06 March 2026

New Principle Decision from the Turkish Data Protection Authority on Loyalty Programs: Six-Month Compliance Period for Data Controllers

The Personal Data Protection Board's (Kişisel Verileri Koruma Kurulu) Principle Decision No. 2026/266 (In Turkish), published in the Official Gazette dated February 28, 2026 and numbered 33182, has significantly clarified both the legal nature of loyalty card programmes and the obligations incumbent on data controllers.

23 February 2026

What Is E-Vizite? How to Submit the SSI E-Vizite Notification?

Category Work Life

When employees obtain a medical report due to illness, an occupational accident, or maternity, this situation affects not only human resources processes, but also SSI notification obligations, payroll calculations, and the temporary incapacity benefit process directly.

20 January 2026

What Is a Withholding Tax Return? When Is It Submitted?

Category Work Life

The withholding tax return is a declaration through which employers and tax withholding agents report, on a collective basis, the income tax withholdings deducted from various payments made within a month (or a quarter). As of 2020, the withholding tax return and the Social Security Institution (SSI) “Monthly Contribution and Service Document” were consolidated into a single form, and the practice has been carried out under the name Withholding Tax and Social Security Contribution Service Return (MPHB / MUHSGK). Accordingly, wage withholding tax and social security contribution and service information are submitted electronically within the same return. In this article, we answer practical questions such as what “muhtasar” means, what the withholding tax return is, when it is submitted, how it is prepared, and what the withholding tax return codes are.

04 March 2026

What Is Quishing? QR Code–Based Phishing and an Assessment from a Data Protection Law Perspective

Category KVKK - GDPR

QR code technology has become one of the key tools of the digital economy. From restaurant menus to public services, from e-commerce to financial transactions, QR codes are used across a wide range of contexts and—because they are fast and practical—have become a natural part of user behaviour. However, this widespread adoption also creates an exploitation ground with a low level of suspicion from the attacker’s perspective.

In its Information Note dated 26 February 2026 titled “The Risk Coming with QR Codes: Quishing” (“Information Note”), the Turkish Data Protection Authority (“KVKK”) examines phishing attacks carried out via QR codes in detail and assesses this threat from a personal data security perspective. The Information Note clearly demonstrates that the issue is not merely a technical cybersecurity risk; it is also an area that must be addressed directly within the scope of data protection law.

17 February 2026

What Are 4A/4B/4C Insurance Types? Who Do They Cover?

Category Work Life

In Türkiye, the social security system aims to provide protection against risks that every employee may encounter throughout their lifetime. (such as illness, unemployment, old age, disability, death, etc.)

The institutional framework of this system is established under Law No. 5502 on the Social Security Institution (SSI) and Law No. 5510 on Social Insurance and General Health Insurance, and as of 2004, the former systems of the Social Insurance Institution (SSK), the Social Security Organization for Artisans and the Self-Employed (BAĞ-KUR), and the Pension Fund were consolidated under a single institutional structure.

14 January 2026

2026 İŞKUR (Employment Agency) On-the-Job Training Program and Wages

Category Work Life

What is On-the-Job Training Program?

İŞKUR (Employment Agency) on-the-job training program aims to reduce unemployment, to reinforce the professional knowledge of the unemployed candidates registered on İŞKUR, to learn and develop by experiencing the work and production processes. With the on-the-job training program, employers can have the opportunity to review the performances of the candidates for a certain period of time to employ qualified workforce, and they also have the opportunity to save on the cost of searching for new employees.

24 February 2026

Artificial Intelligence in Recruitment Processes and the Protection of Personal Data

Category KVKK - GDPR, Work Life, Technology

Recruitment processes have become one of the areas most rapidly transformed by digitalization. Today, many organizations rely on artificial intelligence–enabled systems in candidate screening and evaluation stages. CV-screening algorithms, video interview analytics tools, and automated scoring mechanisms increasingly shape decisions such as shortlisting, interview invitations, and candidate rejection through data-driven models.

06 February 2026

2026 SSI Administrative Monetary Penalties

Category Work Life

Administrative monetary penalties imposed by the Social Security Institution (SSI) are not merely "fees for late notifications." In many cases, they trigger a chain of consequences such as the loss of incentive eligibility, increased inspection intensity, disruption of labour cost models, and even the escalation of legal disputes. For this reason, instead of an approach based on "paying the fine and closing the matter," businesses that understand which obligation has transformed into a penalty based on which legal or evidentiary grounds, and that plan their processes accordingly, will be in a far more advantageous position.

13 January 2026

Clarification on the Application Principles of VERBİS Registration Exemptions

Category KVKK - GDPR

With the decision of the Turkish Personal Data Protection Board dated December 25, 2025 and numbered 2025/2393, the application principles regarding exemptions from the VERBIS (Data Controllers' Registry Information System) registration obligation have been clarified. The decision aims to eliminate uncertainties arising from the implementation of the Board's decision dated September 4, 2025 and numbered 2025/1572, which amended the scope of VERBIS registration exemptions.

Pursuant to Article 16 of the Turkish Personal Data Protection Law No. 6698, data controllers processing personal data are required to register with VERBIS. However, the Board may grant exemptions from this obligation based on objective criteria such as the nature and volume of personal data processed, and the characteristics of the data processing activities.