In The Know.

  • Home
  • Insights
  • Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – August 2021    

Search by

Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – August 2021    

September 2021 – In August 2021, the Turkish Personal Data Protection Board (the “Board”) published a total of twenty decisions and announced seven data breach notifications. The Board clearly continued its focus on data breaches, as all but one of its decisions announced during August relate to data breaches.

The Board also announced that the First International Personal Data Protection Congress on "Developments in the World and Turkey" will be held on 12–14 November 2021. You can access detailed information about the congress, which will be held online in Turkish and English, here (in Turkish only).  

The Board penalises a game company

In August, the Board published a decision regarding a data breach of a computer game company. As a result, the Board imposed a total fine of TRL 130,000 (approximately EUR 13,237) on the Game Company—TRL 100,000 (approximately EUR 10,183) for failure to take the necessary technical and organisational measures to ensure data security, and TRL 30,000 (approximately EUR 3,054) for failure to fulfil the obligation to notify the Board within 72 hours.

In its defence, the Game Company stated that during a routine security control it discovered that a folder containing source code and data files had been uploaded to a website without authorisation by a former web developer employee, immediately after the individual’s employment relation had been terminated by the Game Company.

In its decision the Board ruled that the former employee's ability to transfer personal data to a portable storage device and upload it to a website is an indication of a "security vulnerability". Further, as it took the Game Company nearly two years after the incident to identify the data breach, the Board concluded that the Game Company did not regularly carry out security controls, and thus the technical and organisational measures taken by the data controller were inadequate. In its decision, the Board also highlighted that data controllers are obliged to make adopt all employees the principle of “everything which is not forbidden is allowed”.

Requests of Turkish citizens to stop the transfer of their personal data abroad are denied

The Board also made a public announcement in August concerning the numerous requests it has received from Turkish citizens residing outside of Turkey to prevent the transfer of their personal data to institutions and organisations in other countries, especially EU member countries.

In its announcement, the Board rejects these requests and states that data subjects must make an application to data controllers regarding their rights as the first step.. After the first procedural requirement, if a data subject does not provide a response within 30 days or if the response does not satisfy  the data subject, the data subject has the right to apply to the Board.

The Board also stated that the competent authority in this area is the Revenue Administration, which is affiliated to the Ministry of Treasury and Finance, in terms of the implementation of the provisions of the "Multilateral Competent Authority Agreement on the Automatic Exchange of Financial Account Information" in Turkey. In this respect, the application under the above-mentioned Agreement must be submitted to the competent authority. From the date of its public announcement, the Board has not assessed any application or provided any further response in this regard.

The Board announced the following data breach notifications in August  

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

MNG Kargo Yurtiçi ve Yurtdışı Taşımacılık AŞ

Cargo Recipients

Name-surname, address, phone number


Sinoz Kozmetik Sanayi Ticaret AŞ

Customers/Potential Customers

Name, surname, e-mail, and mobile phone information


Pied Piper Fansub (

Users and Subscribers/Members

Identity, communication, location, personnel, transaction security, professional experience, political thought, philosophical belief, religion, sect and other beliefs, sexual life, genetic data, and other data


Subway International B.V.


Name, surname, e-mail address, password of remote order account, phone number, address, and information about previous orders


Oriflame Kozmetik Ürünleri Ticaret Limited Şirketi

Employees and Customers

Name, surname, e-mail, and phone information


Motor Trend Group LLC

Users and Members/Subscribers

Identity, gender, date of birth, email address, identification data (e.g., usernames and passwords), general information about the estimated geographical location, and information on answers to password reset security questions for approximately five people


Timurlar Sigorta Aracılık Hizmetleri Ltd. Şti.

Customers/Potential Customers

Name, surname, identity number, telephone number, date of birth, address, and occupation information


 For more information please contact Ceren Ceyhan, Associate, at, and Ertuğrul Keçeli, Legal Intern, at