On 28 February 2026, Turkish Personal Data Protection Board (“Board”) published its Principle Decision dated 11.02.2026 and numbered 2026/266 (“Decision”), introducing a significant regulation concerning loyalty card programs. The Decision addresses the use of a loyalty card holder’s mobile phone number or loyalty card number by third parties during shopping transactions without any verification mechanism....

QR codes are widely used in many areas of daily life, ranging from restaurant menus to payment systems, from campaign participation to website redirections. Their ability to provide rapid access through mobile devices has significantly increased the frequency of QR code technology usage. However, this practical convenience also brings new risks in terms of cybersecurity...

Two public announcements titled “Public Announcement Regarding Google Assistant” and “Public Announcement Regarding GROK Artificial Intelligence Assistant” were published on the Personal Data Protection Authority’s (“Authority”) website on 11.02.2026.” Public Notice Regarding Google Assistant Google’s voice assistant, “Google Assistant,” is supposed to activate with trigger phrases such as “Hey Google/ Ok Google,“ but instead recorded...

The Communiqué on Amendments (Communiqué No. 2026/2) to the Communiqué on Mergers and Acquisitions Requiring Approval from the Competition Authority (Communiqué No. 2010/4) entered into force upon its publication in the Official Gazette dated 11.02.2026 and numbered 33165. The definitions of “relevant undertaking” and “transaction party,” which were considered to cause confusion in practice, have...

The Official Gazette published Communique No. 57 on 31.01.2026, regarding amendments to the General Application Communique on Value Added Tax (“Communique”), introducing several significant changes to the value added tax system. The changes made to the communique are briefly summarized below: It has been clarified that premixes, which are mixtures of feed additives or carriers...

The Turkish Data Protection Authority (“Authority”), through its public announcement dated 29 January 2026, has provided important clarifications regarding the use of foreign-based messaging applications (in particular WhatsApp) by personnel employed in public institutions in the course of carrying out administrative duties and procedures. In the said public announcement, it is stated that, based on...

Personal Data Protection Board of Türkiye (“Board”), in its public announcement dated January 20, 2026, regarding the data controller’s breach notification, stated that the duration for which the breach notification will remain visible on the Institution’s website shall be in accordance with the Decision dated December 25, 2025, numbered 2025/2451, pursuant to Article 12-f.5 of...

The Personal Data Protection Authority (“Authority”) has published a public announcement, stating that, as a result of the findings and assessments reached following examinations conducted within the scope of similar complaints submitted to the Authority regarding push notifications sent to users via mobile applications, there is a need to inform the public about the compliance...

Pursuant to Article 16(2) of the Law No. 6698 on the Turkish Personal Data Protection Law (“KVKK”), natural and legal persons who process personal data are required to register with the Data Controllers’ Registry Information System (“VERBİS”) prior to commencing data processing activities. However, the Personal Data Protection Board (“Board”) may introduce exemptions to this...

On January 7, 2026, Competition Authority (“CA”) has published the 2025 Mergers and Acquisitions Overview Report (“Report”). The merger and acquisition overview report, published regularly each year by the CA, provides a comprehensive assessment of the relevant year, including statistical data such as transaction values and the distribution of investors by country for mergers and...