
TÜRKIYE

Since April 2016

Pillar Domestic Data policies  |  Sub-pillar Requirement to allow the government to access personal data collected
Personal Data Protection Law No. 6698
According to Art. 28 of the Personal Data Protection Law, institutions and third parties are compelled to hand over personal data to intelligence agencies and police when it is needed to process personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public security, public order or economic security.
The only exceptions to this requirement are health data and sexual life data, which can only be processed by natural persons who are under an oath of secrecy or by authorities for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of care and treatment services or planning, and the management and financing of healthcare services. This exception is provided in Art. 6 of the Personal Data Protection Law.
Coverage Horizontal

TÜRKIYE

Since April 2016

Pillar Domestic Data policies  |  Sub-pillar Framework for data protection
Law on Protection of Personal Data No. 6698
Law No. 6698 provides a comprehensive regime of data protection in Türkiye. It outlines a similar framework to the European Data Protection Directive (Directive 95/46/EC). Secondary legislation in Türkiye, in the form of regulations and communications, has been evolving in line with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). Law No. 6698 establishes the Personal Data Protection Authority (KVKK) and the Board as the supervisory authorities responsible for its enforcement. The KVKK serves a mostly administrative role, while the Board is the decision-making organ within the KVKK. The KVKK was established as an independent regulatory authority with institutional and financial autonomy and is responsible for ensuring personal data protection and raising awareness in this respect.
Coverage Horizontal

TÜRKIYE

Since 2013, amended in March 2015

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Law No. 6493 on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions
Art. 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "The information systems and their substitutes, which are used by system operator to carry out its activities shall also be kept within the country".
Coverage E-money institutions and payment services providers

TÜRKIYE

Since November 2008, as amended in December 2020 and entered into force in June 2021

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Electronic Communications Law No. 5809
According to Article 51(10) of the Electronic Communications Law No. 5809:
- Personal data subject to inspection, examination, investigation or dispute shall be retained until the related period has been completed;
- Logs regarding access to personal data and other related systems are retained for two years;
- Logs that prove the consent of subscribers/users for processing personal data are retained throughout the subscription period;
- Categories of data to be retained and data retention periods, not less than one year and not more than two years from the date of the communication, are determined by secondary law.
Coverage Telecommunications sector

TÜRKIYE

Since April 2016

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Personal Data Protection Law No. 6698
According to Art. 9 of the Personal Data Protection Law, data cannot be processed or transferred abroad without the individual's explicit consent. Consent will not be required if the transfer is necessary to exercise a right or is required by law, and either:
- sufficient protection exists in the transferee country, or
- the data controller gives a written security undertaking and Türkiye’s Data Protection Board grants permission.
It is reported that these conditions are very restrictive, so that, in some cases, data controllers have made their own assessment of whether personal data will be adequately protected based on the criteria used by the Turkish Personal Data Protection Authority to assess adequacy.
Coverage Horizontal

TÜRKIYE

Since November 2008, as amended in January 2015

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Electronic Communications Law No. 5809
Art. 51 of the Electronic Communications Law stipulates that the transfer of traffic and location data abroad is permitted with the data subjects' explicit consent.
Coverage Electronic communications sector

TÜRKIYE

N/A

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Türkiye has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal

TÜRKIYE

Since December 2020, entry into force in June 2021

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector
Art. 5.2 of the Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector prohibits the cross-border transfer of traffic and location data due to national security reasons. Traffic data is defined in Art. 4 as any data processed for communication or invoicing in an electronic communication network, for example, the parties in phone calls or the duration of the call, and location data is the specific data that determines the geographical location of the device belonging to the public electronic communication service user and processed in/through the electronic communication network.
Coverage Telecommunications sector

TÜRKIYE

Since January 2018
Since February 2019

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Decision No. 2018/DK-YED/27

Decision No. 2019/DK-TED/053
According to Decision No. 2018/DK-YED/27, the emergency call (eCall) in vehicles, along with servers that provide the communication system allowing for value-added services, are to be located in Türkiye, and personal data in such systems cannot be transferred abroad without explicit consent. To achieve this, it is mandatory for the SIM cards, electronic SIMs (eSIMs) or modules having SIM card properties to be procured from operators licensed to provide mobile electronic communication in Türkiye or to be programmable to allow them to be controlled by such operators.
With Decision No. 2019/DK-TED/053, the localization requirements are no longer limited to eCall services and now encompass all eSIM applications. Moreover, all infrastructure, system and storage units, including equipment and software related to the eSIM platform in GSMA standards, shall be established in Türkiye by a licensed local operator (or by a third party to be appointed by such local operators, with liability remaining with the local operator). The decision also states that all data should be kept within Turkish borders. Moreover, where the devices manufactured to be used in Türkiye or imported to the country have remotely programmable SIM (eUICC, eSIM/embedded SIM etc.) technologies, their relevant modules are expected to be programmable only by local mobile operators and only local mobile operator profiles may be installed.
Coverage eSIM applications

TÜRKIYE

Since October 2005, as amended in March 2020

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Banking Law No. 5411
Banking Law No. 5411 (only available in Turkish) foresees specific rules for cross-border transfers of customer data. Conditions regarding the cross-border transfer of customer data set forth under the Banking Law should take precedence over conditions set forth under the Data Protection Law. The Banking Law stipulates that even if the explicit consent of the customer is obtained pursuant to the Data Protection Law for cross-border transfers or transfers of customer data to third parties located in Türkiye, the customer data should not be shared with and transferred to third parties located in Türkiye or outside Türkiye without the customers' instructions or requests (Art. 73).
Furthermore, under the Banking Law, the Banking Regulation and Supervision Authority is authorised to prohibit the sharing or transfer of customer data or bank secrets with third parties located outside Türkiye, as well as to make decisions regarding keeping information systems used by banks and their backups locally due to evaluations regarding economic security.
Coverage Financial sector

TÜRKIYE

Since 2008

Pillar Telecom infrastructure and competition  |  Sub-pillar Presence of independent telecom authority
Presence of an independent telecom authority
According to Electronic Communication Law No. 5809, the executive authority for the supervision and administration of services in the telecommunications sector in Türkiye is the Information and Communication Technologies Authority. It is reported that the Information and Communication Technologies Authority is independent from the government in the decision-making process.
Coverage Telecommunications sector

TÜRKIYE

Since May 2007, as amended in July 2020, entry into force in October 2020
Since September 2020

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Law on Regulating Broadcasting in the Internet and Fighting against Crimes Committed through Internet Broadcasting - Law No. 5651

Social Network Provider Procedures and Principles (regulation of the Information and Communication Technologies Authority (ICTA))
In July 2020, the Law on Regulating Broadcasting in the Internet and Fighting against Crimes Committed through Internet Broadcasting was amended. The amendments define the term "social network provider", oblige them to appoint a local representative, set out procedures for content removal, request reports every six months, and require user data to be stored within Türkiye.
In September 2020, the Information and Communication Technologies Authority (ICTA) published a secondary regulation called "Social Network Provider Procedures and Principles", which clarifies the amendments applicable to social network providers. The amendments entered into force in October 2020.
Under the law, domestic or foreign social network providers that have more than one million daily accesses to their services from Türkiye are obligated to store user data within the country (supplementary Art. 4). ICTA's secondary regulation (Art. 12) indicates that social network providers must prioritize storing users' basic information and the information required by ICTA within Türkiye, and the measures must be reported every six months.
Coverage Social network providers

TÜRKIYE

Since 2013, as amended in March 2015

Pillar Cross-border data policies  |  Sub-pillar Ban to transfer and local processing requirement
Payment Services and Electronic Money Institutions Law No. 6493
Art. 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". As a result, the information systems have to be located in the country. The article also specifies that "the information systems and their substitutes, which are used by system operator to carry out its activities shall also be kept within the country".
Coverage E-money institutions and payment services providers
