Personal Data Protection Bulletin - 2025 First Quarter
Authors: Sevgi Ünsal Özden, Gülnur Çakmak Ergene, İpek Ertem
Current Developments from Türkiye
The Personal Data Protection Authority (Authority) Published the Guide on Processing Special Categories of Personal Data
The Authority published the Guide on Processing Special Categories of Personal Data on 26 February 2025. The Guide was prepared to explain the Personal Data Protection Board’s approach to the conditions for processing special categories of personal data, shed light on how data controllers can process special categories of data in compliance with the legal grounds specified in the legislation, and ensure that they fulfill their obligations in these processes in accordance with the Personal Data Protection Law No. 6698 (KVKK).
You can access the Guide in Turkish here and our announcement on this topic here.
Cybersecurity Law No. 7545 Published in the Official Gazette on 19.03.2025
The Cybersecurity Law No. 7545, which was adopted by the Grand National Assembly of Türkiye on 12 March 2024 and published in the Official Gazette No. 32846 on 19 March 2025, introduces significant regulations covering public and private sector institutions. The Law defines the obligations of all actors operating in the public and private sectors to ensure cybersecurity, and it regulates the institutional structure, authorities, and responsibilities regarding the prevention, detection, response, and punishment of cyber threats. In addition, the Law provides for the establishment of a Cybersecurity Directorate, sets out the powers of the Cybersecurity Board, and includes comprehensive provisions on practices such as supervision, certification, and personnel employment. The Law also introduces administrative fines and imprisonment for cybersecurity violations, breaches of confidentiality obligations, and failure to take necessary measures.
You can access the Law in Turkish here and our announcement on this topic here.
The Authority Issued a Public Announcement on Points to Consider in Standard Contracts
On 5 February 2025, the Authority issued a Public Announcement regarding Points to Consider in Standard Contracts, outlining the fundamental rules related to the validity of standard contracts and their signing and notification processes. The announcement emphasizes that the contract must be duly signed by the parties, and that documents regarding signatory authority must be submitted to the Authority completely and consistently. It also highlights that the Authority must be notified of the signed contract within five business days following its execution, the signing date must be clearly indicated, and consistency in language and party information must be ensured within the contract content.
You can access the Public Announcement in Turkish here and our announcement on this topic here.
The Authority Published a Public Announcement on Fulfilling the Obligation to Inform in Mediation Activities
On 13 January 2025, the Authority published a Public Announcement regarding Fulfilling the Obligation to Inform within the Scope of Mediation Activities. The announcement notes that, under Article 11 of the Law on Mediation in Civil Disputes No. 6325, mediators are obliged to inform the parties about the fundamentals, process, and consequences of mediation before starting their activities. However, it is underlined that this duty to inform is different from the obligation to inform regulated under Article 10 of the KVKK.
Accordingly, mediators must provide information about the mediation process and separately provide a KVKK-compliant privacy notice regarding personal data in line with their obligations under data protection law. The announcement clearly states that mediators act as data controllers and as such are subject to all obligations under the KVKK.
You can access the Public Announcement in Turkish here and our announcement on this topic here.
Advertising Board Imposed Sanctions Regarding the “User and Privacy Agreement” on Evkur’s Website
As detailed in the Advertising Board’s press bulletin dated 16 January 2025, the content of the “User and Privacy Agreement” on the e-commerce website evkur.com.tr, operated by Evkur Alışveriş Merkezleri Ticaret A.Ş., was examined. It was found that the agreement included statements indicating that consumers were deemed to have given consent to receive commercial electronic messages without any active action or approval on their part, that no option was provided to opt out of targeted advertising and marketing activities, that withdrawals of consent were not enabled with equal ease, and that insufficient information was provided to users. Consequently, Evkur’s practice was deemed an unfair commercial practice, and the Board decided to order the cessation of these practices.
You can access the press release in Turkish here.
Key Actions
- Individuals or organizations wishing to send commercial electronic messages should clearly identify their obligations under the KVKK and the Regulation on Commercial Communication and Commercial Electronic Messages, segregating any processes that require explicit consent. They should refrain from practices that presume pre-obtained consent without an active user action, and ensure that any consent given can be as easily withdrawn as it was given.
The Authority Updated the Banking Sector Best Practices Guide on Personal Data Protection
The Banking Sector Best Practices Guide on Personal Data Protection was updated to align with the KVKK amendments introduced by Law No. 7499 of 12.03.2024, published in the Official Gazette No. 32487. The updated Guide provides comprehensive explanations of the new regulations, especially regarding transfers of personal data abroad. It includes detailed guidance on conditions for domestic transfer of special categories of personal data and for international data transfers, reflecting changes in the law. In particular, it offers sector-specific examples for the banking industry under concepts such as adequacy decisions, appropriate safeguards, and one-time (occasional) transfers, thereby bringing the Guide in line with the KVKK amendments and offering practical guidance for implementation.
You can access the updated Guide in Turkish here and our announcement on this topic here.
Current Developments from the World
European Data Protection Board Published a Position Paper on the Interplay between Data Protection and Competition Law and Cooperation among Regulators
On 17 January 2025, the European Data Protection Board (EDPB) published a position paper examining the interaction between data protection law and competition law, and how cooperation among regulators in these areas can be improved. The paper discusses the intersection points between data protection and competition law and the common objectives shared by the two fields. It also highlights the importance of considering competition-law-related elements in data protection practices and, conversely, incorporating data protection regulations into analyses conducted within the competition law framework. Various recommendations for establishing closer cooperation between regulatory authorities are also included.
You can access the position paper in English here.
EDPB Published a Document Outlining the Cooperation Procedure for Binding Corporate Rules Approval
On 19 March 2025, the EDPB published a document detailing the cooperation procedure for the approval of Binding Corporate Rules (BCR) for data controllers and processors. The document, adopted on 13 March 2025, sets out the principles for designating the lead supervisory authority in the BCR approval process, noting that this designation will consider various criteria such as the location of the group’s European headquarters and which company within the group is entrusted with data protection responsibility.
The document describes a multi-stage approval procedure, including the lead supervisory authority’s review, a simultaneous joint review stage with other supervisory authorities, a cooperation process, dedicated BCR sessions to resolve disputed issues, and an EDPB opinion stage. It explains that the procedure concludes with the lead authority’s final approval and the translation of the approved BCR text into the relevant languages.
You can access the document published by the EDPB here.
Court of Justice of the European Union (CJEU) Issued a Judgment (Case C-203/22) Affirming the Right to an Explanation for Automated Credit Decisions
In its judgment published on 27 February 2025, CJEU held that an individual can request information about how a decision made by automated means regarding their credit assessment was reached. The Court emphasized that the explanation provided must be such that the person can understand the decision and, if necessary, challenge it.
In the case at hand, an Austrian mobile operator refused to conclude a contract with a customer on the grounds of a low credit score, relying on an automated credit assessment performed by Dun & Bradstreet Austria. The CJEU ruled that the data controller responsible for an automated decision-making process is obliged to explain which personal data were used in the decision and how those data were evaluated. Merely sharing the technical details of the algorithm is not sufficient; the explanation must be understandable and transparent. Furthermore, if the information to be provided contains trade secrets or sensitive elements related to third-party data, such information should be disclosed only to the competent supervisory authorities or courts, rather than directly to the data subject.
You can access the relevant CJEU decision here.
The European Health Data Space Regulation 2025/327, Official Gazette of the European Union on 5 March 2025
A new regulation establishing the European Health Data Space, Regulation 2025/327, was published in the Official Gazette of the European Union on 5 March 2025. The Regulation aims to create a common framework across Europe for the sharing and use of electronic health data. It strengthens individuals’ rights to access their own electronic health data and increases their control over these data. At the same time, it allows certain health data to be reused for purposes such as the public interest or scientific research. The Regulation entered into force on 26 March 2025 and will be implemented gradually, with its provisions coming into application in stages.
You can access the Regulation here.
The European Commission Published a Guideline on Artificial Intelligence Practices Deemed Contrary to European Union (EU) Values Due to Fundamental Rights Violations and Prohibited under Article 5 of the EU Artificial Intelligence Act (AI Act)
On 4 February 2025, the European Commission published guidelines on artificial intelligence applications that are deemed contrary to EU values and are prohibited under Article 5 of the AI Act due to violations of fundamental rights. The AI Act aims to ensure a high level of health, safety, and protection of fundamental rights while encouraging innovation, and it classifies AI systems into prohibited, high-risk, and transparency-required categories. These guidelines specifically focus on unacceptable AI practices such as harmful manipulation, social scoring, and real-time remote biometric identification, among others.
The guideline at hand is intended to support the consistent and effective application of the AI Act across the EU and is non-binding. It provides legal clarifications and practical examples to help stakeholders understand their obligations under the AI Act’s prohibitions, thereby reinforcing the EU’s commitment to a safe and ethical AI ecosystem.
You can access the guideline here.
Key Actions
- Companies subject to the AI Act should always consider the Act’s risk classification when developing and deploying AI systems. They should implement special oversight and control mechanisms for high-risk AI applications or systems. In doing so, organizations can rely on the European Commission’s explanations and concrete examples as valuable guidance.
European Commission Published Guideline on the Definition of an AI System to Facilitate AI Act Implementation
On 6 February 2025, the European Commission published a non-binding guideline on the definition of an artificial intelligence system to support the implementation of the AI Act. The guideline aims to assist providers and other stakeholders in determining whether a software system qualifies as an AI system. It is intended to be updated over time based on practical experience, emerging questions, and evolving use cases.
You can access the guideline here.
European Parliamentary Research Service (EPRS) Published a Study on the Interplay between the AI Act and the General Data Protection Regulation (GDPR) and on Addressing Algorithmic Discrimination
On 26 February 2025, EPRS published a study examining the interplay between the AI Act and GDPR, with a focus on how algorithmic discrimination is addressed.
The AI Act aims to promote human-centric and trustworthy artificial intelligence that respects fundamental rights and freedoms, including the right to the protection of personal data. In this context, the study notes that the AI Act seeks to mitigate discrimination and bias in high-risk AI systems and, under certain conditions, allows for the processing of special categories of personal data. However, the GDPR imposes more restrictive provisions on the processing of such sensitive data.
This divergence may lead to uncertainties in practice, and the study suggests that additional guidance or even amendments to existing legislation may be necessary to ensure alignment between the AI Act and the GDPR.
You can access the study here.
United Kingdom Information Commissioner’s Office (ICO) Published Guidance for Organizations Implementing a “Consent or Pay” Model
On 23 January 2025, ICO published a guidance document to assist organizations that are implementing, or considering implementing, a Consent or Pay model. Under this model, users are typically offered three options: (i) consent to the use of their personal data for personalized advertising to access an online product or service for free, (ii) decline the use of personal data and instead pay a certain fee to access the product or service, or (iii) choose not to use the product or service at all.
The ICO’s guidance presents a framework of key factors to consider when evaluating whether a “consent or pay” approach can meet the standard of valid consent. It emphasizes that organizations using such a model must be able to demonstrate that individuals have given their consent to personalized advertising freely and voluntarily. In this process, existing data protection principles and relevant guidance from regulators should be taken into account.
You can access the ICO guide here.
European Commission Announced a Plan to Simplify the GDPR
On 13 March 2025, in a statement by Commissioner for Justice, Democracy, and the Rule of Law Michael McGrath, the European Commission announced that it is considering simplifying the GDPR to reduce the compliance burden on small and medium-sized enterprises (SMEs).
This announcement came as part of the 2025 Commission Work Programme, published on 11 February 2025, which includes a comprehensive fitness check of digital legislation and a “Digital Package” initiative planned for the fourth quarter of 2025. Under this initiative, the Commission is evaluating possible amendments not only to the GDPR but also to other digital regulations such as the Data Governance Act, the Data Act, the Cybersecurity Act, the Cyber Resilience Act, the EU Chips Act, and the AI Act, with the aim of ensuring these laws are up-to-date and not unnecessarily burdensome.
You can access further details of the European Commission’s announcement here and the video of the announcement here.
ICO Published a New Guide on Employers’ Obligations for Processing Employment Records
On 5 February 2025, ICO released a new guide to help employers comply with their obligations under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 when collecting, storing, and managing employment records.
The guide consists of three main sections: (i) principles for collecting and protecting records, covering lawful bases for processing personal data, conditions for processing special category and criminal data, and the rights of employees over their data; (ii) employers’ obligations regarding the use of employee data – including sharing with third parties, providing references, publishing employee information, and duties during company mergers and restructurings; and (iii) practical checklists for HR functions, particularly focusing on record-keeping, outsourcing services, equality monitoring, insurance and pension systems, and data processing steps in mergers and acquisitions.
The guide focuses solely on data protection obligations, noting that employers should seek separate legal advice for other obligations such as health and safety or employment law requirements.
You can access the guide published by the ICO here.
The European Union (EU) Enacted the Cyber Solidarity Act to Enhance Cyber Resilience
The EU’s Cyber Solidarity Act entered into force on 4 February 2025. The Act aims to strengthen preparedness, detection, and response capacities against cyber threats across the EU.
Under the Act, a European Cybersecurity Alert System will be established, consisting of national and cross-border Security Operations Centers (SOC) powered by artificial intelligence and data analytics. Additionally, an EU Cybersecurity Reserve, composed of certified providers, will be created to conduct vulnerability testing and respond to cybersecurity incidents in critical sectors. The Act also envisions the creation of a Cybersecurity Incident Review Mechanism to cover post-incident evaluation processes.
You can access the Cyber Solidarity Act here.
Court of Justice of the European Union (CJEU) Ordered the European Commission to Pay Compensation for Personal Data Transfer to the United States (US)
In a decision dated 8 January 2025 (Bindl v Commission, Case T-354/22), the General Court (GC) ruled that the European Commission must pay 400 euros in compensation for transferring a German citizen’s personal data to the US without adequate safeguards.
The case arose from the European Commission’s “Conference on the Future of Europe” website, which offered a login option via Facebook. As a result, personal data of the applicant (such as their IP address) were transferred to Meta Platforms, Inc. (Facebook) in the US. The CJEU found that this transfer lacked sufficient technical and legal protection, and that the data subject suffered non-material (moral) damage as a consequence. On the other hand, the Court dismissed the portion of the case concerning an alleged data transfer via Amazon Web Services due to insufficient evidence.
CJEU also did not uphold the claims regarding violation of the right of access to information or the requests to annul the data transfer. This judgment demonstrates that EU institutions may be held liable and required to pay damages if they fail to implement appropriate safeguards in their data transfer processes.
You can access the text of the decision here.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.