04 March 2026

What Is Quishing? QR Code–Based Phishing and an Assessment from a Data Protection Law Perspective

QR code technology has become one of the key tools of the digital economy. From restaurant menus to public services, from e-commerce to financial transactions, QR codes are used across a wide range of contexts and—because they are fast and practical—have become a natural part of user behaviour. However, this widespread adoption also creates an exploitation ground with a low level of suspicion from the attacker’s perspective.

In its Information Note dated 26 February 2026 titled “The Risk Coming with QR Codes: Quishing” (“Information Note”), the Turkish Data Protection Authority (“KVKK”) examines phishing attacks carried out via QR codes in detail and assesses this threat from a personal data security perspective. The Information Note clearly demonstrates that the issue is not merely a technical cybersecurity risk; it is also an area that must be addressed directly within the scope of data protection law.

03 October 2025

Changes in Exceptions to the Obligation to Register with VERBİS

Category KVKK - GDPR

With the Decision of the Personal Data Protection Board published in the Official Gazette dated October 1, 2025 and numbered 33034, amendments have been made to the exemption criteria regarding the obligation to register with VERBİS (Data Controllers' Registry Information System), which is carried out pursuant to Article 16 of the Law on the Protection of Personal Data No. 6698.

16 July 2024

Consent of the Consumer in Processing Personal Data

Category KVKK - GDPR

1. Introduction

The intersection of personal data protection law with various legal fields is evident. Any interference with personal data is generally considered illegal. According to our Constitution, the primary exception for processing personal data is the explicit consent of the individual. The Law on the Protection of Personal Data No. 6698 (KVKK) provides a framework for explicit consent without considering the personal characteristics of the data subject. If the data subject is a consumer, the general principles of consumer law and protective provisions established by other laws apply directly. The "power imbalance" between the data controller and the consumer must be considered, and an appropriate approach must be adopted. This article will discuss the explicit consents obtained from consumers by data controllers and the validity conditions of such consent.

24 February 2026

Artificial Intelligence in Recruitment Processes and the Protection of Personal Data

Category KVKK - GDPR, Work Life, Technology

Recruitment processes have become one of the areas most rapidly transformed by digitalization. Today, many organizations rely on artificial intelligence–enabled systems in candidate screening and evaluation stages. CV-screening algorithms, video interview analytics tools, and automated scoring mechanisms increasingly shape decisions such as shortlisting, interview invitations, and candidate rejection through data-driven models.

18 November 2024

Standard Contract Notification Obligation and Penalties

Category KVKK - GDPR

Standart Contract Notification Obligation and Penalties

Significant amendments to Law No. 6698 on the Protection of Personal Data ("KVKK") regarding the transfer of personal data abroad were introduced through Law No. 7499, published in the Official Gazette dated March 12, 2024, No. 32487. Additionally, the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad ("By-Law") was published in the Official Gazette dated July 10, 2024, No. 32598 and entered into force.

30 May 2024

Legal Liability Arising from the Protection of Personal Data

Category KVKK - GDPR

I. Obligation To Protect Personal Data

Personal data is any information relating to an identified or identifiable natural person. This information may be related to the personal values of the person, his/her assets or the physical and social environment in which he/she lives. Although personal data is not a secret most of the time, real persons, as they are social beings, disclose many of their data to other real and even legal persons with whom they are in contact.

13 January 2026

Clarification on the Application Principles of VERBİS Registration Exemptions

Category KVKK - GDPR

With the decision of the Turkish Personal Data Protection Board dated December 25, 2025 and numbered 2025/2393, the application principles regarding exemptions from the VERBIS (Data Controllers' Registry Information System) registration obligation have been clarified. The decision aims to eliminate uncertainties arising from the implementation of the Board's decision dated September 4, 2025 and numbered 2025/1572, which amended the scope of VERBIS registration exemptions.

Pursuant to Article 16 of the Turkish Personal Data Protection Law No. 6698, data controllers processing personal data are required to register with VERBIS. However, the Board may grant exemptions from this obligation based on objective criteria such as the nature and volume of personal data processed, and the characteristics of the data processing activities.

05 August 2024

Amendments to the Law on the Protection of Personal Data No. 6698 Within the Scope of the 8. Judicial Package and the Reflections of it

Category KVKK - GDPR

I- Introduction

As is known, with the 8th Judicial Package accepted in the Grand National Assembly of Türkiye on March 2, 2024, and the Law No. 7499 published in the Official Gazette No. 32487 on March 12, 2024, titled the Law on Amendments to the Criminal Procedure Code and Certain Laws, several amendments were made to the Law on the Protection of Personal Data No. 6698 (the Law).

06 May 2024

Processing of Special Categories of Personal Data in Employer and Employee Relations

Category KVKK - GDPR, Work Life

Law No. 6698 on the Personal Data Protection ("Law") stipulates its purpose in Article 1 titled "Purpose" as follows: “The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.” This provision regulates how personal data will be processed. Personal data is defined as "any information relating to an identified or identifiable natural person" in subparagraph d of Article 3 of the Law. Personal data are divided into special and general categories. In Article 6 of the Law titled "Conditions for processing of Special categories of personal data", special categories of personal data are defined as follows: "Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data."

KVKK - GDPR

1. Introduction

I. Obligation To Protect Personal Data

I- Introduction

Would you like to know more about our services?

Would you like to know more
about our services?