In The Know.

  • Home
  • Insights
  • Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – April 2022

Search by

Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – April 2022

May 2022 – In April 2022, the Turkish Personal Data Protection Board (“Board”) issued a principle decision, published a public announcement and announced five data breach notifications. In addition, the Constitutional Court of Turkey (“Constitutional Court”) issued two judgments on the protection of personal data.

The Board reminds data controllers of the obligation to register with VERBIS

On 21 April, the Board made an announcement and reminded data controllers of the obligation to register with the Data Controllers’ Registry (“VERBIS”). In its announcement, the Board underlined that the deadline for the fulfilment of the obligation to register with VERBIS was 31 December 2021, and that the Board has the authority to impose administrative sanctions against data controllers that have not fulfilled this obligation. As a result, the Board announced that it may impose administrative monetary fines ranging from TRY 53,576 to TRY 2,678,866 (approx. EUR 3,404 to EUR 170,161) on data controllers who do not comply with the registration obligation.

More steps for authentication and safer data protection!

Based on several complaints against municipal authorities, the Board issued a principal decision evaluating the systems used by the authorities that requires only single-step authentication for real estate tax payment and/or debt inquiry services provided online.

The Board underlined the importance of organisational and technical measures during the processing of personal data and evaluated the municipal authorities’ practices for login processes on their websites. During the login process, the system requires only single-step authentication to access real estate information.

In its decision, the Board stated that:

  • In case of remote access to personal data, data controllers must implement two-step authentication control in order ensure data security in accordance with the Guidelines of Personal Data Security.
  • Data controllers may implement identity validation through two-step authentication methods (i.e., after the first step, verification is completed with a system such as a personalised SMS, code or a password sent to the user’s e-mail or phone).

As a result, this principle decision demonstrates the two-step authentication method necessary to ensure data security not only for municipal authorities but for all data controllers who provide online services that include personal data.

Warning: Employee fingerprints captures employers

On 19 April, the Constitutional Court concluded a case involving a municipality that wanted to process employee biometric data to track employee shifts. As a result, the Constitutional Court ruled that processing fingerprint data to track employee shifts without explicit consent or authorisation by law violates the right to request the protection of personal data.

As background to the case:

  • The Applicant filed an objection to the municipality on the ground that fingerprints are considered personal data that enables the physical identification of an individual, and accordingly it should remain within the scope of the privacy of their private life.
  • The Municipality rejected this objection on the ground that it established the relevant system to monitor the working hours of employees to contribute to the public interest.

In conclusion, the Constitutional Court stated that since fingerprint data is considered sensitive personal data, the municipality can only process such sensitive data if (i) the data subject provides their explicit consent or (ii) such processing activity is stipulated under law. However, in this concrete case, it was determined that the Applicant did not provide explicit consent to process their fingerprints and that no law stipulates such data processing activity. Accordingly, the data processing activity of the municipality was deemed unlawful.

From the Constitutional Court: “Personal letters of inmates must remain personal.”

On 7 April, the Constitutional Court concluded a case on the recording of personal letters of inmates through the Official National Judiciary Informatics System, which is an e-justice system that covers all judicial institutions and other governmental departments. In its decision, the Constitutional Court unanimously ruled that the right to privacy and freedom of communication of the Applicant had been violated. For detailed information, please see our article here.

The Board announced the following data breach notifications in April

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

Keyubu İnternet ve Bilişim Hizmetleri


Identity, Communication, Customer Transaction, Transaction Security Information


Paketman E-Ticaret Sanayi Ticaret Anonim Şirketi


Identity, Communication, Location Information


Magna Ventures Yazılım ve Teknoloji Girişimleri Ticaret Anonim Şirketi

Member Users

Identity, Communication Information


Villacım Emlak Turizm İnşaat Sanayi ve Ticaret Limited Şirketi


Identity, Communication Information


Yıldızlar Yatırım Holding AŞ, Yıldız Demir Çelik Sanayi AŞ, Yıldız Entegre Ağaç Sanayi AŞ ve İstanbul Gübre Sanayi AŞ (İGSAŞ)





For more information please contact Ceren Ceyhan, Associate, at, and Legal Trainee Hatice Nur Arslan, at