Recent developments in Turkish data protection law

The end of 2025 and the beginning of 2026 have seen notable developments in Turkish data protection law, particularly regarding personal data processing in the context of artificial intelligence (AI), reflecting the increasingly widespread integration of AI tools into day‑to‑day business operations.

The Turkish Personal Data Protection Authority (DPA) has issued comprehensive guidelines on generative AI, outlining key compliance expectations for organisations. On the legislative side, a bill proposing amendments to the Turkish Data Protection Law No. 6698 (DPL) has been submitted to Turkish Parliament, introducing sanctions for the unauthorised use of AI‑generated content. In parallel, recent presidential decrees have reshaped Türkiye’s institutional framework for AI governance.

Beyond AI-related updates, the DPA has released further clarifications on granular consent for push notifications, revised its policy on the publication of data breach notifications, and provided additional clarification on exemptions from registration with the Data Controller Registry (VERBIS) for enterprises without a balance sheet. The DPA has also announced the updated administrative fines for 2026, increased by 25.49%, now ranging from TRY 85,437 to 17,092,242 (approx. EUR 1,650 to 330,300).

Guidelines on generative AI and protection of personal data

In November 2025, the DPA published the “Guidelines on Generative AI and the Protection of Personal Data in 15 Questions”, its first comprehensive interpretation of how the DPL applies to generative AI systems. The Guidelines stress that generative AI is fully subject to the DPL and that all stages of an AI system’s lifecycle – from training to deployment and use – must comply with data protection requirements. They outline key concepts aligned with EU sources and highlight principal risks such as data leakage, intellectual property issues, deepfakes, bias, and manipulation.

The Guidelines clarify that personal data may be processed at each stage of a generative AI system’s operation, including within training data, prompts, and outputs, and that data controller/data processor roles must be assessed based on who determines the purposes and means of processing. They also emphasise that training, operating, and using AI outputs constitute separate processing activities, each requiring a valid legal basis, and that consent alone would not be sufficient without clear transparency.

In addition, the DPA confirms that publicly available data cannot be freely used for AI training and that the use of AI systems hosted outside Türkiye qualifies as a cross‑border transfer subject to DPL rules. The Guidelines conclude with recommended safeguards, including privacy‑by‑design, data protection impact assessments, and enhanced technical and organisational measures tailored to AI‑specific risks.

New legislative proposal targeting unauthorised AI-generated content

On 8 January 2026, a bill was submitted to the Turkish Parliament proposing an amendment to the DPL. The bill introduces a new misdemeanour under Article 18 that would impose an administrative fine of 5% of the previous year’s turnover on social media tools and digital platforms that enable the sharing of AI‑generated audio, written or visual content without the data subject’s consent, with the penalty applied separately for each instance of communication.

This represents a notable shift from the current framework, where misdemeanours under the DPL are subject to fixed monetary fines adjusted annually. The proposed amendment would instead establish a proportional, turnover‑based administrative fine specifically targeting unauthorised AI‑generated content. At this stage, the bill remains limited in scope and solely addresses sanctions related to AI‑generated content. Further debate and additional provisions may emerge as the legislative process progresses.

New government structures for AI oversight

On 25 December 2025, two presidential decrees introduced noteworthy changes to Türkiye’s institutional framework for AI and digital infrastructure. While these reforms do not impose new obligations on private‑sector organisations, they signal increased regulatory attention to AI governance, data management and cloud services.

Turkish Presidential Decree No. 191 renamed the National Technology General Directorate under the Turkish Ministry of Industry and Technology as the National Technology and Artificial Intelligence General Directorate and expanded its mandate to include developing data centre and cloud infrastructure, setting standards and certification processes, strengthening national AI capacity, and supporting AI‑related R&D and regulatory work.

Under Turkish Presidential Decree No. 192, the Cybersecurity Directorate’s responsibilities were broadened, and a new Public Sector Artificial Intelligence General Directorate was established, tasked with overseeing AI use in the public sector and contributing to alignment with international AI frameworks.

These institutional updates reflect the government’s strategic focus on coordinated AI governance. Companies providing AI solutions or cloud‑based services in Türkiye should monitor further guidance from these newly empowered bodies.

Granular consent requirements for push notifications

The DPA has issued an announcement clarifying the consent requirements for push notifications sent through mobile applications. The DPA noted that many applications currently rely on a single, bundled consent mechanism covering both operational notifications (e.g. order or delivery updates) and marketing notifications – an approach that does not meet the DPL’s standards for valid consent.

The DPA reiterated that consent must be specific, informed and freely given. Conditioning access to essential services, such as order tracking, on the user’s agreement to receive unrelated marketing messages undermines the “free will” element of consent. In line with its prior decisions on electronic commercial communications, the DPA emphasised the need for “granular consent” meaning that users must be offered separate, independent choices for each processing purpose.

The announcement also stresses that mobile applications must be technically designed to support these granular choices. The absence of such functionality may amount not only to invalid consent but also to a breach of the data controller’s obligation to implement appropriate technical and organisational measures under Article 12 of the DPL.

Revised policy on publication of data breach notifications

The DPA has updated its policy on the publication of data breach notifications through its decision No. 2025/2451 dated 25 December 2025. Previously, data breach notifications published on the DPA’s website remained available indefinitely, creating ongoing reputational concerns for data controllers even after remediation efforts and individual notifications had been completed.

Under the new policy, data breach notification announcements will be published for a maximum of 60 days. If the data controller can demonstrate that all affected individuals were notified in a shorter timeframe, the announcement may be removed earlier. This approach aims to balance transparency with proportionality, protecting data subjects while mitigating unnecessary long‑term reputational impact on organisations.

The core data breach notification obligations remain unchanged: data controllers must notify the DPA within 72 hours of becoming aware of a data breach and inform affected individuals within a reasonable period. When determining whether to publish a data breach notification, the DPA will continue to consider factors such as the severity of the breach, the categories of affected data, the groups of impacted data subjects, the sector of the data controller, and the number of individuals affected.

Clarification on VERBIS registration exemptions for enterprises without a balance sheet

The DPA has issued an announcement clarifying the criteria for exemptions from VERBIS registration for data controllers that do not keep their accounts on a balance‑sheet basis.

Under the current rules, data controllers located in Türkiye whose main activity involves processing special categories of personal data are exempted if they employ fewer than 10 employees annually and have an annual balance sheet total below TRY 10,000,000 (approx. EUR 192,850). For all other data controllers located in Türkiye, the exemption applies to those with fewer than 50 employees annually and an annual balance sheet total below TRY 100,000,000 (approx. EUR 1,928,500).

The DPA has now clarified that for data controllers subject to balance‑sheet accounting, both criteria – the number of employees and the annual balance sheet total – must continue to be met together. However, for data controllers not subject to balance‑sheet accounting, the assessment will be based solely on the number of employees, as no annual balance sheet total exists for such enterprises. As a result, these organisations can determine their VERBIS registration obligations by reference only to their workforce size and the nature of their data processing activities.

Updated administrative fines for 2026

The administrative fines under Article 18 of the DPL have been increased by 25.49% for 2026 to reflect annual inflation. The applicable amounts now span from TRY 85,437 to 17,092,242 (approx. EUR 1,650 to 330,300).

The updated fine ranges for 2026 are as follows:

• Failure to comply with information obligation:
  TRY 85,437 – 1,709,200 (approx. EUR 1,650 – 33,000)

• Failure to comply with data security obligations:
  TRY 256,357 – 17,092,242 (approx. EUR 5,000 – 330,300)

• Failure to comply with decisions of the DPA:
  TRY 427,263 – 17,092,242 (approx. EUR 8,250 – 330,300)

• Failure to comply with VERBIS registration and notification obligation:
  TRY 341,809 – 17,092,242 (approx. EUR 6,600 – 330,300)

• Failure to notify standard contractual clauses to the DPA within five business days of signing:
  TRY 90,308 – 1,806,177 (approx. EUR 1,750 – 34,900)