- May 1, 2025
PDPL BULLETIN – APRIL 2025
The Personal Data Protection Law No. 6698 (‘KVKK’) and its secondary legislation have been subject to frequent updates since their entry into force.
Not only the KVKK and the secondary regulations enacted pursuant to the KVKK, but also the decisions of the Personal Data Protection Board (‘Board’), the Principles and Decisions of the Board, and the summaries of the Board’s decisions establish numerous procedures and principles related to data protection. Therefore, our monthly bulletins aim to keep stakeholders informed about the Board’s practices and ensure up-to-date information.
In April 2025, the Personal Data Protection Authority (‘Authority’) published three data breach notifications on its website at www.kvkk.gov.tr. In addition, the Authority published the ‘Good Practice Guide on the Protection of Personal Data in the Payment and Electronic Money Sector’ and the ‘2024 Activity Report.’ The Authority also updated the ‘Guidelines on Matters to Be Considered in the Processing of Genetic Data’ in line with the amendments to the KVKK and published a book entitled ‘An Academic Perspective on Artificial Intelligence Technologies.’
DATA BREACH NOTIFICATIONS
The KVKK, under the heading ‘Obligations Regarding Data Security,’ Article 12/5, states: ‘In the event that personal data processed is obtained by others through unlawful means, the data controller shall notify the relevant party and the Board as soon as possible. The Board may, if necessary, announce this situation on its website or through another method it deems appropriate.’
Bellapais Hand and Foot Care and Beauty Salon Trade Limited Company
According to the data breach notification submitted to the Board by Bellapais Hand and Foot Care and Beauty Salon Trade Limited Company, which acts as the data controller, the breach occurred on 03.04. as a result of unauthorised access to the data controller’s system through a cyber attack, leading to the unauthorised acquisition of data within the system. Employees, users and customers/potential customers were affected.
The data affected by the breach comprised names, surnames, Turkish ID numbers, dates of birth, gender, mother’s and father’s names, telephone numbers, address details, planned transactions with customers, payment details (amount, transaction descriptions, etc.) and health data (if any, information on declared chronic conditions). The number of individuals affected by the breach was 83,070, and the relevant individuals can obtain information from the data controller via the call centre and social media channels.
Robotistan Electronic Commerce Inc.
According to the data breach notification submitted to the Board by Robotistan Electronic Commerce Inc., which is the data controller, cyber attackers contacted the data controller via email and stated that they had obtained its data. The data controller receives services from T-Soft as its website infrastructure provider.
The breach began in February 2024 and was detected on 7 April 2025.
The group of individuals affected by the breach consists of customers and potential customers. The number of individuals affected by the breach has not yet been determined. The breach affected the names, surnames, telephone numbers, address information, and order information of the individuals concerned.
Kullanatmarket Elektronik Pazarlama Ticaret Anonim Şirketi
According to the data breach notification submitted to the Board by Kullanatmarket Elektronik Pazarlama Ticaret Anonim Şirketi, which is the data controller, the breach occurred between 30 September 2024 and 9 April 2025 and was detected on 8 April 2025. It was stated that the data breach occurred through the unauthorised access of cyber attackers to certain files containing personal data (database files).
It was stated that the breach occurred on the management panel and web application components hosted on the e-commerce infrastructure provided by T-Soft, that customers and potential customers were affected by the breach, and that the number of affected individuals has not yet been determined. The following data belonging to the relevant individuals was stated to have been affected by the breach: identity (name, surname), contact (email address, phone number, possible address information), customer transactions (order details, transaction history) and transaction security (records containing information such as IP addresses and usernames associated with user sessions). It was stated that the relevant individuals can obtain information about the data breach via the email address kvkk@kullanatmarket.com.
GRC LEGAL Comment: The data breaches reported in April 2025 demonstrate that systemic weaknesses in personal data protection and cybersecurity vulnerabilities pose serious risks for both small-scale service providers and e-commerce platforms.
Additionally, it is noteworthy that Robotistan Electronic Commerce Inc. and Kullanatmarket Electronic Marketing Trade Inc. receive services from T-Soft as their infrastructure provider. In this context, technical and legal audits should be conducted to ensure that data controllers take the necessary measures regarding the data processors they engage, and that data processing processes are carried out in a manner integrated with privacy and security principles from the design stage onwards. This will play a critical role in preventing such breaches. This is because the protection of personal data is not merely an obligation, but a critical risk management issue with direct consequences in terms of reputation, customer relations and legal liability.
GUIDELINES
Guidelines on Good Practices for the Protection of Personal Data in the Payment and Electronic Money Sector
The Authority published the ‘Guidelines on Good Practices for the Protection of Personal Data in the Payment and Electronic Money Sector’ in April. These Guidelines clarify the responsibilities of payment and electronic money institutions operating in the sector under the KVKK and aim to guide practitioners with sector-specific example scenarios and interpretations regarding data processing activities. The Guide is particularly noteworthy in terms of the distinction between the roles of data controller and data processor, the scope of activities requiring explicit consent, and the alignment of technical and administrative measures with sector-specific legislation. Our detailed analysis of this Guide will be shared on our LinkedIn page.
Guidance on Matters to Be Considered in the Processing of Genetic Data
Following the amendments made to the conditions for the processing of special category personal data within the scope of the KVKK reform in 2024, the ‘Guidance on Matters to Be Considered in the Processing of Genetic Data’ has been updated as of April 2025 to ensure compliance with the relevant regulations.
Following the substantial amendments made to Article 6 of the KVKK regarding the processing of special category personal data, the update of the relevant Guidelines regulating the processing of genetic data, which fall under the category of special category personal data, is highly appropriate. In this context, it would be beneficial for implementers and data controllers engaged in genetic data processing activities to review the Guidelines with a fresh perspective. We believe that the relevant update will serve as a guide not only for private legal entities but also for public institutions, healthcare providers, insurance companies, and all actors providing genetic testing services that may be involved in genetic data processing activities.
BOOK ANNOUNCEMENT
Academic Perspective on Artificial Intelligence Technologies
Rapid developments in artificial intelligence technologies are the subject of intense debate, not only in terms of their technical dimensions, but also in terms of their legal and ethical implications. In this context, the book ‘Academic Perspective on Artificial Intelligence Technologies’ published by the Authority, prepared with the contributions of experts in the field, addresses the effects of artificial intelligence in the context of data protection law in a multidimensional manner.
Comprising five chapters and fifteen articles, this work offers up-to-date and in-depth analyses of the effects of artificial intelligence in various sectors, such as the protection of personal data in artificial intelligence applications, profiling, data responsibility, ethical approaches, regulatory efforts (e.g., the EU Artificial Intelligence Act), sensitive groups, health, employment, finance, and education.
We believe that this study, which serves as a guide for all data controllers, researchers, and lawyers working in the field of artificial intelligence, provides a comprehensive assessment of the future of artificial intelligence from the perspective of personal data protection.
ACTIVITY REPORT
Highlights from the KVKK 2024 Activity Report
- Within the scope of VERBİS audits, a total of 421,897,000 TL in administrative fines were imposed on data controllers who violated VERBİS obligations throughout 2024.
- In 2024, a total of 552,188,101 TL in administrative fines were imposed on 862 data controllers, representing a significant increase compared to 2023.
- Only 10 out of 90 commitments submitted for data transfers abroad were accepted. In addition, 1,364 standard contracts were reported to the Authority in 2024.
- In 2024, 55% of the applications made to the Authority concerned the unlawful processing of personal data, and 18% concerned unauthorised SMS/calls. In 2024, the service sector was again the sector with the highest number of complaints.
- 62% of the applications submitted to the Authority by data subjects were rejected on procedural grounds, indicating that there is still insufficient knowledge regarding the application processes.
You can access our detailed evaluation of the KVKK 2024 Activity Report on our LinkedIn page.