The Turkish Constitutional Court Intervention in Personal Data Protection Board Decision: Offences Cannot Be Broadened Through Administrative Interpretation

The Turkish Constitutional Court's ("the TCC") decision on an individual application dated January 27, 2026, and numbered 2020/32193, published in the Official Gazette on June 16, 2026, contains important assessments regarding the principles of personal data protection law and administrative law. The decision sets limits on the administrative fines imposed by the Personal Data Protection Board ("Board") in recent years through guidelines and expansive interpretations.

In the case in question, an insurance company processed personal data that was publicly available online for the purpose of preparing a quotation. Following a complaint by the data subject, the Board imposed an administrative fine on the company on the grounds that the purpose of processing the data was contrary to the intention of the person who had made the data publicly available, and that this constituted a breach of the data security obligations set out in Article 12 of the Personal Data Protection Law No. 6698 (“PDPL”). The essence of the dispute, which was brought before the courts by the company and ultimately reached the TCC, centres on whether the criterion of compliance with the intention to disclose—which is not explicitly set out in the law—can be established as an element of an offence based on the wording contained in the guidelines published by the Personal Data Protection Authority (“the Authority”) and on administrative interpretation.

In its ruling, the TCC, referring to the provision in Article 4(2) of the Misdemeanours Act stating that ‘the type, duration and amount of penalties for misdemeanours may only be determined by law’, reiterated that the power to impose penalties lies exclusively with the legislature. It was emphasised that, as in criminal law, the prohibition on analogy applies in the law of minor offences, and that the administration cannot, through interpretation, expand the scope of an existing minor offence. According to the TCC, the legislature has defined a limited number of types of minor offences within the PDPL and has deliberately structured the legislation so that not every breach of the regulations results directly in an administrative fine. In this context, the Board’s practice to date of penalising virtually every alleged breach of the law by subsuming it under Article 12 (data security obligations)—which functions as an open-ended ‘catch-all’ provision—has been found to be contrary to the fundamental principles of criminal law. Indeed, whilst the legislator explicitly opted to require an intention to disclose in the 2024 amendments to the PDPL for special-category personal data (Articles 5 and 6(3)(c)), the Board’s attempt to infer such an intention through interpretation in relation to general-category data has been assessed as an interference with legislative authority.

Another important aspect of the ruling concerns the legal binding force of the guidelines published by the Authority. The Authority’s guidelines are atypical regulatory acts of a ‘soft law’ nature that provide guidance to data controllers. The TCC has found that using the principles or administrative interpretations contained in these guidelines as a direct basis for criminal sanctions is contrary to the principle of legality in criminal matters, as set out in the first paragraph of Article 38 of the Turkish Constitution. In its ruling, the TCC stated that the diversion of the guidelines from their primary function—and their use as a punitive norm, almost like a regulation or a statute—undermines the formal requirements and the hierarchy of norms.

This decision by the TCC has given rise to interpretations suggesting that a comprehensive reform of administrative offences is necessary in the implementation of the PDPL, in line with the European Union’s General Data Protection Regulation (GDPR). It is considered that the TCC’s decision is significant not only for the Personal Data Protection Authority but also for all regulatory and supervisory authorities that issue guidelines and manuals to facilitate the application of statutory provisions subject to sanctions. In light of the TCC decision we have examined, it is essential that regulatory and supervisory bodies ensure compliance with the rule of law in their work on guidelines and manuals.

AUTHORS

Nuri Melih İnce

Osman Tuna Kısaoğlu