Data protection

1. Local data protection laws and scope

  • The Law on Protection of Personal Data No. 6698 (“DPL”) covers the general processing of personal data in Türkiye.
  • The By-law on Erasure, Destruction or Anonymisation of Personal Data establishes principles and procedures regarding the erasure, destruction, and anonymisation of personal data processed in accordance with the DPL.
  • By-law on the Data Controllers Registry determines and ensures the implementation of procedures and principles related to the establishment and management of the Data Controller’s Registry System (VERBIS) (“Registry”) pursuant to the DPL and the envisaged records to be entered in the Registry.
  • The Communiqué On Principles And Procedures To Be Followed in Fulfilment of the Obligation to Inform determines the procedures and principles to be followed within the scope of the obligation to inform to be fulfilled by data controllers or persons authorised by them, pursuant to the DPL.
  • The Communiqué on the Principles and Procedures for the Request to Data Controller determines the principles and procedures for the requests to be made to the data controller and fees to be charged in cases where the process requires additional costs.
  • Furthermore, there are additional by-laws regulating the operating procedures and principles of the Turkish Data Protection Authority (“DPA”). Also, resolutions of the Data Protection Board (“Board”), the decision-making organ of the DPA, set standards for the implementation of the DPL and the above-mentioned secondary legislation.

2. Data protection authority

3. Anticipated changes to local laws

Significant changes have been made to the regime concerning the processing of personal data and the cross-border transfer of personal data, as detailed below in the related sections.

4. Sanctions & non-compliance

The DPL, together with the Turkish Criminal Law No. 5237, contains the provisions regarding enforcement.

Administrative sanctions:

The DPA has the power to impose administrative fines in the following ranges:

  • TRY 9,834 to TRY 196,686 (EUR 1,160 to EUR 23,267) in the case of non-compliance with information obligations;
  • TRY 29,503 to TRY 1,966,862 (EUR 3,490 to EUR 232,675) in the case of non-compliance with the data security obligations;
  • TRY 49,172 to TRY 1,966,862 (EUR 5,816 to EUR 232,675) in the case of non-compliance with the decisions of the Board; and
  • TRY 39,337 to TRY 1,966,862 (EUR 4,653 to EUR 232,675) in the case of non-compliance with the requirements regarding the registration with the Registry.

The DPA may also impose corrective measures, such as mandatory training or compliance audits, either in lieu of or in addition to administrative fines.

Criminal sanctions:

There are various criminal offences under the DPL and the Turkish Criminal Law No. 5237 including:

  • Illegal recording of personal data;
  • Illegal transfer or acquisition of personal data or making personal data available to the public; or
  • Failure to delete the data as required.

In addition to the data controller being subject to the fines mentioned in our responses above, individual directors and officers of the company may be criminally liable, with imprisonment ranging from one (1) year to twelve (12) years, depending on the merits of the case.

Others: 

According to Article 14 of the DPL, data subjects are entitled to apply to the courts for compensation for material or non-material damage in the event of a data breach.

5. Registration / notification / authorisation

Unless they benefit from an exemption as outlined under the DPL and the secondary legislation, all data controllers (foreign or resident in Türkiye) engaged in data processing in Türkiye are obliged to register with the Registry.

6. Main obligations and processing requirements

The DPL requires data controllers to either obtain the explicit consent of the data subject for data processing or rely on one of the legal bases below:

  • Such processing is explicitly allowed under the relevant legislation;
  • Such processing is necessary to protect the vital interests or the bodily integrity of the data subject or of any other person who is physically or legally incapable of giving explicit consent;
  • It is necessary to process the personal data of persons party to a contract where such processing is necessary to enter into the said contract or fulfil its terms;
  • The processing of the personal data is necessary for the data controller to fulfil a legal obligation;
  • The personal data has been made public by the data subject;
  • The processing of the personal data is necessary to establish, use or preserve a right; or
  • The processing of the personal data is necessary for the legitimate interests of the data controller on the condition that such processing does not infringe upon the fundamental rights and freedoms of the data subject.

In addition, personal data may in general only be processed in accordance with the relevant procedures and principles set out under the DPL, as amended on 1 June 2024, and the relevant pieces of legislation.

For sensitive personal data (özel nitelikli kişisel veri), the data controller must rely on one of the following legal bases for lawful processing:

  • Such processing is based on the explicit consent of the data subject;
  • Such processing is explicitly permitted by law;
  • Such processing is necessary to protect the vital interests or physical integrity of the data subject or another person who cannot provide valid consent due to actual incapacity;
  • Such processing is based on the data made public by the data subject, in accordance with that intention;
  • Such processing is necessary for the establishment, exercise, or protection of a right;
  • Such processing is necessary for public health purposes, preventive medicine, medical diagnosis, treatment and care services, and the planning, management, and financing of health services, provided that it is carried out only by persons under a confidentiality obligation within authorised institutions/organisations;
  • Such processing is necessary for compliance with legal obligations, such as in the fields of employment, occupational health and safety, social security, social services, and social assistance;
  • Such processing is limited to members of non-profit organisations established for political, philosophical, religious, or trade union purposes, in accordance with applicable laws, within the limits of the field of activity, and is not disclosed to third parties, except for competent authorities/former members or regular contacts.

Penalties for breaches of the DPL

See our responses to “Sanctions & non-compliance” above.

7. Data subject rights

The data subject must be granted the following rights:

  • The right to learn whether his/her personal data has been processed and if so, demand information about such processing/transfer;
  • The right to learn the purpose of such data processing and whether the use of his/her personal data is in line with the intended purpose of processing/transfer;
  • The right to learn about the third parties to whom the data subject’s personal data has been transferred (in Türkiye or abroad);
  • The right to demand correction in the event that the personal data has been processed in a deficient or wrongful manner;
  • The right to demand deletion, disposal, or anonymisation of the personal data in accordance with the provisions of the DPL or where the grounds for the processing of the personal data no longer apply, and to demand that the third parties to whom the data subject’s personal data was transferred be notified of the said correction, deletion, disposal, and anonymisation procedures;
  • The right to object to the results if the personal data has been analysed by automated systems and this has produced results that are unfavourable for the data subject; and 
  • The right to demand compensation if the processing of the personal data in violation of the DPL has resulted in damages for the data subject.

8. Processing by third parties

According to the DPL, a data processor (veri işleyen) is a natural or legal person who processes personal data on behalf of the data controller with the latter’s authorisation. Where this third party is to receive the personal data to be processed from the actual data controller, the rules on domestic transfers of personal data would apply.

Accordingly, a data controller would be able to transfer such personal data to a data processor if the data subject has given his/her explicit consent to the transfer or if the transmission relies on one of the legal bases for processing mentioned above. 

9. Transfers out of country

In 2024, the legislation governing the transfer of personal data abroad in Türkiye was significantly amended: the principles under the DPL concerning the processing of sensitive personal data and the cross-border transfer of personal data were changed with effect from 1 June 2024.

Consequently, the Regulation on the Procedures and Principles Regarding the Transfer of Personal Data Abroad was enacted on 10 July 2024.

Subsequently, in January 2025, the DPA published the Guide on the Transfer of Personal Data Abroad, clarifying both the legal framework and practical issues, with examples and evaluations drawn from common transfer scenarios.

Under the Law and the Guide, a three-tier structure has been established for the lawful transfer of personal data from Türkiye abroad. In this context, one of the following safeguards must be in place when carrying out such transfers:

Transfers Based on an Adequacy Decision

A cross-border transfer of personal data may take place without the need for additional authorisation from the DPA if the recipient country, sector, or international organisation is deemed to provide an adequate level of protection by a formal adequacy decision issued by the DPA, as stipulated under the DPL. In such cases, the transfer must still be based on one of the legal grounds for processing set out in Articles 5 or 6 of the DPL (for example, explicit provision in law, performance of a contract, or legitimate interest), as further detailed under the “Main obligations and processing requirements” section above.

Transfers with Appropriate Safeguards

If no adequacy decision exists, transfers may take place if one of the legal grounds in Article 5 or Article 6 of the DPL applies (as further detailed under the “Main obligations and processing requirements” section) and if one of the following safeguards is implemented:

  • Agreement Between Public Authorities: An agreement (which does not constitute an international treaty) between public institutions/organisations in Türkiye and those abroad or international organisations is implemented and approved by the DPA.
  • Binding Corporate Rules (BCRs): Binding corporate rules as approved by the DPA are implemented for intra-group transfers within undertakings engaged in a joint economic activity.
  • Standard Agreement: A standard agreement published by the DPA is implemented which allows transfers without additional authorisation. However, the signed copy of the standard agreement must be notified to the DPA within five business days of execution.
  • A Written Undertaking: A written commitment is implemented guaranteeing adequate protection, subject to the DPA’s approval.

Transfers in Exceptional Cases

If none of the above mechanisms can be applied, cross-border data transfers may only take place on an occasional basis in the following exceptional situations:

  • Such transfer is based on the data subject’s explicit consent, given voluntarily and after being informed;
  • Such transfer is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual measures taken at the data subject’s request;
  • Such transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
  • Such transfer is necessary for reasons of strong and substantial public interest;
  • Such transfer is necessary for the establishment, exercise, or defence of a legal claim;
  • Such transfer is necessary to protect the life or physical integrity of the data subject or another person in cases where the data subject is unable to give consent;
  • Such transfer is made to a register that is open to the public or to persons with a legitimate interest, provided that the conditions set out in the relevant legislation for access to the register are met.

10. Data Protection Officer

The Data Protection Officer concept is not recognised under the DPL. 

However, all data controllers that are obliged to register with VERBIS must appoint both a “data controller’s representative” and a “contact person” if they are resident in a foreign jurisdiction, or only a “contact person” if they are resident in Türkiye.

In either case, the designated person should not be liable for the data controller’s failure to comply with its legal obligations but should merely act as an intermediary between the data controller and the DPA.

11. Security

A specific list of technical and administrative measures to be implemented is not available under the Turkish data protection legislation. However, the Board has issued a decision whereby it obliges any entities/persons processing special categories of personal data to take additional protective measures for the protection of any sensitive personal data processed by them (Board decision dated 31 January 2018, numbered 2018/10). Similarly, various guidelines have been published by the Board concerning the secure processing of personal data.

In its updated guidelines on sensitive personal data, the Board reiterates the need for the adoption of advanced security frameworks particularly for large-scale data controllers operating in high-risk sectors such as healthcare and biometrics.

12. Breach notification

The DPL requires the data controllers to notify the affected data subjects and the DPA of data breaches as soon as possible.

To this effect, the Board issued a decision (Board decision dated 24 January 2019, numbered 2019/10) that (i) requires data controllers to have a data breach action plan which outlines the steps to be taken in the event of a breach, including identifying the affected data subjects, assessing the scope and severity of the breach, and implementing appropriate risk and consequence mitigation measures, and (ii) outlines that breaches must be notified to the DPA within 72 hours of becoming aware of the breach.

If the data controller fails to notify the DPA within this period, it must also inform the DPA of the reasons for the delay in notification.

13. Direct marketing

Although the DPL does not specifically regulate direct marketing activities, since the use of personal data for marketing purposes would be considered as data processing, such marketing activities would also be subject to the general principles of the DPL, as indicated above.

In addition, the Turkish Law on the Regulation of E-Commerce No. 6563 (“Law No. 6563”) obliges data controllers to obtain the consent of data subjects through the Message Management System (İleti Yönetim Sistemi) (“IYS”). If they obtain consent primarily through their own channels, they are required to record the consent in the IYS within three (3) working days. Failure to do so invalidates the consent, and electronic communications may not be sent to recipients whose consent has not been recorded in the IYS; the IYS also provides data subjects with a means to exercise their right to withdraw consent.

Further, the Regulation on the Commercial Communications and Commercial Electronic Messages enacted in line with Law No. 6563 prohibits unsolicited electronic communications for direct marketing purposes without the prior consent of the data subjects, unless:

  • The data subject has provided his/her contact information to the service provider to receive the electronic communications related to the change, use, and maintenance of the goods or services already obtained.
  • The electronic communication does not promote new goods or services; and it solely relates to the collection of a debt, the information update, or similar actions concerning an ongoing subscription, membership, or partnership.
  • The electronic communication solely contains information on intermediary activities of the message sender, which are regulated by the capital market legislation.

14. Cookies and adtech

Cookies (Çerezler) are not regulated under the DPL; however, due to the similarities between the Electronic Communication Law No. 5809 (see below) and the respective EU Directive, the DPA accepts that cookies are subject to the general principles of the DPL as indicated above.

According to the Guideline on Cookie Applications of the DPA, it is recommended that the following criteria are met:

  • The cookie is used solely for the purpose of transmitting a communication over the network; and
  • The use of cookies is strictly necessary for the information society services that the subscriber or user has expressly requested in order to receive the service.

15. Risk scale

Severe.

Cybersecurity

1. Local cybersecurity laws and scope

The decisive applicable laws and regulations related to cybersecurity matters are the following:

It should also be noted that other cybersecurity-related legislation, usually enacted on a sector-specific basis, is also in force (e.g., banking, e-commerce).

2. Anticipated changes to local laws

The Cybersecurity Law No. 7545 became effective in March 2025 and accordingly, secondary legislation is expected to be enacted in the upcoming period, covering detailed compliance requirements, certification and authorisation procedures for cybersecurity service providers, and enforcement mechanisms. 

3. Application 

Law No. 7545

Law No. 7545 sets out the overarching framework for cybersecurity in Türkiye, applying to public institutions, private sector entities, professional organisations, and individuals engaged in activities involving information systems, networks, or critical infrastructure. It establishes the Cybersecurity Authority (“Authority”) and the Cybersecurity Board (“Board”), defines their powers for supervision, inspection, and enforcement, and regulates obligations on critical infrastructure operators, cybersecurity service providers, and other relevant actors to implement security measures, conduct risk assessments, and report incidents.

Law No. 5809

The Law No. 5809 regulates the duties of the related parties and their fulfilment in the areas of information security and respect for the confidentiality of communications, ensuring network security against unauthorised access, taking the measures prescribed by law for the purposes of national security, public order or the proper performance of public services in the electronic communications sector, cybersecurity and internet domain names.

Law No. 5651

Law No. 5651 regulates the obligations and liabilities of content providers, access providers and collective use providers, as well as the procedures and principles regarding the fight against certain crimes committed through the use of services provided by content providers, access providers and hosting service providers. It also grants the Information and Communication Technologies Authority (“ICTA”) powers to detect and prevent cyberattacks, to ensure coordination between content, access and hosting service providers in this matter and to take the necessary measures in this respect.

The Regulation

This Regulation sets out the procedures and principles that operators must comply with to ensure network and information security. It has been enacted on the basis of Law No. 5809.

4. Authority

Cybersecurity Authority (Siber Güvenlik Başkanlığı) - Primary regulatory and supervisory body for cybersecurity in Türkiye, responsible for setting policies, conducting inspections, issuing authorisations, and enforcing compliance:

Cybersecurity Board (Siber Güvenlik Kurulu) - High-level decision-making body chaired by the President, determining national cybersecurity strategies and policies.

Information and Communication Technologies Authority (Bilgi Teknolojileri ve İletişim Kurumu) - Regulates and supervises the electronic communications sector, implements Law No. 5651, and coordinates with relevant actors on cybersecurity matters: https://www.btk.gov.tr/

National Centre for Intervention to Cyber Incidents (USOM – Ulusal Siber Olaylara Müdahale Merkezi) - National CSIRT responsible for monitoring, analysing, and coordinating responses to cyber incidents: https://www.usom.gov.tr/

5. Key obligations 

Cybersecurity Law No. 7545

Entities covered by the Law, including public institutions, operators of critical information infrastructures, and licensed cybersecurity service providers, are obliged to:

  • Implement technical and organisational measures to ensure the security and resilience of information systems and networks.
  • Conduct periodic risk assessments and security audits.
  • Report cybersecurity incidents to the Authority within the prescribed timelines.
  • Comply with certification, authorisation, and registration requirements for certain cybersecurity services.
  • Cooperate with the Authority and other relevant bodies during inspections and incident investigations.

Regulation

Operators in the electronic communications sector must, among others:

  • Establish a “Cyber Incidents Intervention Team” (Siber Olaylara Müdahale Ekibi).
  • Implement protection mechanisms such as IP filtering, port/application protocol controls, and user verification or access control.
  • Maintain mandatory threat detection systems capable of identifying indicators of compromise and vulnerabilities.
  • Notify the ICTA within 24 hours of becoming aware of threats or vulnerabilities affecting critical public services.
  • Take proactive measures against cyberattacks such as DoS/DDoS, propagation of malicious software, and other forms of network exploitation.
  • Cooperate with USOM (National Centre for Intervention to Cyber Incidents) in sharing information and coordinating mitigation actions.

Law No. 5651

Collective usage providers are obliged to take the necessary measures to fight against crimes and detect criminals within procedures and principles as determined under the applicable legislation.

6. Sanctions & non-compliance 

Administrative sanctions:

Cybersecurity Law No. 7545

The Authority is empowered to inspect and monitor compliance of all entities within the scope of the Law. The Authority may impose administrative fines for the following actions:

  • Failure to fulfil specific cybersecurity-related duties and responsibilities may result in an administrative fine ranging from TRY 1,000,000 to TRY 10,000,000 (EUR 21,276.60 to EUR 212,765.96).
  • Failure to comply with duties and responsibilities under Article 18 (applicable to operators of critical infrastructures or certain obligated entities) may result in an administrative fine ranging from TRY 10,000,000 to TRY 100,000,000 (EUR 212,765.96 to EUR 2,127,659.57).
  • Failure to comply with specific reporting, monitoring, or intervention obligations may result in an administrative fine ranging from TRY 100,000 to TRY 1,000,000 (EUR 2,127.66 to EUR 21,276.60). If such obligations are not met by commercial companies, the fine will be no less than TRY 100,000 and may be up to 5% of the gross sales revenue stated in their independently audited annual financial statements.
  • If the same infringement is committed multiple times before the imposition of an administrative sanction, a single fine will be imposed but may be increased up to twofold.
  • Where the infringement provides a benefit or causes damage, the fine may be between three (3) and five (5) times the amount of the benefit obtained, or the damage caused.

Without prejudice to the above, the Authority is also entitled to sanction the following:

  • Suspension or revocation of authorisations, licences, or certificates;
  • Temporary or permanent cessation of operations;
  • Removal from the official registry of authorised cybersecurity service providers;
  • Public disclosure of non-compliance.

Law No. 5809

The ICTA has the power to inspect and monitor the compliance of operators and, consequently, has the right to impose, inter alia, the following sanctions:

  • An administrative fine of up to three percent (3%) of the operator’s net turnover in the previous calendar year. If the operator has recently started its business or is an over-the-top service provider (şebekeler üstü hizmet sağlayıcı), the administrative fine will be assessed by the ICTA on the merits of the case within the thresholds indicated in Law No. 5809;
  • The suspension of the operator’s authorisation, in the case of gross negligence;
  • The temporary suspension of the operator’s operations or the imposition of other tangible measures, in the cases specified in the regulations in force prior to the incident.

Law No. 5651

Commercial collective usage providers who fail to comply with the above obligations will be subject to a warning, an administrative fine, or the suspension of their business operations for up to three (3) days.

Regulation on Network and Information Security (as amended in May 2025)

Failure to comply with the mandatory threat detection and 24-hour reporting obligations may result in administrative fines (up to 1% of the operator’s net sales in the previous calendar year for operators, or between TRY 1,000 (EUR 21) and TRY 1,000,000 (EUR 20,955) for other private legal entities) and other enforcement measures, including service suspension, in accordance with the procedures set by the ICTA.

Criminal sanctions:

The Turkish Penal Code No. 5237 establishes various penalties for cybercrime, mainly:

  • Any person who unlawfully accesses, partially or fully, a data processing system, or remains within such system, shall be subject to a penalty of imprisonment for a term of up to one (1) year or a monetary fine; 
  • Where any data within any such system is deleted or altered because of this act, the penalty to be imposed shall be a term of imprisonment of six (6) months to two (2) years; 
  • Any person who unlawfully monitors the data transfers within an information system or between information systems by means of technical methods without entering the system shall be sentenced to imprisonment from one (1) year to three (3) years; 
  • Any person who prevents the functioning of a data processing system or renders such system useless shall be subject to a penalty of imprisonment for a term of one (1) to five (5) years; 
  • Any person who deletes, alters, corrupts, or bars access to data, or introduces data into a system or sends existing data to another medium shall be subject to a penalty of imprisonment for a term of six (6) months to three (3) years; 
  • Where a person obtains an unjust benefit for themself or another by committing the acts defined in the aforementioned paragraphs, and such acts do not constitute a separate offence, this person shall be subject to a penalty of imprisonment from two (2) years to six (6) years and a monetary fine of up to 5,000 days; 
  • Any person who produces, imports, transfers, stores, accepts, sells, supplies for sale, purchases, gives to another person, or holds equipment, computer programs, passwords or other security codes which were produced or created for committing the abovementioned crimes or other crimes that could be committed by using information systems shall be subject to imprisonment of one (1) to three (3) years and a monetary fine of up to 5,000 days.

Others:

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. Under the Cybersecurity Law No. 7545, the Authority is designated as the national CSIRT function, operating through the National Centre for Intervention to Cyber Incidents (USOM). USOM is responsible for detecting cyber threats, developing and coordinating mitigation measures, receiving and analysing incident reports, and ensuring information sharing between relevant public and private stakeholders.

Within USOM, Sectoral Cyber Incident Response Teams operate for critical infrastructure sectors such as energy, banking and finance, transportation, critical public services, water management, and electronic communications. These teams ensure proactive measures against cyberattacks, including DoS/DDoS and malware propagation, and coordinate with USOM on incident response.

Institutional Cyber Incident Response Teams operate in a similar capacity for ministries, public institutions, and other public bodies. All teams are required to notify the Authority/USOM within 24 hours of detecting threats or vulnerabilities that could impact critical public services, as per the Regulation on Network and Information Security.

8. National cybersecurity incident management structure

Please see above our responses to “Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?”

9. Other cybersecurity initiatives 

In addition to its core regulatory and supervisory functions, the Authority coordinates several national initiatives aimed at strengthening Türkiye’s cyber resilience. These include national and sector-specific cyber exercises, public-private cooperation programs, capacity-building projects for critical infrastructure operators, and information-sharing networks operated under the National Centre for Intervention to Cyber Incidents (USOM). The Authority also engages with academia, industry associations, and international organisations to develop standards, best practices, and awareness programs.

During 2024 - 2025, the Authority, through the Cybersecurity Initiative, partnered with the private sector to conduct large-scale cybersecurity exercises to test the resilience of critical infrastructure operators. This effort led to the development and publication, in early 2025, of updated best-practice guidelines on incident reporting protocols.