- within Food, Drugs, Healthcare, Life Sciences, Employment and HR, Litigation and Mediation & Arbitration topic(s)
Administrative Fines under the KVKK Applicable in 2026 Have Been Updated
Administrative monetary fines imposed under the Turkish Personal Data Protection Law No. 6698 ("KVKK") have been increased as of 2026 in line with the applicable revaluation rate. Following the finalization of inflation figures, the revaluation rate for 2026 has been set at 25.49%. This rate has been formally confirmed by the General Communiqué on the Tax Procedure Law published in the Official Gazette. Accordingly, the minimum and maximum amounts of administrative monetary sanctions prescribed under the KVKK have been increased. Administrative monetary sanctions to be imposed throughout 2026 will be calculated on the basis of the updated thresholds.
Amendment Proposal to the Turkish Internet Law Submitted to Parliament
An amendment proposal concerning Law No. 5651, commonly referred to as the "Internet Law", has been submitted to the Grand National Assembly of Turkey. The proposal has been prepared in line with the October 2023 annulment decision of the Constitutional Court of Turkey, which identified constitutional concerns, particularly regarding freedom of expression, proportionality, and legal certainty.
The proposal introduces revisions to key mechanisms such as content removal and access blocking, with the aim of strengthening the protection of personality rights while ensuring a more balanced framework for fundamental rights and judicial oversight. The final scope of the amendments will become clearer as the legislative process progresses.
Key Enforcement Statistics of the Personal Data Protection Authority Since 2017
Since 2017, the Personal Data Protection Authority has carried out extensive enforcement and supervisory activities under the Turkish Personal Data Protection Law. As part of these efforts, the Authority has imposed administrative monetary fines totalling TRY 1.265 billion and concluded the majority of 56,896 notifications and complaints received to date. During the same period, the Authority publicly disclosed 383 out of 1,872 data breach notifications, received more than 3,000 notifications of standard contractual clauses relating to cross-border data transfers, and approved 13 letters. In addition, the Authority has issued 1,336 legal opinions and published 332 decisions and 9 principal decisions on its website, providing guidance to data controllers, data processors, and data subjects.
Key Amendments to the Regulation on Personal Health Data
Recent amendments to the Regulation on Personal Health Data, published in the Official Gazette, have comprehensively updated the rules governing the processing, access, and protection of health data, with a stronger alignment with the KVKK. Under the amendments, the requirement to obtain explicit consent for lawyers' access to health data and to include a specific explicit consent clause in powers of attorney has been repealed. The processing of health data as a special category of personal data has been directly linked to the processing conditions set out under Article 6 of the KVKK, reinforcing legal consistency. The conditions under which physicians may access health data have been redefined based on medical necessity and treatment duration, while access rights for parents and caregivers have been clarified, including the introduction of a formal definition of caregiver. In addition, e-Nabız security settings have been strengthened, allowing individuals to further restrict access to their data and requiring one-time code verification for access to historical health records. Finally, internal access authorizations have been limited to the conditions set out under Article 6/3 of the KVKK, and the retention period for the health data of deceased persons has been extended from 20 to 30 years.
Personal Data Protection Board Prohibits Hotels from Taking Copies of ID Cards
The Personal Data Protection Board, through its newly published principle decision, has ruled that hotels' practice of obtaining photocopies of guests' identity cards constitutes unlawful data processing. While visually checking identity documents and recording information such as name and surname, Turkish ID number, and check-in/check-out dates is considered compliant with applicable legislation, taking photocopies of ID cards has been deemed excessive, lacking a legal basis, and potentially involving the processing of special categories of personal data.
The DPA announced the following data breach notifications in December:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
