Last review date: 31 December 2024
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ obligation to take specific security measures e.g., encryption
Although not a strict legal requirement, the foregoing measures are considered by the Authority to be appropriate technical and organizational measures.
☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks?)
☒ network information security requirements (broader than telecommunications)
☒ health regulatory requirements
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
Presidential Circular No. 2019/12 on Information and Communication Security Measures ("Circular") stipulates that certain measures should be taken to ensure the security of critical data whose compromise may threaten national security or lead to the deterioration of public order. These measures include local retention of the critical information in Türkiye, using a secure network to store critical information, and preventing the use of cloud systems to store data belonging to public institutions and organizations.
As per the Circular, the Information and Communication Security Guideline has been published by the Digital Transformation Office, which introduces various measures to be implemented by public institutions and organizations and by enterprises providing critical infrastructure services. In the 2016-2019 National Cyber Security Strategy, critical infrastructures are defined as "infrastructures that host information systems capable of causing loss of life and large-scale economic damage." Accordingly, transportation, electronic communications, energy, water management, finance and critical public services are considered critical infrastructure services. All public institutions and organizations and enterprises providing critical infrastructure services must comply with the procedures and principles set out in the Information and Communication Security Guideline.
As part of the measures in the Information and Communication Security Guideline, the establishment of cyber-incident response teams ("SOME") is required. Legal entities operating in critical infrastructure sectors are required to establish corporate SOMEs. In addition to corporate SOMEs, there are sectoral SOMEs in each critical infrastructure sector. Corporate SOMEs are obliged to report cyber incidents to the National Cyber-Incident Response Center ("USOM").
Under the Electronic Communications Act and its Administrative Sanctions Regulation, private legal entities that fail to fulfill the obligations determined by the ICTA for protection against and deterrence of cyber-attacks, or that fail to implement the relevant measures, may be subject to administrative fines of up to TRY 11.5 million (approx. USD 328,571) for the year 2025, according to our unofficial calculation based on the revaluation rates of previous years.
Data privacy
Recently, the Authority has been increasingly inclined to investigate data breaches encountered by companies. Specifically, companies may be obliged to respond to information requests issued by the Authority following their data breach notification. In the event that the Authority determines that the data controller has not implemented sufficient data security measures, there is a notable risk of facing administrative fines.
Moreover, in the Recommendations on Protection of Personal Data in Mobile Applications, published by the Board on 22 December 2023, data controllers are recommended to use multi-factor authentication methods in order to ensure data security in mobile applications, store passwords with adequate security measures, perform regular software updates, and provide a properly configured encryption layer for network communication during the retention and transfer of personal data.
Yes.
The Data Protection Law does not explicitly define the term "personal data breach". In practice, it is understood as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
☒ data protection authorities
Pursuant to the latest decision of the Authority on data breach notifications, data controllers must notify the Authority of any data breach. Data controllers must use "The Personal Data Breach Notification Form", available on the Authority's website, for the notification, or the online system launched by the Authority, available at https://ihlalbildirim.kvkk.gov.tr/.
☒ cybersecurity authorities
As explained under the "Security Requirements" section, legal entities operating in critical infrastructure sectors are required to establish corporate SOMEs and, according to Article 5/6 of the Communiqué on the Procedures and Principles on the Establishment, Duties and Operations of Cyber Incident Response Teams, corporate SOMEs are obliged to report cyber incidents to USOM and the sectoral SOME without delay. For companies that do not have a corporate SOME, there is no obligation to report cyber incidents to USOM.
☒ affected individuals
Data controllers must notify the affected data subjects directly or, if this is not possible, by other appropriate means such as publishing information regarding the data breach on their website, without undue delay after identifying the affected data subjects, as per Article 12(5) of the Data Protection Law.
☒ controller/ owner
Without undue delay after becoming aware of any personal data breach, as per the Data Protection Authority's decision dated 24 January 2019 and numbered 2019/10.
Yes.
☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)
☒ cybersecurity authorities
☒ providers of critical infrastructure
As explained under the "Security Requirements" section, legal entities operating in critical infrastructure sectors are required to establish corporate SOMEs and, according to Article 5/6 of the Communiqué on the Procedures and Principles on the Establishment, Duties and Operations of Cyber Incident Response Teams, corporate SOMEs are obliged to report cyber incidents to USOM and the sectoral SOME without delay. For companies that do not have a corporate SOME, there is no obligation to report cyber incidents to USOM.
Details regarding the identified data security breach notification requirements
The Capital Markets Board of Türkiye ("CMB") provides detailed public disclosure requirements applicable to companies listed on Borsa Istanbul, Türkiye's sole stock exchange. The current disclosure regime applicable to listed companies is regulated by the Public Disclosure Communiqué No. II-15.1 ("Disclosure Communiqué"). With the Disclosure Communiqué, the CMB regulates the disclosure of material events relating to listed companies. Rather than identifying each material event requiring disclosure in the Disclosure Communiqué, the CMB leaves specific disclosure decisions regarding insider information to companies' individual discretion on a case-by-case basis.
Under the Disclosure Communiqué's general rule, every event that might affect investors' investment decisions and/or the value of capital markets instruments must be publicly disclosed. In this scope, a material data breach which might affect investors' investment decisions and/or the value of capital markets instruments must be disclosed as soon as practically possible, as stated under the Disclosure Communiqué.