The New Era in Personal Data Protection in 2025: Increasing Obligations, Sanctions, and Corporate Compliance Process – An Examination in the Context of the Private School Sector

  1. The Chain of Responsibility Extending from the Individual to the Institution as the Fundamental Purpose of the Personal Data Protection Law
    The Law on the Protection of Personal Data No. 6698 (“KVKK” or the “Law”) is a framework law that protects the right to respect for private life of the individual and places this right at the center of institutional activities. The Law holds not only public institutions but also all data controllers, from the smallest enterprises to international holdings, responsible for personal data processing activities.
    Article 4 of the Law sets out the principles of lawfulness and fairness, being accurate and, where necessary, kept up to date, processing for specific, explicit, and legitimate purposes, and being relevant, limited, and proportionate to the purpose of processing; Articles 5 and 6 regulate the legal grounds for processing activities and the exceptions for processing special categories of personal data.
    Within this system, private school operators, healthcare institutions, human resources departments, technology, and e-commerce companies are subject to the same chain of fundamental obligations. In this framework, Article 10 of the Law regulates the obligation to inform, Article 12 regulates the obligations related to data security, Article 9 regulates the transfer of personal data abroad, and Article 18 regulates administrative fines.
    Pursuant to these provisions, the responsibility of institutions is not limited to the obligation to protect personal data; it also requires the implementation of the principle of “accountability” at every stage of the data processing activity. Data controllers are obliged to determine the purpose, legal basis, and retention period of each piece of data they collect, to transparently inform the data subjects of this information, to take necessary technical and administrative measures against unauthorized access or data breaches, to transfer data abroad only when necessary and under legal safeguards, and to ensure that all these processes are auditable. Otherwise, severe administrative fines and reputational risks arise pursuant to Article 18 of the Law. Therefore, for institutions, the KVKK has become not only a piece of legislation but also an inseparable part of sustainable corporate governance.
  2. Deepening Obligations and Increasing Sanctions Introduced by the 2025 Guidelines

2.1. New Standards Introduced by the 2025 Guidelines
The Personal Data Protection Authority (“the Authority”) published two significant guidelines in 2025:

  • Guideline on the Transfer of Personal Data Abroad, published on 02.01.2025: This guideline clarifies the implementation of the amendments made to Article 9 of the KVKK at the end of 2024 and allows data controllers to transfer data abroad based on standard contractual clauses containing the matters announced by the Board. This guideline serves as a roadmap, particularly for entities using international cloud-based services or having foreign parent companies.
    The guideline comprehensively regulates the main transfer mechanisms, such as adequacy decisions, appropriate safeguards (standard contractual clauses, binding corporate rules, undertakings), and exceptional circumstances. It emphasizes that in common scenarios such as shared systems among group companies, cloud service providers, or data sharing with foreign business partners, the provisions on cross-border transfers must be applied.
    In cases where no adequacy decision exists and none of the appropriate safeguard mechanisms can be implemented, personal data may be transferred abroad only under the exceptional circumstances listed in paragraph 6 of Article 9 of the Law and only if the transfer is incidental (one-off) in nature. These exceptions include: the explicit consent of the data subject; necessity of the transfer for the performance of a contract between the data subject and the data controller or for pre-contractual measures; necessity for the conclusion or performance of a contract concluded in the interest of the data subject with a third party; existence of an overriding public interest; necessity for the establishment, exercise, or protection of a right; necessity for the protection of the life or physical integrity of the data subject or another person; and obtaining personal data from a public register under the conditions prescribed by law.
    The requirement of incidental nature means that the transfer does not have a continuous character, is made only once or in connection with a specific event, and does not become a routine part of the data controller’s business processes. Such exceptional transfers may only be used in compulsory and temporary circumstances; they are not valid for regular or systematic data transfers. The Board does not consider this method suitable as a permanent transfer model and expects data controllers to implement one of the adequacy decision or appropriate safeguard mechanisms whenever possible.
  • Guideline on the Processing of Special Categories of Personal Data, published on 26.02.2025: This guideline was prepared by the Board to clarify the legal grounds for processing special categories of personal data and to ensure that data controllers act in compliance with the Law.
    According to the guideline, special categories of personal data are strictly limited to those listed in Article 6 of the Law, and this scope cannot be extended by analogy. Therefore, data not explicitly listed in the Law (such as nationality information) is not considered a special category of personal data. On the other hand, data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are included in this scope. Elements such as blood type information within health data are also considered special categories of personal data.
    With the amendments introduced by Law No. 7499, which entered into force in 2024, the distinction between health and sexual life data and other special categories of personal data has been removed, and the circumstances in which all special categories of personal data may be processed without explicit consent have been re-regulated. Accordingly, it has been stipulated that processing may be carried out without explicit consent in cases such as where it is clearly provided for by law, in situations of vital danger, where the data has been made public by the data subject, where it is necessary for the establishment, exercise or protection of a right, for employment relations, occupational health and safety, and the fulfillment of social security obligations. The guideline elaborates on these exceptions with illustrative scenarios, specifying in detail in which cases explicit consent is not required.
    In the final section of the guideline, compliance steps for data controllers are emphasized. Accordingly, institutions processing special categories of personal data must update their data inventories, restructure their explicit consent and information processes, review their retention and destruction policies, and strengthen their technical and administrative security measures.
    In sectors with high volumes of personal data such as education, healthcare, and human resources, these guidelines are of particular importance. Merely obtaining “explicit consent” is no longer sufficient to ensure lawful data processing. The Board now expects institutions and companies to ensure that each data processing activity is secure, traceable, and documented. Within this scope, data controllers must document in writing which data are processed by whom, the access authorizations of these persons, the technical security measures taken (e.g., encryption, access restrictions, antivirus, network security), the log systems recording the actions performed, and the internal policies and procedures governing all these processes.

2.2. Revaluation Rate and Increasing Administrative Fines
As of 2025, the administrative fines regulated in Article 18 of the KVKK have been increased by 43.93% based on the revaluation rate determined each year pursuant to Article 298 (repeated) of the Tax Procedure Law No. 213 (“VUK”). This rate was announced by the Tax Procedure Law General Communiqué (No. 574) published in the Official Gazette dated 27.11.2024 and numbered 32735, and subsequently put into effect by the Authority’s announcement dated 03.01.2025. Moreover, as the revaluation rate for 2026 will be 25.49%, it is anticipated that the amounts for the following year will be as shown below.

Violation                                                                                  | 2025 (TRY)              | 2026 (TRY)
Failure to fulfill the obligation to inform                                                | 68,083 – 1,362,021      | 85,437 – 1,709,200
Failure to fulfill data security obligations                                               | 204,285 – 13,620,402    | 256,357 – 17,092,242
Failure to comply with Board decisions                                                     | 340,476 – 13,620,402    | 427,263 – 17,092,242
Failure to comply with registration and notification obligations to the Data Controllers Registry (VERBIS) | 272,380 – 13,620,402 | 341,809 – 17,092,242
Failure to notify the Authority of standard contracts regarding cross-border data transfers | 71,965 – 1,439,300     | 90,308 – 1,806,177

In addition, the Authority announced that a total of TRY 552,668,000 in administrative fines was imposed in 2024. This increase shows that the KVKK has evolved from being merely an “ethical” framework into a compliance requirement with significant financial consequences.

  3. Current Examples from Different Sectors in Light of the Board’s Decisions

3.1. Principle Decision No. 2025/1072 dated 10.06.2025: Sending Verification Codes via SMS
The Board examined the processing of personal data through SMS verification codes sent during payment or registration processes and the indirect collection of commercial electronic communication consents through such practices. The investigation revealed that many data controllers, under the pretext of “transaction security,” used SMS verification not only for authentication but also to obtain commercial consent or explicit consent, without adequately informing the data subjects.
According to the decision, SMS verification may only be used for security authentication or transaction completion purposes; this process cannot be combined with obtaining explicit consent, commercial communication approval, or membership agreement approval. Furthermore, the obligation to inform and the process of obtaining explicit consent must be carried out separately, and refusal to give consent should not prevent the provision of goods or services.
The Board emphasized that data controllers must comply with the “layered information” principle by clearly stating the purpose of the SMS, the specific transaction for which the verification code is used, and that the service can still be provided even if the code is not given. It should also be clearly indicated that the consent can be withdrawn at any time.
For private schools, this decision provides guidance in designing SMS verification processes used in student registration, parent communication, or online payment systems. For instance, schools should request verification codes from parents solely for purposes such as “secure payment confirmation” or “completion of registration procedures,” while consent for promotions, advertisements, or announcements should be obtained separately through a distinct form or screen. This ensures compliance with the KVKK and validly obtained explicit consent based on informed and free will.

3.2. Board Decision No. 2025/1572 dated 04.09.2025: Exception to VERBIS Registration Obligation
Through this decision, the Board introduced an additional exemption category concerning the obligation to register with the Data Controllers Registry (“VERBIS”). Previously, data controllers employing fewer than 50 employees and having an annual financial balance sheet of less than TRY 100 million, and whose main activity was not processing special categories of personal data, were exempt from registration.
With the new decision, real or legal person data controllers whose main activity is processing special categories of personal data but who employ fewer than 10 employees and have an annual financial balance sheet of less than TRY 10 million are also exempted from registration and notification obligations to VERBIS. These two criteria must be met simultaneously.
With this change, the Board aimed to introduce proportionate obligations for micro-scale enterprises with limited human and financial resources within the KVKK compliance process. However, even though these entities are exempt from VERBIS registration, they remain obliged to fulfill their information and data security obligations under Articles 10 and 12 of the KVKK.

3.3. Decisions Concerning the Education Sector:

  • Decision No. 2021/572 dated 09.06.2021:
    This decision was rendered upon a complaint alleging that a private school used a student’s photograph for promotional purposes without obtaining explicit consent. The complaint stated that a photograph taken during a meeting between the student and teachers was published in the school’s brochures and on its website, without explicit or implied consent from the student or the parent.
    In its defense, the school claimed that the photograph was taken during an event attended by all students, that written permission had been obtained from the parent, and that the photograph was no longer actively used.
    Upon examination, the Board determined that the school had presented a “social media sharing” information and consent form to parents, allowing them to choose whether to grant permission for sharing, and that in this case the parent had signed the consent-giving option. Therefore, the Board concluded that the publication of the photograph was lawful within the scope of explicit consent.
    However, since the student’s enrollment had ended but the photograph remained accessible on the school’s website and the deletion request was not properly addressed, the Board found deficiencies in data retention and destruction processes.
    The Board emphasized that schools must prepare distinct information and consent forms for each sharing medium (brochure, website, social media) and must anonymize or delete visuals belonging to former students.
    This decision clearly sets out the criteria that private educational institutions must follow regarding the scope of explicit consent, data destruction obligations, and the use of promotional images.
  • Decision No. 2023/1461 dated 24.08.2023:
    A complaint was filed against an educational institution alleging that both video and audio recordings were made within the school premises and that these recordings were used as evidence in a notice regarding a rental dispute between the school and the lessor. The complaint claimed that the recordings were made without the explicit consent of the individuals concerned and violated both the KVKK and Article 133 of the Turkish Penal Code.
    In its defense, the school stated that camera systems were installed for security purposes, that these systems were located in common areas, and that recordings were made in the founder’s office for security and evidentiary purposes, including audio recordings to prove rent payment.
    The Board determined that the Ministry of National Education’s Private Educational Institutions Regulation permits only video recordings, with no legal basis for audio recordings. The Board found that while video recording may be lawful and proportionate for security and occupational safety purposes, additional audio recording violates the principle of relevance, limitation, and proportionality, and exceeds the reasonable expectations of individuals.
    The Board held that the audio recording had no lawful basis under Article 5 of the Law and therefore constituted unlawful data processing. Conversely, video recording alone may rely on legitimate interest or legal obligation provisions, provided the obligation to inform is fulfilled.
    Since the school failed to prove compliance with the obligation to inform, the Board imposed an administrative fine of TRY 200,000 for violating Article 12 (data security obligations) and TRY 30,000 for violating Article 10 (obligation to inform), totaling TRY 230,000. The Board also ordered the deletion of unlawfully obtained audio data, notification of the data subjects, and reporting the outcome to the Authority.
    Ultimately, the Board emphasized that camera systems in educational institutions must serve only security purposes, that audio recording can never fall within legitimate interest or legal obligation grounds, and that the obligation to inform must always be fulfilled clearly and demonstrably.
  • Decision No. 10162731 dated 10.07.2025 – Italy:
    The Italian Data Protection Authority (Garante) imposed a EUR 10,000 administrative fine in 2024 on a private educational institution for publishing photos depicting children’s private moments on its website and Google Maps profile. Although the institution relied on consent forms signed by parents, the Authority emphasized that parental consent cannot override the child’s best interests. It determined that the photographs exposed children to serious risks, and that obtaining consent from only one parent or including expressions such as “mandatory for admission” in consent forms invalidated the consent.
    The decision also found violations where the institution’s CCTV system continuously recorded both video and audio and where the manager was simultaneously appointed as the Data Protection Officer. The Authority ordered the removal of all photos from online platforms.
    This decision demonstrates how stringent the approach to protecting children’s personal data has become in Europe. Considering that Turkey’s KVKK practices are increasingly aligning with EU standards, private educational institutions in Turkey must ensure that the sharing of children’s photographs complies not only with explicit consent requirements but also with the principle of the best interests of the child.
  4. Recommendations and Roadmap for Corporate Compliance in Light of Recent Developments
  1. Updating the data inventory: For each processing activity, the purpose, legal basis, data category, recipient/transfer, retention period, and destruction method must be determined. This information should be regularly updated for both VERBIS registration and internal audit processes.
  2. Reconstructing information texts: The obligation to inform must be fulfilled through layered and comprehensible texts specific to each processing activity. If explicit consent is required, it must be obtained independently of the information process, on a specific matter, and based on free will, and mechanisms for withdrawal of consent must be established.
  3. Establishing a separate security protocol for special categories of personal data: Pursuant to the 2025 “Guideline on the Processing of Special Categories of Personal Data,” additional technical and administrative measures must be implemented for health, biometric, and similar data. Access limitation, authorization matrices, access logs, encryption, retention–destruction policies, and confidentiality undertakings constitute the minimum security measures.
  4. Reviewing camera and monitoring policies: Camera monitoring activities must be carried out solely for legitimate purposes such as security, occupational safety, and protection of facility order, and in accordance with the principle of proportionality. Audio recording, unless justified under any data processing condition of Article 5 of the Law, constitutes an excessive interference with privacy and is unacceptable. The obligation to inform regarding such systems must always be fulfilled, and the location of cameras, retention period, access authorizations, and deletion policy must be determined in writing and all processes documented.
  5. Designing digital verification processes based on the principle of proportionality.
  6. Determining the mechanism for cross-border data transfers: Pursuant to Article 9 of the Law, data transfer abroad is permissible only where an adequacy decision, appropriate safeguards (standard contract, binding corporate rules, undertaking approved by the Board), or exceptional circumstances exist. If a standard contract is signed, it must be notified to the Authority within the prescribed period.
  7. Implementing the retention and destruction policy: A “Data Retention and Destruction Policy” must be established within the institution, and periodic deletion, destruction, and anonymization processes must be documented.
  8. Strengthening contracts with data processors.
  9. Managing data subject applications and responses in compliance with the Law.
  10. Establishing a data breach notification procedure: The timeframe and content for notifications to the Authority and data subjects in the event of a data breach must be predetermined.
  11. Ensuring employee awareness: Employees must be provided with regular KVKK training according to their job descriptions. Additional awareness modules should be prepared for HR, health, and education units.
  12. Internal audit and technical controls: Sampling checks of access logs, authorization reviews, security tests, and the preparation of annual audit reports must be carried out.
The year 2025 has ushered in a new era in personal data protection law. Increasing administrative fines, updated guidelines, and the Board’s steadily expanding scope of application are steering enterprises of all sizes toward a measured, auditable, and documented data-processing structure.

From private schools to hospitals, from technology start-ups to manufacturing facilities, the message to all institutions is that the protection of personal data is not merely a matter of technical compliance; it stands as an indicator of corporate reputation, legal responsibility, and sustainability.
