• Insights
  • Personal Data Protection in Turkiye and Worldwide in Light of TikTok Decisions: Children's Data and Cross-Border Data Transfer

Personal Data Protection in Turkiye and Worldwide in Light of TikTok Decisions: Children's Data and Cross-Border Data Transfer

Insights -
Gün + Partners

Personal data protection has become a critical area that has rapidly gained importance both in Türkiye  and worldwide in recent years. With the impact of digitalization, individuals generate increasing amounts of personal data in their daily lives, which in turn raises societal sensitivity regarding data security and privacy awareness. In this context, regulatory authorities are tightening oversight of data processing activities; particularly, technology companies are increasingly facing sanctions due to extensive data collection and processing practices. One striking example of these developments is the enforcement decisions imposed on TikTok, which serves millions of users globally, both in Europe and Türkiye . These decisions are also noteworthy for reflecting data protection trends at both local and global levels.

By way of example, the Irish Data Protection Commission (“DPC”) issued a decision on 1 September 2023 finding that TikTok had committed violations of the European Union General Data Protection Regulation (“GDPR”) in its data processing activities between 31 July 2020 - 31 December 2020, and imposed an administrative fine of 345 million euros.

The relevant decision identified serious violations such as the platform's use of default public profile settings, inadequate age verification mechanisms, and failure to fulfil its obligation to inform users. In particular, it was emphasised that Articles 5(1)(a), 5(1)(c), 5(1)(f), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) of the GDPR had been violated. Additionally, in line with the binding opinion of the European Data Protection Board (“EDPB”) it was noted that TikTok acted contrary to the principle of fair processing due to the “dark patterns” it applied to child users.

Similarly, in 2023, the Turkish Personal Data Protection Board (“Board”) imposed an administrative fine of TRY 1,750,000 on TikTok pursuant to its decision No. 2023/134. The Board identified numerous violations, including processing data without explicit consent, failure to fulfil the obligation to inform, collecting data from children under the age of 13 without parental consent, failure to translate the privacy policy into Turkish, and unlawful profiling through cookies. Additionally, TikTok has been required to update its privacy policies, simplify its terms of service, and present its disclosure texts under a separate structure.

The fact that children are more vulnerable in the digital environment has led to stricter controls by regulatory authorities and increased awareness in the sector. As many countries, including the European Union, develop specific regulations to protect children's online privacy, Türkiye is also preparing to establish a separate legal framework for children's data. These developments impose a much higher duty of care and attention on data controllers in the design of services for children.

On the other hand, in an effort to further align Türkiye’s legal framework on personal data protection with European Union standards, long-anticipated legislative amendments were enacted last year. The amendments to the Law on the Protection of Personal Data No. 6698 ("Law") were published in the Official Gazette on March 12, 2024, and entered into force on June 1, 2024. These amendments introduced significant changes, particularly regarding the processing of sensitive personal data and administrative sanctions, as well as cross-border transfers of personal data. (For detailed information on the amendments to the Law, please click here.)

With the recent amendment, the cross-border data transfer regime regulated under Article 9 of the Law has been substantially restructured to align more closely with the GDPR framework, bringing the procedures and principles governing the transfer of personal data abroad in line with European Union practices. Accordingly, if personal data is processed based on one of the legal grounds set out in Articles 5 and 6 of the Law, and the country, sector, or international organization to which the data is to be transferred has been granted an “adequacy decision” by the Board, the data may be transferred abroad without obtaining explicit consent. In the absence of an adequacy decision, it must be ensured that the data subject can exercise their rights and access effective legal remedies in the destination country; in addition—and except in exceptional cases—appropriate legal safeguards approved by the Board, such as standard contracts, binding corporate rules, or undertakings, must be provided. This new regulation aims to bring more flexibility to data transfer processes while also enhancing the effectiveness of oversight by the Board and the overall protection of personal data.

While data controllers and processors in Türkiye  are endeavouring to comply with legislative amendments, another decision issued by the DPC on 2 May 2025 regarding TikTok has attracted public attention. This decision by the DPC demonstrates the extent to which controls on data transfers abroad have been tightened. The decision found that TikTok failed to take the necessary safeguards under Article 46(1) of the GDPR when transferring personal data of users in the European Economic Area to China and did not fulfil its transparency obligation under Article 13(1)(f). Additionally, TikTok was found to have provided misleading information about its data storage locations, and it was determined that China's legal regulations are not compatible with the European principle of “equivalent level of protection.” As a result, the company was fined an administrative penalty of €530 million.

When all these developments are considered together, the TikTok example is a concrete reflection of the increasing regulatory sensitivity on a global scale regarding the transfer of personal data abroad, as well as the protection of children's data. Considering the legal amendments made in Türkiye and the increasingly active supervisory approach of the Board, it is important for data controllers to take the necessary measures in a timely manner in order to avoid similar sanctions. In particular, it will be critical for data controllers who transfer data abroad to review their technical and administrative measures, provide appropriate safeguards such as undertakings, standard contracts or binding corporate rules for cross-border data transfers, and act in full compliance with the principle of transparency.

Special thanks to İsmail Arslan for his contributions.