The 2024 Annual Report (“Report”), issued by the Personal Data Protection Authority (“Authority”), outlines the regulatory activities of the Authority under Law No. 6698 on the Protection of Personal Data (“DP Law”), based on statistical data.
The Report outlines the institutional structure, duties, powers, and responsibilities of the Authority, as well as the activities carried out in line with the objectives and targets set under high-level policy documents and the 2024–2028 Strategic Plan adopted by the Authority.
In addition, the Report includes statistical analyses regarding enforcement actions implemented during the year and ongoing legal proceedings, as well as legal assessment and review processes; along with numerical data concerning registration procedures within the Data Controllers’ Registry Information System (“VERBIS”), personal data breach notifications, and cross-border data transfer mechanisms. Furthermore, awareness-raising events, training activities, cooperation initiatives conducted with public institutions and the private sector, and publications such as guidelines and information notes shared with the public in 2024 are also covered in the Report.
Key statistical data relating to the regulatory activities addressed in the Report are presented below.
1. Cross-Border Data Transfer Mechanisms
Throughout 2024, a total of 90 applications were submitted to the Authority through the undertaking mechanism, one of the cross-border personal data transfer tools regulated under Article 9 of the DP Law. Among these, 86 applications have been reviewed, while the evaluation of 4 applications is still ongoing. As a result of the completed reviews, data transfer permission was granted for 10 applications, whereas 76 applications were rejected.
Following the amendments to the DP Law, which entered into force in March 2024, a new procedure of requiring the execution of Standard Contractual Clauses (“SCCs”), one of the appropriate safeguards for continuous international data transfers, has been introduced under the revised Article 9, which became applicable in September 2024. Within this framework, a total of 1,364 SCCs signed between transfer parties since September 2024 have been notified to the Authority.
2. Statistics on Violation Reports and Complaints
In 2024, a total of 8,275 violation reports and complaints were submitted to the Authority through various channels, including postal mail, the e-Complaint Portal, and the Presidential Communication Center (CİMER). 60% of these applications were rejected on the grounds that they did not meet the procedural requirements. Including applications carried over from previous years, the total number of petitions reviewed reached 9,849, of which 8,372 were concluded. Among the concluded applications, 31% were assessed to fall outside the scope of the DP Law, 4% revealed no violation, 2% resulted in administrative fines imposed on data controllers, and 1% led to instructions being issued.
Of all submissions, 55% concerned the unlawful processing of personal data by data controllers, 18% related to the unlawful sharing of personal data with third parties, and 16% involved unsolicited SMSs or phone calls. In terms of sectoral distribution, the services, media, and telecommunications sectors were the most frequently reported.
3. Imposed Administrative Fines
According to the Report, a total of 862 data controllers were subject to administrative fines imposed by the Authority in 2024. The violations leading to these fines are distributed as follows:
- Related to complaints and notifications: TRY 41,907,101
- Related to data breach notifications: TRY 88,384,000
- Related to non-compliance with the obligation to register with and notify the VERBIS: TRY 421,897,000
The total amount of administrative fines imposed was recorded as TRY 552,188,101.
4. Data Breach Notifications in 2024
The Report indicates that a total of 289 data breach notifications were submitted to the Authority in 2024. Of these, 93 notifications were concluded, and 63 were publicly disclosed. As of the end of the year, 196 cases remained under review.
The majority of these notifications originated from Türkiye, with over 90% submitted by domestic data controllers. In this context, it has been observed that the notifications submitted throughout 2024 predominantly concerned data controllers established in Türkiye.
5. Overview of Applications to VERBIS
As of the end of 2024, a total of 234,579 applications were submitted to VERBIS. Among these, 194,867 applications were approved, 7,861 were rejected, and 31,851 were under review. An analysis of the rejected applications indicates that the vast majority were submitted by data controllers established in Türkiye.
Throughout the year, 8,400 application update requests were processed, and the number of queries made through the VERBIS website regarding registered data controllers exceeded 1.8 million.
You can access the full text of the Report here.
