Quick Read: Data Protection Law Updates In Türkiye – November 2025

January 2026 – In November 2025, the Turkish Personal Data Protection Authority (the “DPA”) issued one Principle Decision, published its guideline on generative AI, and organised several events. Below is a summary of key developments.

Privacy Shift in Hospitality: Turkish DPA Stops Collecting ID Photocopies

Following multiple complaints and notifications, the DPA reviewed the common practice in the accommodation sector of requesting and retaining photocopies of guests' Turkish identity cards. After consultations with relevant ministries and industry stakeholders, the DPA issued a Principle Decision on 6 November 2025, published in the Official Gazette, declaring that this practice is disproportionate and must be discontinued.

In its Principle Decision, the DPA confirms that hotels and accommodation providers may lawfully record guests' basic identification details, i.e., name, surname, and Turkish identity number, as this processing is requited under the Identity Notification Law No. 1774 and is therefore in accordance with the law.

The DPA also clarifies that requesting guests to present an identity document for verification purposes is lawful. Comparing the recorded information with an official identity document is considered a normal and expected part of providing accommodation services. However, the DPA emphasises that photocopying and storing Turkish identity cards, even if claimed to be for verification, constitutes excessive data processing and lacks a legal basis. As such, retaining ID photocopies is unlawful.

Key takeaways from the Principle Decision include:

• Lawful processing: Hotels may record basic ID details (name, surname, Turkish ID number) as required by law.
• Lawful verification: Guests may be asked to present an ID to verify the accuracy of the recorded information.
• Unlawful retention: Photocopying and storing Turkish identity cards is excessive and has no legal basis.
• Increased risk with older IDs: Older identity cards may contain special categories of personal data (such as religion or blood type); copying these may also violate Article 6 of the Turkish Data Protection Law.

In conclusion, the DPA expects data controllers in the tourism and hospitality sector to immediately cease the practice of retaining photocopies of Turkish identity cards. Any previously collected copies must be destroyed. The DPA further reiterates that non-compliance may result in administrative fines.

New Guideline Sets Principles for Data Processing with Generative AI

On 24 November 2025, the DPA published a new guideline titled “Guideline on Generative Artificial Intelligence and the Protection of Personal Data with 15 Questions” (the “Guideline”). The Guideline clarifies that generative AI involves personal data processing throughout its lifecycle and must therefore be developed and used in compliance with the DP Law.

The DPA defines generative AI as systems trained on large-scale datasets that can create new content—such as text, images, audio, video, code, or synthetic data—in response to prompts. Organisations that develop, deploy, or use generative AI systems are expected to ensure compliance with data protection principles at all stages.

The Guideline highlights the following key points:

• Human-centric approach: Data processing must respect individuals' rights and freedoms.
• End-to-end accountability: Generative AI involves multiple processing stages (development, operation, and use of outputs), all of which should follow privacy by design and privacy by default principles.
• Public data is not free to use: Publicly available personal data, including data collected through web scraping, still requires a valid lawful basis and, where relevant, a data protection impact assessment. Legitimate interest cannot be relied on if the processing leads to adverse effects on individuals.
• Limits of legitimate interest: Legitimate interest is neither a fall-back nor a blanket justification and requires a proper balancing test.

For our detailed article on the Guideline, you may refer to this link.

Amendments Introduced to the Regulation on Personal Health Data in Türkiye

On 3 December 2025, the Turkish Ministry of Health published amendments to the Regulation on Personal Health Data (the “Regulation”). The Regulation governs the processing of and access to personal health data by the Ministry, healthcare providers, and other relevant parties in accordance with the DP Law. The amendments primarily aim to clarify lawful processing grounds, recalibrate access rights in specific scenarios, and align the Regulation more closely with the DP Law.

Key changes include:

• Lawful processing framework clarified: Processing of and access to personal health data are now explicitly tied to the conditions set out in Article 6(3) of the DP Law, replacing the broader “healthcare necessity” approach.
• Attorneys' access repealed: The provision governing attorneys' access to clients' health data has been abolished. Any such access will now be assessed under the general DP Law framework and other applicable legislation.
• e-Nabiz access controls: Individuals may restrict access to past health data through e-Nabiz security settings and must be informed of the consequences. The Ministry is not liable for service disruptions caused by such restrictions.
• SMS verification mechanism: Access to past health data may be enabled via a verification code sent to the individual's registered phone number. Exceptions apply where verification is not possible (e.g., detention or imprisonment).
• Caregiver concept introduced: A new definition of “caregiver” allows authorised persons to access the health data of individuals with valid disability reports.
• Children's health data in custody cases: Access rules are clarified for divorce and custody scenarios, granting access to the custodial parent and allowing limited, filtered disclosure to the non-custodial parent subject to Ministry approval.

Healthcare professionals' access restructured:

• Family physicians: Unrestricted access to registered patients' data, reflecting continuity of care.
• Outpatient treating physicians: Access limited to the duration and scope of the relevant appointment and follow-up.
• Emergency and inpatient care: Broader access permitted but generally limited until patient discharge. All access remains subject to Article 6(3) of the DP Law.

For our detailed article on the amendment, you may refer to this link.

DPA Event Highlights

Pristina Hosts European Casework Workshop on Complex Privacy Issues

The Annual European Casework Workshop was held in Pristina, Kosovo, on 17–19 November 2025 as a side event of the Spring Conference of European Data Protection Authorities. The Turkish DPA participated in the workshop, which focused on practical approaches to complex enforcement and casework matters, including biometric data and smart cameras in public spaces, deep fakes and AI-generated content, and the processing of children's and health data on digital platforms.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.