Last review date: 22 January 2026

• Law No. 6698 on the Protection of Personal Data ("Data Protection Law")
• The Regulation on Data Controllers Registry
• The Regulation on Deletion, Destruction or Anonymization of Personal Data
• The Regulation on Procedures and Principles Regarding the Cross-Border Transfer of Personal Data ("Regulation")
• The Communiqué on Principles and Procedures for Compliance with the Information Obligation
• The Communiqué on Principles and Procedures for Applications to Data Controllers (for data subjects)

Last review date: 31 December 2025

Cybersecurity Law

In Türkiye, Cybersecurity Law No. 7545 entered into force recently, upon its publication in the Official Gazette dated 19 March 2025. The secondary regulation, which is expected to provide detailed implementation guidelines, has not yet been published and is expected to be published in 2026. As a result, certain application procedures and technical requirements remain unclear.

Turkish Criminal Code and Data Protection Law

There are certain provisions in the Turkish Criminal Code regarding the use of personal data.

Articles 135-140 of the Turkish Criminal Code regulate the misuse of personal data. The relevant articles regulate punitive sanctions to be imposed in case of (i) unlawful recording of personal data, (ii) unlawful disclosure/access to personal data, and (iii) failure to delete personal data upon expiry of the legal retention period and the qualified forms of the offense.

Under Article 135 of the Turkish Criminal Code, unlawful recording of personal data may result in a sentence of imprisonment ranging from one to three years. If the data relates to political, philosophical, religious opinions, ethnicity, moral values, sexual life, health, and union membership records, the duration of imprisonment may be increased by half.

Under Article 136 of the Turkish Criminal Code, the unlawful disclosure of personal data may result in criminal liability punishable by two to four years of imprisonment (or the imposition of security measures on legal entities, such as the seizure of assets). In cases involving qualified forms of the offense, the applicable sanctions are increased by half.

Under Article 138 of the Turkish Criminal Code, failure to destroy data at the end of lawful retention periods is punishable by imprisonment ranging from one to two years.

All of the crimes above are subject to complaints initiated by complainants.

Moreover, although not classified as a criminal offense, Article 12 of the Data Protection Law imposes an obligation on data controllers to take all necessary technical and organizational measures to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the secure storage of personal data. Failure to implement the required technical and organizational measures to ensure data security may result in an administrative fine ranging from TRY 256,357 to 17,092,242 (approx. USD 5,961 to USD 397,494) for the year 2026, pursuant to Article 18/1(b) of the Data Protection Law. Please note that these administrative fines are subject to annual revaluation based on the revaluation rate of the preceding year.

Moreover, certain cybersecurity obligations apply to entities operating critical infrastructure, particularly with respect to responding to cyber incidents. For further details, please refer to the question "Do other laws or regulations impose obligations to protect systems from cyberattacks?" under the Security Requirements and Breach Notification section.

Last review date: 22 January 2026

As of December 2025, Türkiye has not enacted any laws or regulations comparable to the Data Act or Data Governance Act.

That said, the obligations set out under the Cybersecurity Law apply to all types of data.