In The Know.

  • Home
  • Insights
  • Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – May 2023

Search by

Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – May 2023

June 2023 – In May 2023, the Turkish Personal Data Protection Authority (the “DPA”) published two data breach notifications but did not publish any decisions.

On 3 May 2023, the DPA hosted the "e-safe Personal Data Protection Summit" covering various aspects of personal data protection, including legal, sector-specific, and technological developments. The discussions also emphasised the benefits of artificial intelligence and highlighted data subjects’ rights, specifically the right to object, as outlined in the Personal Data Protection Law (the "DP Law").

Ensuring Compliance: Establishing a Valid Legal Basis for Personal Data Transfers!

In its decision published on 24 April 2023, the DPA emphasised the importance of fundamental principles of explicit consent, particularly based on information and free will. In addition, the DPA issued its findings on the sharing of customer data with relevant institutions in the banking sector. With this decision, the data controller bank, which failed to (i) transfer customer data based on a valid legal basis and (ii) obtain explicit consent based on information and free will, has been subject to an administrative fine of TRY 250,000 (approx. EUR 11,200).


The data subject, which repeatedly received contact from an insurance company on their personal phone, discovered that the data controller bank had shared their phone number with the insurance company. Consequently, the data subject lodged a complaint with the DPA.

Considerations by the DPA:

The DPA evaluated a document entitled “Campaign Communication Preferences Instruction” through which the data subject granted authorisation for receiving messages. Upon examining the instruction, several issues were identified:

  1. ambiguous expressions were used concerning future actions,
  2. consent boxes were pre-selected by default, and
  3. the data subject was not adequately informed about the transfer of their personal data.

As a result, the DPA determined that these practices contradict the fundamental principles of explicit consent, specifically the principles of being "based on information" and "based on free will".

Despite the data controller bank asserting that (i) under Turkish banking law, it had the authority to share specific limited data with the institutions it collaborates with for services and support, and (ii) the data subject had given consent to receive commercial messages, these claims were rejected. The DPA concluded that the data controller had no valid legal basis to transfer the data subject’s contact data to the insurance company, since there was no exemption from the confidentiality obligation under Turkish banking legislation, and explicit consent for such transfer was not obtained in line with the DP Law.

What is the Decision?

As a result, the DPA imposed an administrative fine of TRY 250,000 (approx. EUR 11,200) on the data controller due to (i) lack of a valid legal basis for the data transfer and (ii) failure to implement adequate technical and organisational measures when transferring the data subject’s contact data to a third party.

Enhancing Data Security: Embrace the Power of Identity Verification!

The unauthorised sharing of processed personal data with third parties through unlawful means is a matter of significant concern to both the DPA and the companies involved. The DPA has received numerous complaints on this issue and made decisions accordingly. You can find our article on these decisions here.

Based on the non-discriminatory assessments across sectors made by the DPA during the processing of personal data, data controllers should follow the following principles:

  • Accuracy and timelines: data controllers must ensure that personal data is accurate and kept up to date when necessary.
  • Periodic verification: regular verification of the communication information of data subjects and establishment of the necessary mechanisms to keep data up to date; and
  • Robust identity verification: implementation of robust identity verification mechanisms, as suggested in the relevant decisions of the DPA, in order to prevent unauthorised accessing by third parties.

The Board announced the following data breach notification in May: 

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

Boyner Büyük Mağazacılık


Customers (Users)

Identity, Communication Information, Finance

Approx. 3,055,907

Trabzonspor Sportif Yatırım ve Futbol İşletmeciliği Ticaret


Employees, Users, Students, Customers and Potential Customers

Identity, Communication Information, Personnel Information, Customer Transaction, Finance, Professional Experience, Marketing, Visual and Audio Records and Other



For more information please contact Ceren Ceyhan, Associate, at, Hatice Nur Arslan, Junior Associate, at, or Bahar Bozdemi, Legal Trainee, at