You may follow the recent developments on Data Protection and Privacy in Türkiye and around the World. 


The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has published a guide answering frequently asked questions about the use of facial recognition technology.

The guidance, which says that the use of facial recognition technology is generally prohibited, states that its use may be lawful in exceptional cases, in particular where security requires it. In this context, the use of this technology may be lawful where the security of dangerous materials requires it, such as securing a nuclear power plant or dangerous materials that can be used to make bombs. However, the guidance points out that in such cases an impact assessment should be carried out to ensure that there is necessity and an overriding public interest.



The Turkish Personal Data Protection Authority published various guidelines, information notices, public announcements and decisions in January. These contents are presented below:

  • Decision of the Board on the Exemption of Legal Entities of Local Authorities from the Obligation to Register in the Data Protection Registry: As a result of the examinations and evaluations made by the Turkish Personal Data Protection Board within the scope of Law No. 6698 and the Regulation on the Data Controllers Registry, it was decided on 12.01.2024 to exempt village public legal entities from the obligation to register in the Data Controllers Registry.

  • Guideline on Identification Numbers of the Republic of Turkey: The guideline, published on 16/01/2024, concerns the identification numbers of the Republic of Turkey, which have been processed frequently, especially in the last few years, and which, if obtained, allow access to other personal data of the data subjects concerned. It contains information on many legal provisions relating to their processing and gives recommendations in a guiding manner. In this context, it states that, in order to process Turkish ID numbers in accordance with Law No. 6698 on the Protection of Personal Data and other legislation, methods that interfere less with the right of data subjects to request the protection of their personal data should be preferred, and that data controllers should take the necessary technical and administrative measures in this regard. In addition, the guide provides information on the provisions on the processing of Turkish ID numbers in the legislation governing the e-commerce, freight, transport, electronic communications and insurance sectors and public institutions and organisations.

  • Public Notice on the Demands of Citizens of the Republic of Turkey Living Abroad Regarding the Non-Transfer of Financial Account Data Abroad: As a result of the complaints received by the Revenue Administration and the banks where the account information is located, the Board has decided that the issues of automatic data exchange are regulated in the "Multilateral Competent Authority Agreement on Automatic Exchange of Financial Account Information", and, in accordance with the provision of Article 90 of the Constitution that "international agreements duly entered into force shall have the force of law", the personal data processed under this Agreement shall fall within the scope of the processing condition "The provisions of other laws regarding the transfer of personal data abroad are reserved" in paragraph (6) of Article 9 of the Law. In this context, it has been assessed that the personal data transfer activities to be carried out within the scope of the provisions of the international agreement are in compliance with the Law. Accordingly, with the decision of 28.12.2023, numbered 2023/2199, it has been decided that there are no measures to be taken within the scope of Law No. 6698 and that the complaints that have been filed and will be filed in the future will no longer be evaluated.

  • Deepfake Memo: The information note on deepfake published by the Personal Data Protection Authority on 19.01.2024 underlines what deepfake is, what kind of threat it poses, and what can be done against these threats. In this context, the Authority stated that deepfake carries dangers such as manipulation through fake voices and videos, financial damage, cyberbullying, discrediting and fraud, and included a short itemised checklist for detecting deepfake content. In addition, the information note mentions the importance of raising the awareness of real persons so that they are protected from deepfake technology, and states that institutions and organisations should effectively manage their network and cyber security operations. Finally, it lists measures that can be taken by cyber security companies, such as developing tools to detect content created with deepfake, creating databases to reference the original content used in deepfake content, and developing defence methods against cyber attacks that can be carried out with deepfake.

  • Guidance on the protection of personal data in electoral activities: During election periods, personal data of data subjects may be processed for many reasons. In this context, on 24/01/2024, the Council published a guideline setting out the conditions for processing personal data processed by the Supreme Electoral Board and relevant public institutions, political parties and independent candidates. The guide provides information on personal data processed in processes such as organising, updating and suspending the electoral register, nominating candidates, announcing the final lists of candidates, electoral propaganda, public opinion research, voting, etc. It also provides information on the obligations of data controllers in these processes and gives detailed reminders of the rights of data subjects. At the end of the guide, there is a section on the EDPS's suggestions and recommendations.

  • 28 January Data Protection Day Event: Speaking at the Data Protection Day event held at the Authority's conference hall on 28 January, President Prof. Dr. Faruk Bilir said: "Our authority continues to work to ensure that the right to protection of personal data continues to exist as an effective means of seeking rights. To date, 38,789 notifications, complaints and requests have been submitted to the authority, of which 37,010 have been closed. In addition, 290 out of 1317 data breach notifications were published on the Authority's website. As a result of the investigations, administrative sanctions amounting to TL 463 million 801 thousand were imposed. 1080 legal opinions were issued on issues within the scope of the Authority's duties. In addition, 8 companies were approved by the Board as having sufficient qualifications to transfer personal data abroad".



The Personal Data Protection Board published the "Guide on the Issues to be Considered in the Processing of Genetic Data".

The Personal Data Protection Authority published the 2nd issue of the KVKK Bulletin with the title "Traces Remaining in the Shadow: The Right to be Forgotten".



The non-profit Identity Theft Resource Center (ITRC) has released its 2023 Business Impact Report. The report includes statistics on the rate of exposure to cyber attacks among small businesses operating in the US. The report was compiled by surveying 551 small business owners.

According to the report, 73 per cent of small business owners in the US reported being exposed to cyber attacks. Employee and customer information were found to be the most common targets of data breaches.

While 85 per cent of the business owners surveyed for the report said they were prepared to respond to a cyber attack, the report noted that this rate was 70 per cent last year.

It also found that good cybersecurity practices, such as multi-factor authentication, mandatory strong passwords and limiting employee access rights, were only being adopted by around 30 per cent of respondents.



The Belgian data protection authority, the APD, has published a 'checklist' to check the compliance of organisations' use of cookies.

The checklist covers the do's and don'ts of cookie use. It states that there is no need to obtain the consent of the data subject for cookies that are strictly necessary, while the consent of the data subject must be obtained for other cookies.