The Turkish Data Protection Authority (“Authority”), through its public announcement dated 29 January 2026, has provided important clarifications regarding the use of foreign-based messaging applications (in particular WhatsApp) by personnel employed in public institutions in the course of carrying out administrative duties and procedures.
In the said public announcement, it is stated that, based on various complaints and notifications submitted to the Authority, allegations have been raised that public officials working in certain public institutions are compelled to use the WhatsApp application and to join WhatsApp groups for the purposes of conducting administrative processes, that orders and instructions are issued through such application, and that official documents and records are shared via these platforms.
As is known, public services must be carried out in a regular, prompt, effective, efficient, and economical manner. However, while delivering public services and managing administrative processes, strict compliance with the applicable legislation is required, and equal care and diligence must be exercised with respect to the protection of personal data and the safeguarding of data security.
In this context, reference is made to Presidential Circular No. 2019/12 on “Information and Communication Security Measures”, published in the Official Gazette dated 6 July 2019 and numbered 30823 (“Circular”). The Authority recalls that, pursuant to the Circular:
- Article 4 provides that, except for domestic mobile applications developed by institutions authorized under the legislation to conduct coded or encrypted communications, no classified data sharing or communication shall be carried out via mobile applications; and
- Article 6 stipulates that the use of domestic social media and messaging applications shall be preferred.
Accordingly, the public announcement dated 29 January 2026 particularly emphasizes that official documents and records containing classified or critically important data should not be shared via foreign-based messaging applications such as WhatsApp, which, although widely used in Türkiye, do not have any data centers located within the country.
Furthermore, the public announcement explicitly states that the sharing of information or documents containing personal data relating to natural persons (data subjects) by public institutions through foreign-based messaging applications such as WhatsApp may constitute a personal data processing activity within the scope of Law No. 6698 on the Protection of Personal Data (“Law”).
In this regard, it is noted that personal data processing activities which do not satisfy the conditions set forth:
- Under Article 5 of the Law with respect to the processing of non-sensitive personal data, and
- Under Article 6 of the Law with respect to the processing of sensitive personal data
may be subject to investigation by the Data Protection Board of Türkiye (“Board”) either ex officio or upon complaint. As a result of such investigations, administrative sanctions may be imposed on the responsible public personnel within the framework of disciplinary provisions, pursuant to Article 18(4) of the Law.
In addition, the public announcement dated 29 January 2026 underlines that GSM phone numbers of public personnel constitute personal data. Accordingly, it is emphasized that personal data processing activities carried out by public institutions through the use of public officials’ mobile phone numbers must comply with the personal data processing conditions stipulated under Article 5 of the Law, and that public institutions must exercise the utmost care and diligence in this regard.
Conclusion and Assessment:
It is of significant importance that public institutions reassess their use of foreign-based messaging applications in the conduct of administrative processes within the framework of the public announcement of the Turkish Data Protection Authority dated 29 January 2026, the relevant legislation, and the provisions of the Law, and that they implement the necessary technical and administrative measures to ensure information security and the protection of personal data.
The full text of the public announcement published by the Turkish Data Protection Authority can be accessed via the link below.
For detailed information and professional support during the compliance process, feel free to contact us.
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.
