Turkey: Two-Minute Recap Of Recent Developments In Turkish Personal Data Protection Law – January 2024

February 2024 – The Turkish Personal Data Protection Authority (the "DPA") has started 2024 with an active and detailed agenda. In January, the DPA published one decision, issued two sets of guidelines and two announcements, revealed the approval of an application for a written undertaking letter for cross-border data transfer, and announced one data breach notification.

Happy Data Protection Day!

On 28 January 2024, a special event for "January 28 Data Protection Day" was held in collaboration with the DPA and the Justice Academy of Türkiye. The event featured two sessions—"Crimes and Misdemeanors in the Field of Personal Data Protection” and “Evaluation of the DPA's Examination Processes and Judicial Procedures related to DPA Decisions”.

Approval for Celltrion Healthcare's application for cross-border data transfers

On 29 January 2024, the DPA announced that it had approved Celltrion Healthcare's application for a written undertaking letter to transfer personal data abroad.

Introducing Two New Guidelines by the DPA

i. Guideline on Processing of Turkish ID Numbers:

On 16 January 2024, the DPA published a guideline on the issues to be considered in the processing of Turkish identification numbers. This guideline provides detailed information on the processing of Turkish ID numbers in sectors such as e-commerce, cargo, transport, electronic communication, insurance, as well as in services provided by public institutions and organisations.

The guideline stresses that acquiring Turkish ID numbers enables access to additional personal data linked to these numbers, which could lead to considerable negative impacts on data subjects. In line with this assessment, the guideline highlights that despite not being classified as sensitive personal data under the Data Protection Law No.6698 (“DP Law”), Turkish ID numbers hold a critically important status within the broader category of personal data.

You can read the guideline  here (in Turkish only).

ii. Guideline on Personal Data Processing During Electoral Activities:

On 24 January 2024, the DPA published a guideline on the protection of personal data in electoral activities with the intention of reminding public administrations, political parties, candidates, and voters involved in electoral activities of their obligations and rights under the DP Law concerning the various personal data processed within the scope of electoral activities.

You can read this guideline  here (in Turkish only).

Two New Public Announcements

i. Attention on Deepfake Technology

On 19 January 2024, the DPA published an information note on deepfake technology, with details regarding the nature of deepfakes, applications of the technology, the risks it presents to personal data security, methods for its identification, and the strategies that individuals and organisations can employ to mitigate the challenges that it poses.

The note defines the concept of “deepfake” as the application of artificial intelligence techniques to manipulate photos, videos, or audio to imitate or alter people's faces, movements, or voices in a realistic manner. The information note highlights the potential threat of personal data manipulation through deepfake technology, suggesting that it could subject individuals to being manipulated by altering their images or voices.

It also outlines various criteria for detecting deepfake technology, such as robotic expressions and unnatural facial movements, and provides recommendations on what can be done to mitigate these threats, including being cautious about sharing personal data and using applications with oversight.

You can read the DPA's information note on deepfake technology here. (in Turkish only).

ii. Sharing of Financial Account Data of Turkish Citizens Residing Abroad

In a public announcement published by the DPA on 17 January 2024, the sharing of financial account data of Turkish citizens residing abroad with foreign authorities was evaluated. The DPA concluded that this transfer aligns with DP Law due to the Convention on Mutual Administrative Assistance in Tax Matters, to which Türkiye is a party.

You can read the DPA's announcement  here. (in Turkish only).

Update on Administrative Fine Amounts for 2024

On 5 January 2024, the DPA announced the new amounts of administrative monetary fines to be considered for 2024 according to the revaluation rate (i.e., 58.46%). According to the new amounts, the DPA has the authority to impose fines ranging from TRY 47,303 to TRY 9,463,213 (approx. EUR 1,435 to EUR 287,112) for non-compliance with the DP Law.

You can find our article on updated amounts  here.

The DPA announced the following data breach notification in January:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.