CoE Framework Convention signatory
This content is for informational and educational purposes only and does not constitute legal advice.
On 12 March 2026, the Personal Data Protection Authority published a report on agentic Artificial Intelligence (AI), outlining the characteristics, potential uses, and risks of agentic AI systems and their implications for personal data protection. The report explains that agentic AI systems consist of AI agents capable of autonomously pursuing goals, coordinating multi-step tasks, and adapting to changing conditions, which distinguishes them from conventional AI systems that mainly respond to inputs within predefined rules. It notes that these systems may be applied in areas including research and development, customer support, finance, healthcare, and incident management, but may also create risks related to transparency, accountability, bias, security vulnerabilities, and the accuracy of outputs. The report emphasises that the multi-step and autonomous nature of agentic AI can complicate personal data processing by expanding the scope of data use, enabling inference-based profiling, and making oversight and legal responsibility more difficult. To mitigate these risks, the report recommends a risk-based and human-centred approach, including meaningful human oversight, transparency and explainability mechanisms, privacy by design and by default, clear allocation of roles and responsibilities, and the use of risk assessment tools, including data protection impact assessments.
On 11 February 2026, the Personal Data Protection Authority (KVKK) opened an ex officio investigation into X Internet Unlimited Company and X.AI Corporation in relation to the development and deployment of the Grok Artificial Intelligence Assistant. The investigation follows suspicions that the companies failed to implement the technical and administrative measures required under Law No. 6698 on the Protection of Personal Data and that their personal data processing activities may not comply with the requirements of that law.
On 12 January 2026, the Personal Data Protection Authority (KVKK) released guidance for parents of children using artificial intelligence tools. The guidance addresses the use of artificial intelligence technologies by children in education, gaming, communication and social activities. The guidance covers tools including chatbots, artificial intelligence-supported learning applications and content generation tools. The guidance states that these tools may facilitate learning and access to information but may also involve risks if not used appropriately. The guidance identifies risks related to violations of privacy, online security threats, exposure to misleading or false content, artificial intelligence-generated fake images, videos and audio, misuse of personal data, and potential emotional and psychological effects. The guidance sets out parental responsibilities relating to age-appropriate application selection, review of terms of use and privacy policies, use of content filtering and parental control options, management of photo and video sharing, ethical and respectful use of artificial intelligence tools, screen time balance, open communication with children, and digital parenting practices, and includes a parental checklist for practical implementation.
On 8 January 2026, the Bill amending Law No. 6698 on the protection of personal data, was introduced to the Grand National Assembly. The Bill would amend the Personal Data Protection Act by introducing an administrative fine for social media services and digital platforms which permit the sharing of AI-generated audio, written, or visual content without the consent of the represented or depicted person. The imposed fine would amount to five percent of the offending entity's turnover in the year prior to sharing of the content in question. According to the Bill's justification, social media services and digital platforms should be held legally responsible for the sharing of AI-generated content because they are not merely passive intermediaries but play an active role in amplifying content through their algorithms.
On 7 January 2026, the Law on Protection of Children and Young People in the Digital Environment was introduced to the Grand National Assembly. The Law applies to content providers, intermediary service providers, social network providers, gaming companies, and users. It seeks to establish a preventive and protective framework addressing risks such as digital addiction, virtual gambling, cyberbullying, harmful or obscene content, misuse of personal data, disinformation, and terrorist propaganda. The Law defines terms including access provider, content provider, intermediary service provider, social network provider, gaming company, cyberbullying, and harmful content. The Law imposes new design, content classification, and time-use obligations on social network providers, digital platforms, and online game companies serving users under 16. The framework would require platforms to avoid virality-driven and recommendation-based design features, introduce parental control tools, protect children’s privacy and other rights, provide rapid complaint resolution, minimise personal data processing for vulnerable users, and prohibit third-party data transfers. It would also mandate age classification of content, limit children’s daily platform and gaming use to 55 minutes, prohibit access between 10.30 pm and 09:30 am, and exempt educational content. Non-compliance would be punishable by administrative fines of TRY one million to TRY 5 million, with fines increased by half for repeat offences within one year and termination of activities following a third offence.
On 25 December 2025, the Presidential Decree No. 191 on Amending Certain Presidential Decrees entered into force upon its publication in the Official Gazette No. 33118. The Decree amends Presidential Decree No. 1 on the Presidential Organisation by renaming the General Directorate of National Technology under the Ministry of Industry and Technology as the General Directorate of National Technology and Artificial Intelligence. It assigns responsibilities for developing a national data centre and cloud computing infrastructure, formulating and implementing artificial intelligence policies and strategies, supporting artificial intelligence research and development, increasing data, infrastructure, and human resource capacity, developing international cooperation, and determining criteria and standards for data centres, including certification, documentation, and authorisation processes related to data centre and cloud computing infrastructure.
On 25 December 2025, Presidential Decree No. 192 on Amending the Presidential Decree on the Cyber Security Directorate entered into force upon its publication in the Official Gazette No. 33118. The Decree amends Presidential Decree No. 177 on the Cyber Security Directorate by expanding its mandate to include public-sector artificial intelligence and digital government functions. It establishes the General Directorate of Public Artificial Intelligence within the Cyber Security Directorate and assigns responsibilities including legislative work on artificial intelligence applications in the public sector, preparation of national policies, strategies and action plans, alignment of national legislation with international regulations, determination of principles, procedures and standards for data governance across the data life cycle, setting data quality criteria and standards for data used in public-sector artificial intelligence applications, establishment of a common data space infrastructure, and coordination of artificial intelligence implementation across public institutions
On 24 December 2025, the President signed Decree No. 191 on Amending Certain Presidential Decrees. The Decree amends Presidential Decree No. 1 on the Presidential Organisation by renaming the General Directorate of National Technology under the Ministry of Industry and Technology as the General Directorate of National Technology and Artificial Intelligence. It assigns responsibilities for developing a national data centre and cloud computing infrastructure, formulating and implementing artificial intelligence policies and strategies, supporting artificial intelligence research and development, increasing data, infrastructure, and human resource capacity, developing international cooperation, and determining criteria and standards for data centres, including certification, documentation, and authorisation processes related to data centre and cloud computing infrastructure.
On 24 December 2025, the President signed Decree No. 192 amending Decree No. 177 on the Cyber Security Directorate by expanding its mandate to include public-sector artificial intelligence and digital government functions. It establishes the General Directorate of Public Artificial Intelligence within the Cyber Security Directorate and assigns responsibilities including legislative work on artificial intelligence applications in the public sector, preparation of national policies, strategies and action plans, alignment of national legislation with international regulations, determination of principles, procedures and standards for data governance across the data life cycle, setting data quality criteria and standards for data used in public-sector artificial intelligence applications, establishment of a common data space infrastructure, and coordination of artificial intelligence implementation across public institutions.
On 24 November 2025, the Personal Data Protection Agency (KVKK) released the Generative Artificial Intelligence and Personal Data Protection Guide (in 15 Questions). The Guide aims to explain the data protection implications generative AI systems and guide data controllers working with generative AI system on how they can fulfil data protection requirements, including those which arise under Law No. 6698 on the Protection of Personal Data. The Guide describes the structure of generative artificial intelligence systems, their content-generation mechanisms, lifecycle stages, usage areas and the associated ethical, legal and technical risks, and shows how personal data may be processed during data collection, model training, fine-tuning, and deployment and user interaction. In relation to these issues, the Guide offers advice to data controllers on questions such as the legal bases for data collection, data transfers abroad, the exercise of data subject rights, and measures for parents of children using generative AI tools.
On 7 October 2025, the Personal Data Protection Authority (KVKK) released guide to the Data Controllers Registry Information System (VERBIS). The guide complements the VERBIS system by presenting the framework of obligations in a question-and-answer format. It provides clarifications on the purpose and scope of the system, the obligations of data controllers, and the statutory basis under Article 16 of the Law on the Protection of Personal Data No. 6698. It addresses the registration requirements for natural and legal persons located in Turkey and abroad, the scope of exemptions defined by the Board, and timelines for registration. In addition, it explains the appointment of contact persons, entry of information on categories of personal data, processing purposes, storage periods, security measures, and transfers.
On 28 August 2025, the Competition Board opened a full investigation into Spotify over violations of Law No. 4054 on Protection of Competition in the online music streaming market. The Board will examine whether Spotify discriminates among rights holders in playlist placement, ranking, visibility, or recommendation algorithms, and whether it hinders rights holders earning royalties through predatory subscription pricing. The investigation, launched under Article 41 of the Law, does not imply any determination of infringement or penalties.
On 22 August 2025, the Competition Authority announced the opening of an investigation into Google over alleged abuse of dominance in the Play Store billing practices. The investigation will examine whether Google abused its dominance in the Play Store in contravention of Article 6 of the Law on Protection of Competition, which prohibits undertakings from abusing their dominant position in a market for goods or services. The investigation will specifically examine if Google is forcing developers to use Google Play Billing and blocking them from informing users about alternative payment methods.
On 14 August 2025, the Ministry of Trade’s Advertising Board ordered the blocking of websites selling “mystery boxes” and referred the cases to the competent authorities for criminal investigation. The practice, which involves selling products of unknown content, was considered likely to mislead consumers and inappropriately influence their economic decisions. The Ministry stated that it will continue monitoring such practices, imposing sanctions where necessary, and taking measures to protect consumers, particularly younger audiences, from misleading advertising.
On 14 August 2025, the Personal Data Protection Authority (KVKK) announced the launch of an investigation into a personal data breach reported by Biletal Domestic and Foreign Trade. The breach was detected on 11 August 2025 by the company’s IT teams in coordination with the Information and Communication Technologies Authority, after cyber attackers offered customer identity, contact, and transaction data for sale on illegal online platforms. The incident is estimated to have affected around 7,800 customers. The KVKK Board decided, under Decision No. 2025/1481, to publish the breach notification on its website while the investigation is still ongoing.
Last updated: 12/03/2026