Authority Warns Public Institutions Against Use of Foreign Messaging Apps
The Turkish Personal Data Protection Authority ("DPA") announced on 29 January 2026 that the use of foreign electronic communications applications such as WhatsApp and Telegram as a communication tool in public institutions is contrary to Presidential Circular No. 2019/12 on 'Information and Communication Security Measures', published in the Official Gazette dated 06.07.2019 and numbered 30823, as such applications do not have any data centres established in Türkiye.
The relevant Circular emphasised that domestic applications should be preferred for communication in public institutions and official documents containing confidential or otherwise sensitive information should not be shared via these platforms.
It also noted that sharing official information and documents via these applications could constitute a personal data processing activity and must therefore comply with the data processing conditions set out in the Personal Data Protection Law ("Law"); otherwise administrative sanctions may apply.
DPA Issues 10th Bulletin Covering September–December 2025
On 26 January 2026, the DPA shared with the public the 10th issue of its Bulletin covering September-December 2025, summarising developments over the past three months and matters on the DPA agenda. The Bulletin focused on the relationship between digital literacy and personal data protection. Providing a general framework on digital literacy, the DPA announced that it had organised seminars on secure digital literacy in 16 cities across Turkey. The concept of digital privacy was defined, and suggestions were made for adults and children on how to use digital platforms safely.
The DPA also emphasised the importance of selecting privacy-secure mobile applications and made recommendations for protecting personal data, including location, audio, and image data. Furthermore, it emphasised that, to ensure cybersecurity, passwords should be multi-segmented, consisting of upper- and lowercase letters and symbols.
DPA Limits the Period for Which Data Breach Notifications Must Remain Posted to 60 Days
In its announcement on 20 January 2026, the DPA reminded data controllers that they must report personal data breaches within 72 hours and that data subjects must be notified as soon as possible. The DPA had been publishing breaches on its website without a time limit, considering factors such as the nature of the breach, the number of individuals affected, and the level of risk. However, with this announcement, it stated that it would remove the publication within 60 days of the notification date, provided that the party responsible for the breach proves that it notified the relevant parties before publication. The publication of breaches aims to minimise the damage caused by the breach, and this approach strikes a balance between this objective and the interests of the data controller concerned.
DPA Clarifies Consent Requirements for Push Notifications
In its announcement dated 14 January 2026, the DPA noted that consent for push notifications is typically obtained at the time of downloading the relevant application, but that the consent covers multiple purposes. It stated that the consent was given for the purpose of tracking operational processes related to orders, but that this consent also forced users to accept campaign and advertising-related notifications. This situation violated the principle of 'granularity' (requiring explicit consent for each purpose) and therefore could not be considered "freely given explicit consent." The DPA invited data controllers to make the necessary changes to enable data subjects to manage their preferences by separating specific purposes in accordance with the granularity principle.
Authority Clarifies VERBIS Exemption Criteria for Non-Balance Sheet Controllers
On 12 January 2026, the DPA published a public announcement that clarifies how VERBIS registration exemptions apply to data controllers that do not keep accounting books on a balance sheet basis, based on Board Decision No. 2025/2393 (25 December 2025).
Under the clarified approach, data controllers maintaining accounts on a balance sheet basis must meet both the annual employee threshold and the financial balance sheet threshold cumulatively to benefit from the exemption. However, for controllers that do not keep balance sheet accounts, the exemption assessment will be based solely on the annual number of employees.
The DPA clarification is particularly relevant for small and micro-sized enterprises and underscores that failure to register with VERBIS where required may result in administrative sanctions under Law No. 6698.
The DPA announced the following data breach notifications in January:
| Data Controller (and sector) | Affected Data Subjects | Affected Personal Data Categories | Number of Data Subjects |
|---|---|---|---|
| Özbeyler Sağlık ve Özel Hastahane Medikal İthalat İhracat Sanayi ve Ticaret A.Ş. | Employees, students, customers (including prospective customers), patients and their relatives, job applicants, service providers and their representatives, suppliers and their employees, shareholders/partners, interns, visitors (including individuals subject to CCTV recording), public officials, and other related individuals. | Identity Data, Contact Data, Personnel (HR) Data, Physical Premises Security Data, Transaction Security Data, Financial Data, Professional Experience Data, Visual and Audio Records, Special Categories of Personal Data (Racial and Ethnic Origin, Philosophical Belief, Religion, Sect and Other Beliefs, Clothing/Appearance Data, Health Data, Sex Life, Criminal Convictions and Security Measures, Biometric Data), Title, Signature Data, Number of Children and Age Information, Marital Status, Military Service Status, Travel Information. | Not yet determined. Data subjects seeking further information about the incident may contact info@korfezhastanesi.com |
| Codeway Dijital Hizmetler A.Ş. | Registered users of "Chat & Ask AI" mobile application | Email address, username (nickname selected at registration), user-generated content shared within the application. | 3.700 users |
| Docplanner Teknoloji A.Ş. | Employees and former employees | Identity Data (name, surname, gender, date of birth and/or age, passport number, issuing country and validity date), Contact Data (address/place of residence, email address, phone number), Customer Transaction Data (train travel details, including country, city, travel date and time). | 525 |
| Eurail B.V. | Customers who purchased train tickets. | Identity Data (name, surname, gender, date of birth and/or age, passport number, issuing country and validity date), Contact Data (address/place of residence, email address, phone number), Customer Transaction Data (train travel details, including country, city, travel date and time). | 8,823 individuals residing in Türkiye. Data subjects seeking further information about the incident may contact privacyhelp@eurail.com |
| Köfteci Yusuf Hazır Yemek Temizlik Canlı Hayvan Et Mamulleri Entegre Gıda İthalat İhracat San. Tic. AŞ | Employees and customers | Customers: Identity Data (name, surname), Contact Data (e-mail, phone number), Phone Number, Order Details. Employees: Name, Address, Phone Number, Personnel Data. | 150.000 customers, 13.000 employees; total 163.000 |