PDPL BULLETIN – MARCH 2025

The Personal Data Protection Law No. 6698 (‘KVKK’) and its secondary legislation have been subject to frequent updates since their entry into force. Not only the KVKK and secondary regulations enacted in accordance with the KVKK, but also the Decisions, Principles, and Summary of Decisions of the Personal Data Protection Board (‘Board’) establish numerous procedures and principles related to data protection. Therefore, our monthly bulletins aim to keep stakeholders informed about Board applications and ensure up-to-date information.

In March 2025, the Personal Data Protection Authority (‘Authority’) published three data breach notifications on its website at www.kvkk.gov.tr.

DATA BREACH NOTIFICATIONS

Article 12/5 of the Personal Data Protection Law, titled ‘Obligations Regarding Data Security,’ states: ‘If personal data processed is obtained by others through unlawful means, the data controller shall notify the relevant parties and the Board as soon as possible. The Board may, if necessary, publish this information on its website or through other appropriate means.’

Anadolu Anonim Türk Sigorta Şirketi

According to the data breach notification submitted to the Board by Anadolu Anonim Türk Sigorta Şirketi, which acts as the data controller, the breach occurred between 25 February 2025 and 26 February 2025 and was detected on 26 February 2025. The data controller implemented a development that automatically sends documents related to policies when the policy is issued, and this development was deployed to the live environment on 25 February 2025. For approximately two days, automatic transmission of documents related to both individual health and group health products was enabled. However, it was revealed that, despite being excluded from coverage in the policies, health data (health letters) of some customers who purchased group health products were transmitted to the insurance companies, resulting in a breach. The group of individuals affected by the data breach is identified as ‘customers,’ with 242 individuals affected by the breach. The personal data affected by the breach includes ‘first name,’ ‘last name,’ ‘insured address,’ ‘policy number,’ and ‘health information.’

Turknet Communication Services Inc.

According to the data breach notification submitted to the Board by Turknet Communication Services Inc., which holds the status of data controller, the breach began on 26 February 2025 and was detected on 11 March 2025 through a publicly available BTK complaint record. The breach occurred as a result of an SQL injection attack on one of the data controller’s services; the group of individuals affected by the breach is subscribers/members; and the personal data affected by the breach includes customers’ first name, last name, phone number, subscription number, Turkish ID number, Turknet subscription circuit information, address, and static IP information. In the initial investigation by the data controller, it was determined from the relevant log records that the data of 244,396 users had been leaked, and a detailed investigation is ongoing within the data controller. It has been stated that the relevant individuals can obtain information regarding the breach by contacting the Turknet quick service line at 0850 288 80 80 / 0850 344 28 18 or by contacting the following address: ‘Fulya, Büyükdere Cd. Torun Center No: 80 A Blok No: 74 A 34394 Şişli/İstanbul’.

Bilfen Education Institutions Inc.

According to the data breach notification submitted to the Board by Bilfen Education Institutions Inc., which acts as the data controller, the breach began on 12 March 2025 and was detected on the same date via a message sent to the data controller’s WhatsApp line by a cyber attacker/attackers. The categories of data affected by the breach include identity, communication, transaction security, professional experience, visual and audio recordings, as well as special categories of personal data such as health information; the number of individuals affected by the breach is 24,061; and the individuals affected by the breach include students, student parents, and employees. Affected individuals may access announcements regarding the data breach through bilfen.com.tr, and they can also obtain detailed information about the data breach by sending an email to kvkk@bilfen.com.

GRC LEGAL Comment

The data breach reported to the Board by Anadolu Anonim Türk Sigorta Şirketi has once again highlighted the importance of protecting all personal data, especially sensitive personal data. The security of personal data must be ensured not only through technical measures but also through properly designed compliance processes and effective control mechanisms. In particular, before implementing new developments in live environments, it is crucial to thoroughly test data processing scenarios and carefully monitor data sharing processes.

To prevent such breaches, it is necessary to increase systemic controls, tighten access authorisation mechanisms, and conduct regular security tests on all personal data processing processes. In addition, continuous review of process-based controls by internal audit units, along with employee awareness training, will contribute to preventing violations before they occur. The protection of personal data is not only a compliance obligation but also a fundamental element of corporate trust and sustainable business processes.

ANNOUNCEMENT

Announcement Regarding Commitment Application

The three commitment applications submitted by VF Ege Giyim Sanayi ve Ticaret Limited Şirketi to the Institution regarding the transfer of personal data abroad have been evaluated by the Board in accordance with Article 9/4-ç of the KVKK, and no procedural or substantive deficiencies were identified. As a result, permission for the aforementioned data transfers was granted on 12 March 2025.

GUIDELINES

Guidelines on Matters to Be Considered in the Processing of Biometric Data

The ‘Guidelines on Matters to Be Considered in the Processing of Biometric Data’ (‘Guidelines’) published by the Institution in September 2021 have been updated as of March 2025.

As stated in the Guidelines, biometric data are data obtained through technical processes based on physical, physiological or behavioural characteristics that uniquely identify or verify the identity of an individual. Data such as fingerprints, facial recognition, retina and iris scans, palm prints, gait patterns, keystroke patterns, and even driving patterns fall under the category of biometric data. The KVKK considers biometric data to be ‘special category personal data’ and subjects the processing of such data to strict regulations. Therefore, certain principles must be followed to ensure legal compliance in biometric data processing.

In this context, processing activities must not harm the fundamental rights and freedoms of individuals. Since the right to the protection of personal data is a fundamental right guaranteed by the Constitution, biometric data processing must also be evaluated within the framework of legal compliance. The processing of biometric data must be appropriate for the purpose sought and selected as a suitable method for that purpose.

Where alternative methods are available, the biometric data processing process becomes disproportionate. For example, it is stated that there is no need to use biometric data to control the entry and exit of gym members, and that methods such as card access systems, which process less personal data and interfere less with rights, can be preferred. However, it is also considered that methods such as biometric verification can be used in facilities requiring high security, such as nuclear power plants. At this point, each specific case must be evaluated separately to determine whether biometric data processing activities are in line with the principle of proportionality. The method used must be proportionate to the intended purpose; otherwise, excessive data processing activities may violate individuals’ privacy rights.

One of the most important issues to consider in the biometric data processing process is that data should only be stored for as long as necessary. When the purpose of data processing ceases to exist, biometric data must be destroyed without delay. Data controllers must fulfil their obligation to provide information to the relevant persons in accordance with Article 10 of the KVKK, limited to the purpose of processing. Where the explicit consent of the persons is required, this consent must be freely given and not obtained under any coercion or compulsion. In this context, it is important that an employee who does not wish to provide biometric data to their employer should not face any sanctions. If the employee is not effectively given the opportunity to refuse consent, or if refusing consent could lead to negative consequences for the employee, the consent obtained shall be deemed not to be freely given.

Additionally, technical and administrative measures must be taken to ensure the security of biometric data. Technical measures include storing biometric data in cloud systems using only cryptographic methods, ensuring that original biometric data cannot be retrieved, and securing systems against unauthorised access. The data controller must conduct tests using synthetic (non-real) data before establishing the system and after any changes, and must delete the biometric data used for testing purposes no later than the end of the tests. Measures must be implemented to alert the system administrator or automatically delete biometric data in cases of unauthorised access. At the same time, hardware and software tests of biometric data systems should be performed periodically, the software used should be kept up to date, and open source software should be preferred.

Within the scope of administrative measures, alternative systems should be provided for individuals who cannot use biometric data, and an action plan should be established in case of failure of biometric verification. Access to biometric data systems by authorised persons should be monitored and documented. In addition, personnel involved in the biometric data processing process should receive special training, and this training should be documented. A formal reporting procedure should be established to enable employees to report security vulnerabilities in systems and services. Emergency procedures to be implemented in the event of a data breach should be prepared and communicated to all relevant parties.

In conclusion, the processing of biometric data must be carried out in accordance with legal and technical requirements. Data controllers should only carry out biometric data processing activities when strictly necessary and should give priority to alternative methods. At the same time, they are obliged to take all necessary technical and administrative measures to ensure data security and privacy. Since regulations on the processing of biometric data aim to protect the fundamental rights and freedoms of individuals, sensitivity in these processes is of great importance.

AGENDA NEWS

Personal Data Protection Legislation Changes: New Dynamics and Legislation Compliance Workshop

On 14 March 2025, the Institution and the Legislation Compliance Association organised the ‘Personal Data Protection Legislation Changes: New Dynamics and Legislation Compliance Workshop’ (‘Workshop’), which was held at Boğaziçi University. The Workshop was attended by Faruk Bilir, President of the Institution; Gürdoğan Yurtsever, Chairman of the Board of Directors of the Legislation Compliance Association; Burak Şenol, Vice Chairman of the Board of Directors of the Legislation Compliance Association; Dr. Osman Gazi Güçlütürk, Faculty Member at Galatasaray University; Assoc. Dr. Aslı Deniz Helvacıoğlu; and KVK experts representing the Institution.

Our Senior Lawyer, Zeynep Naz Topaloğlu, a member of the KVK Working Group of the Legislation Compliance Association, asked questions to the KVK experts, while Melike İşgören, one of our lawyers and a member of the KVK Working Group of the Legislation Compliance Association, moderated the event.

Statements by Institution President Faruk Bilir

Institution President Faruk Bilir made statements on current developments regarding the protection of personal data and provided important assessments. In this context, he stated that 1,932 standard contracts had been submitted to the Institution and that three commitment applications regarding the transfer of personal data abroad as of March 2025 had been approved. Bilir stated that the standard contract processes were generally running smoothly and that notifications were being made within the specified time frame, adding that no sanctions had been imposed yet. However, he emphasised that standard contracts could be prepared in Turkish and English, but that the Turkish text should be taken as the basis and both texts should be signed.

Stating that the issues of necessity and obligation are explained in the guide and supported with examples, Bilir said that although the guides are not directly binding, they reflect the Board’s perspective and should therefore be taken into consideration.

One of the important assessments was that the phrase ‘when necessary’ in Article 4 of the KVKK does not impose a periodic update obligation on data controllers, but that this obligation may arise in the event of harm to the data subject. In his speech, which also touched on the relationship between data processors and data controllers, he stated that, as is well known, if a data processor acts outside the instructions and orders of the data controller, it may become a data controller and be subject to administrative fines. However, he emphasised that the data processor does not need the instructions of the data controller to make a standard contract notification.

Faruk Bilir also announced that the guide for electronic money institutions has been completed and will be published in the coming days.

Statements by KVK Experts

In the second session, KVK experts representing the Institution at the workshop were asked questions that raised doubts in practice and were highly debated following the legislative amendments, and detailed answers were provided.

In particular, regarding questions centred on personal data transfer processes abroad, KVK experts stated that explicit consent under Article 9 of the KVKK can only be used in the context of incidental data transfer and that the term ‘incidental’ refers to data transfers that are not systematic and are not part of normal business activities. However, it was emphasised that even in such cases, the data subject must be informed about the potential risks. The experts stated that occasional transfers may occur once or several times but must not be part of routine activities, and that the data controller must make this distinction by considering the nature of its activities and interpret the process on a case-by-case basis.

While it is stated that the legal basis for standard contracts is Articles 5 and 6 of the KVKK, it is emphasised that the legal basis is the condition for data processing and that the standard contracts must clearly specify the processing condition on which the transfer is based. It is emphasised that, according to European Union legislation, a breach is considered an exceptional transfer and should be interpreted narrowly, and that it would be more appropriate to resort to appropriate safeguards in this context.

Experts have noted that standard contract notifications have begun and that the relevant guidelines were published in January 2025, while also stating that the sections to be filled in by the parties within the standard contracts are limited. It has been stated that the parties cannot make changes within the framework determined in the guide and that standard contracts prepared in accordance with the KVKK and the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad will not be subject to a specific review in terms of content, and that the main purpose of this process is to facilitate data transfer.

It is stated that if any deficiencies or errors are identified in the standard contracts submitted, the party notifying the Authority will be contacted in writing to make the necessary corrections. However, if any additions or deletions are made to the standard contract or if the signatures of the parties are missing, a thorough review will be conducted, and a decision will be made accordingly.

Experts have stated that a notarised translation of every document in a foreign language must be submitted, emphasising that official documents must be certified by diplomatic missions. It has been stated that an apostille is not required in countries with bilateral agreements and that a notarised certification is sufficient in such cases.

Another important point is that, for a country to which personal data may be transferred, the mere existence of a data protection authority is not sufficient; appropriate safeguards must also be provided and remedies established.

While it was emphasised that a transfer impact assessment is mandatory, it was noted that documents published by the European Data Protection Board regarding additional safeguards can be used as examples. Additionally, it was underscored that the independence of data protection authorities, whether they have the power to impose sanctions, the scope of their authority, and whether the rights of foreign nationals are protected must also be taken into consideration.