March 2026 – February 2026 was a particularly active month for technology law developments in Türkiye, with the Turkish Personal Data Protection Authority (the “DPA”) issuing a principle decision affecting retail practices, publishing new cybersecurity warnings, and initiating AI-related investigations, alongside broader regulatory developments signalling heightened scrutiny on the protection of children’s personal data, as well as the launch of a public consultation on Türkiye’s Artificial Intelligence Action Plan.
Retail Practices in Focus: DPA Tightens Rules on Loyalty Card Use
On 28 February 2026, the DPA issued a Principle Decision addressing the use of loyalty card details during shopping transactions.
The Principle Decision follows complaints that, in sectors such as retail, cosmetics, electronics, DIY stores and apparel, purchases could be completed using only the loyalty card holder's phone number or membership number. This enabled third parties to benefit from discounts, promotions, or loyalty points without the cardholder’s knowledge or consent and without any verification mechanism.
The DPA found that such practices may lead to unlawful processing of personal data and potential personal data breaches. It also noted that recording purchases or issuing invoices in the data subject's name may breach the accuracy and up-to-date data principle under the Turkish Personal Data Protection Law ("DP Law").
Accordingly, data controllers must discontinue unverified use of loyalty card details and implement appropriate verification mechanisms to ensure that transactions are carried out with the data subject’s knowledge and consent. Required measures include:
- use of verification tools such as one-time SMS codes, barcodes or QR code scanning, physical card checks, or password entry;
- offering data subjects an opt-in choice where only a phone number is used (e.g., for earning or redeeming points); and
- applying different verification methods depending on transaction risk.
Data controllers have a six-month compliance period starting from the publication of the Principle Decision. Failure to implement the required safeguards may lead to administrative sanctions.
Hidden Risks in QR Codes: Increasing “Quishing” Attacks on the Radar
The DPA has issued an awareness document on “quishing”, highlighting growing risks linked to the widespread use of QR codes in payments, online services, and everyday transactions.
Quishing attacks involve redirecting users to fraudulent websites through fake or manipulated QR codes, potentially leading to personal data disclosure, malicious software downloads, or fraudulent transactions. The DPA emphasises that dynamic QR codes pose particular risks, as their destination links can be changed without altering their appearance.
To mitigate these risks, the DPA advises individuals:
- to verify the source of QR codes and carefully check redirected links,
- to avoid scanning QR codes from unknown or unexpected sources, and
- to strengthen device security through measures such as regular updates and multi-factor authentication.
AI Applications Under Review: Expanding Regulatory Scrutiny in Türkiye
1. Google Assistant Under Investigation
On 11 February 2026, the DPA announced the launch of an ex officio investigation into Google Assistant following reports that the service may record users’ private conversations without consent due to unintended activations of trigger phrases such as “Hey Google” or “Ok Google.”
The investigation will examine whether Google LLC complied with its obligations under the DP Law, including the implementation of adequate technical and organisational measures and the lawful processing of personal data, particularly in light of allegations that such recordings may be used for purposes such as targeted advertising.
2. Grok AI Assistant Under Investigation
On 11 February 2026, the DPA also announced the launch of an ex officio investigation into Grok, developed by X.AI Corporation (former Twitter), following reports that the European Commission has initiated an investigation into the platform.
The concerns relate to allegations that Grok has been used to generate and circulate explicit image and video content, including content involving minors, without the consent of the individuals concerned. The DPA will assess whether X Internet Unlimited Company and X.AI Corporation comply with the DP Law requirements.
3. Shaping Türkiye’s AI Future: Public Consultation Open
The Directorate General for National Technology and Artificial Intelligence under the Ministry of Industry and Technology has launched a public consultation for the preparation of the Artificial Intelligence Action Plan. Submissions are open to all stakeholders and citizens until 10 April. You can access the link here.
Regulatory Priority: Children’s Data and Platform Accountability
The protection of children and their personal data is emerging as a key regulatory priority in Türkiye, driven by both regulatory action and legislative developments.
The DPA has launched an ex officio investigation into several social media platforms, including TikTok, Instagram, Facebook, YouTube, X, and Discord. The investigation will assess how children’s personal data is processed on these platforms and whether adequate safeguards are implemented to protect minors in digital environments.
In parallel, a draft law submitted to parliament proposes amendments to the Internet Law. The proposal introduces obligations for social network providers, including age-gating requirements, enhanced child protection measures, and a notification obligation to the relevant authority.
DPA Event Highlights
A Decade of Privacy: “Designing the Future with Privacy” Event Held
On 13 February 2026, the DPA, in cooperation with Selçuk University, hosted an event bringing together representatives from public institutions, academia and legal practice to discuss the evolution of data protection law in Türkiye, its alignment with the GDPR, ongoing legislative reforms, and the future of privacy and data governance in the context of increasing digitalisation.
Data Breach Notification
The DPA’s data breach notifications published for February 2026 may be accessed from this link.