Personal Data Protection Authority Published Its 2025 Annual Activity Report

The annual report (Report) regarding the 2025 activities of the Personal Data Protection Authority (Authority) published on the Authority’s official website. The Report includes detailed explanations regarding the decisions and principle decisions of the Personal Data Protection Board (Board), administrative fines, complaints and denunciation applications, personal data breach notifications, cross-border data transfers and the Data Controllers’ Registry Information System (VERBIS).

The key highlights of the Report are summarized below:

• The Board held 42 meetings and rendered 2,528 decisions in 2025. In this regard, two principle decisions were published regarding (i) the processing of personal data by sending SMS verification codes during the provision of products and services and (ii) the recording of photocopies of Turkish identity cards of individuals receiving accommodation services in the tourism and hospitality sector.
• Administrative fines amounting to approximately TRY 352.5 million were imposed on 876 data controllers. Approximately TRY 216.86 million of this amount was imposed for non-compliance with VERBIS registration and notification obligations, approximately TRY 90.36 million for non-compliance with data breach notification obligations and approximately TRY 45.29 million in connection with complaints and denunciations.
• A total of 12,512 complaints and denunciations were submitted to the Authority, representing an approximately 51% increase compared to the previous year. 75% of the applications were submitted through CIMER. On a sectoral basis, the highest number of applications concerned the services, media, banking and finance, public and telecommunications sectors.
• 52% of the applications concerned the unlawful processing of personal data; 22% concerned the unlawful sharing of personal data with third parties; 11% concerned the unauthorized sending of SMS messages and making of calls by data controllers; 6% concerned the failure to fulfill the data subject requests; 4% concerned non-compliance with requests for the erasure, destruction and anonymization of personal data; and 1% concerned the right to be forgotten, failure to comply with the obligation to inform data subjects, and unlawful transfer of personal data abroad, standard contractual clauses and other matters. In addition, 7,677 applications (64%) were rejected on procedural grounds.
• A total of 328 personal data breach notifications were submitted to the Authority in 2025. Of these, 296 originated domestically and 32 originated from abroad.
• Within the scope of cross-border data transfers, 90 undertakings on cross-border transfer of personal data were submitted to the Authority and following its review of 89 undertakings the Authority approved 13 and rejected 76 of them. Additionally, 2,497 standard contractual clauses were submitted to the Authority within the scope of cross-border data transfers, representing an approximately twofold increase compared to the previous year.
• As of 31.12.2025, a total of 249,474 new registration applications had been submitted to VERBIS and 9,558 existing VERBIS registrations had been updated. In addition, the total number of queries conducted through VERBIS in 2025 reached 1,985,918.
• During 2025, the Authority published five new guidelines: (i) Guideline on the Transfer of Personal Data Abroad, (ii) Banking Sector Good Practices Guideline on the Protection of Personal Data, (iii) Guideline on the Processing of Special Categories of Personal Data, (iv) Good Practices Guideline on the Protection of Personal Data in the Payment and Electronic Money Sector, and (v) Generative Artificial Intelligence and the Protection of Personal Data Guideline (in 15 Questions).
• The Report also states that policy efforts regarding GDPR harmonization, artificial intelligence applications, data security and the protection of children in digital environments remain among the priority areas.