Database

Browse Database

TÜRKIYE

Since April 2016, last amended in June 2024

Pillar Domestic data policies  |  Indicator Framework for data protection
Personal Data Protection Law No. 6698 (6698 sayılı Kişisel Verilerin Korunması Kanunu)
The Personal Data Protection Law establishes a comprehensive data protection regime in Türkiye. It provides for the establishment of the Personal Data Protection Authority (KVKK) and the Data Protection Board as the bodies entrusted with supervisory and enforcement functions. Within the institutional structure of the KVKK, the Board functions as its decision‑making organ, whereas the KVKK itself predominantly fulfils administrative duties. The KVKK is constituted as an independent regulatory authority with institutional and financial autonomy and is mandated both to ensure the protection of personal data and to promote awareness in this area.
Coverage Horizontal

TÜRKIYE

Since June 2013, as amended in March 2015, last amended in June 2020

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Law No. 6493 on Payments and Security Settlement Systems, Payment Services and Electronic Money Institutions (Ödeme ve Menkul Kıymet Mutabakat Sistemleri, Ödeme Hizmetleri ve Elektronik Para Kuruluşları Hakkında Kanun - Kanun Numarası: 6493)
Art. 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "The information systems and their substitutes, which are used by the system operator to carry out its activities shall also be kept within the country".
Coverage E-money institutions and payment services providers

TÜRKIYE

Since November 2008, as amended in December 2020 and entered into force in June 2021

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Electronic Communications Law No. 5809 (5809 sayılı Elektronik Haberleşme Kanununun)
According to Art. 51.10 of the Electronic Communications Law No. 5809:
- Personal data subject to inspection, examination, investigation or dispute shall be retained until the related period has been completed;
- Logs regarding the access of personal data and related other systems are retained for two years;
- Logs that prove the consent of subscribers/users for processing personal data are retained throughout the subscription period;
- Categories of data to be retained and data retention periods, not less than one year and not more than two years from the date of the communication, are determined by secondary law.
Coverage Telecommunications sector

TÜRKIYE

Since January 2018

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Regulation on the Registry of Data Controllers (Veri Sorumluları Sicili Hakkında Yönetmelik)
According to Art. 11 of the Regulation on the Registry of Data Controllers, a contact person must be appointed if the data controller is a legal entity located in Türkiye and is not exempt from registration with the Turkish Personal Data Protection Authority. Additionally, if the data controller is not located in Türkiye, it must appoint a representative who must be either a Turkish legal entity or a Turkish citizen.
The data controller’s contact person or representative is responsible for managing communications with the Turkish Personal Data Protection Authority and data subjects. Data controllers remain liable for compliance with the Protection of Personal Data Law regardless of the appointment of a contact person or a representative.
Coverage Horizontal

TÜRKIYE

Since May 2007, as amended in July 2016, last amended in October 2022

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Law No. 5651 on Regulating Broadcasting in the Internet and Fighting Against Crimes Committed through Internet Broadcasting (5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yaynlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun)
Pursuant to Art. 5 of Law No. 5651, all data stored by hosting providers, which are defined as real persons or legal entities who provide and operate the systems which host services and content, must be made available to the Information and Communication Technologies Authority upon request, without the need for a court order. Failure to comply can result in fines ranging from TRY 10,000 (approx. USD 1,300) to TRY 100,000 (approx. USD 12,800).
Coverage Hosting providers

TÜRKIYE

Since May 2007, as amended in July 2020, entry into force in October 2020
Since April 2023

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Law No. 5651 on Regulating Broadcasting in the Internet and Fighting Against Crimes Committed through Internet Broadcasting (5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yaynlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun)

Procedures and Principles about Social Network Provider (Sosyal Ağ Sağlayıcı Hakkında Usul ve Esaslar)
Pursuant to Additional Art. 4.6 of Law No. 5651, social network providers, whether based in Türkiye or abroad, that receive more than one million daily visitors from Türkiye are obligated to take the necessary measures to retain the data of their Turkish users within Türkiye. According to Art. 13 of the Procedures and Principles concerning Social Network Providers, priority must be given to basic user information and any other data specified by the Information and Communication Technologies Authority.
Coverage Social network providers

TÜRKIYE

Since April 2016

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Personal Data Protection Law No. 6698 (6698 sayılı Kişisel Verilerin Korunması Kanunu)
According to Art. 28 of the Personal Data Protection Law, institutions and third parties are compelled to hand over personal data to intelligence agencies and police when it is needed to process personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations authorised by law to ensure national defence, national security, public security, public order or economic security.
The only exceptions to this requirement are health data and sexual life data, which can only be processed by natural persons who are under an oath of secrecy or by authorities for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of care and treatment services or planning, and the management and financing of healthcare services. This exception is provided in Art. 6 of the Personal Data Protection Law.
Coverage Horizontal

TÜRKIYE

Since July 2020

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Information and Communication Security Guide (Bilgi ve İletişim Güvenliği Rehberi)
Section 4.3.1.7 of the Information and Communication Security Guide states that cloud operators must implement measures to ensure that domestic communication traffic remains within Türkiye. The Guide is directed at public institutions and providers of critical infrastructure services across a range of sectors, including telecommunications and electronic communications, water management, energy, essential public services such as healthcare, transportation, banking, and finance. The Guide defines critical infrastructure as systems whose compromise, through breaches of confidentiality, integrity, or availability, could result in large-scale harm, national security vulnerabilities, or significant disruption to public order.
Coverage Public sector and critical infrastructure

TÜRKIYE

Since November 1983, as amended in April 2014

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Law on State Intelligence Services and National Intelligence Organization No. 2937 (2937 Devlet İstihbarat Hizmetleri ve Milli İstihbarat Teşkilatı Kanunu)
According to Art. 6 of Law No. 2937, intelligence services are entitled to request any type of document/information from individuals and private/public entities while performing their duties. It is not clear whether a court order is needed.
Coverage Horizontal

TÜRKIYE

Since December 2020, entry into force in June 2021
Since April 2016
Since July 2012, invalidated in January 2015

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector (Elektroni̇k Haberleşme Sektöründe Ki̇şi̇sel Veri̇leri̇n İşlenmesi̇ Ve Gi̇zli̇li̇ği̇n Korunmasina İli̇şki̇n Yönetmeli̇k)

Personal Data Protection Law No. 6698 (6698 sayılı Kişisel Verilerin Korunması Kanunu)

Regulation on Processing and Privacy of Personal Data in Electronic Communications Sector
The Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector reaffirms the data processing principles set out in Art. 4.2 of the Data Protection Law mandating that operators adhere to these principles when managing personal data. According to Art. 5 of the Regulation, cross-border transfer of traffic and location data is prohibited on the basis of national security concerns.
Data processing in the electronic communications sector was previously regulated by the Regulation on Processing and Privacy of Personal Data in the Electronic Communications Sector. The regulation imposed strict conditions on the transfer of personal data outside of Türkiye by telecommunications providers. However, the Constitutional Court invalidated the basis of this regulation, and as a result, the regulation was considered null and void.
Coverage Electronic communications sector
Sources

TÜRKIYE

Since May 2007, last amended in October 2022

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for copyright infringement
Law No. 5651 on Regulating Broadcasting in the Internet and Fighting Against Crimes Committed through Internet Broadcasting (5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yaynlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun)
The Regulation of Publications on the Internet and Suppression of Crimes Committed by means of Such Publications (Internet Law) establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 4 of the law, a content provider is not responsible for the link to the content that belongs to someone else. However, if it is clear from the format of the presentation that the content in question it links to is embraced and intended to be reachable, the content provider is responsible according to the general provisions. Furthermore, hosting providers are only liable for removing unlawful content that they host, provided that they are notified, pursuant to Articles 8 and 9 of the Internet Law, that is, ensuring that they act according to a notice-and-takedown procedure.
Coverage Internet intermediaries

TÜRKIYE

Since January 2018
Since February 2019

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Decision No. 2018/DK-YED/27 (Karar No 2018/DK-YED/27)

Decision No. 2019/DK-TED/053 (Karar No 2018/DK-YED/27)
According to Decision No. 2018/DK-YED/27, the emergency call (eCall) in vehicles, along with servers that provide the communication system allowing for value-added services, are to be located in Türkiye, and personal data in such systems cannot be transferred abroad without explicit consent. To achieve this, it is mandatory for the SIM cards, electronic SIMs (eSIMs) or modules having SIM card properties to be procured from operators licensed to provide mobile electronic communication in Türkiye or to be programmable to allow them to be controlled by such operators.
With Decision No. 2019/DK-TED/053, the localisation requirements are no longer limited to eCall services only, encompassing all eSIM applications. Moreover, all infrastructure, system and storage units, including equipment and software related to the eSIM platform in GSMA standards, shall be established in Türkiye by a licensed local operator (or by a third party to be appointed by such local operators, but liability remaining with the local operator). The decision also states that all data should be kept within Turkish borders. Moreover, where the devices manufactured to be used in Türkiye or imported to the country have remotely programmable SIM (eUICC, eSIM/embedded SIM, etc.) technologies, their relevant modules are expected to be programmable only by local mobile operators and only local mobile operator profiles may be installed.
Coverage eSIM applications

TÜRKIYE

Since April 2021

Pillar Cross-border data policies  |  Indicator Ban to transfer and local processing requirement
Regulation on Electric Scooters (Elektrikli Skuter Yönetmeliği)
Art. 8 of the Regulation on Electric Scooters stipulates that the servers hosting databases related to e-scooter operations must be located within the territory of the Republic of Türkiye and must provide unrestricted access to the competent Authority.
Coverage Electric scooter service providers

TÜRKIYE

Since July 2019
Since July 2020

Pillar Cross-border data policies  |  Indicator Local storage requirement
Presidential Circular on Information and Communication Security Measures No. 2019/12 (2019/12 Sayılı Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği Tedbirleri Genelgesi)

Information and Communication Security Guide (Bilgi ve İletişim Güvenliği Rehberi)
According to Art. 1 of Circular 2019/12, critical information and data, including population statistics, health and communication records, as well as genetic and biometric data, must be securely stored within the territory of Türkiye. It is reported that it is generally understood that Art. 1 does not constitute a prohibition on cross-border data transfers; rather, it is interpreted primarily as imposing an obligation to maintain a domestic backup of the relevant data to ensure accessibility. Similarly, Section 4.3.1.1 of the Information and Communication Security Guide underscores the necessity of domestic storage of critical data when utilising cloud services.
Circular 2019/12 and the accompanying Guide are directed at public institutions and providers of critical infrastructure services across a range of sectors, including telecommunications and electronic communications, water management, energy, essential public services such as healthcare, transportation, banking, and finance. The Guide defines critical infrastructure as systems whose compromise, through breaches of confidentiality, integrity, or availability, could result in large-scale harm, national security vulnerabilities, or significant disruption to public order.
Coverage Public sector and critical infrastructure

TÜRKIYE

Since July 2019
Since July 2020

Pillar Cross-border data policies  |  Indicator Local storage requirement
Presidential Circular on Information and Communication Security Measures No. 2019/12 (2019/12 Sayılı Cumhurbaşkanlığı Bilgi ve İletişim Güvenliği Tedbirleri Genelgesi)

Information and Communication Security Guide (Bilgi ve İletişim Güvenliği Rehberi)
Art. 3 of Circular 2019/12 stipulates that data relating to public institutions and organisations may not be stored on cloud services, except where such services are operated by the institution itself or by local service providers under its control. It is reported that it is generally understood that Art. 3 does not constitute a prohibition on cross-border data transfers; rather, it is interpreted primarily as imposing an obligation to maintain a domestic backup of the relevant data to ensure accessibility.
Coverage Public sector

Report issue     Report new measure