The end of 2025 and the beginning of 2026 have seen notable developments in Turkish data protection law, particularly regarding personal data processing in the context of artificial intelligence (AI), reflecting the increasingly widespread integration of AI tools into day\u2011to\u2011day business operations.<\/p>\n
The Turkish Personal Data Protection Authority (DPA) has issued comprehensive guidelines on generative AI, outlining key compliance expectations for organisations. On the legislative side, a bill proposing amendments to the Turkish Data Protection Law No. 6698 (DPL) has been submitted to Turkish Parliament, introducing sanctions for the unauthorised use of AI\u2011generated content. In parallel, recent presidential decrees have reshaped T\u00fcrkiye\u2019s institutional framework for AI governance.<\/p>\n
Beyond AI-related updates, the DPA has released further clarifications on granular consent for push notifications, revised its policy on the publication of data breach notifications, and provided additional clarification on exemptions from registration with the Data Controller Registry (VERBIS) for enterprises without a balance sheet. The DPA has also announced the updated administrative fines for 2026, increased by 25.49%, now ranging from TRY\u00a085,437 to 17,092,242 (approx. EUR\u00a01,650 to 330,300).<\/p>\n
In November 2025, the DPA published the \u201cGuidelines on Generative AI and the Protection of Personal Data in 15 Questions\u201d, its first comprehensive interpretation of how the DPL applies to generative AI systems. The Guidelines stress that generative AI is fully subject to the DPL and that all stages of an AI system\u2019s lifecycle \u2013 from training to deployment and use \u2013 must comply with data protection requirements. They outline key concepts aligned with EU sources and highlight principal risks such as data leakage, intellectual property issues, deepfakes, bias, and manipulation.<\/p>\n
The Guidelines clarify that personal data may be processed at each stage of a generative AI system\u2019s operation, including within training data, prompts, and outputs, and that data controller\/data processor roles must be assessed based on who determines the purposes and means of processing. They also emphasise that training, operating, and using AI outputs constitute separate processing activities, each requiring a valid legal basis, and that consent alone would not be sufficient without clear transparency.<\/p>\n
In addition, the DPA confirms that publicly available data cannot be freely used for AI training and that the use of AI systems hosted outside T\u00fcrkiye qualifies as a cross\u2011border transfer subject to DPL rules. The Guidelines conclude with recommended safeguards, including privacy\u2011by\u2011design, data protection impact assessments, and enhanced technical and organisational measures tailored to AI\u2011specific risks.<\/p>\n
On 8\u00a0January 2026, a bill was submitted to the Turkish Parliament proposing an amendment to the DPL. The bill introduces a new misdemeanour under Article 18 that would impose an administrative fine of 5% of the previous year\u2019s turnover on social media tools and digital platforms that enable the sharing of AI\u2011generated audio, written or visual content without the data subject\u2019s consent, with the penalty applied separately for each instance of communication.<\/p>\n
This represents a notable shift from the current framework, where misdemeanours under the DPL are subject to fixed monetary fines adjusted annually. The proposed amendment would instead establish a proportional, turnover\u2011based administrative fine specifically targeting unauthorised AI\u2011generated content. At this stage, the bill remains limited in scope and solely addresses sanctions related to AI\u2011generated content. Further debate and additional provisions may emerge as the legislative process progresses.<\/p>\n
On 25\u00a0December 2025, two presidential decrees introduced noteworthy changes to T\u00fcrkiye\u2019s institutional framework for AI and digital infrastructure. While these reforms do not impose new obligations on private\u2011sector organisations, they signal increased regulatory attention to AI governance, data management and cloud services.<\/p>\n
Turkish Presidential Decree No.\u00a0191 renamed the National Technology General Directorate under the Turkish Ministry of Industry and Technology as the National Technology and Artificial Intelligence General Directorate and expanded its mandate to include developing data centre and cloud infrastructure, setting standards and certification processes, strengthening national AI capacity, and supporting AI\u2011related R&D and regulatory work.<\/p>\n
Under Turkish Presidential Decree No.\u00a0192, the Cybersecurity Directorate\u2019s responsibilities were broadened, and a new Public Sector Artificial Intelligence General Directorate was established, tasked with overseeing AI use in the public sector and contributing to alignment with international AI frameworks.<\/p>\n
These institutional updates reflect the government\u2019s strategic focus on coordinated AI governance. Companies providing AI solutions or cloud\u2011based services in T\u00fcrkiye should monitor further guidance from these newly empowered bodies.<\/p>\n
The DPA has issued an announcement clarifying the consent requirements for push notifications sent through mobile applications. The DPA noted that many applications currently rely on a single, bundled consent mechanism covering both operational notifications (e.g. order or delivery updates) and marketing notifications \u2013 an approach that does not meet the DPL\u2019s standards for valid consent.<\/p>\n
The DPA reiterated that consent must be specific, informed and freely given. Conditioning access to essential services, such as order tracking, on the user\u2019s agreement to receive unrelated marketing messages undermines the \u201cfree will\u201d element of consent. In line with its prior decisions on electronic commercial communications, the DPA emphasised the need for \u201cgranular consent\u201d meaning that users must be offered separate, independent choices for each processing purpose.<\/p>\n
The announcement also stresses that mobile applications must be technically designed to support these granular choices. The absence of such functionality may amount not only to invalid consent but also to a breach of the data controller\u2019s obligation to implement appropriate technical and organisational measures under Article 12 of the DPL.<\/p>\n
The DPA has updated its policy on the publication of data breach notifications through its decision No.\u00a02025\/2451 dated 25\u00a0December 2025. Previously, data breach notifications published on the DPA\u2019s website remained available indefinitely, creating ongoing reputational concerns for data controllers even after remediation efforts and individual notifications had been completed.<\/p>\n
Under the new policy, data breach notification announcements will be published for a maximum of 60\u00a0days. If the data controller can demonstrate that all affected individuals were notified in a shorter timeframe, the announcement may be removed earlier. This approach aims to balance transparency with proportionality, protecting data subjects while mitigating unnecessary long\u2011term reputational impact on organisations.<\/p>\n
The core data breach notification obligations remain unchanged: data controllers must notify the DPA within 72\u00a0hours of becoming aware of a data breach and inform affected individuals within a reasonable period. When determining whether to publish a data breach notification, the DPA will continue to consider factors such as the severity of the breach, the categories of affected data, the groups of impacted data subjects, the sector of the data controller, and the number of individuals affected.<\/p>\n
The DPA has issued an announcement clarifying the criteria for exemptions from VERBIS registration for data controllers that do not keep their accounts on a balance\u2011sheet basis.<\/p>\n
Under the current rules, data controllers located in T\u00fcrkiye whose main activity involves processing special categories of personal data are exempted if they employ fewer than 10 employees annually and have an annual balance sheet total below TRY\u00a010,000,000 (approx.\u00a0EUR\u00a0192,850). For all other data controllers located in T\u00fcrkiye, the exemption applies to those with fewer than 50 employees annually and an annual balance sheet total below TRY\u00a0100,000,000 (approx.\u00a0EUR\u00a01,928,500).<\/p>\n
The DPA has now clarified that for data controllers subject to balance\u2011sheet accounting, both criteria \u2013 the number of employees and the annual balance sheet total \u2013 must continue to be met together. However, for data controllers not subject to balance\u2011sheet accounting, the assessment will be based solely on the number of employees, as no annual balance sheet total exists for such enterprises. As a result, these organisations can determine their VERBIS registration obligations by reference only to their workforce size and the nature of their data processing activities.<\/p>\n
The administrative fines under Article\u00a018 of the DPL have been increased by 25.49% for 2026 to reflect annual inflation. The applicable amounts now span from TRY\u00a085,437 to 17,092,242 (approx. EUR\u00a01,650 to 330,300).<\/p>\n
The updated fine ranges for 2026 are as follows:<\/p>\n
The end of 2025 and the beginning of 2026 have seen notable developments in Turkish data protection law, particularly regarding personal data processing in the context of artificial intelligence (AI), reflecting the increasingly widespread integration of AI tools into day\u2011to\u2011day business operations.<\/p>\n","protected":false},"author":3,"featured_media":154931,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[281],"tags":[],"class_list":["post-154921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-publications"],"acf":[],"yoast_head":"\n