Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 31 December 2024

  • omnibus – all personal data
  • sector-specific – electronic communications, banking and payment systems and healthcare sectors
  • constitutional
What are the key cybersecurity laws and regulations?

Last review date: 31 December 2024

There are no specific cybersecurity laws under Turkish legislation. However, the Turkish Criminal Code contains certain provisions regarding the use of personal data.

Articles 135-140 of the Turkish Criminal Code regulate the misuse of personal data. These articles set out the punitive sanctions to be imposed for (i) unlawful recording of personal data, (ii) unlawful disclosure of/access to personal data and (iii) failure to delete personal data upon expiry of the legal retention period, as well as for the qualified forms of these offenses.

As per Article 135 of the Turkish Criminal Code, unlawful recording of personal data may result in imprisonment of one to three years. If the data relates to political, philosophical or religious opinions, ethnicity, moral values, sexual life, health or union membership records, the duration of imprisonment may be increased by half.

As per Article 136 of the Turkish Criminal Code, unlawful disclosure of personal data may result in criminal liability of two to four years of imprisonment (or security measures for legal entities, such as the seizure of assets). For qualified forms of the offense, the sanctions are increased by half.

As per Article 138 of the Turkish Criminal Code, if the data is not destroyed at the end of the lawful retention period, imprisonment of one to two years is envisaged.

All the crimes above are subject to complaints issued by complainants.

Moreover, although it is not recognized as a crime, as per Article 12 of the Data Protection Law, data controllers are obliged to take all necessary technical and organizational measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data and to maintain personal data in a secure way. Failure to take the necessary organizational and technical measures to ensure data security may lead to an administrative fine of between TRY 204,285 and TRY 13,620,402 (approx. USD 5,841 to USD 389,488) for the year 2025 as per Article 18/1(b) of the Data Protection Law. Please note that the administrative fines are subject to revaluation annually based on the revaluation rate of the previous year, and that the foregoing administrative fine amounts reflect our unofficial calculation based on the revaluation rate of previous years.

In addition, certain cybersecurity requirements are imposed on entities that have critical infrastructure, especially in terms of responding to cyber-incidents. Please refer to the section "Do other laws or regulations impose obligations to protect systems from cyberattacks?" for detailed information on requirements for entities that have critical infrastructure.

What are the key laws and regulations relating to non-personal data?

Last review date: 16 December 2024

As of December 2024, there are no regulations similar to the Data Act or Data Governance Act in Türkiye.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 31 December 2024

Yes.

Amendments to the Data Protection Law and the harmonization of personal data protection legislation with the GDPR (with a specific focus on cross-border transfer rules and sensitive personal data processing) have been on the government's agenda for years and were therefore included in various reform packages as action items. On 12 March 2024, the long-awaited amendments were finally introduced. Accordingly, the requirements for cross-border data transfers, processing of special categories of personal data (sensitive data) and appeals against the Turkish Data Protection Authority's decisions have been amended.

The Presidency of the Turkish Republic published the "Mid-Term Program 2025-2027" ("Program"), which also contains updates on the upcoming amendments. The Program states that GDPR-compliance actions (i.e., amendments to the Data Protection Law) will be completed by Q4 of 2025 (i.e., around October 2025).