. As a result of simultaneous operations executed across multiple provinces, the administrators and developers of illegal query panels were apprehended. Following technical and financial examinations, it was determined that the unlawfully obtained personal data had been transferred abroad and used in cyber espionage activities. Consequently, numerous websites and digital communication channels were blocked from access.
This development constitutes a current and concrete reflection of the coordinated and resolute efforts of public authorities in combating unlawful activities and safeguarding the protection of personal data.
“GUIDELINES ON GENERATIVE ARTIFICIAL INTELLIGENCE AND THE PROTECTION OF PERSONAL DATA” PUBLISHED
With the publication of the Guidelines on Generative Artificial Intelligence and the Protection of Personal Data by the Authority, the fundamental principles and obligations governing the lawful processing of personal data within generative artificial intelligence systems have been set out. The Guidelines address, in a practice-oriented manner and within the framework of 15 key questions, critical issues such as the legal grounds for data processing, cross-border transfers of personal data, the exercise of data subject rights, and the responsibilities of data controllers.
PLACEMENT OF A CAMERA DIRECTLY VIEWING A RESIDENTIAL UNIT ENTRANCE DEEMED A VIOLATION OF THE RIGHT TO PRIVACY
The 12th Criminal Chamber of the Court of Cassation upheld as lawful the sentence of 2 years and 6 months’ imprisonment imposed under Article 134 of the Turkish Penal Code for the offense of violation of the right to privacy, arising from an apartment manager’s installation of a security camera positioned to directly view the entrance door of a residential unit and record footage. In its reasoning, the Court emphasized that recording images of individuals entering a dwelling by exceeding the scope of authority derived from the managerial role constitutes an infringement of the right to protection of private life. The defense arguments alleging the absence of criminal intent were found unsubstantiated and were accordingly dismissed.
SIGNIFICANT COUNCIL OF STATE DECISION ON TIME AND ATTENDANCE MONITORING THROUGH FINGERPRINT SYSTEMS
The 12th Chamber of the Council of State held that monitoring employees’ entry to and exit from the workplace through fingerprint recognition systems constitutes an unlawful practice within the scope of the right to protection of personal data. In its reasoning, the Court emphasized that fingerprints qualify as special categories of personal data under Law No. 6698 and that the processing of such data requires either an explicit statutory basis or the explicit consent of the data subject.
The Court further underlined that, where less intrusive alternatives such as card-based or password-based systems are available, the processing of biometric data fails to satisfy the principle of proportionality. On these grounds, the Council of State upheld the administrative court’s decision annulling the practice of time and attendance monitoring through fingerprint systems (Council of State, 12th Chamber, E. 2018/4535 K. 2022/633; E. 2023/1904 K. 2023/6074).
ADMINISTRATIVE SANCTIONS AND ENFORCEMENT DATA OF THE PERSONAL DATA PROTECTION BOARD
As a result of the examinations and audits conducted since the commencement of its activities in 2017, the Personal Data Protection Board has imposed a total of TRY 1.265 billion in administrative fines on data controllers. During this period, of the 56,896 complaints and notices submitted to the Board, 54,793 have been concluded, and out of 1,872 reported personal data breaches, 383 have been disclosed to the public.
Within the scope of cross-border transfers of personal data, more than 3,000 standard contractual clauses have been notified to the Board, and 13 undertakings have been approved. In addition, with a view to guiding practice, the Board has issued 1,336 legal opinions, 332 decisions, and 9 principle decisions, thereby establishing a significant body of case law and guidance in the field of personal data protection.
REMINDER FROM THE AUTHORITY REGARDING CYBERSECURITY AWARENESS
In a public statement issued by the Authority on the occasion of October being designated as “Cybersecurity Awareness Month,” it was emphasized that cybersecurity awareness plays a critical role in ensuring the protection of personal data and information security. In this context, the Authority underlined the importance of using strong and unique passwords, implementing multi-factor authentication mechanisms, ensuring recipient confidentiality in bulk email communications, raising employee awareness against phishing attacks, keeping security software up to date, and defining access authorizations strictly on a need-to-know basis tied to job duties.
In addition, the use of screen-lock mechanisms, precautionary measures during screen sharing in online meetings, and the retention of personal data only for the period strictly necessary were reiterated as integral components of data security.
COURT OF CASSATION DECISION ON THE CLASSIFICATION OF A FACE ID SECURITY VULNERABILITY AS A DEFECTIVE PRODUCT
In its decision dated 16 April 2025 and numbered E. 2024/2803, K. 2025/2178, the 3rd Civil Chamber of the Court of Cassation held that the security vulnerability arising from the Face ID (facial recognition) system of an iPhone, whereby the device could be unlocked by mistaking the claimant’s face for that of his sibling, constituted a defective product within the scope of consumer law.
The court of first instance accepted that this malfunction infringed upon the claimant’s personal rights and awarded TRY 5,000 in non-pecuniary damages; the decision was subsequently upheld by the Regional Court of Appeal at the appellate stage. The Court of Cassation rejected the grounds of appeal, finding that the amount of non-pecuniary damages awarded was proportionate and consistent with the facts of the case and its particular circumstances, and thereby affirmed the judgment.
This decision is significant in that it highlights the potential legal consequences of security vulnerabilities in biometric authentication systems from the perspectives of both consumer protection law and the safeguarding of personal rights.
PRINCIPLE DECISION REGARDING THE TAKING OF IDENTITY DOCUMENT PHOTOCOPIES IN HOTELS
With the principle decision published by the Board, it has been explicitly established that the practice of taking photocopies of identity documents from guests within the scope of service provision by accommodation facilities is unlawful. The Board emphasized that, although accommodation facilities are obliged under the relevant legislation to verify identity information and record certain data, this obligation does not extend to taking photocopies of identity documents.
The decision underlined that obtaining identity document photocopies constitutes excessive data processing, lacks a clear legal basis, and leads to the unnecessary processing of special categories of personal data. Within this framework, it was stated that accommodation facilities must refrain from requesting identity document photocopies, must destroy any photocopies previously obtained, and must record identity information solely to the extent permitted by applicable legislation. It was further reminded that practices contrary to these principles may be subject to administrative sanctions.
ADMINISTRATIVE FINES UNDER THE KVKK FOR 2026 HAVE BEEN FINALIZED
Pursuant to the 25.49% revaluation rate determined under Turkish Tax Procedure Law No. 213 and finalized by the Communiqué published in the Official Gazette dated 27 November 2025, the administrative fine amounts set forth under Article 18 of the Personal Data Protection Law No. 6698 (“KVKK”) have been updated for the year 2026 as follows:
- violation of the obligation to inform: an administrative fine ranging between TRY 85,437 and TRY 1,709,200,
- violation of data security obligations: an administrative fine ranging between TRY 256,357 and TRY 17,092,242,
- non-compliance with the decisions of the Personal Data Protection Board: an administrative fine ranging between TRY 427,263 and TRY 17,092,242,
- failure to comply with VERBİS registration and notification obligations: an administrative fine ranging between TRY 341,809 and TRY 17,092,242,
- failure to fulfil the notification obligation regarding standard contractual clauses for cross-border data transfers: an administrative fine ranging between TRY 90,308 and TRY 1,806,377.
These updated amounts significantly increase the financial exposure of data controllers and underscore the necessity of reassessing compliance practices before the beginning of 2026.
FIRST BOARD AUTHORIZATION REGARDING THE TRANSFER OF PERSONAL DATA ABROAD
The Personal Data Protection Board has rendered its first authorization decision within the scope of the new cross-border data transfer regime introduced by the amendments made to Law No. 6698 in 2024. The agreement executed between the Directorate General of Migration Management of the Ministry of Interior and the United Nations High Commissioner for Refugees (UNHCR), which does not qualify as an international treaty, was assessed pursuant to Article 9/4(a) of the KVKK and Article 11 of the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, and was deemed appropriate on 21 October 2025.
The said decision is of particular significance in that it constitutes the first concrete application by the Board of the newly introduced cross-border data transfer mechanisms, and establishes a precedential framework, especially with regard to personal data transfers carried out by public institutions in cooperation with international organizations.
SIGNIFICANT AMENDMENTS TO THE REGULATION ON PERSONAL HEALTH DATA
With the amendments introduced to the Regulation on Personal Health Data, the procedures and principles governing the processing of and access to personal health data have been aligned more strictly with the processing conditions set forth under Article 6 of Law No. 6698.
Within this framework:
- The provision under Article 10 regulating attorneys’ access to their clients’ health data has been repealed, and it has been stipulated that access conditions shall be reassessed within the scope of the KVKK and the relevant legislation.
- The access of healthcare professionals to health data has been limited in accordance with Article 6/3 of the KVKK, and the duration of such access has been defined in a clear and explicit manner.
- In emergency service admissions, treating physicians have been granted broader access, provided that such access remains strictly limited to the healthcare service rendered.
- The security settings of the e-Nabız system have been updated, and the code-based verification requirement has been abolished for detainees and convicted persons.
- With respect to children’s health data, access has been made subject to custody status and court-ordered protective measures, and it has been regulated that a parent without custody may only receive filtered and limited data.
- Access to the health data of individuals holding disability reports has been enabled for caregivers.
- Finally, the data retention period for the health data of deceased persons has been extended from 20 years to 30 years.
RECENT DECISIONS OF THE COURT OF CASSATION ON PERSONAL DATA AND THE RIGHT TO PRIVATE LIFE
In the first decision, the 12th Civil Chamber of the Court of Cassation found lawful the rejection of a request seeking the investigation of immovable properties that originally belonged to the debtor but were subsequently transferred to third parties within the scope of enforcement proceedings. In its reasoning, the Court emphasized that enforcement offices do not bear an obligation to collect asset information belonging to third parties, that such asset-related information constitutes personal data, and that Article 28/1(d) of the KVKK cannot be interpreted broadly so as to unduly restrict the right to the protection of personal data. It was further underlined that attorneys may obtain such information themselves within the scope of the powers granted under the Attorneyship Law, and the appellate decision was therefore upheld.
In another decision, the 12th Criminal Chamber of the Court of Cassation held that the disclosure of a person’s mobile phone number to third parties without the knowledge and consent of the data subject constitutes a criminal offence under Article 136/1 of the Turkish Penal Code. In the concrete case, the act of providing a phone number not belonging to the perpetrator to another person without permission was assessed as the unlawful disclosure of personal data, and the conviction rendered by the first-instance court was affirmed.
In a further ruling, the 12th Criminal Chamber assessed that even a photograph published on a publicly accessible social media profile, if obtained and shared on another account without the data subject’s consent, falls within the scope of the unlawful acquisition and dissemination of personal data. Despite the acquittal rendered by the court of first instance, at the appellate and cassation stages it was held that the public accessibility of the photograph alone does not constitute a ground of lawfulness. The act was deemed to constitute an offence under Article 136/1 of the Turkish Penal Code, and the imposed custodial sentence was upheld.
Finally, the 12th Criminal Chamber of the Court of Cassation qualified the act of a photographer displaying wedding photographs to customers at the studio without the couple’s consent as the unlawful transfer of personal data to third parties. Emphasizing that wedding photographs constitute personal data, the Court accepted that their exhibition violated the principles of the protection of private life and personal data, and unanimously upheld the sentence of 1 year and 8 months’ imprisonment imposed on the photographer.
A COURT’S OPEN YET RESTRICTED APPROACH TO THE USE OF ARTIFICIAL INTELLIGENCE
In its reasoned decision dated 15.05.2025 (E. 2023/856, K. 2025/415), the Istanbul 14th Commercial Court of First Instance set out, in a detailed and transparent manner, how artificial intelligence tools were utilised during the judicial proceedings.
The Court stated that artificial intelligence was used solely as a technical research instrument, limited to the verification of foreign (Dutch) court decisions forming the basis of the dispute, access to foreign law sources, and the translation of Dutch legal texts into Turkish. It was expressly underlined that such use was compatible with the principles of procedural law as well as with the Ethical Principles on the Use of Artificial Intelligence Systems adopted by the Public Officials Ethics Board.
The Court emphasized that benefiting from technological tools is legitimate within the scope of the right to be tried within a reasonable time; however, it made clear that artificial intelligence outputs were not directly relied upon as the basis of the judgment, and that all information obtained through such tools was separately verified by the judge. It was further noted that any potential translation errors could be subject to judicial review at the appellate stage.
The reasoned decision also expressly demonstrated that the principles of transparency, accountability, confidentiality, and the protection of personal data were duly observed, that artificial intelligence was not used in any decision-making capacity at any stage of the proceedings, and that legal interpretation, assessment of evidence, and the final judgment remained entirely within the responsibility and discretion of the judge.
THE CONSTITUTIONAL COURT’S EMPHASIS ON THE RIGHT TO A REASONED DECISION IN THE CONTEXT OF KVKK ADMINISTRATIVE FINES IMPOSED ON ATTORNEYS
The Constitutional Court has ruled that the right to a reasoned decision was violated in proceedings initiated against an administrative fine imposed on an attorney pursuant to the Law on the Protection of Personal Data (KVKK).
Following the sending of four SMS messages to the debtor’s son within the scope of an enforcement file, the Personal Data Protection Authority conducted an investigation and imposed an administrative fine of TRY 50,000 on the attorney on the grounds that the processing of the relevant phone number was not based on any lawful data processing condition. The attorney objected to the sanction, arguing that explicit consent had been obtained and recorded in a meeting minute, that the document could not be submitted to the Authority due to pandemic-related circumstances, but that it had nevertheless been duly presented before the court.
The Criminal Judgeship of Peace found the substance of the administrative sanction to be lawful; however, on the basis that no justification had been provided for departing from the statutory minimum, it reduced the amount of the fine to TRY 27,037. The objections of the parties were dismissed with final effect, and the matter was subsequently brought before the Constitutional Court.
In its assessment, the Constitutional Court determined that the applicant’s arguments and evidence capable of affecting the outcome of the case had not been examined or assessed in a reasoned manner at any stage of the proceedings, and that the objections had been dismissed through abstract and formulaic reasoning. On this basis, the Court concluded that the right to a reasoned decision had been violated.
This judgment once again demonstrates that, in the context of KVKK administrative sanctions, not only the outcome of the penalty but also the quality, sufficiency, and substantive content of judicial reasoning in the course of judicial review are protected under constitutional guarantees.
DATA BREACH NOTIFICATIONS
In the first incident, a ransomware intrusion attempt was detected on 15 October 2025 within the systems of İstanbul Golf İhtisas Spor Kulübü. It was announced that members’ identity, contact, address, and personnel-related data may have been affected, while the exact number of affected data subjects has not yet been determined.
In another incident, ransomware was deployed on the servers of Beyçelik Holding A.Ş. and its group companies on 4 December 2025. It was reported that examinations were ongoing with respect to the categories of affected data subjects and personal data.
In a further ongoing case, Dem İlaç Sanayi ve Ticaret A.Ş. was subjected to a ransomware attack on 7 December 2025, with allegations that approximately 1 TB of data had been exfiltrated. It was stated that multiple categories of personal data belonging to employees and customers may be at risk.
Similarly, in a cyberattack affecting Sinch AB between 28 and 30 August 2025, it was disclosed that the identity, contact, and limited financial data of 716 users were compromised.
In another breach, unauthorized access was obtained through a brute-force attack on the portal system of Balıkesir Uludağ Turizm Taş. İnş. Tic. Ltd. Şti., and it was indicated that identity and contact data of employees, members, and customers may have been unlawfully accessed.
Subsequently, it was reported that DMR Otomotiv Kiralama Sanayi ve Ticaret Ltd. Şti. was affected by the ransomware attack that occurred within its group company, Dem İlaç, giving rise to risks across extensive categories of personal data.
In another significant incident, the compromise of administrator credentials of the email marketing system of Mango T.R. Tekstil Tic. Ltd. Şti. resulted in the exposure of the contact and location data of 4,349,620 customers in Mango Turkey.
It was also announced that Pharmada İlaç Sanayi ve Ticaret A.Ş. was impacted by the ransomware attack originating from Dem İlaç, and that investigations concerning numerous categories of personal data were still ongoing.
In a separate case, unauthorized access was gained to the customer database of Cleverbridge GmbH via an API vulnerability, affecting the identity, contact, and payment data of 1,235 customers.
Finally, in the most recent incident, it was disclosed that the compromise of an administrator account at Haydigiy E-Ticaret Tekstil Sanayi ve Ticaret Ltd. Şti. may have resulted in the exposure of customers’ and members’ contact, location, and financial data, while the exact number of affected individuals has not yet been clarified.
INTERNATIONAL DEVELOPMENTS
In France, the administrative fine of EUR 8 million imposed on Apple for keeping the “personalised advertising” setting enabled by default on iPhones was upheld by the court. The court held that valid consent could not be deemed to exist, particularly due to the difficulty users faced in disabling the relevant setting.
In another decision, the Spanish data protection authority imposed an administrative fine of EUR 10,000 on a school for using a student’s photograph on posters without obtaining parental consent. It was emphasized that a general communication consent was not sufficient for such use.
In the United States, Google announced that it would pay USD 190 million in attorney fees under a USD 1.4 billion privacy settlement concluded in Texas. The lawsuit was based on allegations concerning location tracking and the collection of biometric data.
In a further development, the Belgian data protection authority found that a former employer’s disclosure of information about a job candidate via telephone without consent constituted a violation of the GDPR. The authority explicitly stated that verbal disclosure also qualifies as personal data processing.
Moreover, the European Data Protection Board (EDPB) published its Recommendation No. 2/2025, stating that, as a general rule, forcing users to create an account in e-commerce transactions is unlawful. It was underlined that the default option should be guest checkout.
Finally, the Italian data protection authority imposed an administrative fine of EUR 10,000 on a nursery for publishing photographs depicting children in sensitive situations, emphasizing that parental consent may not be used in a manner contrary to the best interests of the child.
BIBLIOGRAPHY
The relevant decisions, announcements and news may be reached from the following links:
(only available in Turkish)
https://www.resmigazete.gov.tr/eskiler/2025/10/20251001-4.pdf
https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/MTY5MjNmNmIwZWY3YTE.pdf
https://www.lexpera.com.tr/ictihat/danistay/12-d-e-2023-1904-k-2023-6074-t-27-11-2023
https://www.lexpera.com.tr/ictihat/danistay/12-d-e-2018-4535-k-2022-633-t-23-2-2022
https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/15338972-7ea7-4602-9a34-2028f8c0630f.pdf
https://www.lexpera.com.tr/ictihat/yargitay/3-hukuk-dairesi-e-2024-2803-k-2025-2178-t-16-4-2025
https://www.resmigazete.gov.tr/eskiler/2025/12/20251209-11.pdf
https://www.resmigazete.gov.tr/eskiler/2025/11/20251127-4.htm
https://www.resmigazete.gov.tr/eskiler/2025/12/20251203-2.htm
https://www.lexpera.com.tr/ictihat/yargitay/12-hukuk-dairesi-e-2022-13128-k-2023-785-t-13-2-2023
https://www.lexpera.com.tr/ictihat/yargitay/12-ceza-dairesi-e-2022-8141-k-2025-4290-t-12-5-2025
https://kararlarbilgibankasi.anayasa.gov.tr/BB/2022/5840
https://www.kvkk.gov.tr/Icerik/8385/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Sinch-AB
https://www.kvkk.gov.tr/Icerik/8460/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Cleverbridge-GmbH
https://gdprhub.eu/index.php?title=CE_-_473833&mtc=today
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202316921&mtc=today
https://gdprhub.eu/index.php?title=APD/GBA_(Belgium)_-_200/2025&mtc=today
*Legal Warning*
This post is for the purpose of exchanging information and experiences, and it does not provide a legal guarantee regarding the accuracy or timeliness of the material contained in the articles. Çelikbaş Law Office assumes no responsibility for any losses incurred as a result of the use of any information or other content contained in this article, whether direct or indirect. According to the relevant regulations of the Union of Bar Associations of the Republic of Türkiye, the content given on this site is for informational purposes only and does not constitute an advertisement, offer, legal advice, or consulting. The transmission of this information does not constitute the establishment of an attorney-client relationship. Because this information may not represent the most recent legal developments, readers should contact a lawyer about the current situation.
