- within International Law topic(s)
- with readers working within the Automotive and Metals & Mining industries
DPA Issues Principle Decision on Separation of Consent and Privacy Notices
The Turkish Data Protection Authority (“DPA”) has issued a principle decision requiring that explicit consent and privacy notices be presented separately to data subjects.
The Authority identified the use of combined texts as a common compliance issue and emphasized that the obligation to inform must always be fulfilled prior to the processing of personal data, regardless of the legal basis relied upon. Where processing is based on explicit consent, consent and privacy notices must be structured as separate texts, even if presented on the same page under distinct headings. Conversely, where processing relies on other legal grounds, data controllers should not request explicit consent in addition to fulfilling their obligation to inform.
The decision also highlights that privacy notices must be clear, concise and tailored to the specific processing activities of the data controller. Failure to comply may result in administrative sanctions.
DPA Publishes Guidance on the Use of Generative AI in the Workplace
The DPA has published guidance on the use of generative AI tools in the workplace, highlighting key risks and compliance considerations. The document notes that such tools are increasingly used across business processes, often without a clear corporate framework, which may lead to “shadow AI” practices-where employees use AI tools outside organizational control. This may limit visibility over data processing activities and create challenges in ensuring compliance.
The DPA identifies several risks associated with such use, including risks related to data security, unlawful disclosure of personal data and confidential information, and concerns regarding the reliability of outputs. It also warns that personal data shared with third-party AI tools may be processed unlawfully or accessed by unauthorized third parties. Rather than adopting restrictive approaches, the Authority encourages organizations to establish internal policies, raise employee awareness and ensure that the use of such tools complies with data protection obligations.
DPA Rules Against Public Display of Residents’ Debt Information
The DPA has issued a principle decision finding that posting residents’ debt information -such as unpaid maintenance fees- in common areas of apartment buildings constitutes unlawful disclosure of personal data.
While informing other residents may be justified in certain cases, the DPA emphasized that such practices cannot be justified when carried out through publicly accessible areas and fail to ensure data security. Instead, more restricted communication methods should be used.
DPA Deepens AI and Privacy Agenda with Three Seminars
The DPA hosted a Wednesday seminar on the intersection of AI law and data protection (11 March), an event titled “The 10th Year of Data Protection: A Future Perspective in Light of the GDPR” (14 March), and a seminar addressing the post-mortem protection of personal data (25 March). Taken together with the workplace AI guidance released on 5 March, the month’s activity signals a deliberate effort by the DPA to build regulatory and practitioner literacy ahead of anticipated legislative developments on AI governance in Türkiye.
Data Breach Notifications — March 2026
The DPA announced the following data breach notifications in March 2026:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
