16 June 2026

Two-Minute Recap - Data Protection Law Matters In Türkiye - 2026 May

Gen Temizer

Contributor

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.

Türkiye Determines Critical Infrastructure Sectors under Its Cybersecurity Framework

On 5 May 2026, the Cybersecurity Board convened under the chairmanship of the President of the Republic of Türkiye and evaluated key matters concerning Türkiye’s national cybersecurity framework. According to the announcement published by the Directorate of Communications, cybersecurity was emphasized as an integral component of national security, and the role of the Cybersecurity Presidency in protecting Türkiye’s digital assets and establishing a proactive national cybersecurity architecture was underlined.

At the meeting, the Board determined a broad list of critical infrastructure sectors, including digital infrastructures, digital services, electronic communications, energy, finance, healthcare, public services, defence industry, transportation, water management, food and agriculture, media and crisis communication, postal and cargo services, manufacturing industry and space. The decision is significant from a data protection and data security perspective, as operators in these sectors are expected to play a central role in ensuring the confidentiality, integrity and availability of information systems and digital assets.

Ministry of Justice Announces AI-Supported Decision Support System for Judicial Processes

On 12 May 2026, the Ministry of Justice announced a new AI-supported phase in judicial processes through the UYAP AI Decision Support System. The system is intended to strengthen speed, efficiency and effectiveness in judicial services by supporting judges and prosecutors in legal research, case-file analysis and decision preparation processes.

According to the announcement, UYAP AI is being developed with domestic and national resources and is expected to enable the rapid review of more than 30 million high court decisions and precedents. The system is also expected to support the summarization of case files, preparation of draft reasoned decisions, analysis of evidence and comparison of expert reports with relevant case law. From a privacy and data protection perspective, the development is noteworthy as the Ministry emphasized that the system will operate under ethical and legal safeguards, with transparency, auditability, human oversight, protection of personal data and the right to a fair trial placed at the centre of the framework.

DPA Extends VERBİS Registration Deadline for Certain Corporate Data Controllers

On 14 May 2026, the DPA published an announcement regarding the VERBİS registration and notification period for corporate taxpayer legal entity data controllers whose registration obligation arose based on their 2025 financial balance sheet totals.

According to the announcement, corporate taxpayer legal entity data controllers whose 2025 financial balance sheet total exceeds the thresholds set under the relevant Board decisions must complete their VERBİS registration and notification. This applies to data controllers whose main activity is not processing special categories of personal data but whose financial balance sheet total is TRY 100 million or above, and to data controllers whose main activity is processing special categories of personal data and whose financial balance sheet total is TRY 10 million or above.

The original deadline was extended to 5 June 2026 by the Board’s decision dated 13 May 2026 and numbered 2026/1026.

DPA Approves Binding Corporate Rules Application for Cross-Border Data Transfers

On 21 May 2026, the DPA announced that the Binding Corporate Rules (“BCR”) application submitted by Sosyo-Plus Bilgi Bilişim Teknolojileri Danışmanlık Hizmetleri A.Ş. regarding cross-border transfers of personal data had been reviewed under Article 9/4-b of Law No. 6698 and approved by the Personal Data Protection Board on 20 May 2026.

The approval is significant as BCRs provide a compliance mechanism for intra-group transfers of personal data abroad, particularly for multinational group structures transferring personal data to countries where adequate protection has not been recognized.

Data Breach Notifications - March 2026:

| Data Controller / Sector | Affected Data Subjects | Affected Personal Data Categories | Number of Data Subjects |
| --- | --- | --- | --- |
| Mopaş Marketcilik Gıda San. ve Tic. A.Ş. / Retail | Employees, customers / potential customers, and supplier representatives / employees | For supplier representatives / employees: identity data and contact data. For employees: duty information, seniority period, salary information and personnel data. For customers and potential customers: customer transaction data, including order and support information. | Not yet determined. The incident resulted from a ransomware attack and the DPA’s investigation is ongoing. |
| Best Western International, Inc. / Hospitality | Customers and potential customers | Name, e-mail address, phone number, address data and additional reservation-related information, including accommodation location, reservation dates and special requests. | 10,785 individuals in Türkiye, according to initial findings. |
| 1Onbir Grup Bilişim Teknolojileri Otomotiv Sanayi Ticaret Limited Şirketi / IT & Automotive | Employees, users, customers and potential customers | Identity data, contact data, customer transaction data, transaction security data, risk management data, and visual and audio records. | Not precisely determined; approximately 10,000 individuals are estimated to have been affected. |
| Teknomobil Uydu Haberleşme AŞ / Satellite Communications | Customers and potential customers | Identity data, contact data and other customer account data contained in the accounting program, including ID number, tax number, title, address information, subscriber number and current account information. | Approximately 2,000 individuals. |
| Ondokuz Mayıs University / Public University & Healthcare | Patients | Identity data and demographic data. | 3,044 individuals. |

 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
