In The Know.

  • Home
  • Insights
  • Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – October 2022

Search by

Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – October 2022

November 2022 – In October 2022, the Turkish Personal Data Protection Authority (“DPA”) hosted the 44th Global Privacy Assembly, held a seminar on the future of the digital media industry, and announced three data breach notifications—but did not release any decisions.

On 12 October, the DPA held a seminar on the topic of the future digital media industry, where such subjects as Web3, the metaverse and digital surveillance were discussed. You can watch the seminar here (only in Turkish).

44th Global Privacy Assembly Held in Istanbul!

The DPA hosted the 44th Global Privacy Assembly (“GPA”) in Istanbul from 25–28 October, which brought together data protection authorities, privacy professionals, and many other stakeholders from throughout the world.

This year's event took place under the title “A Matter of Balance: Privacy in The Era of Rapid Technological Advancement”, which highlights the importance of achieving a balance between privacy and technologies based on personal data processing.

Within the sessions during the four-day event, privacy matters were addressed within various contexts, including artificial intelligence, big data, blockchain and cross-border data transferring.

Exclusive Regulation on Insurance Data

On 18 October, the Insurance and Private Pension Regulatory and Supervisory Authority issued the Regulation on the Collection, Maintenance and Disclosure of Insurance Data (“Regulation”). Within the scope of the Regulation, the concept of insurance data has been introduced and defined as all data relating to (i) insurers and insurance companies that are party to the insurance contract, (ii) insured, beneficiaries and other third parties who directly or indirectly benefit from the insurance contract, and (iii) all data that is essential for risk assessment including insurance malpractices.

In short, the Regulation mainly sets forth the following matters:

  • The Insurance Information and Surveillance Center (“Center”) will collect and retain insurance data stored by private legal entities, public institutions, and organisations in its general database;
  • The insurance, reinsurance, and pension companies that are defined as member institutions;
  • The obligations of member institutions, which are mainly to (i) register with the Center, (ii) keep the general database up to date, and (iii) issue their insurance policies with the reference number received from the Center;
  • Personal data processing activities within the scope of the Regulation must comply with Turkish DP Law.

The DPA announced the following data breach notifications in October:

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

Denizli Özel Egekent Hastanesi

Employees, Users, Subscribers, Students, Customers, Patients, Children, and Elders

Identity, Communication, Location, Finance, Personnel Information, Physical Environment, Customer Transaction, Transaction Security Data, Information on Legal Processes, Risk Management Data, Marketing, Audio and Visual Records, and Information on Professional Experience


Infomag Reklam

Users and Subscribers/Members

Identity and Communication Data




For more information please contact Ceren Ceyhan, Associate, at, and Hatice Nur Arslan, Legal Intern, at