Certain regulations mandate that financial institutions retain both their primary and secondary systems within the borders of Türkiye, prohibiting the systematic transfer of such data abroad for banks, financial leasing and factoring companies, publicly traded companies, pension investment funds, and other entities regulated by the Capital Markets Board. These regulations include the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks, whose Art. 11(4) stipulates that Turkish banks must host their primary data systems—comprising the infrastructure, hardware, software, and data necessary for recording and utilising all information required to conduct banking activities and meet legislative obligations—within Türkiye. Likewise, their secondary data systems, which serve as backups, must also be stored domestically. Additionally, Art. 23 of Law No. 6493 requires system operators to maintain information systems and their backups domestically. A system operator is defined as a legal entity responsible for the day-to-day functioning of payment or securities settlement systems, holding the requisite licence for such operations. This provision further compels online payment services, such as PayPal, to retain all data in Türkiye for a minimum of ten years. The law specifies: “The system operator, payment institution, and electronic money institution shall be required to keep all documents and records related to matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner.”
Additionally, under Art. 73 of the Banking Law, the Banking Regulation and Supervision Authority (BRSA) is empowered to prohibit the sharing or transfer of customer data or bank secrets with third parties outside Türkiye. The BRSA may also mandate that banks maintain their information systems and backups within Türkiye, based on assessments related to economic security.

Under Art. 9 of the Turkish Personal Data Protection Law, personal data may be transferred abroad only if the conditions set out in Arts. 5 and 6, which govern the lawful processing of personal data and special categories of personal data respectively, are satisfied. In addition, one of several safeguards must be in place. These include an adequacy decision by the Personal Data Protection Authority (KVKK) concerning the recipient country, sector, or international organisation. In the absence of such a decision, transfers may proceed if the data subject retains enforceable rights and access to effective legal remedies in the destination country, and if mechanisms such as Personal Data Protection Board-approved commitment letters, binding corporate rules (BCRs), or standard contractual clauses (SCCs) are implemented. Transfers may also be authorised through administrative arrangements between public institutions, subject to the Board’s approval. Where neither an adequacy decision nor appropriate safeguards are available, data may still be transferred under specific derogations. These include the data subject’s explicit and informed consent, the necessity of the transfer for the performance of a contract or pre-contractual measures, the conclusion or performance of a contract in the data subject’s interest, reasons of public interest, the establishment or defence of legal claims, situations of physical impossibility, or access to public registers by individuals with a legitimate interest.
The Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad provides the procedural framework for implementing Art. 9.

Art. 51 of the Electronic Communications Law stipulates that the transfer of traffic and location data abroad is permitted with the data subject's explicit consent.

Türkiye has not joined any agreement with binding commitments to open transfers of data across borders.

The Personal Data Protection Law establishes a comprehensive data protection regime in Türkiye. It provides for the establishment of the Personal Data Protection Authority (KVKK) and the Data Protection Board as the bodies entrusted with supervisory and enforcement functions. Within the institutional structure of the KVKK, the Board functions as its decision‑making organ, whereas the KVKK itself predominantly fulfils administrative duties. The KVKK is constituted as an independent regulatory authority with institutional and financial autonomy and is mandated both to ensure the protection of personal data and to promote awareness in this area.

Art. 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "The information systems and their substitutes, which are used by the system operator to carry out its activities shall also be kept within the country".

According to Art. 51.10 of the Electronic Communications Law No. 5809:
- Personal data subject to inspection, examination, investigation or dispute shall be retained until the related period has been completed;
- Logs regarding the access of personal data and related other systems are retained for two years;
- Logs that prove the consent of subscribers/users for processing personal data are retained throughout the subscription period;
- Categories of data to be retained and data retention periods, not less than one year and not more than two years from the date of the communication, are determined by secondary law.

According to Art. 11 of the Regulation on the Registry of Data Controllers, a contact person must be appointed if the data controller is a legal entity located in Türkiye and is not exempt from registration with the Turkish Personal Data Protection Authority. Additionally, if the data controller is not located in Türkiye, it must appoint a representative who must be either a Turkish legal entity or a Turkish citizen.
The data controller’s contact person or representative is responsible for managing communications with the Turkish Personal Data Protection Authority and data subjects. Data controllers remain liable for compliance with the Protection of Personal Data Law regardless of the appointment of a contact person or a representative.

Pursuant to Art. 5 of Law No. 5651, all data stored by hosting providers, which are defined as real persons or legal entities who provide and operate the systems which host services and content, must be made available to the Information and Communication Technologies Authority upon request, without the need for a court order. Failure to comply can result in fines ranging from TRY 10,000 (approx. USD 1,300) to TRY 100,000 (approx. USD 12,800).

Pursuant to Additional Art. 4.6 of Law No. 5651, social network providers, whether based in Türkiye or abroad, that receive more than one million daily visitors from Türkiye are obligated to take the necessary measures to retain the data of their Turkish users within Türkiye. According to Art. 13 of the Procedures and Principles concerning Social Network Providers, priority must be given to basic user information and any other data specified by the Information and Communication Technologies Authority.

According to Art. 28 of the Personal Data Protection Law, institutions and third parties are compelled to hand over personal data to intelligence agencies and police when it is needed to process personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations authorised by law to ensure national defence, national security, public security, public order or economic security.
The only exceptions to this requirement are health data and sexual life data, which can only be processed by natural persons who are under an oath of secrecy or by authorities for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of care and treatment services or planning, and the management and financing of healthcare services. This exception is provided in Art. 6 of the Personal Data Protection Law.

Section 4.3.1.7 of the Information and Communication Security Guide states that cloud operators must implement measures to ensure that domestic communication traffic remains within Türkiye. The Guide is directed at public institutions and providers of critical infrastructure services across a range of sectors, including telecommunications and electronic communications, water management, energy, essential public services such as healthcare, transportation, banking, and finance. The Guide defines critical infrastructure as systems whose compromise, through breaches of confidentiality, integrity, or availability, could result in large-scale harm, national security vulnerabilities, or significant disruption to public order.

According to Art. 6 of Law No. 2937, intelligence services are entitled to request any type of document/information from individuals and private/public entities while performing their duties. It is not clear whether a court order is needed.

The Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector reaffirms the data processing principles set out in Art. 4.2 of the Data Protection Law mandating that operators adhere to these principles when managing personal data. According to Art. 5 of the Regulation, cross-border transfer of traffic and location data is prohibited on the basis of national security concerns.
Data processing in the electronic communications sector was previously regulated by the Regulation on Processing and Privacy of Personal Data in the Electronic Communications Sector. The regulation imposed strict conditions on the transfer of personal data outside of Türkiye by telecommunications providers. However, the Constitutional Court invalidated the basis of this regulation, and as a result, the regulation was considered null and void.

The Regulation of Publications on the Internet and Suppression of Crimes Committed by means of Such Publications (Internet Law) establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 4 of the law, a content provider is not responsible for the link to the content that belongs to someone else. However, if it is clear from the format of the presentation that the content in question it links to is embraced and intended to be reachable, the content provider is responsible according to the general provisions. Furthermore, hosting providers are only liable for removing unlawful content that they host, provided that they are notified, pursuant to Articles 8 and 9 of the Internet Law, that is, ensuring that they act according to a notice-and-takedown procedure.