The “Principle Decision on the Requirement for Data Controllers to Prepare Explicit Consent and Privacy Notices Separately” (“Principle Decision”), dated 18.02.2026 and numbered 2026/347, was published in the Official Gazette on 24.03.2026 by the Turkish Personal Data Protection Authority (“Authority”). The Principle Decision stipulates that data controllers must prepare explicit consent texts and privacy notices...

The public announcement (“Announcement”) issued on 16 March 2026 by the Turkish Personal Data Protection Authority (“Authority”) provides clarification regarding the registration obligation with the Data Controllers’ Registry Information System (“VERBIS”) for business partnerships, consortia, and ordinary partnerships that do not have legal personality. The Announcement sets out the principles as to which party and...

The Turkish Personal Data Protection Authority (“Authority”) published the Agentic Artificial Intelligence (Agentic AI) Guide (“Guide”) on 12 March 2026. The Authority has issued this Guide to assess the potential impacts of developments in artificial intelligence technologies on the protection of personal data. The Guide particularly focuses on evaluating the risks that the increasing autonomous...

On 28 February 2026, Turkish Personal Data Protection Board (“Board”) published its Principle Decision dated 11.02.2026 and numbered 2026/266 (“Decision”), introducing a significant regulation concerning loyalty card programs. The Decision addresses the use of a loyalty card holder’s mobile phone number or loyalty card number by third parties during shopping transactions without any verification mechanism....

QR codes are widely used in many areas of daily life, ranging from restaurant menus to payment systems, from campaign participation to website redirections. Their ability to provide rapid access through mobile devices has significantly increased the frequency of QR code technology usage. However, this practical convenience also brings new risks in terms of cybersecurity...

Two public announcements titled “Public Announcement Regarding Google Assistant” and “Public Announcement Regarding GROK Artificial Intelligence Assistant” were published on the Personal Data Protection Authority’s (“Authority”) website on 11.02.2026.” Public Notice Regarding Google Assistant Google’s voice assistant, “Google Assistant,” is supposed to activate with trigger phrases such as “Hey Google/ Ok Google,“ but instead recorded...

The Communiqué on Amendments (Communiqué No. 2026/2) to the Communiqué on Mergers and Acquisitions Requiring Approval from the Competition Authority (Communiqué No. 2010/4) entered into force upon its publication in the Official Gazette dated 11.02.2026 and numbered 33165. The definitions of “relevant undertaking” and “transaction party,” which were considered to cause confusion in practice, have...

The Official Gazette published Communique No. 57 on 31.01.2026, regarding amendments to the General Application Communique on Value Added Tax (“Communique”), introducing several significant changes to the value added tax system. The changes made to the communique are briefly summarized below: It has been clarified that premixes, which are mixtures of feed additives or carriers...

The Turkish Data Protection Authority (“Authority”), through its public announcement dated 29 January 2026, has provided important clarifications regarding the use of foreign-based messaging applications (in particular WhatsApp) by personnel employed in public institutions in the course of carrying out administrative duties and procedures. In the said public announcement, it is stated that, based on...

Personal Data Protection Board of Türkiye (“Board”), in its public announcement dated January 20, 2026, regarding the data controller’s breach notification, stated that the duration for which the breach notification will remain visible on the Institution’s website shall be in accordance with the Decision dated December 25, 2025, numbered 2025/2451, pursuant to Article 12-f.5 of...