It is reported that Türkiye imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card or a passport in case of foreigners to activate a new prepaid SIM card. In addition, SIM cards cannot be activated without biometric identification

The Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector reaffirms the data processing principles set out in Art. 4.2 of the Data Protection Law mandating that operators adhere to these principles when managing personal data. According to Art. 5 of the Regulation, cross-border transfer of traffic and location data is prohibited on the basis of national security concerns.
Data processing in the electronic communications sector was previously regulated by the Regulation on Processing and Privacy of Personal Data in the Electronic Communications Sector. The regulation imposed strict conditions on the transfer of personal data outside of Türkiye by telecommunications providers. However, the Constitutional Court invalidated the basis of this regulation, and as a result, the regulation was considered null and void.

According to Decision No. 2018/DK-YED/27, the emergency call (eCall) in vehicles, along with servers that provide the communication system allowing for value-added services, are to be located in Türkiye, and personal data in such systems cannot be transferred abroad without explicit consent. To achieve this, it is mandatory for the SIM cards, electronic SIMs (eSIMs) or modules having SIM card properties to be procured from operators licensed to provide mobile electronic communication in Türkiye or to be programmable to allow them to be controlled by such operators.
With Decision No. 2019/DK-TED/053, the localisation requirements are no longer limited to eCall services only, encompassing all eSIM applications. Moreover, all infrastructure, system and storage units, including equipment and software related to the eSIM platform in GSMA standards, shall be established in Türkiye by a licensed local operator (or by a third party to be appointed by such local operators, but liability remaining with the local operator). The decision also states that all data should be kept within Turkish borders. Moreover, where the devices manufactured to be used in Türkiye or imported to the country have remotely programmable SIM (eUICC, eSIM/embedded SIM, etc.) technologies, their relevant modules are expected to be programmable only by local mobile operators and only local mobile operator profiles may be installed.

Certain regulations mandate that financial institutions retain both their primary and secondary systems within the borders of Türkiye, prohibiting the systematic transfer of such data abroad for banks, financial leasing and factoring companies, publicly traded companies, pension investment funds, and other entities regulated by the Capital Markets Board. These regulations include the Regulation on Internal Systems and Internal Capital Adequacy Assessment Process of Banks, whose Art. 11(4) stipulates that Turkish banks must host their primary data systems—comprising the infrastructure, hardware, software, and data necessary for recording and utilising all information required to conduct banking activities and meet legislative obligations—within Türkiye. Likewise, their secondary data systems, which serve as backups, must also be stored domestically. Additionally, Art. 23 of Law No. 6493 requires system operators to maintain information systems and their backups domestically. A system operator is defined as a legal entity responsible for the day-to-day functioning of payment or securities settlement systems, holding the requisite licence for such operations. This provision further compels online payment services, such as PayPal, to retain all data in Türkiye for a minimum of ten years. The law specifies: “The system operator, payment institution, and electronic money institution shall be required to keep all documents and records related to matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner.”
Additionally, under Art. 73 of the Banking Law, the Banking Regulation and Supervision Authority (BRSA) is empowered to prohibit the sharing or transfer of customer data or bank secrets with third parties outside Turkey. The BRSA may also mandate that banks maintain their information systems and backups within Turkey, based on assessments related to economic security.

According to Art. 9 of the Personal Data Protection Law, data cannot be processed or transferred abroad without the individual's explicit consent. Consent will not be required if the transfer is necessary to exercise a right or is required by law, and either:
- sufficient protection exists in the transferee country or
- if the data controller gives a written security undertaking and Türkiye’s Data Protection Board grants permission.
It is reported that these conditions are very restrictive, so in some cases, data controllers have made their own assessment of whether personal data will be adequately protected based on the criteria used by the Turkish Personal Data Protection Authority to assess adequacy.

Art. 51 of the Electronic Communications Law stipulates that the transfer of traffic and location data abroad is permitted with the data subject's explicit consent.

Türkiye has not joined any agreement with binding commitments to open transfers of data across borders.

Law No. 6698 provides a comprehensive regime of data protection in Türkiye. It outlines a framework similar to that of the European Data Protection Directive (Directive 95/46/EC). Secondary legislation in Türkiye, in the form of regulations and communications, has been evolving in line with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). Law No. 6698 establishes the Personal Data Protection Authority (KVKK) and the Board as the supervisory authorities responsible for its enforcement. The KVKK mainly serves an administrative role, while the Board is the decision-making organ within the KVKK. The KVKK was established as an independent regulatory authority with institutional and financial autonomy and is responsible for ensuring personal data protection and raising awareness in this respect.

Art. 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "The information systems and their substitutes, which are used by the system operator to carry out its activities shall also be kept within the country".

Türkiye lacks a comprehensive framework in place that provides effective protection of trade secrets, but there are limited measures addressing some issues related to them. Trade secrets can be protected under the Unfair Competition Provisions of the Turkish Commercial Code and the Turkish Criminal Code No. 5237. Art. 56 of the Commercial Code allows persons who have suffered damages or who may be exposed to the risk of such damage to apply to the competent court for the following:
- Declare whether the defendant's action is unfair;
- Prevent unfair competition;
- Removal of the material condition caused by the action of unfair competition; rectification of statements if wrong or misleading statements commit the unfair competition; and destruction of the means used in the unfair competition action, provided that it is unavoidable to prevent the infringement;
- In the case of a faulty action for compensation of damages, there is a reference to the conditions set forth by Art. 58 of the Turkish Code of Obligations.

It is reported that passive infrastructure sharing in Türkiye to deliver telecom services to end users is mandated, and it is practised both in the mobile and fixed sectors based on commercial agreements.

Turk Telecom (the incumbent) was privatised in 2005. However, at the moment, 25% of the share of Turk Telecom belongs to the Republic of Türkiye Ministry of Treasury and Finance, and 5% belongs to the Türkiye Wealth Fund, which is a sovereign wealth fund owned by the Government of Türkiye. It is reported that Turk Telecom has a de facto monopoly over network access services that are essential for service providers in different segments of the market.

Since February 2014, amendments to the Public Procurement Code have introduced defined local preference margins for medium- and high-technology products in Türkiye, replacing the previously discretionary application of such margins by issuing authorities. Art. 63 of the Turkish Public Procurement Code, as amended by Art. 74 of Law No. 7033 on the Amendment of Certain Laws and Decrees to Support the Development of Industry and Production, establishes the following provisions:
- Bidders offering domestic products in goods procurement may receive a price advantage of up to 15%. Additionally, a mandatory 15% price advantage is granted to bidders supplying domestic products identified as medium- or high-technology by the Ministry of Science, Industry and Technology. These products are selected based on recommendations from relevant institutions and included in an annually published list. The initial list, published in January 2015, included 2,139 items such as computers, mobile phones, and televisions.
- For construction projects, ministries may require that all or part of the machinery, materials, equipment, and software used are sourced domestically, based on technological classifications.
Furthermore, the eligibility criteria for a "domestic product" benefiting from these preference margins were detailed in September 2014 in Art. 4 of the Domestic Goods Communiqué. These criteria include:
- Production by enterprises registered with the Ministry of Industry, with the product listed in the “production content” category of the registration certificate.
- Completion of essential production stages entirely within Türkiye, including final processing.
- A local contribution of at least 51% of the final production cost.

Türkiye does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is required. SMP operators having accounting separation obligations in relevant markets prepare accounting separation reports annually.

The Regulation on the Implementation of the Turkish Industrial Cooperation Program gives civilian ministries the authority to impose commercial offset requirements in procurement contracts. A foreign company that wins a Turkish government procurement contract may be required to produce a certain percentage locally or with a local partner or transfer technology in order to provide its products and services. It is reported that the Turkish Government has imposed these requirements in the telecom and ICT sectors, among others.