May 2025 – In April 2025, The Turkish Personal Data Protection Authority (the “DPA”) held several events on data processing activities in various sectors, released new guidelines on the payment and e-money sector, and published three data breach notifications.
New Guidelines on Personal Data Protection in the Payment and e-Money Sector
On 11 April, the DPA and the Turkish Payment and Electronic Money Institutions Association published new Guidelines on Personal Data Protection in the Payment and E-Money Sector (“Guidelines”). The Guidelines provide sector-specific regulator insights and serve as a practical tool for data controllers and processors to ensure compliance with the Turkish Personal Data Protection Law (“DP Law”).
The Guidelines cover five core services:
- electronic money issuance;
- money remittance;
- POS services;
- bill payment intermediation; and
- mobile payments.
For each service, the Guidelines outline common personal data processing activities and clarify the roles of data controllers, data processors, and data subjects with sector-based examples. The Guidelines also highlight the personal data categories that are processed, the legal bases for processing, cross-border data transfers by stating restrictions under Law No. 6493[1], and other compliance requirements.
The Guidelines represent a significant development for the payment and e-money sector, where personal data is processed continuously and intensively. All institutions in the payment and e-money sector must take the necessary steps to ensure full compliance with the DP Law.
You can read our detailed summary of the Guidelines here.
Key Events
1. DPA hosts 2025 personal data protection day event
On 7 April, the DPA held an event titled "Personal Data and Legal Updates: A 2025 Perspective" as part of the Personal Data Protection Day program. The event featured expert presentations on several critical topics, including:
- key considerations in applications to the DPA and data controllers;
- practical implications of the recent amendments to the DP Law;
- an overview of the amendments made to align with the EU acquis and future amendment proposals;
- the processing of sensitive data following the amendments; and
- the role of cybersecurity solutions in preventing data breaches.
2. Workshop on best practices in the payment and e-money sector
On 11 April, the DPA, in collaboration with the Turkish Payment and Electronic Money Institutions Association, held a workshop in Istanbul focused on best practices for personal data protection in the payment and e-money sector. As a key outcome of the workshop, the sector-specific Guidelines (detailed above) were officially published.
3. Symposium on personal data protection in digital games
On 16 April, the DPA and Fatih Sultan Mehmet Vakıf University Faculty of Law co-hosted a symposium titled “Personal Data Protection in Digital Games”.
Our office participated in the event, with the Head of Data Protection Practice, Ceren Ceyhan, delivering a presentation on "Processing of Personal Data in AI-Driven Digital Games: Legal Risks and Regulatory Decisions.”
The symposium covered a broad range of topics with the participation of leading experts in the field, including:
- data processing activities in the context in digital gaming;
- use of artificial intelligence in games;
- consumer rights in in-game purchases, and
- data breaches occurring in digital gaming environments.
4. Conference on personal data protection in the age of artificial intelligence
On 29 April, the DPA, in cooperation with the Artificial Intelligence Policy Association, hosted the Conference on Personal Data Protection in the Age of Artificial Intelligence.
During the conference, the following key topics were addressed:
- the role of personal data in current AI systems;
- ongoing challenges in personal data protection within AI systems;
- international examples and practices on safeguarding personal data in AI contexts.
5. 8th e-Safe Personal Data Protection Summit
On 30 April, the DPA hosted the 8th e-Safe Personal Data Protection Summit. The summit addressed key topics, including:
- cross-border transfers of personal data;
- recent legal developments related to personal data protection; and
- technological advancements in ensuring data security.
Data Breach Notifications
- Bellapais El Ayak Bakımı ve Güzellik Salonu Ticaret Limited Şirketi notified the DPA that an unauthorised access occurred. Accordingly, the identity, contact, customer transaction, and health data of employees, users, customers, and potential customers were affected.
- Robotistan Elektronik Ticaret A.Ş. notified the DPA regarding a cyber attack that breached the personal data of customers and potential customers. Identity, contact, and purchase order information were affected.
- Kullanatmarket Elektronik Pazarlama Ticaret A.Ş. notified the DPA of a cyber attack that breached the personal data of customers and potential customers. Identity, contact, customer information, and transaction security-related data were affected.