- July 1, 2025
PDPL BULLETIN – JUNE 2025
Data Protection Law, the Personal Data Protection Law No. 6698 (“KVKK” or “Law”) and its secondary regulations constitute a constantly evolving and updating field of law. Practices in this field are not limited to the Law and relevant regulations; they are shaped and concretised by the decisions, principles, and summaries of the Personal Data Protection Board (“Board”). In this context, the KVKK Bulletins prepared on a monthly basis serve as a resource for those who wish to follow current developments in the field of data protection, with the aim of providing up-to-date information and keeping interested parties informed.
In June 2025, the Personal Data Protection Authority (“Authority”) published on its website www.kvkk.gov.tr four data breach notifications, the ‘Public Announcement on the Use of the E-Notification Application of the Revenue Administration of the Ministry of Treasury and Finance in the Notification of Administrative Fines’, and a Board decision on the sending of verification codes via SMS.
DATA BREACH NOTIFICATIONS
Pursuant to Article 12/5 of the KVKK, if personal data processed is obtained by third parties through unlawful means, the data controller is obligated to promptly notify the relevant individual and the Board of such circumstances. In accordance with the aforementioned provision, the Board may, if deemed necessary, publish the relevant data breach on its official website or through other appropriate means. This regulation has been introduced to ensure the effective management of data breaches and the timely notification of the relevant persons.
Richemont Istanbul Luxury Goods Distribution Inc.
According to the data breach notification submitted to the Board by Richemont Istanbul Luxury Goods Distribution Inc., acting as the data controller, the breach occurred when the account of a Richemont Group employee was compromised by unauthorised individuals, who then accessed personal data belonging to the data controller’s customers between 17 January 2025 and 18 January 2025; the breach was detected on 30 May 2025.
It has been stated that the group of individuals affected by the breach consists of customers/potential customers, that the number of affected individuals is 25,737, and that the information affected by the breach includes the names, email addresses, country information, customer IDs, and dates of birth of the individuals concerned.
İstanbul Gedik University
According to the data breach notification submitted to the Board by Istanbul Gedik University, which is the data controller, the breach occurred between 13 May 2025 and 14 May 2025.
It was stated that the groups of individuals affected by the breach were employees, users, and students, and that the number of individuals affected by the breach was 23,269, while the number of records was 209,421. It has been reported that the following data was affected by the breach: name, surname, username, masked Turkish ID number with only the last four digits visible, email address, institution-department information, and user traffic data.
TCO Turkey Mücevherat Ticareti Limited Şirketi
According to the data breach notification submitted to the Board by TCO Turkey Jewellery Trade Limited Company, which acts as the data controller, the breach occurred between 12 May 2025 and 16 May 2025, when an unauthorised third party gained access to certain systems belonging to Tiffany and Company, a US-based subsidiary of the data controller, and was detected on 4 June 2025.
It has been stated that the data subjects affected by the breach are the data controller’s employees and customers, and that efforts are ongoing to determine the number of individuals and records affected. Within the scope of the breach, it has been assessed that names, contact information, titles, manager information, usernames and hashed passwords, which constitute employee and consultant company directory data, have been affected, and that customer names, contact information, age, sales data and gender information may also have been affected, subject to the ongoing investigation.
BeiGene Limited Company
In the data breach notification submitted to the Board by BeiGene, Ltd., acting as the data controller, it was summarised that on 16 June 2025 a limited number of corporate files were uploaded to two external file-sharing platforms (pastebin.com and swisstransfer.com), and that the files contained data used for the planning and monitoring of clinical trials.
The affected individuals are employees and patients of the data controller; the breach affected 467 individuals in Turkey, including 17 employees and 450 patients. The categories of personal data affected by the breach are identity, contact, and health information.
GRC LEGAL Comment
The data breaches reported in June once again highlighted how critical third-party system security, oversight of data processors, and the digital infrastructure of international subsidiaries are to the personal data security of data controllers operating in various sectors.
The breach at Istanbul Gedik University, where unauthorised access occurred in the systems of the data processor providing services on behalf of the data controller, highlights the inadequacy of technical and administrative measures on the part of the data processor. This situation could result in the sensitive data of a large number of people being affected, particularly in the case of institutions providing education and public services.
The breach experienced by TCO Turkey Jewellery Trade Limited Company demonstrates that security vulnerabilities in the global digital infrastructure of international companies can directly affect local data controllers. This situation highlights the need for data integration processes with overseas-based subsidiaries to be evaluated comprehensively, not only in terms of cross-border data transfers but also in terms of cyber security protocols and crisis management.
The breach at Richemont Istanbul shows that traditional ‘human vulnerability’ breaches, such as unauthorised access through an employee’s account, can still lead to large-scale data leaks. Therefore, it is critical to implement basic security measures such as multi-factor authentication for employee accounts, regular password updates, and awareness training.
In the data breach reported by BeiGene Limited, a serious security issue arose due to the unauthorised uploading of identity, contact, and health data related to clinical trials to open platforms such as pastebin.com and swisstransfer.com. In the incident, which affected 467 individuals in Turkey, the disclosure of special category personal data in violation of the KVKK clearly demonstrates that the data controller failed to take the necessary technical and administrative measures.
In conclusion, the violations highlight the importance of data controllers establishing an effective monitoring mechanism not only for their own systems but also for the systems of the data processors they engage and the systems of their affiliated group companies. In our opinion, data security should be evaluated in conjunction with technical capacity, organisational responsibility, awareness, and contractual protection.
PUBLIC ANNOUNCEMENT
E-Notification Application Has Been Implemented for the Notification of Administrative Monetary Penalties!
In the announcement regarding the notification of administrative monetary penalties imposed by the Board in accordance with Article 18 of the Law, and within the scope of Article 26/4 of the Law No. 5326 on Misdemeanours, it was stated that, within the framework of the protocol signed between the Authority and the Ministry of Treasury and Finance, the technical infrastructure enabling the notification of administrative penalty decisions in electronic form has been completed and the E-Notification Application of the Revenue Administration Presidency has been put into use. Accordingly, administrative fines imposed on data controllers who are registered taxpayers will in future be notified through the E-Notification system.
However, notifications for data controllers who do not have a tax registration or whose registration has been deleted will continue to be made by traditional methods in accordance with the provisions of the Notification Law No. 7201. This change is an important development in terms of ensuring that administrative sanctions are communicated to their recipients in a faster and more effective manner, and reminds data controllers of the importance of keeping their tax registration information up to date.
BOARD DECISION
Principle Decision No. 2025/1072 on the Sending of Verification Codes via SMS
The Personal Data Protection Authority, through its Decision No. 2025/1072 dated 10 June 2025, made important findings regarding the processing of personal data through the sending of verification codes via SMS during the provision of products or services. The Decision focuses on the unlawfulness of the widespread practice of requesting individuals’ contact information for verification purposes during payment, registration, and membership processes, and then using that verification to obtain consent for commercial electronic communications.
The Board emphasised that explicit consent must be specific to a particular matter, informed, and based on free will; it stated that making consent a prerequisite for a service would eliminate free will. The Principle Decision also details the legal boundaries for using SMS verification processes as a means of obtaining explicit consent for the sending of commercial electronic communications, the obligation to provide information and obtain explicit consent independently and separately, and the training and internal audit obligations for data controllers.