New Principle Decision on the Separation of Information Notices and Explicit Consent Texts in the Processing of Personal Data

In the Principle Decision No. 2026/347 published in the Official Gazette dated March 24, 2026, it was determined that one of the most common unlawful practices in the processing of personal data is the intertwining of information notices and explicit consent texts provided by data controllers. Accordingly, it was ruled that these documents must be prepared separately and data controllers are required to fulfill these obligations through distinct texts.

Pursuant to Article 20 of the Constitution and Articles 5, 6, and 10 of Law No. 6698, the Obligation to Inform is an informational activity that must be fulfilled in all circumstances, regardless of the data subject’s request or consent, whereas Explicit Consent is a declaration of approval based on informed and freely given will regarding a specific matter.

In this context, even if data controllers present information notices and explicit consent texts on the same page, they must be structured under separate headings. Instead of including statements such as “I have read and accept” at the end of information notices, which imply consent, only statements confirming that the information has been received, such as “I have read and understood”, should be included. Furthermore, practices such as copying texts belonging to other data controllers, unnecessarily extending texts with technical and legal terminology, including ambiguous expressions, and reproducing the exact wording of Article 11 of the Law instead of summarizing the rights of the data subject should be avoided. Instead, each data controller should adopt clear and plain language tailored to its own organizational structure. It was also determined that practices where the data controller’s title, MERSIS number, and contact details are not clearly stated, or where the obligation to inform is made conditional upon obtaining consent, are unlawful. The decision also includes examples of good and bad practices.

In conclusion, compliance with these procedures and principles is considered a mandatory administrative measure to ensure data security under Article 12 of the Law. In case of non-compliance, administrative action will be taken against data controllers pursuant to Article 18 of the Law, as announced to the public.

You may access the decision via the following link:

https://www.resmigazete.gov.tr/eskiler/2026/03/20260324-3.pdf

Amendments to the Regulation on Personal Health Data Dated 3 December 2025

The Regulation Amending the Regulation on Personal Health Data was published in the Official Gazette dated 3 December 2025 and entered into force on the same date.

The notable amendments introduced by the Regulation are summarized as follows:

• The requirement for powers of attorney to contain an explicit consent clause regarding the processing and transfer of special categories of personal data for attorneys’ access to health data has been abolished. Accordingly, attorneys’ access will be evaluated within the framework of general provisions on powers of attorney and the Personal Data Protection Law. However, the obligation to provide and display records of past health data is conditioned upon the fulfilment of the processing requirements applicable to special categories of personal data.

• The definition of a “caregiver” has been added to the section on definitions. The access period for healthcare personnel has been expanded, while the provision granting family physicians unlimited access has been preserved. The access of the examining physician and other physicians within the relevant healthcare provider will continue until the completion of the healthcare service. In emergency department admissions, all emergency physicians will be authorized to access data until the patient is discharged.

• Within the scope of e-Nabız security settings, individuals who have disabled access preferences may have their historical data accessed through the sharing of a phone verification code. In cases such as detention or imprisonment, the verification code requirement will not apply, and access will be granted to the family physician and the examining physicians. The Ministry shall be held responsible for any service disruptions or damages arising in situations where the conditions for data processing are met.

• Significant innovations have been introduced regarding access to the health data of children and persons with disabilities. During divorce proceedings, the parent with temporary custody will be able to access the child’s health data, while after the divorce, the parent with final custody will retain this right. The non-custodial parent may, upon request, view only limited information concerning the child’s health status, with location and contact details removed. In addition, caregivers of individuals who hold disability reports have been granted access authorization.

• The retention period for health data relating to deceased individuals has been extended from 20 years to 30 years.

• The wording of certain provisions in the Regulation has been amended, and several articles have been repealed. The amendments have entered into force, and matters concerning implementation shall be carried out by the Ministry of Health.

You may access the full text of the Regulation at the following link:

https://www.resmigazete.gov.tr/eskiler/2025/12/20251203-2.htm 

The Samsung Decision: A New Direction (or Not?) in the Turkish Competition Authority’s Approach to the Obstruction or Hindrance of On-Site Inspections

Does the Samsung Decision published by the Turkish Competition Authority on 20 October 2025 signal a new approach to the assessment of obstruction or hindrance of on-site inspections?

You may access our initial evaluation on this question in the information note attached.

Announcement by the Turkish Personal Data Protection Authority (KVKK) on Granting Permission for the Transfer of Personal Data Abroad via an Agreement That Does Not Constitute an International Treaty

The Personal Data Protection Authority announced to the public that, pursuant to subparagraph (a) of paragraph four of Article 9 of the Personal Data Protection Law No. 6698, permission has been granted for the first time for the transfer of personal data abroad under an agreement that does not constitute an international treaty.

According to the announcement, if there is no adequacy decision for the country to which the transfer will be made, “agreements that do not constitute an international treaty” concluded between public institutions in Türkiye or professional organizations with public-institution status and public institutions abroad or international organizations were indicated as one of the appropriate safeguards envisaged under the Law. As a result of the assessment carried out by the Personal Data Protection Board pursuant to Article 11 of the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad, permission was granted for the transfer of personal data abroad under the agreement concluded between the Ministry of Interior Directorate General of Migration Management and the United Nations High Commissioner for Refugees (UNHCR).

You can access the full announcement via the link below:

https://www.kvkk.gov.tr/Icerik/8538/uluslararasi-sozlesme-niteliginde-olmayan-anlasma-ile-yurt-disina-kisisel-veri-aktarimina-izin-verilmesi-hakkinda-duyuru

Decision of the Personal Data Protection Board Granting VERBIS Exemption to Micro-Enterprises

3 Oct 2025 Publications

The Decision of the Personal Data Protection Board dated 04/09/2025 and numbered 2025/1572 was published in the Official Gazette dated 1 October 2025. Pursuant to this Decision, data controllers whose principal activity involves the processing of special categories of personal data, but who employ fewer than ten (10) persons and have an annual financial balance sheet of less than ten million Turkish Lira (₺10,000,000), shall also be exempted from the obligation to register with VERBIS (the Data Controllers’ Registry).

This Decision aims to alleviate the compliance burden of micro-enterprises by updating the previous exemption criteria relating to the number of employees and financial thresholds.

The full text of the Decision can be accessed via the following link: https://www.resmigazete.gov.tr/eskiler/2025/10/20251001-4.pdf

The Principle Decision of the Personal Data Protection Authority Regarding the Use of Verification Codes for Obtaining Consent for Commercial Electronic Messages

26 Jun 2025 Publications

In its decision dated 10 June 2025 and numbered 2025/1072, published in the Official Gazette, the Personal Data Protection Authority (“the Authority”) examined certain practices whereby data controllers, during the provision of services (such as making payments, creating accounts, registering for memberships, etc.), send verification codes to users via SMS and simultaneously obtain consent for the delivery of commercial electronic messages.

Upon evaluation, the Authority stated that the sending of verification codes via SMS must be strictly limited to the purpose of verification and that using this process as a means to obtain consent for commercial communications raises concerns in terms of the conditions required for obtaining explicit consent.

The decision emphasized that explicit consent, as defined under the Law, must relate to a specific subject matter, be based on informed choice, and be given freely. It was noted that, if consent is obtained during the verification process, it must be clearly and distinctly separated from the verification function, and the user must be adequately informed.

The Authority reiterated that in such practices, the processes concerning the processing of personal data and the sending of commercial electronic communications must be clearly separated, and that explicit consent must be obtained separately and in accordance with the legal requirements. Otherwise, the matter may be subject to further assessment within the scope of Law No. 6698 on the Protection of Personal Data.

The full text of the decision is available via the following link: https://www.resmigazete.gov.tr/eskiler/2025/06/20250626-7.pdf

Information Note Regarding the Amendments to the Regulation on Distance Contracts

The “Regulation Amending the Regulation on Distance Contracts” published in the Official Gazette on 24 May 2025 introduces important consumer protection measures. These amendments cover key issues, including the expansion of the right of withdrawal, ensuring that return shipping costs cannot be imposed on the consumer, and mandating that pre-contractual information clearly state that mediation is required before initiating legal action.

In the Information Note we prepared as Koyuncuoğlu&Köksal Law Firm, we provide brief, summarized information and our evaluations regarding the Authority’s work.

Click here to access our study.

Information Note on Chatbots (Example: ChatGPT)

An information note about chatbots (example: ChatGPT) was published by the Personal Data Protection Authority on November 8, 2024. This information note, issued by the Personal Data Protection Authority, addresses topics such as defining chatbots, their purposes, the types of personal data they process, and how AI chatbot applications can be evaluated in terms of personal data security, as well as the considerations to keep in mind during their development.

In the Information Note we prepared as Koyuncuoğlu&Köksal Law Firm, we provide brief, summarized information and our evaluations regarding the Authority’s work.

Click here to access our study.
