LEGAL ACCOUNTABILITY OF SOCIAL MEDIA PLATFORMS IN CASES OF USER DATA LEAKAGE

I. INTRODUCTION

Social media platforms increasingly permeate significant aspects of users’ digital lives; consequently, user data is being collected in increasingly diverse and comprehensive ways. Such data is not limited solely to information directly provided by users but also encompasses behavioral data both within and outside the platform, as well as device-related information.

The processing of personal data encompasses the broad activities of collecting, storing, and protecting individuals’ identity information, habits, preferences, and other sensitive details in digital environments. With the accelerating pace of digitalization and the widespread use of the internet today, the secure processing of personal data has gained critical importance both for safeguarding individuals’ privacy and for ensuring that organizations fulfill their legal obligations. The processing of personal data involves planning and implementing all necessary measures to protect the rights of data subjects, prevent misuse of information, maintain data integrity, and comply with applicable legal regulations. Especially with the widespread adoption of social media, e-commerce, and mobile applications, both the volume and diversity of data have increased, leading to a parallel rise in the complexity and significance of data management. While data management was historically limited to mostly manual methods, today these processes are conducted more systematically and effectively through advanced technologies and professional approaches. However, the continuously growing volume and complexity of personal data in digital environments also bring heightened risks of data breaches and misuse. Therefore, it is of utmost importance that measures for the protection of personal data are continually updated and strengthened.

II. USER DATA

A. Types of Data Collected by Social Media Platforms

Personal data has been defined in legal doctrine as follows: “Personal data is any type of output derived from information such as text, audio, image, or video, regardless of the technological tools or methods used in its processing”1. In parallel with this definition, as social media platforms have increasingly permeated nearly every aspect of users’ digital lives, the types of data collected have also diversified over time. This data extends beyond information explicitly and consensually submitted by users and also encompasses behavioral patterns both within and outside the platform, as well as metadata obtained from the technical configurations of users’ devices.

Firstly, personal identification data provided by users during the account registration or profile modification processes is involved. This category includes information essential for identity verification, such as full name, email address, date of birth, gender, and phone number. However, data collection does not cease at this stage. Social media platforms diligently record users’ content-related and interaction data. Information regarding which posts a user likes, comments made, videos watched, accounts followed, groups joined, and individuals messaged contributes to the creation of a detailed profile reflecting the user’s interests, mindset, and social environment. Furthermore, platforms may monitor device-specific and technical data as well as users’ movements in the physical realm. Data such as IP addresses, geolocation, device type and operating system, time spent on the platform, and even browser details are tracked and stored. These data points are critical not only for ensuring the security of the service but also for enabling targeted advertising and behavioral analytics. In summary, while social media platforms ostensibly provide their services free of charge, they in fact collect data that constitute users’ digital identities—data that are processed and transformed into valuable assets.

B. Methods of Collecting User Data

Social media platforms employ various methods to collect the broad range of data mentioned above. The simplest of these methods is the direct input of data by users during account creation or profile updates. However, this represents only the tip of the iceberg. Platforms continuously collect and record behavioral data by monitoring every action users perform on the platform. Even seemingly simple actions, such as liking a post or the duration of video viewing, provide insights into users’ interests. Furthermore, data collection activities are not limited solely to the platform’s own ecosystem. Through tracking technologies such as cookies and pixel tags, information can be gathered about other websites or online stores users visit even after they have left the platform. These data are utilized to infer users’ online shopping habits, the news they consume, and even their political preferences. Additionally, when users log into third-party applications or websites using their social media accounts, this facilitates data sharing between platforms. For instance, when a gaming application requests access to a user’s social media account, it may involve the sharing of personal information and the user’s contact list with that application. Moreover, the widespread use of mobile devices has further simplified data collection through device permissions. With user consent, an application may access the device’s microphone, camera, geolocation, or contact list—granting the platform, at least theoretically, the ability to monitor ambient sounds or track the user’s physical location. All of these methods enable social media platforms to collect user data in a continuous, comprehensive, and multi-channel manner.

III. THE CONCEPT OF DATA BREACH

A. In General

In today’s digital age, data breaches have emerged as one of the most significant risks at both individual and institutional levels. In general terms, a data breach refers to the disclosure of personal data—entrusted to and under the responsibility of an organization—to unauthorized third parties due to various causes such as unauthorized access, intentional and malicious attacks, system vulnerabilities, or human error.

It is important to emphasize that data breaches are not solely the result of technical security failures but also reflect deficiencies in the data governance policies of platforms, the inadequacy of oversight mechanisms, and the presence of unethical practices. When a data breach occurs, it is not only users’ email addresses or passwords that may be compromised, but also their most sensitive categories of personal data—such as geolocation information, private messages, financial records, and even health-related data—may be placed at significant risk. Such exposure may lead to identity theft, fraud, blackmail, and serious invasions of privacy. On the other hand, companies affected by data breaches may suffer substantial financial losses, face legal sanctions, and—perhaps most critically—lose the trust of their users in a manner that is often difficult, if not impossible, to restore. Therefore, the concept of a data breach should not be understood merely as a technological failure; rather, it constitutes a multi-dimensional crisis encompassing legal, ethical, social, and economic implications.

B. Notable Case

Social media platforms have evolved beyond being mere tools for interpersonal communication and have become strategic instruments of influence for states, political parties, and institutions. As articulated in legal and academic doctrine, “State authorities and political party officials use social media as a means to communicate with voters and to reach large audiences quickly and efficiently. Governments and political organizations analyze data obtained via social media to develop effective strategies for future electoral periods” 2. This practice has become increasingly prevalent in today’s digital environment. However, the extensive and multi-dimensional use of social media raises critical concerns regarding the security of the vast quantities of data accumulated on these platforms. Sensitive information—including users’ identity data, political affiliations, location details, and private communications—has become a prime target for malicious actors or organized groups. The following examples illustrate the scope and potential consequences of major data breaches experienced by leading social media platforms in the digital age.

1. Facebook - Cambridge Analytica

The Facebook–Cambridge Analytica case is significant as it demonstrates that data breaches are not merely security violations but can also serve as powerful tools capable of influencing democratic processes. In the incident that occurred in 2018, it was determined that the British political consulting firm Cambridge Analytica accessed the data of millions of users through a “personality quiz” application hosted on Facebook. However, this access was not limited to users who took the quiz but also extended to the data of their friends listed on the platform3. The collected data was utilized in critical political campaigns, such as the U.S. presidential elections and the Brexit referendum, with the aim of understanding and manipulating voter behavior. The exposure of this incident revealed the significant weaknesses in Facebook’s data-sharing policies and led to serious scrutiny regarding the platform’s responsibility to protect user data.

2. TikTok

TikTok, which has hundreds of millions of users worldwide, has frequently come under scrutiny due to concerns regarding data security. The fact that the application is operated by a China-based company has intensified debates surrounding national security and data sovereignty. In 2022, it was alleged that a hacker group had infiltrated TikTok’s servers, obtaining personal information of over two billion users, the platform’s source code, and other sensitive data. Although TikTok has denied these allegations, the incident has raised significant questions about the application’s data security policies and the manner in which user data is stored. Such breaches particularly raise serious concerns regarding the protection of sensitive data belonging to the platform’s primary user base, which consists largely of minors.

3. X

The microblogging platform X has experienced numerous data breaches and security violations in the past. The most notable of these incidents occurred in 2022, when the personal information, including phone numbers and email addresses, of over two hundred million users was compromised through a security vulnerability and offered for sale on illegal forums. It was determined that cybercriminals exploited this vulnerability to gain access to sensitive data via the API Application Programming Interface. This breach highlighted the platform’s API security deficiencies and served as a stark reminder that even on a platform where users share their tweets, their personal contact information is not secure.

IV. LEGAL RESPONSIBILITY OF SOCIAL MEDIA PLATFORMS

A. Situation in Turkish Law

The legal responsibility of social media platforms regarding data breaches is determined by various legal regulations in Turkish law, primarily the Constitution of the Republic of Turkey4 (“the Constitution”) and the Personal Data Protection Law No. 66985 (“the PDPL”), which came into force in 2016. In this context, Article 20 of the Constitution states: “Everyone has the right to request the protection of their personal data. This right includes being informed about personal data concerning oneself, accessing this data, requesting its correction or deletion, and learning whether it is used in accordance with its purpose. Personal data can only be processed in cases prescribed by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data are regulated by law”6. With this provision, the right to the protection of personal data is constitutionally guaranteed.

PDPL does not provide a specific definition for social media platforms, nor does it introduce specific regulations for these platforms; they are considered as “data processors” or “data controllers” to the extent that they process the personal data of their users. Therefore, the obligations of social media platforms regarding the protection of personal data should be addressed within the framework of general provisions, and their activities should be carefully evaluated within the scope of the PDPL provisions. This legal framework clearly sets forth the obligations that platforms must comply with in the processes of collecting, processing, and protecting user data. Turkish law recognizes personal data as a fundamental right that must be protected, aiming to prevent the unlawful processing or leakage of such data. In this context, the legal responsibility of social media platforms extends to a broad area, including both administrative sanctions and compensation liability.

1. PDPL and Social Media Platforms

PDPL regulates the protection of personal data as a fundamental right. Nowadays, the protection of individuals’ privacy and personal secrets has become even more important with technological developments and increasing digitalization. PDPL aims to protect the rights of real persons and regulate the obligations of data controllers in the processing of personal data.

Personal data is any information relating to an identified or identifiable real person7. In this context, data such as name-surname, T.C. identity number, telephone number, and e-mail address are considered personal data. The law also defines more sensitive information, such as individuals’ race, ethnic origin, political opinion, religious belief and health information, as special categories of personal data and provides stricter protection for them.

According to the accepted view in the doctrine; “In the law of protection of personal data, illegality is a presumption in the processing of personal data”8. In this context, the processing of personal data can only be carried out in accordance with the conditions specified in the law. These conditions include obtaining the explicit consent of the person, the necessity of data processing for the establishment or performance of the contract, and cases such as fulfilling a legal obligation9. However, if personal data is processed without explicit consent, this is illegal and may result in serious sanctions. In the doctrine regarding explicit consent; “Although there is no clear regulation on which method the consent should be given, what its content and nature should be as one of the reasons for general compliance with the law, it is stated that this consent can be given with a clear declaration of will of the person concerned, or even with a tacit declaration of will based on behavior (...)”10. In this context, in which procedures and forms the explicit consent regarding the processing of users’ personal data on social media platforms can be validly given is also a matter that needs to be examined.

In data processing activities, fundamental principles such as “compliance with the law and rules of integrity,” “being accurate and up-to-date when necessary,” “being processed for specified, explicit, and legitimate purposes,” “being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed,” and “being relevant, limited, and proportionate to the purpose for which they are processed” must be observed11. These principles aim to prevent data controllers from collecting and processing data arbitrarily.

Individuals have significant rights under the PDPL, including the right to inquire whether their personal data has been processed, to obtain detailed information if it has been processed, to know the third parties to whom personal data has been transferred domestically or internationally, to request the correction of personal data if it has been processed incompletely or inaccurately, to request the deletion or destruction of personal data within the framework of the legislation, to request that the corrected and deleted data be notified to third parties to whom personal data has been transferred, to object to any result that is to their detriment through the analysis of processed data exclusively by means of automatic systems, and to demand the compensation of damages in the event that they suffer damage due to the unlawful processing of personal data12.

Since social media platforms provide services in Turkey, they are subject to this law. The Law on the Protection of Personal Data (PDPL) requires explicit consent for the processing of personal data, mandating that data be collected in accordance with the law, honestly, and for specific purposes. Social media platforms must clearly state the purposes for which they collect data from users and the duration for which they will store it, and they must take the necessary technical and administrative measures to prevent data breaches, as these are the fundamental requirements of the law. Social media platforms generally obtain this consent through the “terms of use” or “privacy policy” that users approve when registering on the platform. However, in practice, the extent to which this consent is “informed and freely given” is a serious matter of debate. Article 12 of the PDPL directly assigns the obligation to ensure data security to the data controller and foresees serious consequences in the event of a violation of this obligation. In the event of a data breach, platforms are also obliged to notify the Personal Data Protection Authority and the relevant individuals within a certain period.

2. Data Controller Under the PDPL

PDPL, the data controller, is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system13. In Turkish law, social media platforms are considered data controllers because they collect, process, and store users’ personal data. This status places heavy obligations on the platforms. As data controllers, platforms are obliged to take reasonable and up-to-date technological measures to ensure the security of the data. When a data breach occurs, it is investigated whether the platform has any fault in the occurrence of this breach. Platforms that are found not to have taken the necessary measures may face legal and criminal liability. The title of data controller emphasizes the platform’s absolute authority over user data and the responsibility that comes with this authority.

In this context, the data controller is obliged to take all necessary technical and administrative measures to prevent the unlawful processing and access of personal data, and to ensure the preservation of personal data. If the data controller has the personal data processed by another natural or legal person on its behalf, the data controller shall bear joint responsibility with these persons for taking the necessary measures regarding the protection of personal data. At the same time, the data controller is obliged to carry out the necessary audits within its own institution or organization to fulfill the requirements of the provisions of the PDPL, or to have them carried out by another person. On the other hand, the data controller may not share personal data learned during his/her duty with others in violation of the PDPL and may not use it outside the purpose of processing; this obligation remains valid even after leaving office. In addition, in the event that the processed personal data is seized by third parties through unlawful means, the data controller is obliged to notify both the data subject and the Personal Data Protection Board (“the Board”) of the situation as soon as possible. The Board may, if it deems necessary, disclose this violation to the public on its website or through other means it deems appropriate14. If this obligation is not fulfilled, both administrative fines and criminal liability may be imposed.

3. Administrative Fines and Sanctions

PDPL foresees administrative fines for data controllers in case of data breaches and data security violations. According to Article 18 of the law, administrative fines ranging from 5,000 TRY to 1,000,000 TRY can be imposed on data controllers who fail to fulfill their obligations regarding data security. In addition, failure to report a data breach to the PDPL also requires a separate administrative fine15. These administrative fines are determined by the Board, taking into account the size and severity of the violation. These sanctions aim to ensure that platforms take data security seriously and act transparently in the event of a possible violation.

Furthermore, the unauthorized recording of personal data without the data subject’s consent falls under the crime of recording personal data, as regulated by Article 135 of the Turkish Penal Code numbered16 5237 (“TPC”). Article 136 of the TPK stipulates that “A person who unlawfully gives, disseminates, or seizes personal data to another shall be punished with imprisonment from two to four years.” individuals who unlawfully seize or disseminate personal data will have committed the offense of unlawfully providing or seizing data. Additionally, according to Article 138 of the TPC, failure to destroy personal data despite the expiration of legal periods constitutes the crime of failure to destroy data. In this context, those who do not delete personal data in accordance with the provisions of the PDPL and do not render it anonymous will be punished according to Article 138 of the TPC17.

4. Current Amendments in Legislation

The “Guidance on the Processing of Special Categories of Personal Data” (“Guidance”), published in February 2025, has expanded the responsibilities of social media platforms. The Guidance imposes additional obligations on platforms for the processing of sensitive data such as biometric data, health information, or political opinions. Furthermore, the data security breach notifications and administrative fine processes have been intensified with the amendments to the PDPL in 2024. Platforms are now expected to report potential data breaches more quickly and transparently, and to prove that they have taken the necessary measures to prevent these breaches. Otherwise, in addition to the previously applied penalties, more severe sanctions may be imposed on the platforms. These new regulations increase the compliance obligations of social media platforms, which are data controllers, and ensure that they adopt a proactive approach to data security.

5. Board Decisions and Implementation Examples

Although judicial decisions regarding the data breach liability of social media platforms in Turkish law have not yet fully matured, the decisions taken and the sanctions imposed by the Board are guiding. The Board has imposed administrative fines on a global platform such as Facebook due to data security breaches18. With these decisions, sanctions were imposed on the grounds that the platforms could not adequately protect user data and did not make breach notifications in a timely manner. For example, after a data breach, platforms are expected to submit to the Board in detail the source of the breach, the types of data affected, and the potential consequences of the breach. These application examples demonstrate that the PDPL is not just a regulation but an actively implemented tool that seriously binds social media platforms.

B. The Situation in International Law

The responsibility of social media platforms concerning data breaches is also shaped by robust legal regulations in the international arena. In particular, the General Data Protection Regulation (“GDPR”), adopted by the European Union, has set a global standard in this area, ushering in a new era of data protection law. These regulations are binding not only on companies operating within the borders of the European Union but also on all platforms that offer services to users in Europe. The GDPR’s extraterritorial scope mandates that global social media entities comply with its stringent requirements regarding data processing, security, and breach notification, regardless of where the company is officially headquartered.

1. GDPR

GDPR, which entered into force in 2018, is considered one of the most comprehensive and effective regulations in the field of personal data protection. For social media platforms, the GDPR brings very clear obligations regarding transparency, accountability, and data security in data processing activities. The principle of “data minimization,” which is one of the remarkable articles of the GDPR, stipulates that platforms collect only the data necessary for the service. In the event of a data breach, platforms are obliged to notify the relevant supervisory authority of this breach within seventy-two hours and data owners in cases where the risk is high. Failure to make this notification may result in severe sanctions. The most deterrent feature of the GDPR is the high fines applied for violations19. Companies may face substantial monetary penalties. The millions of Euros in fines imposed on major platforms such as Facebook, Google, and WhatsApp are the most concrete evidence of the GDPR’s effectiveness.

2. Judgments of the ECHR

The European Court of Human Rights (“ECHR”) addresses the issue of personal data protection within the scope of the “right to respect for private and family life” as enshrined in Article 8 of the European Convention on Human Rights. The general approach of the ECHR regarding personal data protection is explained in the doctrine as follows: “(...) instead of generally applicable principles concerning the protection of personal data, it determines the principles related to the right to data protection by making an assessment based on the specifics of each concrete case within the guarantees provided by the ECHR, and rules accordingly. In this context, the ECHR decides on a violation of Article 8 of the ECHR in case of non-compliance with the principles it has established, such as the necessity for personal data not to be processed without the individual’s consent, for data not to be retained indefinitely or for longer than necessary, and for a clearly legitimate purpose to be specified (...)”20. The ECHR emphasizes that the protection of individuals’ personal data is an integral part of the right to privacy. Although ECHR judgments do not directly target social media platforms, they outline the positive obligations of states regarding personal data protection. These judgments mandate that countries take sufficient legal and administrative measures to ensure data security for private sector organizations like social media platforms. The ECHR addresses the state’s responsibility in cases of unlawful interference with personal data, demonstrating how data breaches violate individuals’ fundamental rights and freedoms. In this context, ECHR judgments constitute an international reference point in the field of data protection law.

V. TECHNICAL AND ETHICAL RESPONSIBILITY OF SOCIAL MEDIA PLATFORMS

The responsibility of social media platforms regarding data breaches is not limited to legal regulations. While the law draws a framework of necessity, the technical and ethical responsibilities of the platforms go beyond this framework, requiring user safety and privacy to be maintained at the highest level. These responsibilities include not only avoiding actions contrary to the law but also adopting an honest, transparent, and protective stance towards their users.

A. Ensuring Data Security: Technical Infrastructure Responsibility

The fundamental responsibility of social media platforms is to establish a robust and up-to-date technical infrastructure to protect user data. This is not only a necessity but also a fundamental aspect of the platforms’ existence. Technical infrastructure responsibility encompasses the entire lifecycle of data, from collection to storage, processing, and sharing. In this context, platforms are obligated to ensure the protection of data against unauthorized access by using encryption technologies. Storing user passwords with one-way encryption algorithms prevents passwords from being exposed even in the event of a data breach. Additionally, platforms are expected to enhance the security of user accounts by offering extra layers of security such as two-factor authentication (2FA). Since the majority of data breaches stem from system vulnerabilities, it is of vital importance that platforms continuously audit their systems with teams comprised of cybersecurity experts, identify potential vulnerabilities, and address them. With this proactive approach, a potential data breach can be prevented before it occurs.

B. Ethical Responsibility to Protect User Privacy

One of the ethical issues behind data breaches is that platforms do not see user privacy as a primary value or sacrifice it for commercial interests. The ethical responsibility of social media platforms requires them to stop commodifying users’ data as a “product” and to evaluate this data as sensitive information or an element of individual privacy that must be protected. This means that data is processed not only legally but also morally correctly. Platforms should clearly explain the exact purposes for which user data will be used, in a clear and understandable language, when collecting it. Users should have full control over the collection and use of their data. For example, Platforms should offer users easily accessible options such as turning off ad targeting, disabling location tracking, and deleting their personal data. This ethical approach reinforces users’ trust in platforms and strengthens the idea that digital privacy is not a luxury but a fundamental right.

C. Transparency, Accountability, and Public Oversight

The obligation of social media platforms to act transparently in processes involving user data is the most important indicator of their ethical responsibilities. In the event of a data breach, platforms must disclose this situation to the public without delay and with all its details. They should not only make legal notifications but also clearly share how the violation occurred, which data was affected, and what steps users should take.

Accountability, on the other hand, means that platforms take concrete measures to learn from their mistakes and prevent similar events from recurring. These measures can be implemented through practices such as strengthening security protocols, tightening internal audit mechanisms, and cooperating with independent auditors.

Lastly, public oversight is ensured through the continuous review of platforms’ data policies by non-governmental organizations, journalists, and academic circles, and the informing of the public. Such oversight limits platforms from making decisions on their own, raising the issue of data security to a broader social discussion.

VI. CONCLUSION

As social media platforms become an integral part of individuals’ digital lives, the vast amount of personal data collected and processed through these platforms constitutes one of the most important legal, technical, and ethical issues of our time. It is essential for platforms to adopt a transparent and accountable management approach that prioritizes user privacy over commercial interests.

PDPL and the GDPR impose significant obligations on platforms regarding data protection. These regulations mandate data minimization, the principle of explicit consent, and the timely notification of data breaches. Platforms are obliged to establish robust technical infrastructures, conduct continuous audits, and implement security measures such as encryption. Failure to comply may result in substantial administrative fines and criminal sanctions.

Legal compliance alone is not enough to ensure that users feel safe in the digital world. Platforms must adopt an ethical stance by refraining from commodifying data, giving users full control over their data, and acting transparently in the event of a breach. In this way, both individual privacy will be protected and trust will be established in the digital ecosystem.

Footnote

1. Çiğdem Aygözer, Personal Data Protection, İstanbul, 2016, 1st Edition, p. 8.

2. Aykut Kaya, The Use of Archived Social Media Data as a Research Resource, Journal of Information and Document Studies, Issue 16, 2021, p. 56.

3. Asena Yıldırımer, The Surveillance Society in the Information Age: The Facebook–Cambridge Analytica Scandal, New Media Electricity Journal, Volume 6, Issue 2, 2022, p. 104-112.

4. 09.11.1982 Official Gazette No. 17863 (OG).

5. 07.04.2016 Official Gazette No. 29677 (OG).

6. Turkish Constitution Article 20.

7. PDPL Article 3/1-d.

8. Bekir Gürses, An Evaluation of the Harmonization of Personal Data Protection Legislation in EU and Turkish Law, 1st Edition, İstanbul 2022, p. 57.

9. PDPL Article 5.

10. Serdar Çelikel, A Comparative Analysis of Explicit Consent as a Legal Basis for Personal Data Processing under Directive 95/46/EC and the GDPR, Journal of the Court of Jurisdictional Disputes, Volume 9, Issue,17, 2021, p. 163.

11. PDPL Article 4.

12. PDPL Article 11

13. PDPL 3/1-ı.

14. PDPL Article 12.

15. PDPL Article 18.

16. Official Gazette, No. 25611 (October 12, 2004)

17. Sümeyra Karuncu Karaağaç, The Misdemeanor of Failure to Fulfill the Obligation to Inform under the Law on the Protection of Personal Data, 2022, 1st Edition, p. 44-51.

18. Decision of the Personal Data Protection Board dated 11.04.2019 and numbered 2019/104, Decision of the Personal Data Protection Board dated 18.09.2019 and numbered 2019/269.

19. GDPR Article 85.

20. Berrak Yılmaz, Protection of Personal Data in Light of the Decisions of the Turkish Constitutional Court and the European Court of Human Rights, Ankara, 1st Edition, 2022, p. 190.

Kaynakça

1. ASENA YILDIRIMER, The Surveillance Society in the Information Age: The Facebook–Cambridge Analytica Scandal, New Media Electricity Journal, Volume 6, Issue 2, 2022.

2. AYKUT KAYA, “The Use of Archived Social Media Data as a Research Resource”, Journal of Information and Document Studies, Issue 16, 2021.

3. BEKİR GÜRSES, An Evaluation of the Harmonization of Personal Data Protection Legislation in EU and Turkish Law, 1st Edition, İstanbul 2022.

4. BERRAK YILMAZ, Protection of Personal Data in Light of the Decisions of the Turkish Constitutional Court and the European Court of Human Rights, Ankara, 1st Edition, 2022.

5. ÇİĞDEM AYGÖZER, Personal Data Protection, İstanbul, 1st Edition, 2016.

6. SERDAR ÇELİKEL, A Comparative Analysis of Explicit Consent as a Legal Basis for Personal Data Processing under Directive 95/46/EC and the GDPR, Journal of the Court of Jurisdictional Disputes, Volume 9, Issue17, 2021.

7. SÜMEYRA KARUNCU KARAAĞAÇ, The Misdemeanor of Failure to Fulfill the Obligation to Inform under the Law on the Protection of Personal Data, 1st Edition, 2022.