📌 KEY LEGAL DEVELOPMENTS

The Competition Authority decided that companies operating in the elevator maintenance and repair sector in Niğde province violated Law No. 4054 on the Protection of Competition through price fixing and customer allocation and imposed an administrative fine with a 25% reduction applied.

The Sustainability Audit Regulation, published in the Official Gazette dated January 17, 2025, entered into force. Accordingly, the principles of auditing, auditors’ obligations, and applicable administrative sanctions have been regulated.

The Digital Operational Resilience Act (“DORA”), which came into effect on January 16, 2023, began to be applied as of January 17, 2025. DORA aims to strengthen the cybersecurity of institutions such as banks, insurance companies, and investment firms in the financial sector and to ensure resilience against serious operational disruptions.

The Austrian Data Protection Authority fined a diagnostic laboratory company processing health data €5,000 for appointing the company general manager as the Data Protection Officer and launched an ex officio investigation because the appointment was not reported to the Austrian Data Protection Authority.

📜 OFFICIAL GAZETTE

The Constitutional Court’s decision dated September 18, 2024, application no. 2020/25268 relates to allegations of violation of the right to respect for private life and freedom of communication linked to effective application rights, due to the rejection of a compensation claim filed for the failure to destroy and public disclosure of records obtained by monitoring telecommunications. The applicant was investigated in 2011 for alleged connections to a terrorist organization, and a communication monitoring order was applied. In 2015, it was decided not to prosecute and to destroy the communication records. However, the applicant claimed the records were unlawfully retained, sent to other courts, and uploaded to the national judicial database (UYAP). The applicant was awarded 1,500 TRY in non-pecuniary damages in a lawsuit concerning the prolonged monitoring period before the Istanbul 1st Heavy Penal Court. However, the compensation claim related to failure to destroy the records was first dismissed for lack of jurisdiction and then on the merits. The Constitutional Court found that the applicant’s claims regarding late destruction and disclosure of communication records were not effectively examined. As a result, it ruled for a retrial to remedy the violation but rejected the compensation claim.

🔒 DATA BREACH NOTIFICATIONS

In a personal data breach notification made by the Rectorate of Trabzon University to the Personal Data Protection Board, it was stated that some personal information of personnel and students belonging to the university was put up for sale by cyber attackers on illegal online platforms. The breach was reported to have started on January 1, 2025, and was detected on January 6, 2025. The affected personal data categories include identity information (full name, Turkish ID number, date of birth, mother and father’s name, place of birth), contact data (email addresses, phone numbers, work and mobile numbers), personnel records (corporate registration number, title, files containing teacher and student class schedules), and location data. Additionally, the total number of affected records was reported as 25,237.