Last review date: 31 December 2024
Yes.
Other laws that may require the retention and storage of personal data (including, for example, where such data is part of another type of record or dataset) in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction:
1. Banking and Finance Legislation
Regulation on Internal Systems of Banks and Electronic Banking Operations
Apart from the restrictions on cross-border data transfers under the Data Protection Law, Article 11 of the Regulation on Internal Systems of Banks requires Turkish banks to maintain their primary and secondary data systems in Türkiye.
The primary system of a bank comprises the infrastructure, hardware, software and data used to ensure the sound conduct of banking activities, as well as systems to record all the information necessary for fulfilling the bank's duties under banking law and other applicable laws (i.e., employment laws). The secondary system is essentially the back-up of the primary system.
Capital Markets Board's Communique on Information Systems
Currently, the primary and secondary systems of certain public companies and institutions, along with certain types of companies under the supervision of the Capital Markets Board (such as public companies subject to mandatory independent audits and pension investment funds), must be kept in Türkiye per Article 26 of the Communique on Information Systems. Primary systems are defined as the combination of the infrastructure, hardware, software and data that allow secure and readily accessible electronic retention and use of the information necessary for the company's compliance with its duties under the Capital Markets Law and its secondary legislation. Primary systems might be construed as the systems involved in the storage and use of any data that is required to comply with a public company's obligations under capital market regulations. Secondary systems are back-ups of primary systems.
This restriction is expected to include all public companies in the future, as indicated by the Capital Markets Board in its Bulletin no. 2018/10 of 8 March 2018.
Communique on Management and Supervision of Information Systems of Payment and Electronic Money Institutions
There is also a data localization requirement regarding primary and secondary systems for payment and electronic money institutions within the scope of this communique, as explained above.
Communique on Management and Supervision of Information Systems of Financial Lease, Factoring and Finance Companies
There is also a data localization requirement regarding primary and secondary systems of financial lease, factoring and finance companies within the scope of this communique, as explained above.
Banking Secrecy Rules
Apart from the cross-border transfer rules under the Data Protection Law, banking secrecy rules envisage certain confidentiality obligations on banks and rules for the transfer of client and bank secrets.
Article 73 of Turkish Banking Law No. 5411 ("Banking Law") is the primary law governing bank secrecy in Türkiye. Article 73 broadly prohibits banks and individuals from disclosing client secrets in any way to third parties except as permitted under the Banking Law. The Banking Law does not extend to banks located overseas that handle Turkish residents' client secrets. Nonetheless, the Banking Law's confidentiality obligations continue to apply to individuals who receive client data even after the termination of their employment.
The Regulation on Disclosure of Confidential Information ("Disclosure Regulation") governs confidentiality and non-disclosure of confidential client information under the Banking Law. Banks may not disclose confidential client information obtained by the bank through automated and non-automated means to third parties unless authorized under the Disclosure Regulation or by law. Accordingly, the Disclosure Regulation sets out the exemptions for disclosure of client and bank secrets along with rules for such disclosures.
Circular No. 2022/1 on the Disclosure Regulation addresses questions arising from the interpretation of the Disclosure Regulation, including the definition of a bank secret and explanations of the exemptions from the confidentiality obligation.
2. Telecommunication Legislation
Electronic Communication Act and the Regulation Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communication Sector
Under Article 51(6) of the Electronic Communication Act, traffic and location data can only be transferred abroad based on the explicit consent of the data subjects. The Information and Communication Technologies Authority ("ICTA") has published the Regulation Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communication Sector.
As per Article 5, traffic and location data should not be subject to cross-border transfer, for national security reasons. In case of a transfer of traffic data, operators are obliged to inform their subscribers and users of (i) the scope of the data to be transferred, (ii) the identity and address of the person to whom the data will be transferred, (iii) the purpose and duration of the transfer, and (iv) if the third party is abroad, the country to which the data will be transferred; and to obtain their explicit consent. If there are any changes to the foregoing information, operators must obtain the explicit consent of their subscribers and users again.
eCall regulations
ICTA published a decision on 22 January 2018 on 112-Based In-Vehicle Emergency Call Systems, providing that servers that serve the communication systems on board vehicles (whether manufactured in Türkiye or imported) and that enable the rendering of value-added services in addition to eCall must be kept and located in Türkiye, and that the personal data on the system must not be transferred abroad without the explicit consent of the data subject.
eSIM decision
ICTA's decision No. 2019/DK-TED/53 published on 12 February 2019 requires all data generated by eSIM technologies to be kept in Türkiye.
3. Social Media Legislation
Data Localization Obligation of Social Network Providers
Social network providers must take the necessary measures to retain the data of their Turkish users in Türkiye. In fulfilling this requirement, priority is given to the basic user information and any other information determined by the ICTA.
In addition, measures taken to retain Turkish users' data in Türkiye must also be notified to the ICTA through bi-annual reports.
4. Other
Public Sector & Critical Sectors
Presidential Circular No. 2019/12 on Information and Communication Security Measures and the Information and Communication Security Guidelines set out requirements for information security measures applicable to all public institutions, organizations, and operators providing critical infrastructure services (e.g. telecommunication/electronic communication, water management, energy, critical public services such as health, transportation, banking and finance), including localization of critical data (e.g. sensitive data such as health data, biometric data, information on criminal convictions, as well as any other data the unlawful disclosure of which would result in significant damage to the relevant institution).
While the Presidential Circular and the information security guidelines mainly target "public institutions", they also concern critical infrastructure service providers in a variety of sectors, such as energy and transportation. Critical infrastructure is defined as infrastructure containing information systems that can cause large-scale damage, national security vulnerabilities or disruption of public order when the confidentiality, integrity and accessibility of the data processed are disrupted.