On 26 February 2025, the Turkish Data Protection Authority (“DPA”) published Guidelines on the Processing of Special Categories of Personal Data (the “Guidelines”). The Guidelines shed further light on the new rules for the processing of sensitive data which came into force on 1 June 2024 as a result of amendments to Turkish Law No. 6698 on the Protection of Personal Data (“DPL”).
The amended rules expand the cases in which sensitive data can be processed without obtaining consent from the data subjects. Most importantly for companies, they address a legal gap by enabling employers to process sensitive data, including health data, to fulfil their legal obligations related to employment and maintain workplace health and safety – without requiring employee consent.
The Guidelines provide companies acting as data controllers with detailed guidance on the steps to be taken to implement the new rules:
- Update of data inventory. Data controllers must review the applicable legal grounds for their processing of sensitive data in view of the new rules, and ensure that their data inventory is updated accordingly.
- Assessment of explicit consents. As indicated in the Guidelines, consent should not be obtained where one of the exceptions to consent under the DPL applies. The DPA considers that obtaining consent when there is another legal basis to process the data is misleading to the data subject, and constitutes a breach of the DPL. Data controllers should thus reassess the cases in which they rely on consent to process sensitive data, and determine whether the data should now be processed on the basis of a legal exception instead.
- Update of privacy notices. Any change in the applicable legal ground for processing sensitive data should also be reflected into the privacy notices given by data controllers to comply with the obligation to inform data subjects. In order to ensure transparency, the relevant data subjects should be informed of such changes in new privacy notices.
- Update of data retention and disposal policy. It is necessary for data controllers to review their data retention and disposal policy in order to ensure that sensitive data is not retained longer than necessary under the new legal grounds for processing.
- Adoption of data security measures. When processing sensitive data, data controllers must take the additional technical and organisational measures listed in DPA Decision No. 2018/10 dated 31 January 2018, so as to prevent unlawful processing or unauthorised access and to ensure the overall protection and security of the sensitive data. These security measures include establishing clear and sustainable policies and procedures for data security, organising employee access authorisations and regular training, and putting confidentiality agreements in place. It is thus essential for data controllers to review the data security measures in place in relation to the sensitive data they process.
Share
Related persons
You can contact us for detailed information.


Legal Information
This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.
You May Be Interested In
29 April 2025
The Turkish Regional Court of Appeal in Ankara, 31st Civil Chamber, Confirmed That Preliminary Attachment Can Be Imposed on the Respondent’s Assets Pending Enforcement Proceedings
In proceedings for the enforcement of foreign arbitral awards, it is crucial to secure the enforcement of the award, in other words, to…
21 April 2025
New Communiqué on Green Asset Ratio of Banks Published
The Communiqué on the Calculation of Green Asset Ratio of Banks (the “Communiqué”) was published in the Official Gazette dated 11 April…
28 March 2025
Circular on the Prevention of Mobbing in Workplaces Has Been Published
On 6 March 2025, Presidential Circular No. 2025/3 on the Prevention of Mobbing at Workplaces (“Circular”) was published in the Official…
26 March 2025
Turkish Cybersecurity Law enters into force
The long-anticipated Cybersecurity Law No. 7545 came into force in Türkiye following its publication in the Official Gazette on 19 March…
24 March 2025
Recent Developments in Healthcare Legislation – Winter Issue 2025
Amendment to the Regulation on the Licensing of Medicinal Products for Human Use. An amendment to the Regulation on the Licensing of…
21 March 2025
Secondary Regulation on Crypto Assets Comes into Force!
Following the provisions introduced to the Capital Markets Law No. 6362 (“CML”) on crypto assets and crypto asset service providers…