Skip to main content

Personal Data Protection Law (“Law”) completed its tenth year in April 2026. As detailed in the 2025 Presidential Annual Program and the 2026-2028 Medium-Term Program, efforts related to the process of harmonization with the European Union acquis, most notably the General Data Protection Regulation (“GDPR“), are accelerating and taking concrete shape. [1] Accordingly, during the first half of the year, the Personal Data Protection Authority (“Authority”) and the Personal Data Protection Board (“Board”)  issued numerous principle decisions, announcements, and guidelines. Furthermore, significant developments have occurred regarding administrative penalties under personal data protection law and findings concerning the Law, including a decision of the Constitutional Court. In this article, we examine the key developments relating to personal data protection and data privacy in Türkiye during the first half of 2026 in chronological order.

I. Board Decisions, Authority Announcements and Guidelines

A. Updated Administrative Fine Amounts Applicable Under the Law for the Year 2026[2]

On 31 December 2025, the Authority published a table setting out the updated administrative fines prescribed under Article 18 of the Law for the year 2026.

Accordingly, the administrative fines applicable for 2026 have been determined as follows:

Article Relevant Article of the Law Description Penalty Amount in 2026 (TRY)
18/1/a 10 Failure to fulfil the obligation to inform data subjects 85,437 – 1,709,200
18/1/b 12 Failure to comply with obligations relating to data security 256,357 – 17,092,242
18/1/c 15 Failure to comply with decisions of the Board 427,263 – 17,092,242
18/1/ç 16 Failure to comply with the obligations regarding registration with and notification to the Data Controllers Registry 341,809 – 17,092,242
18/1/d 9 Failure to fulfil the notification obligation stipulated under paragraph five of Article 9 90,308 – 1,806,177

 

B. Public Announcement Dated 12 January 2026 Regarding the Implementation Principles of the Board’s Decision No. 2025/1572 Dated 4 September 2025[3]

Pursuant to the decision, it was determined that, with respect to data controllers that do not maintain accounting records on a balance sheet basis and therefore do not have an annual financial balance sheet, the exemption criteria for registration with the Data Controllers Registry Information System (“VERBIS”), as set out in the Board Decision No. 2018/87 dated 19 July 2018 updated by the Board Decision No. 2025/1572 dated 4 September 2025, shall be assessed solely on the basis of the annual number of employees. Accordingly, the conditions for exemption from the VERBIS registration requirement for 2026 are as follows:

  • Natural or legal person data controllers whose principal activity does not involve the processing of special categories of personal data and who:
    • employ fewer than 50 employees annually; and
    • have an annual financial balance sheet total of less than TRY 100 million;
  • Natural or legal person data controllers whose principal activity involves the processing of special categories of personal data and who:
    • employ fewer than 10 employees annually; and
    • have an annual financial balance sheet total of less than TRY 10 million.

C. Recommendations Issued by the Authority on 12 January 2026 for Parents of Children Using Artificial Intelligence Tools[4]

In its recommendations, the Authority included guidance such as selecting age-appropriate applications for children’s use of artificial intelligence, raising awareness that information obtained through AI tools may not always be accurate or reliable, being cautious of fake content, and exercising caution when sharing photos and videos. The Authority also issued warnings to children about sharing personal data via artificial intelligence tools. Additionally, a 10-point checklist was published to enable parents to assess whether the artificial intelligence applications used are appropriate for children.

D. Public Announcement Issued by the Authority on 14 January 2026 Concerning Push Notifications Delivered via Mobile Applications[5]

The Authority determined that, in cases where push notifications sent via mobile applications are used as a “single consent” mechanism covering multiple purposes at once, users who wish to consent to one purpose are effectively required to consent to the others as well. This undermines the element of free will required for valid explicit consent and, therefore, does not constitute a lawful basis for processing personal data. In this context, it was emphasized that such consent processes should be reviewed considering the principles of “granular explicit consent” and “specificity”, and that application architectures should be redesigned to separate notification purposes and enable users to manage their preferences accordingly.

E. The Authority’s Public Announcement Dated 29 January 2026 on the Use of Foreign-Origin Communication Applications in Public Institutions[6]

The announcement was issued following reports and complaints alleging that public employees were being compelled to use foreign-origin communication applications such as WhatsApp, to join various groups on such applications, and that instructions, directives, official documents, and records were being shared through these platforms.

The Authority recalled the provisions of Presidential Circular No. 2019/12, which encourage the use of domestic communication applications and prohibit the sharing of classified information through mobile applications. The Authority further stated that the sharing of information and documents containing personal data via foreign-origin applications must comply with the data processing conditions set out in Articles 5 and 6 of the Law.

The announcement emphasized that data processing activities carried out in violation of the Law may be subject to complaints or ex officio investigations and that disciplinary measures may be imposed on public personnel found responsible for such violations. It was also stressed that public employees’ mobile phone numbers constitute personal data and that their use in institutional processes must be based on a lawful data processing condition.

F. Board Principle Decision No. 2026/266 of 11 February 2026 on the Use of a Loyalty Card Member’s Mobile Phone Number or Loyalty Card Number by a Third-Party During Purchases[7]

The Board’s Principle Decision, published in the Official Gazette dated 28 February 2026, and numbered 33182, concerns the practice whereby a third party provides a loyalty card holder’s mobile phone number or card number at the point of sale and completes a transaction using the loyalty card without any verification being carried out.

The Board assessed that such practice cannot be based on any personal data processing condition and further concluded that recording invoice and customer transaction information relating to purchases made by third parties in the loyalty card holder’s account may violate the principle that personal data must be accurate and, where necessary, kept up to date. It was also stated that contractual provisions in loyalty card membership agreements assigning responsibility to the user not to allow third-party use of the card do not relieve the data controller’s obligations regarding data security under Article 12 of the Law.

In this context, the Board decided that practices allowing third parties to carry out transactions through loyalty cards without any verification must be discontinued. It further required the establishment of appropriate verification mechanisms to ensure that transactions such as membership creation, earning or redemption of points, and access to discounts and promotional benefits are carried out with the data subject’s knowledge and consent. The Board stated that different verification methods may be adopted depending on the characteristics of the relevant categories of data subjects and the risk level of the transaction concerned, and granted data controllers a six-month compliance period starting from the publication of the Principle Decision in the Official Gazette.

An announcement regarding the decision was also published on 28 February 2026.[8]

G. Principle Decision No. 2026/347 of 18 February 2026 on the Requirement for Data Controllers to Prepare Explicit Consent Texts and Information Notices Separately

The Board’s Principle Decision, published in the Official Gazette No. 33203 dated 24 March 2026, was adopted in response to a number of unlawful practices frequently encountered in practice. These include presenting the explicit consent text and the privacy notice in a single, intertwined document; requesting the data subject’s approval or consent for the fulfillment of the duty to inform; using documents prepared by other data controllers without adapting them to the specific data processing activities in question; and providing texts that are not clear, plain or understandable, are incomplete, misleading, or unnecessarily lengthy.[9] The Board emphasized that the duty to inform is not contingent upon the data subject’s request or consent and must be fulfilled before the commencement of any personal data processing activity, irrespective of the legal basis on which the processing is based.

Accordingly, where a data processing activity is based on the grounds of explicit consent, the privacy notice and the explicit consent text must be prepared as separate documents under distinct headings. Even where both documents are presented on the same page, separate declarations must be obtained for each document. Where the processing activity is based on another legal ground provided under the Law, no separate explicit consent text should be presented to the data subject. In such cases, the data controller may only obtain confirmation that the privacy notice has been read and understood; however, the data subject should not be asked to approve or consent to the data processing activities described therein.

An announcement regarding the decision was also published on 24 March 2026.[10]

H. The Authority’s “The Risk Behind QR Codes: Quishing” Guidance Document of 26 February 2026[11]

The document defines “quishing” — a combination of the words “QR” (quick response) and “phishing” — as a phishing technique carried out through QR codes. It provides explanations regarding how quishing attacks are conducted and how they may be identified.[12] The document also sets out the following precautions that individuals should take against quishing attacks:[13]

  • Being cautious when scanning QR codes displayed in public places;
  • Verifying the source of a QR code;
  • Using trusted QR code reader applications;
  • Verifying the URL or link to which a QR code directs the user before proceeding;
  • Staying vigilant against requests for personal information; and
  • Strengthening device and account security.

I. Principle Decision No. 2026/348 of 18 February 2026 on the Display of Apartment/Residential Complex Residents’ Debt Information in Common Areas[14]

The Principle Decision of the Board, published in the Official Gazette No: 33210 dated 31 March 2026, concerns the display of personal data of apartment or residential complex residents, such as their names, surnames, apartment numbers, outstanding debt amounts, duration of payment delay, number of default periods, and whether they are owners or tenants, in common areas including elevators, building entrances, and corridors. The Board held that, under Condominium Law No. 634, co-owners have a right to obtain information regarding common expenses and debts, and that certain data disclosures may fall within the conditions for processing of personal data, namely, where it is “explicitly provided for by law” or “necessary for the establishment, exercise or defense of legal claims.” However, it stressed that the manner in which such information is disclosed must also comply with the general principles of the Law and the provisions on data security.

In this context, the Board found that displaying lists containing personal data in common areas and thereby making them accessible to an indefinite number of individuals is not based on any of the legal grounds set out in Article 5 of the Law and constitutes a breach of the data security obligations under Article 12. The Board further stated that such notifications should instead be delivered through channels accessible only to the relevant individuals, such as closed email or messaging groups, or applications designated for this purpose.

An announcement regarding the decision was also published on 31 March 2026.[15]

J. The Authority’s Guidance Document on the Use of Generative Artificial Intelligence Tools in the Workplace, Published in February[16]

The document provides an overview of the use of generative artificial intelligence tools in the workplace and addresses the concept of “shadow AI,” which is defined as the uncontrolled use of such tools. It further outlines the associated risks, including issues relating to auditability and accountability, decision-making quality and accuracy, protection of intellectual property rights and trade secrets, loss of corporate reputation and trust, information security and cybersecurity, and the protection of personal data.[17]

An announcement on the matter was also published on 5 March.[18]

K. The Authority’s Document on Agentic Artificial Intelligence, Published in February[19]

The document addresses “agentic AI,” which is defined as integrated systems capable of assessing environmental conditions, adapting to changing circumstances, and initiating actions autonomously at varying levels in order to achieve specified objectives.[20]

It outlines potential applications of agentic AI systems as well as the associated risks. In this context, the document notes that the following principles may be taken into consideration in terms of personal data protection:[21]

  • Establishing measures to ensure an appropriate level of transparency, considering the nature of the tasks performed by the systems and the risks that may arise;
  • Ensuring that the personal data used to generate outputs in agentic AI systems is accurate;
  • Clearly defining the roles and responsibilities of the actors involved in the development and deployment of agentic AI systems;
  • Systematically incorporating the principles of privacy by design and privacy by default throughout the lifecycle of agentic AI systems with regard to the protection of personal data;
  • Adopting risk assessment mechanisms that ensure the systematic identification and management of risks that may arise throughout the lifecycle of agentic AI systems;
  • Reviewing existing data protection and governance mechanisms in light of the structural characteristics of agentic AI systems and conducting awareness-raising and training activities for individuals involved in the use or operation of such systems regarding their functioning, limitations of use, and potential risks.

An announcement on the matter was also published on 12 March 2026.[22]

L. The Authority’s Public Announcement of 16 March 2026 on the Notification of Personal Data Processed in Activities Conducted Through Partnerships, Consortia, Ordinary Partnerships, and Similar Structures to VERBIS[23]

The announcement reaffirmed the principles set out in the Board’s Decision No. 2021/569 dated 9 June 2021. Accordingly, it was emphasized that business partnerships, consortia, ordinary partnerships, and similar structures should not create separate VERBIS registrations in their own name, as they do not possess a legal personality distinct from the parties constituting the partnership. Instead, it should first be determined whether each partner is individually subject to the obligation to register with VERBIS, and that those partners who are subject to such an obligation must include in their own VERBIS registrations, alongside their own processing activities, information on personal data processed within the framework of the partnership’s activities.

M. The Board’s Principle Decision No. 2026/921, dated 29 April 2026, on the Processing of Biometric Data for Employee Attendance Tracking Purposes[24]

In the Principle Decision published in the Official Gazette No. 33273 on 2 June 2026, the Board addressed the use of biometric identification systems, including fingerprint recognition, facial recognition, iris scanning, and retina scanning, for the purposes of employee attendance and working time monitoring.

The Board stated that, although employers are required to monitor and document employees’ working hours, there is no explicit legal provision authorizing such monitoring to be carried out through the processing of biometric data. It further assessed that explicit consent would, as a rule, not provide a sufficient legal basis for the processing of biometric data for attendance and working time monitoring purposes, having regard to the structural imbalance of power inherent in the employment relationship, the possibility that employees may face adverse consequences if they refuse to give or subsequently withdraw their consent, and the incompatibility between the revocable nature of consent and the continuous operation of such systems.

The Board also emphasized that biometric data processing activities must be assessed separately in terms of suitability, necessity, and proportionality. It concluded that, where less intrusive alternatives are available, the use of biometric systems for attendance and working time monitoring would not satisfy the principle of proportionality, even where the data subject has provided valid explicit consent. Accordingly, the Board stated that attendance and working time monitoring should instead be carried out through alternative methods, such as password-protected card or PIN-based systems, signature and paper-based attendance logs, RFID/NFC identification cards, or manual registration under supervisory oversight.

An announcement regarding the decision was also published on 2 June 2026.[25]

N. Announcement of the Authority Dated 21 May 2026 on the Binding Corporate Rules Application[26]

In the announcement, the Authority stated that the application for Binding Corporate Rules submitted to it by Sosyo-Plus Bilgi Bilişim Teknolojileri Danışmanlık Hizmetleri A.Ş. (“Insider One”) had been reviewed and approved on 20 May 2026.

Accordingly, Insider One has become the first company in Türkiye to implement Binding Corporate Rules, one of the appropriate safeguards required for the transfer of personal data abroad, following the comprehensive amendments introduced in 2024.

O. The Authority’s Public Announcement Dated 8 June 2026, on Points to be Observed in the Use of Security Camera Systems in Apartment Buildings[27]

The announcement states that the installation of security camera systems in apartment buildings or residential compounds is permissible for legitimate purposes such as the protection of common areas, ensuring general security, and safeguarding the interests of unit owners. However, since video recording constitutes a personal data processing activity, camera systems must be operated in compliance with both the Law and the Condominium Ownership Law.

The Authority emphasized that camera locations should be determined in a manner that does not infringe upon residents’ reasonable expectation of privacy. Cameras should not be installed in stairwells or in areas where opening an apartment door would allow the interior of the unit to be viewed. Intrusive features such as facial recognition and audio recording should not be used; camera angles should be kept narrow, and unnecessary areas should be masked. Further, because elevators are confined, narrow, and closed spaces, any surveillance conducted therein must be specifically justified, recordings should be retained only for a reasonable period, access should be restricted to authorized persons, the obligation to inform data subjects must be fulfilled, and appropriate technical and administrative measures must be implemented.

P. The Authority’s Public Announcement Dated 8 June 2026 on Points to be Observed in the Use of Security Camera Systems in Workplaces[28]

The announcement states that employers may use security camera systems in workplaces within the scope of their legal obligations to protect employees’ personality rights and ensure their health and safety; however, the purpose of processing must be clearly and specifically determined in advance on a case-by-case basis, and camera usage must comply with the principles of data minimization and proportionality.

The Authority noted that cameras installed for workplace security, crime prevention, or the protection of occupational health and safety must not be used for the general or abstract monitoring of employees’ attendance, performance, or discipline. Furthermore, cameras should not be installed in areas where there is a heightened expectation of privacy, such as restrooms, changing rooms, prayer rooms, and rest areas.

The announcement emphasized that camera position, viewing angle, zoom capabilities, monitoring frequency, and audio recording functions should be assessed with regard to the severity of the intrusion upon privacy. Employees must be properly informed, recordings should be retained for the shortest possible period, automated deletion mechanisms should be established, access should be restricted to authorized personnel, and procedures concerning the security and confidentiality of recordings should be implemented.

Q. The Authority’s Public Announcement dated 23 June 2026 on Live Broadcasts Made by Municipalities for Tourism Promotion Purposes[29]

The Announcement noted that live internet broadcasts made through cameras installed by municipalities in public spaces for tourism promotion purposes are considered personal data processing activity within the scope of the Law, as they involve the ability to view identifiable facial images of individuals and vehicle licence plates. The practice was assessed in light of the following conditions for processing personal data: “processing expressly provided for by law” and “processing necessary for the legitimate interests of the data controller, provided that such processing does not prejudice the fundamental rights and freedoms of the data subjects”.

In its assessment, the Authority emphasized that there is no explicit statutory provision authorizing municipalities to conduct continuous live camera broadcasts for tourism promotion purposes. It further observed that individuals using public spaces for socializing, leisure, and recreation have a reasonable and objectively justifiable expectation that their activities will not be subject to ongoing monitoring. Accordingly, the live broadcasting of such spaces was considered to interfere with the right to respect for private life. The Authority also highlighted that the broadcasts are accessible to an unlimited audience and may be misused for malicious purposes, creating a risk of serious and potentially irreversible harm to the individuals concerned. Considering these factors, it concluded that the interference was not proportionate. Municipalities were therefore called upon to discontinue existing live-streaming activities that result in the processing of personal data and to pursue tourism promotion through alternative methods that do not involve the processing of personal data.

II. Constitutional Court Decision Dated 16 June 2026

In its decision with application number 2020/32193, published in Official Gazette No. 33282 dated 16 June 2026, the Constitutional Court held that the administrative fine imposed by the Board, which departed from the statutory minimum prescribed by the Law, constituted a violation of the principle of legality in crimes and punishments as guaranteed under Article 38 of the Constitution and Article 2 of the Turkish Criminal Code No. 5237.[30]

As grounds for its conclusion, the Court noted that, under the Law, where personal data has been made public by the data subject, the data subject’s explicit consent is not required for its processing. However, the Law does not contain clear provisions as to how such data should be made public, the purpose of such public disclosure, or whether the use of personal data in a manner incompatible with the purpose of its public disclosure is subject to any penalties. The Court further observed that explanations regarding the purpose of disclosure had been provided only in the Authority’s Guidelines on the Application of the Law on the Protection of Personal Data. Accordingly, it concluded that the imposition of the administrative fine in question was made possible only through an unforeseeably broad interpretation of the statutory provision.[31]

Having found a violation of the constitutional principle of legality in crimes and punishments, the Constitutional Court determined that there was no need to examine the applicant’s claims regarding violations of the right to a fair trial and the right to property, while also granting the applicant’s request for a retrial on the basis of the identified violation of the legality principle.[32]

This Constitutional Court decision is significant because it highlights the relationship between the obligations established under personal data protection legislation and the administrative sanctions that may be imposed by the Board for violations of those obligations.

III. Assessment

As part of its commitment to achieving GDPR alignment, Türkiye continues to strengthen and further develop its legal and practical framework governing the protection of personal data. In this context, considering international approaches and technological developments, Türkiye continues its efforts to proactively foster awareness among legal practitioners and interested parties and to resolve emerging issues in a manner consistent with the protection of fundamental rights and sound legal reasoning. The developments in the first half of 2026 have once again demonstrated that personal data protection law is not merely a field confined to documentation-based compliance processes. Rather, it remains a dynamic area in which practical issues affecting numerous products and services encountered in everyday life are actively discussed and addressed.

—–

[1] Presidency of the Republic of Türkiye, Presidency of Strategy and Budget, “2025 Yılı Cumhurbaşkanlığı Yıllık Programı”, October 2024, p. 88, Tedbir 359.2, https://www.sbb.gov.tr/wp-content/uploads/2024/11/2025-Yili-Cumhurbaskanligi-Yillik-Programi-05112024.pdf, accessed 18 June 2026; Presidency of the Republic of Türkiye, Presidency of Strategy and Budget, “The Medium Term Program (2026–2028)”, September 2025, p. 45, https://www.sbb.gov.tr/wp-content/uploads/2025/10/Medium-Term-Program-2026-2028.pdf, accessed 18 June 2026.

[2] Personal Data Protection Authority, “Administrative Fine Amounts under the Personal Data Protection Law No. 6698”, https://www.kvkk.gov.tr/Icerik/8291/Administrative-Fine-Amounts-Under-Personal-Data-Protection-Law-No-6698, accessed 18 June 2026.

[3] Personal Data Protection Authority, “Kişisel Verileri Koruma Kurulunun 04.09.2025 tarihli ve 2025/1572 sayılı Kararının Uygulama Esaslarına İlişkin Kamuoyu Duyurusu”, 12 January 2026, https://www.kvkk.gov.tr/Icerik/8577/kisisel-verileri-koruma-kurulunun-04-09-2025-tarihli-ve-2025-1572-sayili-kararinin-uygulama-esaslarina-iliskin-kamuoyu-duyurusu, accessed 18 June 2026.

[4] Personal Data Protection Authority, “Yapay Zekâ Araçları Kullanan Çocukları İçin Ebeveynlere Yönelik Tavsiyeler”, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/MTY5NjRmZGEyY2I3ZDY.pdf, accessed 18 June 2026.

[5] Personal Data Protection Authority, “Mobil Uygulamalar Üzerinden Gönderilen Anlık Bildirimlere İlişkin Kamuoyu Duyurusu”, https://www.kvkk.gov.tr/Icerik/8578/mobil-uygulamalar-uzerinden-gonderilen-anlik-bildirimlere-iliskin-kamuoyu-duyurusu, accessed 18 June 2026.

[6] Personal Data Protection Authority, “Kamu Kurumlarında Yurt Dışı Menşeli Haberleşme Uygulamaları Kullanımına İlişkin Kamuoyu Duyurusu”, 29 January 2026, https://www.kvkk.gov.tr/Icerik/8607/kamu-kurumlarinda-yurt-disi-menseli-haberlesme-uygulamalari-kullanimina-iliskin-kamuoyu-duyurusu, accessed 18 June 2026.

[7] Personal Data Protection Board, Principle Decision numbered 2026/266 and dated 11 February 2026.

[8] Personal Data Protection Authority, “Sadakat Kart Üyeliği Bulunan Bir Kişinin Cep Telefonu Numarasının veya Sadakat Kart Numarasının Üçüncü Bir Kişi Tarafından Alışveriş Esnasında Kullanılması Hakkında İlke Kararı”, 28 February 2026, https://www.kvkk.gov.tr/Icerik/8670/sadakat-kart-uyeligi-bulunan-bir-kisinin-cep-telefonu-numarasinin-veya-sadakat-kart-numarasinin-ucuncu-bir-kisi-tarafindan-alisveris-esnasinda-kullanilmasi-hakkinda-ilke-karari, accessed 18 June 2026.

[9] Personal Data Protection Board, Principle Decision numbered 2026/347 and dated 18 February 2026.  

[10] Personal Data Protection Authority, “Veri Sorumluları Tarafından Açık Rıza ve Aydınlatma Metinlerinin Ayrı Ayrı Düzenlenmesi Gerektiği Hakkında Kişisel Verileri Koruma Kurulunun 18.02.2026 Tarihli Ve 2026/347 Sayılı İlke Kararına İlişkin Kamuoyu Duyurusu”, 24 March 2026, https://www.kvkk.gov.tr/Icerik/8710/veri-sorumlulari-tarafindan-acik-riza-ve-aydinlatma-metinlerinin-ayri-ayri-duzenlenmesi-gerektigi-hakkinda-kisisel-verileri-koruma-kurulunun-18-02-2026-tarihli-ve-2026-347-sayili-ilke-kararina-iliskin-kamuoyu-duyurusu, accessed 18 June 2026.

[11] Personal Data Protection Authority, “QR Kodlarla Gelen Risk: Quishing”, February 2026, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/MTY5OWVmNzMzOWE4YWM.pdf, accessed 18 June 2026.

[12] Id., pp. 4, 6-8.

[13] Id., pp. 9-10.

[14] Personal Data Protection Board, Principle Decision numbered 2026/348 and dated 18 February 2026.

[15] Personal Data Protection Authority, “Toplu Yapılarda Apartman/Site Sakinlerine Ait Borç Bilgilerinin Ortak Yerlere Asılması Hakkında Kişisel Verileri Koruma Kurulunun 18.02.2026 Tarihli ve 2026/348 Sayılı İlke Kararına İlişkin Kamuoyu Duyurusu”, 31 March 2026, https://www.kvkk.gov.tr/Icerik/8719/toplu-yapilarda-apartman-site-sakinlerine-ait-borc-bilgilerinin-ortak-yerlere-asilmasi-hakkinda-kamuoyu-duyurusu, accessed 18 June 2026.

[16] Personal Data Protection Authority, “İş Yerlerinde Üretken Yapay Zekâ Araçlarının Kullanımı”, February 2026, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/MTY5YTdkNjdjNzJlMjM.pdf, accessed 18 June 2026.

[17] Id., s. 4-9.

[18] Personal Data Protection Authority, “İş Yerlerinde Üretken Yapay Zekâ Araçlarının Kullanımı”, 5 March 2026, https://www.kvkk.gov.tr/Icerik/8674/is-yerlerinde-uretken-yapay-zeka-araclarinin-kullanimi, accessed 18 June 2026.

[19] Personal Data Protection Authority, “Etken Yapay Zekâ (Agentic AI)”, February 2026, https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/MTY5YWE4ZDE0NWYwMWI.pdf, accessed 18 June 2026.

[20] Id., pp. 3-4.

[21] Id., pp. 17-40.

[22] Personal Data Protection Authority, “Etken Yapay Zekâ (Agentic AI)”, 12 March 2026, https://www.kvkk.gov.tr/Icerik/8683/etken-yapay-zeka-agentic-ai, accessed 18 June 2026.

[23] Personal Data Protection Authority, “İş Ortaklığı/Konsorsiyum/Adi Ortaklık Gibi Yapılar Nezdinde Gerçekleştirilen Faaliyetlerde İşlenen Kişisel Verilerin VERBİS’e Bildirimi Hakkındaki Kamuoyu Duyurusu”, 16 March 2026, https://www.kvkk.gov.tr/Icerik/8692/is-ortakligi-konsorsiyum-adi-ortaklik-gibi-yapilar-nezdinde-gerceklestirilen-faaliyetlerde-islenen-kisisel-verilerin-verbis-e-bildirimi-hakkindaki-kamuoyu-duyurusu, accessed 18 June 2026.

[24] Personal Data Protection Board, Principle Decision numbered 2026/921 and dated 29 April 2026.

[25] Personal Data Protection Authority, “Mesai Takibi Amacıyla Biyometrik Veri İşlenmesi Hakkında Kişisel Verileri Koruma Kurulunun 29.04.2026 Tarihli ve 2026/921 Sayılı İlke Kararına İlişkin Kamuoyu Duyurusu”, 2 June 2026, https://www.kvkk.gov.tr/Icerik/8762/mesai-takibi-amaciyla-biyometrik-veri-islenmesi-hakkinda-kisisel-verileri-koruma-kurulunun-29-04-2026-tarihli-ve-2026-921-sayili-ilke-kararina-iliskin-kamuoyu-duyurusu, accessed 18 June 2026.

[26] Personal Data Protection Authority, “Bağlayıcı Şirket Kuralları Başvurusu Hakkında Duyuru”, 21 May 2026, https://www.kvkk.gov.tr/Icerik/8757/baglayici-sirket-kurallari-basvurusu-hakkinda-duyuru, accessed 18 June 2026.

[27] Personal Data Protection Authority, “Apartmanlarda Güvenlik Kamerası Sistemi Kullanımında Dikkat Edilecek Hususlara Dair Kamuoyu Duyurusu”, 8 June 2026, https://www.kvkk.gov.tr/Icerik/8769/apartmanlarda-guvenlik-kamerasi-sistemi-kullaniminda-dikkat-edilecek-hususlara-dair-kamuoyu-duyurusu, accessed 18 June 2026.

[28] Personal Data Protection Authority, “İş Yerlerinde Güvenlik Kamerası Sistemi Kullanımında Dikkat Edilecek Hususlara Dair Kamuoyu Duyurusu”, 8 June 2026, https://www.kvkk.gov.tr/Icerik/8770/is-yerlerinde-guvenlik-kamerasi-sistemi-kullaniminda-dikkat-edilecek-hususlara-dair-kamuoyu-duyurusu, accessed 18 June 2026.

[29] Personal Data Protection Authority, “Belediyelerin Turistik Tanıtım Amacıyla Yaptığı Canlı Yayınlar Hakkında Kamuoyu Duyurusu”, 23 June 2026, https://www.kvkk.gov.tr/Icerik/8777/belediyelerin-turistik-tanitim-amaciyla-yaptigi-canli-yayinlar-hakkinda-kamuoyu-duyurusu, erişim 23 June 2026.

[30] Plenary of the Constitutional Court, Decision Viennalife Emeklilik ve Hayat A.Ş., application numbered 2020/32193, dated 27 January 2026, para. 45.

[31] Id., para. 43.

[32] Id., paras. 46, 48.