📌 KEY LEGAL DEVELOPMENTS
The Competition Authority concluded its investigation regarding the World Credit Card Program Cooperation Agreements. It was decided that some provisions in these agreements restrict competition under Article 5 of Law No. 4054 on the Protection of Competition.
The Competition Authority completed its investigation into certain companies operating in the cement and ready-mix concrete sector in Aydın province. During the negotiations on 30.04.2025, it was decided that some companies violated Article 4 of Law No. 4054 by fixing prices and/or sharing customers and regions and facilitating such sharing. No violation was found for six companies.
The Competition Authority opened an investigation against seven companies operating in the field crop seeds market. At the meeting on 22.05.2025, it was decided to start an inquiry to determine whether these companies violated Article 4 of Law No. 4054 through regional/customer sharing and exchange of competitively sensitive information.
The Competition Authority published its 2024 Annual Report. The report includes examples of competition violations, assessments of merger and acquisition transactions, the 2024 Merger and Acquisition Outlook Report, and statistics from the last five years, and it shares the Authority's economic analysis activities with the public.
The Competition Authority announced that it has opened an investigation into Coca-Cola Sales and Distribution Inc. following a preliminary inquiry into allegations of exclusivity practices at retail points and exclusion of competitors. The allegations were found serious and sufficient at the meeting held on 22.04.2025.
The Central Bank of the Republic of Turkey published the May 2025 Financial Stability Report. The report includes updated assessments on the real sector’s access to finance and risk dynamics, as well as evaluations of profitability and capital adequacy indicators in the banking sector.
The Ministry of Trade announced intensified market inspections between January and May 2025, inspecting 239,098 firms and 14,206,936 products. As a result, administrative fines totaling 1,225,787,722 TRY were imposed for consumer rights violations, excessive pricing, and unfair commercial practices.
The Ministry of Trade announced a prohibition on sales, advertising, promotion, and brokerage activities related to the retail and e-commerce trade of breast milk. Under Law No. 6563 on Regulation of Electronic Commerce and Law No. 6585 on Regulation of Retail Trade, administrative fines of up to 684,214 TRY per violation will be imposed on individuals or entities violating this ban.
📜 OFFICIAL GAZETTE
The Regulation Amending the Distance Contracts Regulation was published in the Official Gazette No. 32909 dated 24.05.2025. Accordingly, starting 01.01.2026, costs cannot be charged to consumers if the right of withdrawal is exercised, and the right of withdrawal will now also apply to mobile phones, smartwatches, tablets, and computers.
The Law Amending the Enforcement of Penal and Security Measures and Certain Laws was published in the Official Gazette No. 32920 dated 04.06.2025 and entered into force. Under this law, penalties under Article 35, paragraph 2 of the Turkish Penal Code (“attempt to commit a crime”) have been adjusted, increasing the range of prison sentences replacing aggravated life sentences and life sentences. The minimum penalty for intentional injury was raised from 1 year to 1 year and 6 months.
With the amendment published in the Official Gazette No. 32915 dated 30 May 2025, obligations related to online advertisements were added to the Regulation on Real Estate Trade. Furthermore, price increases inconsistent with economic data and without justified reasons are prohibited in advertisements, and intermediaries facilitating such advertisements are banned.
🔒 DATA BREACH NOTIFICATIONS
The explanations in the seven (7) personal data breach notifications submitted to the Personal Data Protection Board are as follows:
Atakaş Çelik Sanayi ve Ticaret A.Ş. and Atakaş Liman İşletmeciliği ve Ticaret AŞ reported unauthorized access detected since 03.05.2025. An email dated 08.05.2025 included personal identity, contact, and private information of employees and former employees. Approximately 1,080 individuals for Atakaş Çelik and 135 for Atakaş Liman were affected. The data included names, photos, contact info, birth dates, parents’ names, and similar personal information.
Christian Dior Couture SA reported unauthorized access to its global CRM database on 26 January 2025. The malicious party threatened to disclose data and demanded ransom. Customers, potential customers, sales consultants, and customer assistants were affected. The number of affected individuals is not yet determined. Data included identity, contact, purchase, job information, and identity verification data.
Adidas Spor Malzemeleri Satış ve Pazarlama A.Ş. reported a cybersecurity incident linked to Adidas group infrastructure on 17.05.2025, where customer data was accessed by third parties. It was determined that Turkish customers were among those affected, with approximately 544,395 individuals impacted. Data included names, emails, gender, birth dates, and phone numbers. Investigation continues.
Manulaş Manisa Ulaşım Hizmetleri Makina Sanayi ve Ticaret A.Ş. reported a ransomware attack on 25.05.2025, affecting 1,268,222 records (the actual number of individuals is lower because of duplicate records). Data included identity, contact, profession, license plate, photo, and health information. Whether data was exfiltrated remains unclear. Affected individuals can get information via Manulaş communication channels.
Richemont İstanbul Lüks Eşya Dağıtım A.Ş. reported a breach detected on 30.05.2025, resulting from unauthorized access to an employee account within Richemont Group between 17–18 January 2025. 25,737 customers were affected. Data included names, emails, countries, customer IDs, and birth dates. The Board decided on 03.06.2025 to publicly announce the notification on its website.
İstanbul Gedik University reported unauthorized access to a data processor acting on its behalf between 13–14 May 2025, affecting 23,269 people (employees, users, students) with 209,421 records compromised. Data included names, surnames, usernames, masked Turkish IDs, emails, institution info, and traffic data. The Board decided on 03.06.2025 to publish the notification on its website.
TCO Turkey Mücevherat Ticaret Limited Şirketi reported unauthorized access to systems of its US-based affiliate Tiffany and Company between 12.05.2025 and 16.05.2025, detected on 04.06.2025. Affected groups include company employees and customers. The number of individuals and records is being determined. Data involved names, contact info, titles, management details, usernames, hashed passwords, and company directory data. Ongoing investigations suggest personal data of customers, including names, contact info, age, sales data, and gender, may also be affected.