Cybersecurity 2022 Comparisons

Last Updated March 17, 2022

Contributed By YAZICIOGLU Legal

Law and Practice

YAZICIOGLU Legal is an Istanbul-based boutique technology law firm. The firm has a strong focus on legal matters related to technology, media, telecommunications and data protection/cybersecurity. The firm also has solid expertise in cross-border transactions, corporate and commercial matters, intellectual property, regulatory compliance, e-commerce, consumer protection and dispute resolution. The firm has a dedicated team of 12 lawyers working on data protection and cybersecurity. The majority of the firm's workload consists of data protection-related matters. In particular, the firm is known for its successful representation of clients in investigations and data breach cases before the Turkish Data Protection Authority. The firm recently advised Zoom, Discovery and Acer on their registration with the Turkish Data Controllers Registry. The firm is ranked in several legal directories for its TMT work.

According to the International Telecommunication Union's Global Cybersecurity Index, published in 2020, Turkey is ranked 11th in the world on cybersecurity. Hence, it is fair to say that Turkey ranks among the more cybersecure countries in the world, and it is keen on making further significant improvements in this area.

However, Turkey currently has no standalone general legal framework governing cybersecurity; the country's legal framework on cybersecurity is quite fragmented. Provisions on cybersecurity, data breach notifications and incident response are scattered across different parts of Turkish legislation.

The most relevant general legislation and policy documents are as follows.

General Regulations

Constitution of the Turkish Republic (“Constitution”)

The Constitution does not directly set out any provision on cybersecurity. However, as cybersecurity is an umbrella term covering the protection of both personal and non-personal data, it can be considered to be partly and indirectly addressed by (i) Article 20(3), which provides the right to protection of personal data, and (ii) Article 22, which guarantees the freedom of communication as an individual right of every person.

Law on Regulation of Publications via Internet and Combating Crimes Committed by Means of Such Publications No 5651 (“Internet Law”)

The Internet Law aims to regulate the obligations and responsibilities of content providers, hosting providers, internet service providers, social network providers, as well as public internet access providers, in order to combat crimes that are committed via the internet.

Obligations set forth in the Internet Law include providing certain information to users and retaining traffic data for a certain period.

The Internet Law tasks the Turkish Information and Communication Technologies Authority (ICTA) with co-ordinating the detection and prevention of cyber-attacks with content, hosting and access providers and other related institutions and organisations, with taking the necessary measures, and with carrying out the activities required within the scope of national cybersecurity.

Law on Electronic Communication No 5809 (“Electronic Communication Law”)

As stated above, Turkey does not yet have a general cybersecurity law. There is a plan to introduce a network and information security regulation, mostly modelled on the EU's Network and Information Security (NIS) Directive (“NIS Directive”). In order to establish the normative basis for cybersecurity and an institutional framework for overseeing it, a special rule was incorporated into the Electronic Communication Law No 5809.

Information security is among the basic principles set forth in the Electronic Communication Law, which includes several provisions on information security and confidentiality of communication. Several pieces of secondary legislation have been enacted for the same purpose on the basis of this law.

Moreover, although this law almost entirely regulates the electronic communications sector, Article 60(11) empowers ICTA to take, or ensure that others take, all kinds of measures to protect public institutions and organisations and natural and legal persons against cyber-attacks and to provide deterrence against such attacks.

Hence, based on this provision, ICTA has comprehensive authority over private and public organisations to ensure cybersecurity.

Council of Ministers Decision on Carrying out, Managing and Coordinating National Cybersecurity Activities, dated 11 June 2012 (“Council of Ministers Decision on Cybersecurity”)

This decision is one of the landmarks of Turkey’s focus on cybersecurity.

It defines national cybersecurity as: “security of all services, transactions and data provided via information and communication technologies as well as systems used for provision of the same”.

This decision empowers the Ministry of Transport and Infrastructure (MTI) to oversee the national cybersecurity in Turkey and, among others, to prepare policy, strategy and action plans to ensure cybersecurity.

According to this decision, MTI is authorised to carry out its tasks via ICTA and other state institutions.

Communiqué on Procedures and Principles of the Establishment, Duties and Activities of Cyber Incidents Response Centres (CERTs) ("Communiqué on CERTs")

The purpose and scope of this Communiqué is to ensure that the services are carried out effectively and efficiently by determining the procedures and principles regarding the establishment, duties and work of CERTs.

Guideline for Establishment and Management of Institutional CERTs (“Institutional CERT Guideline”) and Guideline for Establishment and Management of Sectoral CERTs ("Sectoral CERT Guideline")

These guidelines cover the establishment and management of institutional CERTs and sectoral CERTs in the relevant organisations, their relationship with each other and with the National Cyber Incidents Response Centre (TR-CERT), capacity planning, personnel qualifications (education level and experience), the training that must be completed and the steps that personnel must take before, during and after a cybersecurity incident.

It also includes the principles of communication with internal/external stakeholders and the establishment steps and principles required to establish CERTs.

Decree on Information and Communication Security Measures No 2019/12 issued by the Presidency of Turkey (“Presidency Decree”)

The Presidency Decree sets out specific measures deemed appropriate to reduce and neutralise security risks, in particular for securing critical data whose loss of confidentiality, integrity or availability could jeopardise national security or disrupt public order.

All public bodies are bound by the Presidency Decree.

Turkish Data Protection Law No 6698 (TDPL) and its secondary legislation

TDPL covers all personal data processing activities in Turkey. It also has specific consequences for cybersecurity. According to TDPL, data controllers are obliged to take all necessary technical and organisational measures to provide a sufficient level of security in order to:

  • prevent unlawful processing of personal data;
  • prevent unlawful access to personal data;
  • ensure the safekeeping of personal data.

Personal data breach notification is also set forth in the same provision.

Turkish Criminal Law (TCrL)

The Turkish Criminal Code (TCrL) criminalises a number of cybersecurity-related acts and sets out criminal sanctions of imprisonment between six months and eight years. Some of these acts are as follows:

  • unlawful access to cyber systems;
  • blocking or disrupting the operation of a cyber system, or destroying, altering or rendering inaccessible the data within a cyber system;
  • misuse of debit or credit cards;
  • manufacturing, importing, dispatching, transporting, storing, accepting, selling, offering for sale, purchasing, giving to others or keeping prohibited devices or software used to break a computer program's password or similar code, in order to commit one of the crimes listed above;
  • committing theft or fraud via cyber systems;
  • unlawful recording of personal data;
  • unlawful transfer, publication or acquisition of personal data;
  • failure to destroy personal data after the retention period set forth in the applicable laws.

The Policy Framework

National Cybersecurity Strategy and Action Plans

For 2013–14 term

In accordance with this action plan, TR-CERT, whose main task is to oversee cybersecurity incident response activities and reporting, was established.

In addition, sectoral Cyber Incidents Response Centres (“sectoral CERTs”) were established to co-ordinate cybersecurity incident response activities in critical sectors, and institutional Cyber Incidents Response Centres (“institutional CERTs”) were established to carry out cybersecurity incident response activities within particular organisations, such as governmental bodies and companies operating in critical sectors.

For 2016–19 term

This action plan resulted from the need to update the previous one in light of developments in information and communication technologies, the increasing need for cybersecurity and the experience gained.

In this action plan, (i) cybersecurity risks were evaluated in order to define the strategic objectives for cybersecurity, and (ii) the main risks were identified, such as unauthorised access to, and disclosure of, citizens' personal data or public information following an attack on the information systems used by public institutions or critical infrastructure.

In this action plan, actions are grouped under five categories:

  • strengthening cyberdefence and protecting critical infrastructures;
  • fighting against cybercrimes;
  • awareness and human resources development;
  • developing the cybersecurity ecosystem;
  • integration of cybersecurity into national security.

For 2020–23 term

This action plan emphasises that international co-operation is as important as national activities because of the inherently cross-border nature of cybersecurity. Thus, the government is to make efforts to increase bilateral and multilateral co-operation, improve information sharing and contribute to the work carried out to establish common international norms and standards in cyberspace.

In this action plan, actions are grouped under seven categories:

  • protecting critical infrastructure and increasing resilience;
  • building national capacity;
  • organic cybersecurity network;
  • security of new generation technologies;
  • fighting against cybercrime;
  • developing and fostering national and domestic technologies, integrating cybersecurity into national security;
  • improving international co-operation.

For other legislation (eg, sectoral and specific legislation), please see 2.1 Key Laws.

The Ministry of Transport and Infrastructure

According to the Council of Ministers Decision on Cybersecurity, MTI has been authorised for implementation, administration and co-ordination of national cybersecurity actions and preparation and co-ordination of policy, strategy and action plans regarding the governance of national cybersecurity.

MTI is the responsible government agency for overseeing all other cybersecurity organisations throughout Turkey. It has been overseeing and conducting cybersecurity activities at the strategic level through the TR-CERT.

MTI’s responsibilities on cybersecurity include:

  • preparing strategy and action plans to ensure national cybersecurity;
  • preparing the procedures and principles necessary for ensuring the security and privacy of the information and data belonging to public institutions and organisations;
  • in ensuring national cybersecurity, monitoring the establishment of the technical infrastructure in public institutions and organisations, verifying it and testing the effectiveness of the measures applied.

Information and Communication Technologies Authority

While policymaking is the responsibility of MTI, the regulatory function has been assigned to ICTA.

ICTA is an independent administrative institution that has administrative and financial autonomy.

In addition to its role in the telecom sector, ICTA closely monitors cybersecurity incidents through public and private forums and channels. ICTA also audits private companies and warns them about specific cybersecurity threats and technical vulnerabilities.

For this purpose, ICTA acts in co-ordination with public and private organisations, including hosting providers, internet service providers and other relevant institutions and organisations.

Presidency of Republic of Turkey Digital Transformation Office (DTO)

DTO has played an active role in cybersecurity, big data, artificial intelligence and digital transformation since its establishment in 2018.

Among its other duties, DTO focuses on developing projects that support national cybersecurity and information security, following the developments regarding the effective implementation of policies, strategies and action plans related to cybersecurity throughout the country and carrying out studies to identify critical infrastructures.

In July 2020, DTO published an Information and Communication Security Guide, which includes information and communication security measures to be taken by public institutions and organisations offering critical infrastructure services.

TR-CERT

In 2013, TR-CERT was established under ICTA to oversee cybersecurity in Turkey, identify emerging threats, take measures to reduce and eliminate the effects of possible attacks and cybersecurity incidents and share them with the determined actors.

CERTs started their activities in institutions and organisations, mainly (but not limited to) in critical infrastructure sectors.

TR-CERT oversees the management of response to cybersecurity incidents from the beginning until the resolution. It co-ordinates with CERTs for this purpose. CERTs are required to report cybersecurity events to TR-CERT.

TR-CERT also carries out awareness-raising and guidance activities to increase the awareness of public institutions and organisations against cyber-attacks.

CERTs

Sectoral CERTs

Sectoral CERTs are established under (i) the regulatory and supervisory bodies or (ii) the relevant ministries of critical sectors.

Sectoral CERTs are responsible for the co-ordination, regulation and supervision of cybersecurity in the relevant critical sector.

Sectoral CERTs act in co-ordination with TR-CERT and the institutional CERTs operating in the relevant sector.

Institutional CERTs

Institutional CERTs are established within public and private organisations.

All organisations operating in the critical infrastructure sectors must establish an institutional CERT within their organisations. On the other hand, ICTA has the authority to order a public or private organisation to establish and maintain a CERT, even if such organisation is not operating in the critical infrastructure sector.

Institutional CERTs act in co-ordination with TR-CERT and, where applicable, the sectoral CERT operating in the relevant sector.

The personnel working in CERTs are under the obligation to maintain the confidentiality of the information they have obtained due to their duties. This obligation continues after the duty ends.

Personal Data Protection Authority (PDPA)

The primary supervisory and regulatory authority on data protection in Turkey is PDPA. It is an independent administrative institution that has administrative and financial autonomy.

PDPA has the power to regulate data protection activities and protect the rights of data subjects. PDPA is competent to receive data breach notices according to TDPL.

National Intelligence Agency

The National Intelligence Agency is entitled to collect, record and analyse information, documents, news and data by using all kinds of technical intelligence and human intelligence methods, tools and systems on foreign intelligence, national defence, counter-terrorism, international crimes and cybersecurity, and to deliver the produced intelligence to the necessary institutions.

Turkish National Police Department of Cybercrime Prevention

This police department provides support for investigating crimes committed by using information technology. It gathers forensic data to fight cybercrime effectively and efficiently. It was established in 2011.

The Ministry of National Defence, the Presidency of Defence Industries and the Turkish Armed Forces Cyber Defence Command

These entities ensure cybersecurity from a military and national defence perspective.

Please see 2.4 Data Protection Authorities or Privacy Regulators and 9.2 Public Disclosure for further information.

Other

Apart from the above, sector-specific administrative institutions such as the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB), the Turkish Republic Central Bank (TRCB), the Energy Market Regulatory Authority (EMRA) and the Turkish Atomic Energy Authority are entitled to regulate cybersecurity-related issues in their respective sectors.

Information and Communication Technologies Authority

ICTA has broad powers to administrate and enforce the rules on cybersecurity. ICTA was given a unique authority to take or compel public institutions, organisations, natural and legal persons to take all kinds of precautions against cyber-attacks and to establish deterrence against such attacks.

For this purpose, ICTA is entitled to request any information, documents, data and records from relevant organisations, as well as requesting access to archives, databases and the communication infrastructure.

ICTA works in co-operation with ministries, institutions and organisations to perform its duties.

Natural persons and private organisations cannot refuse to fulfil ICTA's requests on the ground that they are subject to other legislation.

ICTA has a special regulation dealing with administrative fines – ie, the By-Law on Information Technologies and Communications Administrative Sanctions, which lays down special procedures for issuing administrative fines.

The administrative fines related to breaches of network and information security are as follows:

  • if the operator does not comply with the legislation on electronic communication security, including network security, an administrative fine of up to 1% of its net sales in the previous calendar year can be imposed;
  • administrative fines ranging from TRY1,000 to TRY1 million are imposed on natural persons and private legal entities other than operators who do not fulfil the obligations determined by ICTA within the scope of its duties, or do not implement the measures required for protection against, and deterrence of, cyber-attacks within the scope of national cybersecurity activities; and
  • in case of detection of violations, in addition to the given sanctions, concrete measures may be decided by ICTA depending on the nature of the violation.

Personal Data Protection Board (PDPB)

PDPB’s investigations may be initiated based on a data subject’s complaint received by PDPB or ex officio if it becomes aware of the alleged violation.

If PDPB identifies a violation of TDPL, it can impose administrative fines, which may vary between TRY13,393 and TRY2,678,866, depending on the nature of the violation.

Criteria for administrative fines

The criteria ICTA must consider when imposing administrative sanctions are the presence of damage, the existence of unfair economic gain, recurrence, administrative sanctions imposed on the operator in the last five years for violation of the same article, and the presence (or absence) of good faith.

As per the Misdemeanours Law No 5326, when determining the amount of fines, PDPB must consider the severity of the breach, the fault of the breaching party and its economic condition.

Appeal to decisions of ICTA and PDPB

The fined party has a right to appeal against PDPB’s or ICTA’s decisions.

All decisions of ICTA, including administrative fines, can be appealed before the administrative courts.

On the other hand, if PDPB’s decision includes only an administrative fine, the data controller may object to the decision regarding the administrative fine before the Magistrate Criminal Court within 15 days from the receipt of the decision. The decisions of the Magistrate Criminal Court can be appealed to another Magistrate Criminal Court in the same district.

Where the decision includes an administrative order bundled with or without an administrative fine, the data controller can object to the decision before the administrative courts, whose decisions can be appealed to the Council of State.

Criminal Sanctions

As stated in 1.1 Laws, TCrL criminalises a number of actions that involve personal data processing.

The investigation may commence without the need for any complaint, ie, ex officio by public prosecutors. Only courts can impose a criminal sentence. Under certain circumstances, the first-tier court's decision may be appealed to the second-tier court, the Regional Criminal Court. The Regional Criminal Court's decision may in turn be appealed to the Court of Appeals if the sentence meets specific criteria.

The Budapest Convention on Cybercrime of the Council of Europe (CETS 185)

Turkey signed the Budapest Convention (with a few reservations) on 10 November 2010. The Convention was ratified on 29 September 2014 and came into force on 1 January 2015.

After accepting and ratifying the Convention, Turkey amended its related legislation, such as TCrL. For example, the crimes against the confidentiality, integrity and accessibility of computer data or systems, which are regulated in the first title of the Convention, were reflected in TCrL.

In the international co-operation section of the Convention, there are provisions on international legal assistance. According to the Convention, the state parties should provide legal assistance to each other in the broadest possible way and co-operation should be implemented in a way that covers crimes related to information systems and other crimes whose evidence is found in the electronic environment.

European Convention on Mutual Assistance in Criminal Matters

Turkey is a party to the European Convention on Mutual Assistance in Criminal Matters. Furthermore, Turkey has particular legislation – the Law on International Judicial Cooperation in Criminal Matters No 6706, dated 23 April 2016.

Convention No 108

Turkey was one of the first countries to become a member of the Council of Europe and to sign Convention No 108. Although Turkey signed the Convention on 28 January 1981, it did not ratify it until 17 March 2016, shortly before Turkey's adoption of TDPL. However, Turkey has not yet signed the Modernised Convention (also known as "108+").

Convention No 108 lays down a crucial rule for data security. According to Article 7 of the Convention, appropriate security measures must be taken to protect personal data stored in automated data files against accidental or unauthorised destruction or accidental loss, and against unauthorised access, alteration or dissemination. However, Convention No 108 does not contain a separate provision dealing with breach notification.

Other

Turkey has signed many co-operation agreements and memorandums with foreign countries – eg, Azerbaijan, Belarus, China, Georgia and Greece – to provide mutual assistance in the cybersecurity realm.

NIS Directive’s Relevance for Turkey

Turkey, as a candidate country for the EU membership, is closely monitoring any legal developments of the EU acquis. Turkey has a plan to adopt the provisions of NIS Directive into the Turkish Law as stated under Section 474.2 of the 11th Development Plan (2019-2023) dated July 2019.

Data Protection

PDPA works collaboratively with public and private organisations to share information on privacy issues and encourage privacy compliance.

Cybersecurity

ICTA

ICTA closely follows up the cybersecurity incidents through publicly available and private forums and mediums. ICTA also audits and warns companies concerning specific cybersecurity threats and technical vulnerabilities.

TR-CERT and CERTs

TR-CERT and CERTs are vital structures in eliminating cyber incidents, prioritising or reducing possible damages, and performing cyber incident management in co-ordination and co-operation at the national level. The co-ordination and co-operation between TR-CERT and institutional CERTs and/or sectoral CERTs contribute greatly to Turkey’s national cybersecurity.

Cybersecurity

As mentioned in 1.1 Laws, according to the International Telecommunication Union's Global Cybersecurity Index published in 2020, Turkey is ranked 11th in the world on cybersecurity.

As previously stated, Turkey does not have a standalone general framework governing cybersecurity law. Turkey’s legal framework regarding cybersecurity is quite fragmented.

Sector-specific regulations such as the By-Law on Information Systems Management of Capital Markets Board of Turkey, the By-Law on Information Security in Industrial Control Systems Used in Energy Sector, the By-Law on Specific Principles for Safety of Nuclear Power Plants and the By-Law on Internet Domain Names mostly follow international information security standards. They require a risk-based approach and mandate notification of cyber incidents. However, lack of a general law covering all sectors is a shortcoming of the Turkish law.

The details of cybersecurity are mainly regulated by administrative and regulatory actions and by guidelines issued by administrative bodies. This feature of the system allows Turkey to act quickly against cybersecurity threats. On the other hand, vesting such broad authority in administrative bodies is open to question from a rule-of-law perspective.

Data Protection

As TDPL was enacted only six years ago, Turkey's data protection practice can be considered a developing one. On the other hand, considering the level achieved almost from scratch, it is fair to say that Turkey has made significant progress so far. In PDPB decisions imposing relatively high administrative fines, the fine is almost always based on the data controller's failure to ensure an adequate level of data security while processing personal data.

In the light of the published decisions of PDPB (it should be noted that PDPB decisions are not public unless PDPA publishes them), the total amount of penalties imposed for data breaches/leaks is approximately TRY56 million.

It is also important to note that Turkey follows the EU’s omnibus model for data protection.

E-commerce

In 2021, ICTA published a guideline on information security measures to be adopted by e-commerce website operators. ICTA has not made this guideline publicly available; rather, it was sent directly to Turkish e-commerce operators. The guideline covers application security, system security, network security, audit and log control procedures, test procedures and digital forensics procedures.

Cybersecurity

On 27 October 2021, DTO published the Information and Communication Security Audit Guideline, which sets out the steps to be taken to comply with the Information and Communication Security Guideline (published on 27 July 2020), which largely adopts ISO 27001-like certification criteria.

Personal Data Protection

Requirement for confirming the accuracy of the contact information

PDPB’s resolution, which was published on 15 January 2021 in the Official Gazette, states the following: "Upon complaints and informing that were received by PDPA regarding personal data containing documents such as reservation documents and invoices being sent by data controllers by SMS or e-mail to third parties due to customers giving a third party’s contact information or mistakenly giving wrong contact information".

The Resolution states that in order to prevent documents that contain third-party personal data from being unlawfully sent to communication channels such as email or phone, data controllers must take the necessary technical and organisational measures to establish mechanisms that confirm the accuracy of the contact information they are given.

Requirement to take measures to ensure user log-in (eg, website) security

PDPA issued a public announcement on 15 February 2022 on the technical and organisational measures that data controllers are advised to take regarding user security.

It is stated that the technical and organisational measures that are taken by data controllers and data processors within the scope of data security would minimise the possible data breaches and the risks they would pose to data subjects.

The public announcement has laid out a number of technical and organisational measures such as:

  • two-factor authentication;
  • safe and up-to-date hashing algorithms;
  • establishing a password policy;
  • reminding data subjects to change their passwords periodically and not to use the same password on different platforms;
  • limiting the number of unsuccessful account access attempts from the same IP address; and
  • conducting periodic security updates and necessary checks on the software or services that are used for accessing data controllers’ systems if such software or services are used.

It is also emphasised that data controllers must conduct a risk assessment and take the technical and organisational measures that are suitable for them.
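The measures listed in the announcement are stated as requirements, not as code. As an added example (not code from the page, from PDPA or from any Turkish regulator), the following Python module wires several of them together: a salted scrypt password hash with constant-time comparison, a password policy, a per-IP limiter on failed attempts, and a TOTP (RFC 6238) second factor. The thresholds (12-character minimum, three or five failures per window), the deny-list, the user "alice" and the IP addresses are assumptions chosen for illustration; the TOTP secret is the RFC 6238 test-vector key. The example goes slightly beyond the announcement by also hashing the password for unknown usernames, so that response time does not reveal whether an account exists.

```python
"""Login hardening demo: scrypt password hashing, a password policy,
a per-IP failed-attempt limiter and a TOTP (RFC 6238) second factor.
Added example, not code from the page or from PDPA; thresholds, names
and the sample user are assumptions made for illustration."""
import base64
import hashlib
import hmac
import os
import struct
import time

SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}      # assumption: demo cost (16 MiB)
COMMON_PASSWORDS = {"password1234", "123456789012"}  # assumption: tiny deny-list


def hash_password(password, salt=None):
    """Return 'scrypt$<salt>$<digest>' using a fresh 16-byte random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(actual, expected)


def password_meets_policy(password):
    """Assumed policy: 12+ characters, at least one letter and one digit, not on the deny-list."""
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return len(password) >= 12 and has_alpha and has_digit and password.lower() not in COMMON_PASSWORDS


def totp(secret, for_time, step=30, digits=6):
    """TOTP per RFC 6238 (HMAC-SHA1 with dynamic truncation) for a Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, for_time, step=30, skew=1):
    """Accept the current code and +/- `skew` time steps of clock drift."""
    return any(hmac.compare_digest(totp(secret, for_time + i * step, step), code)
               for i in range(-skew, skew + 1))


class FailedAttemptLimiter:
    """Blocks an IP after `max_failures` failed logins within `window_s` seconds."""
    def __init__(self, max_failures=5, window_s=900, now=time.time):
        self.max_failures, self.window_s, self._now = max_failures, window_s, now
        self._failures = {}   # ip -> list of failure timestamps

    def _recent(self, ip):
        cutoff = self._now() - self.window_s
        self._failures[ip] = [t for t in self._failures.get(ip, []) if t > cutoff]
        return self._failures[ip]

    def is_blocked(self, ip):
        return len(self._recent(ip)) >= self.max_failures

    def record_failure(self, ip):
        self._recent(ip).append(self._now())

    def reset(self, ip):
        self._failures.pop(ip, None)


class LoginService:
    """In-memory user store wired to the measures above."""
    def __init__(self, limiter):
        self.limiter = limiter
        self.users = {}  # username -> (stored_hash, totp_secret)
        self._dummy = hash_password("not-a-real-password-0")  # hashed for unknown users too

    def register(self, username, password, totp_secret):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.users[username] = (hash_password(password), totp_secret)

    def login(self, username, password, code, ip, now=None):
        now = int(time.time()) if now is None else now
        if self.limiter.is_blocked(ip):
            return "blocked"
        record = self.users.get(username)
        stored = record[0] if record else self._dummy  # uniform timing for unknown users
        if not (verify_password(password, stored) and record):
            self.limiter.record_failure(ip)
            return "bad_credentials"
        if not verify_totp(record[1], code, now):
            self.limiter.record_failure(ip)
            return "bad_second_factor"
        self.limiter.reset(ip)
        return "ok"


if __name__ == "__main__":
    svc = LoginService(FailedAttemptLimiter(max_failures=3, window_s=900))
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, not a real secret
    svc.register("alice", "correct-horse-9", secret)
    print(svc.login("alice", "correct-horse-9", totp(secret, 59), "10.0.0.1", now=59))
```

The limiter takes an injectable clock so the lockout window can be tested without sleeping. Counting failures per IP, as the announcement suggests, is a floor rather than a ceiling: an attacker rotating source addresses will not trip it, so a production service would also count failures per account and consider a slower, escalating delay instead of a hard block. scrypt is used here because it is in the standard library; bcrypt or Argon2id are equally acceptable choices for the "safe and up-to-date hashing algorithm" measure.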

Please also see 8.1 Regulatory Enforcement or Litigation.

Cybersecurity

As stated previously, Turkey, as a candidate country for the EU membership, is closely monitoring any legal developments of the EU acquis. Turkey has a plan to adopt the provisions of NIS Directive into the Turkish Law as stated under Section 474.2 of the 11th Development Plan.

In the medium term, Turkey is expected to have a standalone network and information security legislation.

Data Protection

According to the Economic Reform Action Plan by the Ministry of Treasury and Finance of the Republic of Turkey, which was announced on 12 March 2021, TDPL is under review to have its provision on data transfer abroad (Article 9) be amended in line with GDPR. The targeted date for this amendment to enter into force is 31 March 2022.

However, the scope of the revisions may be broader, as indicated by the 11th Development Plan and the Human Rights Action Plan dated April 2021.

In line with the above, a comprehensive amendment to TDPL that will harmonise it with GDPR is expected to enter into force in 2022.

Some important sector-specific legislation is as follows.

Electronic Communication Sector

By-Law on Network and Information Security in Electronic Communication Sector (“By-Law NIS in Electronic Communication Sector”)

The purpose of this By-Law is to regulate the procedures and principles to be followed by the operators to ensure network and information security.

Electronic communication service providers must take related measures regarding network and information security set forth in this By-Law, such as establishing an information security management system and establishing a reporting and feedback mechanism to ensure that information security breach incidents and security vulnerabilities are reported as soon as possible.

Energy Sector

By-Law on Information Security in Industrial Control Systems Used in Energy Sector

The purpose of this By-Law is to regulate the procedures and principles regarding monitoring the informatics processes of industrial control systems used in critical energy infrastructures, ensuring system continuity, and ensuring cybersecurity.

This By-Law defines critical energy infrastructure as the whole of the energy network, assets, systems and structures whose partial or total inability to perform their functions would adversely affect the sustainability of the social order and/or the delivery of public services.

By-Law on Management System in Nuclear Facilities

According to this By-Law, top management of the organisation determines all kinds of information, technical, financial, human and similar resources and competencies that the organisation should have in order to carry out its activities safely. These resources and competencies may be either in-house or outsourced.

Banking and Finance Sector

By-Law on Information Systems of Banks and Electronic Banking Services (“ISBEBS By-Law”)

The purpose of this By-Law is to regulate the minimum procedures and principles to be taken as a basis in the management of the information systems used by banks in the performance of their activities, the provision of electronic banking services and the management of the risks related to them and the information systems controls that must be established.

Communiqué on Management and Auditing of Information Systems of Financial Lease, Factoring and Finance Companies

The purpose of this Communiqué is to regulate the procedures and principles regarding the management of information systems used by financial leasing, factoring and financing companies in the performance of their activities within the scope of the Financial Lease, Factoring and Finance Companies Law and their auditing by authorised independent audit firms.

E-Governance

By-Law on Procedures and Principles Regarding Carrying out e-State Services

According to this By-Law, while carrying out e-state services, each public institution and organisation must take cybersecurity measures on their own information systems, keep access records that they use and ensure the accuracy, integrity and confidentiality of this information.

Electronic commerce

Law on Regulation of Electronic Commerce No 6563 (“e-Commerce Law”)

According to Article 10 of the e-Commerce Law, service providers and intermediary service providers (i) are responsible for the safe storage and security of the personal data obtained due to the transactions carried out within the framework of this law, (ii) cannot transfer personal data to third parties and use it for other purposes without the consent of the person concerned.

Please see 1.1 Laws for other major laws, 4. Key Affirmative Security Requirements and 5. Data Breach Reporting and Notification for security and incident reporting requirements under certain legislations.

By-Law on Internet Domain Names

The domain registrars providing services for the Turkish top-level domain-name system are subject to the Internet Domain Names Regulation published by ICTA. As per this Regulation, the registrars are required to ensure the cybersecurity of their operations and notify ICTA of any security breach accordingly.

Please see 1.2 Regulators and 2.4 Data Protection Authorities or Privacy Regulators.

Currently, there is no over-arching cybersecurity agency for Turkey similar to ENISA. ICTA, as explained previously, has general cybersecurity powers besides its telecommunication sector regulatory body role.

The primary supervisory and regulatory authority in Turkey is PDPA. It is an independent administrative institution which has administrative and financial autonomy.

PDPA has the power to regulate data protection activities and protect the rights of data subjects.

The decision-making body of PDPA is PDPB. The main duties and powers of PDPB are as follows:

  • ensuring that personal data is processed in compliance with fundamental rights and freedoms;
  • conducting investigations upon complaints of the data subjects or ex officio if it becomes aware of the alleged violation and taking temporary measures, where necessary;
  • concluding the complaints of those who claim that their rights concerning personal data protection have been violated;
  • determining the adequate measures which are necessary for the processing of special categories of personal data;
  • maintaining the Registry of Data Controllers (VERBIS);
  • carrying out regulatory acts on the matters concerning the duties, powers, responsibilities and data security obligations of the data controllers and their representatives;
  • imposing the administrative sanctions envisaged in TDPL;
  • determining and announcing the countries with an adequate level of personal data protection for international data transfers;
  • approving the written undertaking of data controllers in Turkey and the relevant foreign country that undertakes to provide adequate protection, when adequate protection is not provided, for international data transfers.

BRSA, CMB and TRCB are entitled to regulate the cybersecurity-related issues in their respective sectors.

Please see 1.2 Regulators, 4.3 Critical Infrastructure, Networks, Systems and 5.8 Reporting Triggers for security and reporting requirements under certain financial and other sectoral legislation.

Please see 1.2 Regulators.

ISO/IEC 27001 is an international standard on the management of information security. It is translated into Turkish by the Turkish Standards Institute (TSI), and TS EN ISO/IEC 27001 standard has been drafted under the name of "Information Technology – Security Techniques – Information Security Management Systems – Requirements".

ISO/IEC 27001 is a frequently used international standard in Turkey that indicates an institution’s qualifications with regard to establishing and maintaining cybersecurity measures.

Obtaining an ISO/IEC 27001 certificate is a de jure standard in a number of sectors, especially the electronic communication sector, the energy sector and e-invoice service providers. However, many organisations have chosen to comply voluntarily with the ISO 27001 standard, as this is a good way to improve cybersecurity.

Another standard that draws attention to information security in Turkey, especially in the banking sector, is Control Objectives for Information and Related Technologies (COBIT). All banks are required to meet COBIT standards under the BRSA's communiqués and by-laws published since 2006, which make COBIT-based auditing mandatory for all banks.

COBIT process management is used not only in banks but also in the finance and production sectors.

According to CMB’s Communiqué on Independent Audit of Information Systems, auditors who audit public companies must hold a CISA certificate.

Also, PDPA has published guidelines on personal data security which provide helpful advice on security compliance with the TDPL.

Please see the comments in 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Cybersecurity

The Information and Communication Security Guideline published by DTO elaborates on the cybersecurity measures that must be taken by public organisations, as well as by companies that provide critical infrastructure services.

The issues regulated by the Guideline are as follows:

  • security measures for groups of assets (network and system security, application and data security, portable devices and platform security, security of IoT devices, personnel security, security of physical environments);
  • security measures for areas of application and technology (personal data security, instant messaging security, cloud computing security, security of crypto applications, security of critical infrastructures, new development and supply);
  • hardening measures concerning operating systems, databases and servers.

The studies of TSI regarding the subjects directly related to cybersecurity are as follows:

  • Data Centre Information Security Standard;
  • Criterion of Public Secure Data Sharing;
  • Electronic Document and Document Management System Protection Profile;
  • Protection Profile of Common Criteria for Web Service Security;
  • Authorisation Program for Personnel and Firms Providing Penetration Testing Services;
  • E-Commerce Application Protection Profile;
  • SIEM – Security Information and Event Management Systems Protection Profile;
  • Web Applications Protection Profile;
  • Health Information System Software Protection Profile;
  • Secure IC Platform;
  • Common Criteria Protection Profile for Smart Meter of Turkish Electricity Advanced Metering Infrastructure.

Related drafts are as follows:

  • Cloud Computing Security and Standard;
  • Administrative and Technical Authorisation Program for SSL Certificate Service Providers (SSHS);
  • Penetration Testing Technical Criteria Program;
  • General Requirements for Hospital Information Management Systems;
  • Embedded Operating System Protection Profile;
  • E-Passport Protection Profile;
  • Geographic Information Systems Protection Profile;
  • Liveness Detection for Biometric Systems with Touch Sensor Protection Profile.

Data Protection

PDPA issued the Guideline on Personal Data Protection (Technical and Organisational Measures) (“Measures Guideline”) in 2018.

Technical measures that were laid out in the Measures Guideline are as follows:

  • authorisation matrix;
  • authorisation control;
  • access logs;
  • user account management;
  • network security;
  • application security;
  • encryption;
  • penetration test;
  • attack detection and prevention systems;
  • log records;
  • data masking;
  • data loss prevention software;
  • back-up;
  • firewalls;
  • up-to-date antivirus systems;
  • deleting, destroying or anonymising;
  • key management.

Organisational measures that were laid out in the Measures Guideline are as follows:

  • preparing a personal data processing inventory;
  • establishing institutional policies (access, information security, usage, retention and destruction, etc);
  • data processing and confidentiality agreements (between data controllers and between data controllers and data processors);
  • privacy undertakings by employees;
  • periodic and/or random inspections within the institution;
  • risk analyses;
  • adding legislation-compliant provisions to employment contracts and disciplinary regulations;
  • institutional communication (crisis management, informing PDPB and data subjects, reputation management, etc);
  • training and awareness activities regarding information security and legislation;
  • registering with VERBIS.

If the personal data are kept on the cloud, some important measures expected to be taken are as follows:

  • encryption of data with cryptographic methods;
  • encrypted transfer of data to cloud environments;
  • where possible, using encryption keys specifically for each cloud solution service;
  • deleting/destroying all copies of encryption keys when the cloud computing service expires or is terminated.

Moreover, PDPB introduced more strict requirements for processing of special categories of data.

Please see 1.4 Multilateral and Subnational Issues.

According to Article 12(1) of TDPL, data controllers are obliged to take all the necessary technical and organisational measures to provide an appropriate level of security for the purposes of:

  • preventing unlawful processing of personal data;
  • preventing unlawful access to personal data;
  • ensuring the protection of personal data.

Data controllers are jointly responsible with data processors for taking these measures.

Data controllers must carry out the necessary audits in their own institution or organisation to ensure the implementation of the provisions of TDPL.

Data controllers and data processors are bound by a confidentiality obligation of unlimited duration.

For more information about the personal data security measures that the PDPB considers adequate, please see 3.3 Legal Requirements; for data breach notification requirements, please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.8 Reporting Triggers.

There are no specific security requirements on material business data or material non-public information.

According to TCrL, those who give or disclose to unauthorised persons the information or documents constituting a commercial secret, banking secret or customer secret which are obtained as a matter of their title or duty, occupation or profession, shall be subject to imprisonment from one year to three years and judicial fine (corresponding to) up to 5,000 days upon complaint.

According to Article 82(7) of Turkish Commercial Law, merchants may ask the court to be given a document if the books and documents that the merchant must keep are lost due to a disaster such as fire, flood, earthquake or theft.

According to Article 7(1) of Electronic Book General Communiqué, if a force majeure in the context of the Turkish Tax Procedure Law occurs which affects e-books, e-book-keepers are obliged to apply to the Turkish Revenue Administration within 15 days from the date of the event and demand for a certificate of loss. A cyber-attack may be considered as a force majeure situation within the meaning of this Communiqué.

Critical infrastructure sectors include the following sectors:

  • electronic communication;
  • energy;
  • water management;
  • critical public services;
  • transportation;
  • banking and finance.

Some important security requirements for these sectors are as follows.

Electronic Communication Sector

According to Article 37 of the By-Law NIS in Electronic Communication Sector, the operator must prepare a report on network and information security every year by the end of March and keep it for five years, to be sent to ICTA upon request and/or submitted during inspections by the Authority. The report includes certain information, such as:

  • risk assessment and processing methods and details of transactions made according to these methods;
  • business continuity plans;
  • information on information security breach events that have taken place.

Energy Sector

According to the By-Law on Information Security in Industrial Control Systems Used in Energy Sector, obligated organisations must fill out certain forms – namely, the Industrial Control System (ICS) Recognition Form and the ICS Inventory Form – and submit them to EMRA.

The ICS Recognition Form covers the processes operated by the obligated organisations regarding the ICS, their work on information security and resource information. The ICS Inventory Form is not a standard form; it is formulated individually by EMRA for each obligated entity.

Banking and Finance Sector

Banks and other financial institutions under the authority of BRSA must take the measures set forth in the ISBEBS By-Law.

Moreover, personal data specific to banking relationships are also considered as customer secrets under the Banking Law. This information cannot be disclosed or transferred to third parties that are either in Turkey or abroad without receiving a request or explicit instruction from the customer to do so, even if the customer’s explicit consent to transfer personal data to a third party is obtained, as per TDPL.

The following entities must keep their primary and secondary information systems in Turkey:

  • banks;
  • payment institutions and electronic money institutions;
  • insurance and private pension companies (except for services such as email, teleconference or videoconference);
  • certain public companies, as well as certain capital markets institutions;
  • financial lease, factoring and finance companies.

Other

In addition to these, the Minimum Security Measures Document for Critical Information System Infrastructures, prepared by the Scientific and Technological Research Council of Turkey, defines and categorises critical infrastructure in Turkey. The document also sets out the minimum security measures required for critical infrastructure systems and covers the institutions and organisations operating such infrastructure.

Denial of service attack (DDoS) is defined under Article 3(1)(g) of the By-Law NIS in Electronic Communication Sector.

According to this By-Law, operators must establish mechanisms such as signal processing control, user authentication control and access control for their IP addresses, communication ports and application protocols, in order to protect their servers, routers and other network elements against cyber-attacks such as DoS/DDoS attacks.

The sectors with information security rules and the relevant legislation are as explained above. Although there are special provisions in the mentioned legislation, there is no general security requirement for internet of things, software development or any other data or systems.

Cybersecurity Event

A "cybersecurity event" is defined in the Communiqué on CERTs as a “breach or attempt to breach the confidentiality, integrity or accessibility of industrial control or information systems or data processed by these systems”.

If an organisation is required to establish a CERT, then, as a rule, its CERT must report any cybersecurity event to TR-CERT and the relevant sectoral CERT (if applicable).

On the other hand, if an organisation is not required to establish a CERT, then it does not have the requirement to report a cybersecurity event to TR-CERT, although it can do so voluntarily.

Personal Data Breach

Unlike GDPR, TDPL does not include a definition of a personal data breach per se. On the other hand, according to PDPB’s decision on data breach, data controllers must report to PDPB within 72 hours and notify the relevant data subjects within the shortest time possible in the event that personal data, which are processed by such data controller, is unlawfully acquired by third parties.

Also, unlike GDPR, there are no criteria for qualifying personal data breaches as reportable or non-reportable. As a rule, any personal data breach must be reported to PDPB as well as communicated to the relevant data subjects.

Reporting a cybersecurity event covers any data processed by ICSs and information systems.

Reporting a personal data breach to PDPB covers only personal data affected by such breach.

Reporting a cybersecurity event covers ICSs and information systems.

Reporting a personal data breach covers any information system that processes personal data affected by such breach.

The security requirements regarding cybersecurity have been stated in the Turkish Medical Devices Regulation (TMDR).

Pursuant to Appendix 1 of the TMDR, IT security, operating safety and information security are indicated as the security requirements that medical device manufacturers must meet.

The minimum security requirements that apply to ICSs (and SCADA) are as follows.

  • Protecting the systems from unauthorised access:
    1. management of physical access to the centre where the system is located;
    2. restricting access to the systems by computer networks;
    3. restricting portable storage platforms.
  • Management of authorised personnel’s access to the systems:
    1. procedure for assigning the system manager and operator;
    2. management of authorised personnel’s user IDs and procedure of safe log-in;
    3. records management and separation of duties;
    4. operating procedures, roles and responsibilities.
  • Management of system’s procurement, development and maintenance:
    1. management of application software’s safety;
    2. management of technical deficits;
    3. maintenance contract.
  • Work continuity precautions:
    1. back-up system centre, procedures and tests.
  • Employment of information systems security manager and personnel:
    1. security manager;
    2. personnel continuity;
    3. personnel training and education.
  • Documentation:
    1. policy document;
    2. management of records.
  • Intervention to cybersecurity events.

No specific security requirements apply to IoT.

As for the security of the personal data processed in IoT devices, please see 3.3 Legal Requirements.

There is no regulation that uniformly regulates the security software life cycle, patching and responsible disclosure of vulnerabilities, so the general data protection and cybersecurity regulations apply.

Sector-specific requirements, if any, must also be considered.

Cybersecurity Event

If an organisation is required to establish a CERT, then, as a rule, its CERT must report any cybersecurity event to TR-CERT and the relevant sectoral CERT (if applicable).

On the other hand, if an organisation is not required to establish a CERT, it does not have the requirement to report a cybersecurity event to TR-CERT, but can do so voluntarily.

Personal Data Breach

Also, unlike GDPR, there are no criteria for qualifying personal data breaches as reportable or non-reportable. As a rule, any personal data breach must be reported to PDPB as well as communicated to the relevant data subjects.

Electronic Communication

In the telecommunications sector, according to the By-Law NIS in Electronic Communication Sector, the operator must notify ICTA of network and information security breaches that affect more than 5% of its subscribers and of circumstances that interrupt the continuity of the business. The notification must include, as a minimum, the time, nature, impact and duration of the act, as well as the measures taken regarding the breaches.

Banking and Finance

In the banking sector, pursuant to Article 18 of ISBEBS By-Law, banks must report the cyber events to the BRSA.

Public Companies

If a public company is affected by a cyber-attack, such an attack must be disclosed to the public as per the Communiqué on Material Events Disclosure.

There is no “risk of harm” threshold for reporting cybersecurity events or data breaches.

While there are no provisions that explicitly restrict network and website access monitoring, there are Turkish Constitutional Court decisions that set out principles for employers accessing and/or monitoring their employees’ work computers, work mobile phones and other electronic devices. It is explicitly stated that if such accessing and/or monitoring is to be done:

  • employers must inform their employees in advance of this activity;
  • employers must have a legitimate purpose for taking this action;
  • the accessing and/or monitoring must be proportionate to that legitimate purpose.

These principles can be used as precedent for similar activities, including network monitoring and other defensive cybersecurity measures.

Moreover, as per the Internet Law, hosting service providers and internet service providers are required to retain traffic data for one year (although the retention period for hosting service providers is ambiguous in the relevant by-law, the minimum period for retaining this data is one year, as per the Internet Law).

Public internet access providers must keep the access logs that constitute required records and retain them for two years.

These entities are required to provide such data to public prosecutors or other competent administrative authorities when requested.

For data protection-related measures, please see 3.3 Legal Requirements.

Cybersecurity and data protection are fundamentally linked and compatible disciplines since both work towards the same goals and implement similar regulations and techniques.

However, there is always the risk of extreme cybersecurity precautions leaning towards excessive monitoring. This may in turn damage the data protection rights of the data subjects whose data is processed within the scope of cybersecurity activities.

In order to prevent any harm, institutions should aim to establish and maintain a balance between these two disciplines while conducting their activities.

VERBIS is an open-to-public registry that helps demonstrate the data processing activities of data controllers that have an obligation to register with this system.

The information that must be disclosed to this system includes the technical and organisational measures that are taken by the data controller with respect to data protection.

Please also see 5.8 Reporting Triggers.

The TR-CERT, operated by ICTA, requires the covered bodies, particularly operators under the critical sectors, to notify cyber incidents directly. TR-CERT also publishes a list of known vulnerabilities through its official website.

Data controllers and data processors are free to share information with other people and organisations, as long as it is necessary for the execution of their legal obligations, or the information is shared in order to carry out their business activities.

However, when sharing information, data controllers and data processors must bear in mind their obligations arising from relevant data protection and cybersecurity legislation as well as legal contracts, especially non-disclosure agreements (NDAs), if such have been signed.

ICTA has an active contact point for accepting notifications and reports from third parties. The authority welcomes voluntary information sharing.

Administrative Fine on Yemeksepeti (a Subsidiary of Delivery Hero)

In February 2022, PDPB imposed its second-highest administrative fine to date against Yemeksepeti (a subsidiary of Delivery Hero), a technology company that provides online food and grocery delivery.

Yemeksepeti made a data breach notification to PDPA after it detected that the username, address, phone number, email address, password and IP information of 21,504,083 of its users had been affected by a data breach caused by unauthorised access to a web application server of the data controller.

PDPB fined Yemeksepeti TRY1.9 million for its failure to take the technical and organisational measures necessary to establish data security.

Administrative Fines on Credential Stuffing

Although data controllers usually consider “credential stuffing attacks” (where an attacker unlawfully collects account credentials from another website and then uses these credentials to gain unauthorised access to the website in question) to be cybersecurity incidents for which they bear no fault, PDPB has imposed fines for data breaches caused by “credential stuffing attacks”.

Decision on an e-commerce company

Personal data of 832 people was unlawfully accessed on the website of an e-commerce company by an automated (bot) application trying email addresses and passwords that had been disclosed on the internet. Although the email addresses and passwords were not obtained through the data controller's website, the users' accounts were accessed by unauthorised persons and the confidentiality of personal data was thus compromised. The data controller did not limit the number of unsuccessful log-in attempts from the same IP address and failed to take other measures that could have been taken. Hence, PDPB decided to impose an administrative fine of TRY165,000 on the grounds that the data controller had not taken the necessary and adequate technical and organisational measures.

Decision on a personal care company

The attacker had obtained the users' email addresses and passwords from an external source. PDPB decided to impose an administrative fine of TRY210,000 on the data controller, concluding that the number of unsuccessful log-in attempts indicated a deficiency in the monitoring of its information networks.
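The control whose absence both decisions cite is a cap on unsuccessful log-in attempts from the same source. As an added example (not code from the decisions or from the page), the following Python sketch implements that cap as a sliding-window throttle keyed on both the source IP and the account, with a temporary lockout, and replays a constructed leaked-credential list against it to show how many attempts a bot gets through with and without the cap. The thresholds, IP address, accounts and passwords are constructed assumptions.

```python
"""Throttling unsuccessful log-ins per source IP and per account.

Added example, not from the PDPB decisions or the page. A sliding window of
failures is kept per key ("ip:<addr>" and "user:<email>"); once the cap is
reached the key is blocked for a lockout period. All keys, thresholds and
the user store below are constructed for the example.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window counter of failed attempts per key with temporary lockout."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._blocked_until = {}              # key -> time at which the block lifts

    def is_blocked(self, key, now):
        until = self._blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lockout expired, clear it
            del self._blocked_until[key]
            return False
        return True

    def record_failure(self, key, now):
        """Record one failure; return True if this failure triggered a block."""
        window = self._failures[key]
        window.append(now)
        while window and window[0] <= now - self.window_seconds:
            window.popleft()                  # drop failures outside the window
        if len(window) >= self.max_failures:
            self._blocked_until[key] = now + self.lockout_seconds
            window.clear()
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def attempt_login(throttle, users, ip, email, password, now):
    """Return 'blocked', 'ok' or 'invalid'. Failures count against IP and account."""
    keys = (f"ip:{ip}", f"user:{email}")
    if any(throttle.is_blocked(k, now) for k in keys):
        return "blocked"                      # do not even evaluate the password
    record = users.get(email)
    if record is not None and verify_password(password, *record):
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "invalid"


def simulate_stuffing(max_failures):
    """Replay a constructed leaked-credential list from one IP; return outcome counts."""
    users = {  # constructed local accounts
        "alice@example.test": hash_password("correct horse battery"),
        "bob@example.test": hash_password("tr0ub4dor&3"),
    }
    # Constructed "leaked" pairs from another site: only pair 7 matches a local account.
    leaked = [(f"user{i}@example.test", f"leaked{i}") for i in range(7)]
    leaked.append(("bob@example.test", "tr0ub4dor&3"))
    leaked += [(f"user{i}@example.test", f"leaked{i}") for i in range(8, 12)]

    throttle = LoginThrottle(max_failures=max_failures)
    counts = {"ok": 0, "invalid": 0, "blocked": 0}
    for t, (email, password) in enumerate(leaked):  # one attempt per second
        counts[attempt_login(throttle, users, "203.0.113.7", email, password, now=t)] += 1
    return counts
```

With the cap at five failures the valid pair is never reached, whereas with no effective cap the account is compromised; a per-account key is included because a per-IP cap alone is defeated by an attacker rotating source addresses.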

On the other hand, ICTA does not publish cybersecurity fines through public mediums. It prefers to keep such information confidential.

ICTA has also levied administrative fines over time on various entities, including non-telecom operators.

Please see 8.1 Regulatory Enforcement or Litigation.

Applicable legal standards are explained through the text where applicable.

There is no major publicly known private litigation about cybersecurity.

Class actions are not applicable in Turkish Law.

Carrying out due diligence on a target organisation is considered to rest on the legal basis of “legitimate interest”.

On the other hand, when requesting and sharing personal data in the course of a due diligence process, the “proportionality” and “data minimisation” principles must be taken into consideration.

The relevant capital markets regulations impose an obligation on the companies which will do a public offering, to state the risks of the business before such public offering. Although there is no specific requirement to state the risks on cybersecurity, since the aforementioned risks may also include risks regarding cybersecurity, such risks should be mentioned in the course of a public offering.

As mentioned above, VERBIS is an online public registry which shows the personal data processing inventory of data controllers who have registered with and submitted information to VERBIS. The information submitted to VERBIS, and hence publicly available, includes the “technical and organisational measures” taken by the relevant data controllers.

For more information about notifying the affected persons, please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

In Turkey, cybersecurity insurance has not been made a mandatory obligation, but some insurance companies residing in Turkey offer cybersecurity insurance policies, and most of them provide the following cover:

  • administrative fines regarding personal data;
  • data protection damage;
  • cyber-ransom damage;
  • information security and secrecy responsibility;
  • network security responsibility;
  • data breach costs;
  • business interruption insurance;
  • legal expenses.