Compliance Quarterly Türkiye

Global

Our new global guide is out

With evolving technology, companies’ integration of artificial intelligence (AI) applications into their business processes continues to trigger regulatory needs.

Our global guide provides an overview of the key points on AI regulation across 12 jurisdictions, including Türkiye. 

Download and read: AI regulation

White House launches AI action plan

The White House has introduced Winning the AI Race: America’s AI Action Plan, a national framework aimed at strengthening US leadership in artificial intelligence. With more than 90 proposed policy actions, the plan seeks to boost innovation, modernize infrastructure and enhance national security amid growing global competition—especially from China.

Read the report: White House unveils AI action plan in artificial intelligence

The Chartered Institute of Arbitrators Issues first-ever guidelines for AI use in arbitration

The Chartered Institute of Arbitrators (CIArb) has released new, non-binding guidelines to help practitioners navigate the use of artificial intelligence in arbitration proceedings. The framework balances innovation with fairness, outlining how tribunals, parties and arbitrators can safely integrate AI tools while preserving confidentiality, integrity and enforceability in dispute resolution.

Read the full publication, "The Chartered Institute of Arbitrators’ new Guideline on the Use of AI in Arbitration."

Pseudonymized data: Not always “personal data”

The Court of Justice of the European Union (CJEU) recently ruled that pseudonymized data is not always considered personal data, depending on the recipient and the context. While this ruling is a welcome confirmation for innovative data uses like AI training, the original data controller is still obligated to inform individuals about data disclosure recipients at the time of collection.

Read the full publication, "Pseudonymised data could fall outside data protection law: Introducing the “means reasonably likely” assessment."

Türkiye

PDPB principle decision for SMS verification code

Pursuant to complaints and notifications received by the Personal Data Protection Board (PDPB) regarding the practice of requesting contact information during payment, membership or account creation processes and sending verification codes via SMS to citizens’ mobile phones, the PDPB, by its decision dated June 6, 2025, has ordered the termination of current practices and set forth the requirements summarized below.

Data subjects must be clearly and understandably informed at the outset, by data controller representatives, of the purpose of the SMS to be sent and the consequences of providing the verification code. SMS contents must include appropriate information channels to ensure compliance with this obligation, and practices whereby the same SMS verification is used simultaneously for different processing activities, such as approval of membership agreements, consent for data processing or consent for commercial electronic messages, must be discontinued. Explicit consents required for certain processing activities must be obtained separately, and the processes of obtaining consent and fulfilling the obligation to inform must be carried out distinctly.

Consent for the processing of personal data for commercial electronic messages must not be presented as a mandatory condition for accessing products or services. Explicit consent for such processing should be requested after the product or service is provided. Both SMS contents and other information channels must clarify that providing the code is not mandatory, services will still be delivered if the code is not given and permissions and preferences granted may be changed at any time. Finally, data controllers must conduct periodic training and awareness activities for personnel involved in these processes to ensure compliance with legal requirements.

It has further been emphasized that the above obligations constitute administrative and technical measures to be adopted by data controllers under Article 12(1) of the Personal Data Protection Law (PDPL) in order to ensure the lawful processing of personal data.

The guide on fulfilling the obligation to inform has been updated

The PDPB updated the Guide on the Fulfillment of the Information Obligation on April 18, 2025, detailing the general principles and procedures for data controllers to comply with the information obligations under the PDPL. The Guide emphasizes that, prior to the collection of personal data, data subjects must be informed about which data will be processed, for what purposes, to whom it will be transferred, and under which legal grounds, and it sets out the requirement for data controllers to prepare a personal data processing inventory covering processing purposes, data categories, recipient groups, security measures, and retention periods.

In fulfilling the information obligation, the Guide highlights the necessity of preparing an information notice in clear, plain, and understandable language, including the identity and contact details of the data controller, processing purposes, data transfers, data collection methods and legal basis and the rights of the data subjects as stipulated in Article 11 of the PDPL. The Guide underscores that data controllers must ensure transparency in the processing of personal data, respect the rights of data subjects, and select appropriate methods to effectively fulfill their information obligations.

The Guide on Processing of Special Categories of Personal Data has been published

The PDPB published the Guide on the Processing of Special Categories of Personal Data on February 26, 2025. This Guide was prepared to clarify the conditions for processing special categories of personal data following the amendments to Article 6 of the PDPL and to guide data controllers in fulfilling their obligations in compliance with the Law.

The Guide details the scope of special categories of personal data, which data fall into this category, the processing conditions for each type of special category data and the steps data controllers must take to ensure compliance. Accordingly, special category data may be processed without explicit consent in cases explicitly provided by law, to protect life or physical integrity, for public disclosure, to establish or protect a right, for employment, occupational health and safety and social security obligations and within the scope of activities conducted by associations or non-profit organizations. The Guide also specifies compliance measures, including updating the personal data processing inventory, regulating consent processes and revising information notices and data security measures.

The guide on best practices for the protection of personal data in the payment and electronic money sector has been published

In March 2025, the PDPB and the Association of Payment and Electronic Money Institutions of Türkiye jointly published the “Good Practice Guide on the Protection of Personal Data in the Payment and Electronic Money Sector”. The guide aims to provide sector-specific examples of good practices regarding personal data processing activities carried out within the scope of electronic money issuance, money remittance, POS services, bill payment intermediation and mobile payment services. It offers clarifications on critical issues such as the obligation to obtain explicit consent for the use of biometric data in remote identity verification processes, the distinction between data controllers and data processors and the evaluation of representatives as data processors.

The guide provides detailed explanations concerning the legal grounds for personal data processing, offering guidance to institutions on when to obtain explicit consent and when to rely on other legal bases, such as compliance with legal obligations or the performance of a contract. It elaborates on the processing of data based on legitimate interests through examples, noting that activities such as detecting unusual business operations, preventing fraud and responding to customer complaints may fall under this category. The guide also clarifies data retention periods, underlining that data may only be stored for as long as required by law or the purpose of processing and that upon expiration of these periods, data must be deleted, destroyed or anonymized. Institutions operating in the sector are advised to review their current practices and implement the necessary updates in accordance with the guidance provided.

New exception for the VERBIS registration obligation

With the decision of the PDPB dated September 4, 2025, published in the Official Gazette on October 1, 2025, another exemption has been introduced with respect to the obligation to register with the Data Controllers’ Registry Information System (VERBIS).

Data controllers whose annual number of employees is less than 50 and whose annual balance sheet total is less than TRY 100 million, and whose principal activity is not the processing of sensitive personal data, were already exempt from the VERBIS registration obligation. With the new decision, data controllers whose principal activity is the processing of sensitive personal data, but who employ less than 10 employees with an annual balance sheet total of less than TRY 10 million, will no longer be required to register with VERBIS.

Accordingly, small-scale enterprises whose main activity involves the processing of sensitive personal data—such as opticians, pharmacies, small medical practices, dental clinics and laboratories—have been exempted from the VERBIS registration obligation, provided they meet the above conditions.