Regulatory Landscape of Data Protection and Artificial Intelligence in Türkiye
1- Major Legal Developments
For industry stakeholders, most of the year was spent on implementing the developments from last year into their practice, as the most recent major legal developments came around at the end of 2024.
The Personal Data Protection Law (the “Law”) is the main regulatory framework for data privacy in Türkiye. It was ratified in 2016, and the Personal Data Protection Authority (the “DPA” or the “Authority”) was established by the Law. In 2024, the Law underwent some major amendments, which mostly focused on transferring personal data outside Türkiye and the processing of sensitive data. A new regulation based on these amendments was introduced in June 2024. The year 2025 did not see any major legislative changes in any of the fields.
In the field of data protection, industry practice is mostly shaped around guidelines published by regulatory authorities. The policies of industry actors are shaped by the Authority’s attitude and regulations. The guidelines published by the Authority have significant effects in their respective industries and cause large shifts in industry practice. In fact, a new significant guideline document regarding data protection in the field of generative AI was published by the Authority on November 24th, 2025, titled “Guidelines for the Protection of Personal Data and Generative Artificial Intelligence” (the “AI Guideline”). The AI Guideline outlines the principles to follow and the measures to be taken when using AI systems that are able to generate content such as text, images, sounds and software code. The AI Guideline is very comprehensive: it explains the role personal data plays in the process, how the output of these AI systems is generated, and the risks associated with using generative AI (hallucinations, data insecurity, violation of IP rights etc.). It addresses many points of interest regarding data protection and AI usage and apparently follows the GDPR.
Firstly, the Authority asserts that industry actors cannot satisfy the data protection regulations merely by stating that the data being used in AI systems is anonymized. Claims of data anonymity must be supported by technical inspection and objective criteria. Secondly, it raises concerns about the determination of the data controller with regard to data protection regulations when generative AI is involved, explaining that the multi-layered and complex constitution of these systems makes it hard to pinpoint a person as data controller. It also states that designation of the data controller by contractual terms is irrelevant when it comes to actually achieving data protection, and that the person with actual access to and control over the data used must be designated as data controller. (The term data controller can be said to be equivalent to the GDPR’s data controller term.)
The document reminds AI system users of their obligation to comply with the general principles of data protection law while using generative AI and explains, by giving examples, how they can achieve compliance. Data controllers are encouraged to be transparent about generative AI usage, to allow affected people the option to reject or ask for a review of decisions aided by decision-making AI systems (which is also an obligation present in Art. 11 of the Law), to implement human intervention over AI operations, and to have in place techniques such as red-teaming and privacy-enhancing technologies (PETs).
Apart from new guidelines in data protection law, a new “Cybersecurity Law” was enacted on March 19th, 2025. The aim of the Cybersecurity Law is to ensure the effective implementation of national cybersecurity policies, to increase the resilience of public institutions and critical infrastructures, to integrate technological developments into processes, to monitor and eliminate cyber incidents from a central perspective, to implement deterrent sanctions, to regulate standardization and certification processes and to increase penalties for cybercrimes.
Pursuant to the Cybersecurity Law, those who provide services, collect data, process data and conduct similar activities using information systems are subject to certain obligations, including but not limited to (i) promptly and in a timely manner providing to the Cybersecurity Presidency (the “Presidency”) the data, information, documents, hardware, software and any other contribution requested within the scope of the duties and activities of the Presidency relating to cybersecurity, (ii) taking the measures prescribed by legislation for the purpose of national security, public order or the proper execution of public service relating to cybersecurity, (iii) reporting without delay to the Presidency the vulnerabilities or cyber incidents identified in the area where they provide services, (iv) procuring the cybersecurity products, systems and services to be used in critical infrastructures from cybersecurity experts, manufacturers or companies authorized and certified by the Presidency, (v) attaching importance to compliance with the policies, strategies, action plans and other regulatory acts issued by the Presidency for the purpose of increasing cyber maturity, and taking the necessary security measures. Therefore, the regulations to be made by the Cybersecurity Presidency will also be extremely important for the development, operation and use of AI systems, as well as for their procurement and deployment. Accordingly, it is extremely important to closely follow the upcoming regulations of the Cybersecurity Presidency.
Benefiting safely and responsibly from opportunities offered by AI systems necessitates an approach that protects individuals’ personal data, respects human rights, and is transparent and accountable. In addition, matters such as human oversight, implementation of privacy impact assessments, and privacy-by-design are already subject to personal data protection and cybersecurity legislation to the extent those are applicable.
However, although the scope and entry into force of the AI Act are also subject to certain debates in the EU, it can be stated that there is currently no approach in Türkiye fully in parallel with the AI Act, and that at this stage the matter is being addressed only through documents such as guides, policies, strategies and action plans. The bills prepared by members of parliament also show that it is necessary to primarily indicate certain risks; however, the bills currently submitted may be characterized as sanction-focused regulations aimed at preventing certain legal problems in specific matters, without putting in place a special holistic regulation in Türkiye on this matter. Undoubtedly, there is an increasing need for artificial intelligence regulations that are specific to Türkiye.
2- Political or Regulatory Developments
Türkiye’s attitude towards regulating tech-related sectors can be described as a “wait and see” type of approach. Instead of taking the initiative and attempting to create legal text from the ground up, the bodies usually observe the ongoing discussion in the US and the EU and adapt the resulting legislation into Türkiye’s system. This approach also goes hand in hand with the EU integration efforts, which have stood as a long-term policy for Türkiye.
It can be argued that the same attitude is being preserved, as new proposals for an “AI Law” that are mostly in compliance with relevant EU legislation were brought to the Parliament in 2024. The proposal entails an overall regulatory framework for AI usage, focusing on the subjects of safe AI usage, protection of personal data and privacy, and the encouragement of AI usage and development in the country. As of 2025, the proposal is still pending.
The main focus of regulatory efforts seems to be on the data protection and AI areas. IT and cloud services, while heavily affected by data protection and AI regulations, are not viewed as being as urgent to regulate as the other two.
The Presidential Office of Digital Conversion was an advisory office of the government whose field of operation was e-government, AI and IT technologies. This presidential office had published strategic programs for national AI and data-related development; however, it was abolished around the same time the Cybersecurity Law was ratified, and a Cybersecurity Presidency was established by that law. Therefore, it can be reasonably expected that the policies of the former presidential office will be taken over by the new Cybersecurity Presidency.
In the 2024-2028 strategic program of the Ministry of Industry and Technology, the Ministry states that it plans to encourage the usage of AI and cloud technologies.
Lastly, in the medium term, Türkiye plans to align the Law with the GDPR, but apparently there is a need for more regulation on AI applications.
3- Practical Experience/Implementation
Compliance with data protection regulations in Türkiye is ensured by the Authority. The Authority is very active in terms of its operations and engages with the industry to a high degree. It aims to provide guidance to industry actors by publishing lots of material and guidelines.
The main tool the Authority utilizes to ensure compliance is administrative penalties in the form of monetary fines. The attitude of the Authority towards actors may be described as strict, as it usually imposes administrative fines in cases of data breach incidents or compliance complaints.
Decisions by the Authority contain useful explanations as to why a data protection violation has or has not occurred, which help specific industries gain a better understanding of the standards they need to achieve in order to be compliant. The decisions also help guide industry and the public by addressing widespread data processing activities and advising compliant alternatives to violating actions.
It can be said that the courts of Türkiye do not play a significant role in data protection, since court judgements related to data protection requirements are quite rare. The Authority is the most active public authority in this field. The prosecution offices are active when any data protection related crimes are in question.
The amendments made to the Law in 2024 to regulate international transfers introduced standard contractual clauses, which are also present in the GDPR. This had a major effect on privacy practice: before the amendment the most preferred legal tool used to be consent, but Turkish standard contractual clauses have now taken its place. Actors who wish to transfer personal data outside Türkiye are now obliged to enter into these standard contracts with the party receiving the data, and they have to notify the Authority of the formation of the standard contract within 5 days. The Office reviews these documents closely for any formal deficiency, such as in the date of signature or the documents proving signature authorization.
The other obligation is to notify the Authority in case of a data breach incident. Unlike under the GDPR, under the Law each and every breach is subject to notification, as there is no identified threshold below which notification is not required. These notifications must be made no matter how strong an effect the breach has or how large or small in scale it is. The Authority interprets the duration set by the Law (written as “as soon as possible”) as 72 hours.
4- Outlook for 2026
The year 2025 was a year of revision for industry actors, in which they struggled to implement the amendments from the previous year and, for the most part, to bring their international transfers into compliance.
One new thing to look out for may be the new Cybersecurity Presidency. It’s hard to guess what kind of effect, if any, the new Presidency will have on the field, since we haven’t seen much engagement from it since its inception. However, once established and organized, if it starts to show similar levels of activity as the Authority does, the Presidency can become another regulatory body that needs to be monitored closely by stakeholders.
Even though there are ongoing legislative proposals in the Parliament, including one proposing separate clauses under a specific law, it would not be unreasonable to think that these AI-related proposals in Türkiye will not be finalized until the discussion on these fields around the world reaches some kind of conclusion. There may be a few ongoing proposals with the goal of updating existing laws in order to make them better equipped to deal with new technologies, but a comprehensive act that will have a significant impact on the industry is not expected to arrive in 2026. Most of the regulatory efforts seem to focus on disjointed topics that need urgent attention, and there is no sign to indicate that the year 2026 will differ substantially.