Compliance Quarterly Türkiye

Global

EU AI Act comes into force: What businesses need to know 

Read the full article: "EU AI Act comes into force: What businesses need to know."

EU Digital Operational Resilience Act (DORA) update by the Dutch Authority for the Financial Markets (AFM)

Learn more about the Digital Operational Resilience Act (DORA).

NIS2: End of 2024 marked the date when EU member states must begin to comply with the Network and Information Security Directive (NIS2)

 Read the full article: "NIS2."

Revised Product Liability Directive entered in the EU's statute book

Read the full Inside Tech Law blog, "Revised Product Liability Directive (introducing rules on strict liability for AI and other software) entered in the EU's statute book."

Deployment of artificial intelligence (AI) in company secretarial and governance functions: Opportunities and risks

Read the full Inside Tech Law blog, "Artificial Intelligence: deployment in company secretarial and governance functions."

Türkiye

Türkiye establishes AI Research Commission

The draft Artificial Intelligence Law was submitted to the Grand National Assembly of Türkiye, aiming to address the safe, ethical and fair use of artificial intelligence (AI) technologies, to address the protection of personal data, prevent the violation of privacy rights and to establish a regulatory framework for the development and use of AI systems. 

In the European Union, the “Regulation (EU) No 2024/1689 laying down harmonized rules on artificial intelligence and amending Regulations,” which sets out the rules on the placing of artificial intelligence systems on the market, putting them into service and prohibiting certain applications, came into force on August 1, 2024, establishing the world’s first comprehensive regulation the Artificial Intelligence Act (AI Act) and introducing a detailed regulation covering AI systems developed or used within the EU.

Türkiye has also made a step in that direction. The Decision of the Grand National Assembly of Türkiye (TBMM) on the Establishment of a Parliamentary Research Commission to Determine Steps to Achieve the Benefits of Artificial Intelligence, Establish the Legal Infrastructure in this Field, and Define Measures to Prevent the Risks Associated with the “Use of Artificial Intelligence” was published in the Official Gazette, issue 32683, on October 5, 2024. 

Considering that Türkiye has been following the developments in Europe, particularly in the fields of data protection, information technology and technology law, it is likely that the work to be conducted by the commission will be based on European legislation and developments. Türkiye is expected to enact a law on AI in 2025 and complete the objectives set out in the action plan, which was previously put into practice with the Presidential Circular No. 2021/18, setting out a long-term roadmap for AI. This has been updated as the National Artificial Intelligence Strategy 2024-2025 Action Plan in line with the 12^th Development Plan, considering the developments and country’s needs.

For more information, read our article: "Legal developments on Artificial Intelligence in 2024."

Personal Data Protection Authority Publishes Information Note on Chatbots

The Personal Data Protection Authority (Authority) published an Information Note on Chatbots (Example: ChatGPT) (Information Note) on its official website on November 8, 2024, which defines AI-powered chatbots as software that can simulate human conversations to communicate with end users. Accordingly, these systems pose significant risks to personal data security due to their need to process copious amounts of data to achieve high performance. 

Transparency is crucial for personal data security in chatbots. According to the Information Note, users must be clearly informed before their data is collected about how and for what purposes their data will be used, with whom it will be shared and how long it will be retained. This is a critical step in increasing users’ control over their personal data. During the development of chatbots, risk assessment, accountability principle, lawful data processing, obligation to inform and technical/administrative measures should be considered. 

For more information, read our article: "Artificial Intelligence Chatbots and Personal Data Protection."

A Cooperation Protocol is signed between the Personal Data Protection Authority and the Ministry of Trade

The rapid development of digitalization worldwide has led to changes in various fields, including marketing, sales and advertising. Traditional methods used in these areas have been replaced by digital advertising and applications. In digital environments, a large amount and variety of data are used in targeted advertising and deceptive commercial design processes, which are based on personal data and aimed at consumers. This data is used for accuracy and consistency in the advertisement directed at the target individual and to conduct advertising activities according to their level of interest and engagement. However, this practice presents risks related to personal data, as it enables decisions to be made about individuals and makes them identifiable. 

In order to raise awareness about targeted advertising and deceptive commercial design practices across all segments of society, monitor international regulations and practices related to the use of personal data in digital advertising and applications and develop joint policies against existing or potential violations, a cooperation protocol has been signed between the Ministry of Trade’s General Directorate of Consumer Protection and Market Surveillance and the Personal Data Protection Authority. The protocol aims to increase consumer awareness regarding digital advertising and applications and strengthen consumers’ control over their personal data.

Updated penalties on the Personal Data Protection Law

The administrative fines foreseen under the Personal Data Protection Law No. 6698 to be applicable for 2025 are determined as follows:

• For those who do not fulfil the obligation to inform provided for in Article 10, an administrative fine of ₺68,083  – ₺1,362,021 shall be imposed
• For those who do not fulfil the obligations related to data security provided for in Article 12, an administrative fine of ₺204,285 TL – ₺13,620,402 shall be imposed
• For those who do not fulfil the decisions issued by the Personal Data Protection Board pursuant to Article 15, an administrative fine of ₺340,476 – ₺13,620,402 shall be imposed
• For those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification provided for in Article 16, an administrative fine of ₺272,380 – ₺13,620,402 shall be imposed
• For those who do not notify the Personal Data Protection Authority within five days from the signing of the standard agreement, an administrative fine of ₺71,965 TL – ₺1,439,300 shall be imposed 

For more information, read our article: "Personal Data Protection Law – Updated Penalties."

Public Announcement on the Standard Contract Notification Module

As one of the appropriate safeguards for transferring personal data outside of Türkiye under Article 9 of the Law on the Protection of Personal Data No. 6698, the Personal Data Protection Authority (Authority) published the Public Announcement on the Standard Contract Notification Module (Public Announcement) on October 25, 2024.

The standard contract must be submitted to the Authority physically or via registered electronic mail (KEP) address or other methods determined by the Board within 5 business days upon its execution. However, pursuant to the decision of the Personal Data Protection Board dated October 17, 2024 the submission can also be made through the Standard Contract Notification Module.

For more information, read our article: "Public Announcement on the Standard Contract Notification Module."

Information Note on the Personal Data Processing Requirement Stipulated under the Laws

The Personal Data Protection Authority (Authority) published the Information Note on the Personal Data Processing Requirements When Processing Is Provided for by the Laws (Information Note) on August 5, 2024. Pursuant to Article 5/2-a of Protection of Personal Data No. 6698 (LPPD), personal data may be processed without explicit consent if the processing is expressly stipulated under the laws. The Authority has examined such exception provided under Article 5/2-a of LPPD in accordance with Turkish Law and EU Law.

As the right to request the protection of personal data is regulated under Article 20 of the Constitution of the Republic of Türkiye and fundamental rights and freedoms may only be limited by laws, the Information Note first distinguishes between legislative and administrative regulation when determining the scope of the exception meant under Article 5/2-a. Accordingly, personal data may be processed only if there is an express provision in any law or if an express provision is directed to a secondary legislation.

It is also noted under the Information Note that the phrase “express” should be interpreted broadly. For example, the processing of employees’ data, such as bank account numbers and social security numbers, to enable the employer to pay employees’ salaries, would fall within this scope. The Information Note also makes a comparison with the EU General Data Protection Regulation (GDPR) where, unlike the LPPD, the data processing condition of “expressly stipulated under the laws” is not regulated separately and only covered under the scope of “fulfillment of the legal obligation of the data controller.”

For more information, read our article: "Personal Data Processing Requirement."