MEF CEO Dario Betti shares news of the 2024 Annual Report issued by the Turkish Data Protection Authority which outlines a snapshot of regulatory trends relevant to the international mobile ecosystem, and shares the key takeaways for companies operating in Turkey.
As data becomes the new infrastructure of the digital economy, regulatory enforcement and compliance expectations around personal data protection continue to evolve globally. Turkey’s Personal Data Protection Authority (KVKK) has published its 2024 Annual Report, offering a comprehensive snapshot of enforcement trends, compliance metrics, and institutional priorities under Law No. 6698 on the Protection of Personal Data (DP Law).
For stakeholders in the mobile ecosystem—ranging from messaging platforms and telecom operators to fintech and health tech startups—this report provides essential regulatory signals. It not only outlines the operational footprint of the Authority but also offers a data-driven understanding of cross-border transfers, complaints, fines, and registry compliance. This blog breaks down the most important takeaways and offers practical recommendations for companies operating in or serving the Turkish market.
1. Cross-Border Data Transfers: A Rising Bar for Compliance
One of the most significant developments in 2024 was the operationalization of Standard Contractual Clauses (SCCs) following amendments to Article 9 of the DP Law. Since September 2024, 1,364 SCCs have been reported to the Authority, signaling strong market adoption of this mechanism to facilitate lawful international data transfers.
Meanwhile, 90 applications for data transfer permissions under the older “undertaking” mechanism were submitted. Of these, only 10 received approval, while 76 were rejected. This high rejection rate underscores the Authority’s stringent interpretation of adequacy and accountability in cross-border data governance.
The Authority’s report offers a clear direction: greater transparency, user empowerment, and international alignment are the pillars of Türkiye’s evolving data governance model. As KVKK aligns itself more closely with GDPR-like principles, organizations must embrace a privacy-by-design approach and elevate their internal compliance programs.”
MEF Guidance: If your business involves international data flows—particularly if you’re routing data between Türkiye and the EU or other third countries—ensure you have up-to-date SCCs in place and maintain detailed documentation to demonstrate compliance.
2. Violation Reports and Complaints: What Users Are Reporting
In 2024, the Authority received 8,275 new complaints and violation reports through various digital and traditional channels. Including applications from previous years, nearly 9,849 petitions were reviewed, of which 8,372 were concluded. However, 60% of new applications were rejected due to procedural errors—highlighting a widespread lack of clarity among users about complaint filing protocols.
Among valid complaints:
- 55% related to unlawful processing of personal data,
- 18% concerned unauthorized sharing with third parties,
- 16% involved spam SMS or calls.
The most reported sectors included telecommunications, media, and services, showing clear public concern about how mobile and digital services handle personal data.
MEF Insight: Companies operating mobile platforms in Türkiye must ensure transparency, legal basis articulation, and consent management in their data handling practices. Implementing visible user controls and clear privacy policies can mitigate both complaints and reputational risk.
3. Enforcement in Numbers: Administrative Fines Cross TRY 550 Million
The Authority imposed fines on 862 data controllers, totalling TRY 552 million (~$18 million USD). The breakdown is instructive:
- TRY 421.9 million for failing to register with VERBIS;
- TRY 88.3 million for issues related to data breach notifications;
- TRY 41.9 million for violations revealed through user complaints.
This data confirms what many privacy professionals suspected: non-registration and delayed breach notifications are high-risk areas for enforcement.
Action Point: If your organization has not registered with VERBIS or reviewed its breach reporting protocols, now is the time. The Authority is clearly prioritizing basic compliance hygiene as a foundation for broader accountability.
4. Data Breaches: Disclosure Still Incomplete
A total of 289 data breach notifications were received by the Authority in 2024. As of year-end:
- 93 were concluded;
- 63 were publicly disclosed;
- 196 remained under review.
More than 90% of breach notifications came from domestic entities, suggesting that local data controllers are either more exposed or more aware of notification obligations.
MEF Recommendation: Mobile service providers, especially those processing payment, health, or communication data, should ensure they have incident response plans aligned with KVKK timelines. Incomplete or delayed disclosures can lead to compounding fines and reputational harm.
5. VERBIS: Volume Growth, but Compliance Gaps Persist
VERBIS—the national registry for data controllers—received 234,579 applications by the end of 2024. Of these:
- 194,867 were approved;
- 7,861 were rejected;
- 31,851 remained under review.
Rejections were primarily due to incomplete or inaccurate information, often from local entities. In addition, 8,400 update requests were processed, and the system logged over 1.8 million registry queries—indicating a growing public interest in who holds their data.
Compliance Note: VERBIS isn’t just a bureaucratic requirement; it’s a transparency tool. Ensure that registry entries are accurate, current, and reflect your actual data processing activities.
Building a Future-Proof Data Compliance Strategy in Türkiye
The Authority’s report offers a clear direction: greater transparency, user empowerment, and international alignment are the pillars of Türkiye’s evolving data governance model. As KVKK aligns itself more closely with GDPR-like principles, organizations must embrace a privacy-by-design approach and elevate their internal compliance programs.
Here are five practical steps MEF recommends for businesses operating in Türkiye:
- Audit your cross-border data flows and establish updated SCCs if applicable.
- Educate internal teams on proper complaint-handling procedures and public engagement.
- Align your VERBIS registration with real-world data processing and update it as operations change.
- Ensure breach preparedness by establishing or testing a formal incident response plan.
- Monitor enforcement trends and sector-specific risks through local counsel or MEF briefings.
Conclusion
The 2024 Annual Report is not just a retrospective—it’s a regulatory roadmap. For MEF members and mobile ecosystem participants, staying ahead of these developments will be key to building trust, enabling innovation, and avoiding costly missteps in one of the region’s most dynamic digital markets.
