Legal framework

Legislation

Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

Turkey does not have any dedicated cybersecurity laws. The data protection legislation, including the Personal Data Protection Law No. 6698 (PDPL), however, contains general requirements with regard to the security of personal data. Cybersecurity breaches can therefore lead to a breach of data protection law.

The Council of Ministers issued a decision on national cybersecurity strategy, published in the Official Gazette on 20 June 2013, in the form of an action plan aimed at ensuring the protection of services, transactions and data provided by the government through IT systems and critical IT infrastructure operated by the public and private sectors. On that basis, the Ministry of Transport, Maritime Affairs and Communication prepared a 2016–2019 national cybersecurity strategy and action plan, under which definitions, principles, cybersecurity risks and strategic cybersecurity purposes and actions are presented. This plan aimed to shape Turkey’s cybersecurity legislation in accordance with international standards and establish a public authority that ensures coordination in the field of cybersecurity.

The 11th Development Plan of the Turkish Republic for the 2019–2023 period (the Plan) states that to mitigate national security and ensure technological transformation in primary sectors (eg, chemical industry, medicine and medical equipment, electronics, automotive and rail system equipment), Turkey must enhance its ability to develop cybersecurity and data privacy technologies, fill the gap in the number of qualified persons, further develop its administrative structures and keep its legislation in pace with ever-developing technology. Various plans and strategies are expected to be implemented within the period covered by the Plan, including the establishment of new public organisations and committees dealing with cybersecurity. On the other hand, the Turkish Presidency’s Digital Transformation Office (DTO), which was established in 2018, has been carrying out a series of studies and projects in the area of cybersecurity and data security for the purpose of ensuring digitalisation in public services and increasing public awareness thereof.

The Presidential Circular on Information and Communication Security Measures, which was published by the Presidency on 6 June 2019 (the Circular), sets forth a series of measures aimed at increasing the security of critical data, including requirements for the domestic localisation of data and limitations on the use of cloud services. The Circular primarily concerns public institutions and organisations, but it also concerns private organisations that provide services in critical infrastructure sectors, namely banking and finance, electronic communications, transportation, energy, water management and critical public services. The Circular also provides that the DTO shall prepare an Information and Communication Security Guide (the Guide) to be implemented by public institutions and organisations, as well as organisations providing critical infrastructure services. The current information systems of these institutions shall be gradually aligned with the principles to be determined in the Guide. The Guide is expected to be published in early 2020.

Despite the lack of general legislation to date, certain sector-specific pieces of legislation apply. The Electronic Commerce Law No. 6563 and the Banking Law No. 5411 are the most important. In the banking sector, a draft Regulation on the Information Systems of Banks and Electronic Banking (the Draft Regulation) has been published, bringing a renewed focus on data protection and cybersecurity issues. The Draft Regulation is meant to repeal the Communiqué on the Principles Applicable to the Information Systems of Banks (the Communiqué) issued by the Banking Regulation and Supervision Agency (BRSA) in 2007. The Draft Regulation requires at least 90 hours per year of mandatory training for bank personnel and the annual conduct of penetration tests by independent firms.

In the health and insurance sectors, the data protection legislation imposes stricter requirements in terms of cybersecurity to the extent healthcare providers and health insurers process health personal data, which qualifies as a special category of data and requires enhanced protection. These two sectors also have their own legislation with regard to confidentiality obligations, thus making cybersecurity even more critical. In the telecommunications sector, the Information and Communication Technologies Authority (ICTA) has detailed regulations with regard to technical precautions to be taken by telecommunications providers.

Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

Since the PDPL is of general application, companies in all sectors have to comply with data protection law to the extent they process personal data. In addition, the banking, insurance, e-commerce, telecommunications and health sectors have sector-specific legislation and are thus more affected by cybersecurity issues. Owing to their data-intensive nature, these sectors have shown faster progress than other sectors in the field of cybersecurity.

In the telecommunications sector, for instance, the ICTA published a decision on 28 March 2019 with regard to localisation requirements for remote programmable SIM technologies (eg, eUICC, e-SIM) used in devices that are manufactured to be used in Turkey, imported into the country or brought by passengers from abroad. The decision sets forth that where remote programmable SIM technologies are used in Turkey, SIM modules embedded in these devices must be programmed in such a way that they can be managed by authorised operators, and that only local operator profiles must be installed on the devices. One of the grounds for this decision is to maintain cybersecurity and prevent possible security breaches.

The issuance of additional rules specific to the telecommunications sector is also expected according to the NATO Cooperative Cyber Defence Centre of Excellence’s National Cybersecurity Organisation: Turkey report. Developments are also expected in the military sector. The DTO has numerous projects in this field and is soon expected to become more active. On the other hand, under the modernisation programme of the Cyber Defence Command, a new military-CERT and dedicated cyber defence training laboratory has been launched. This will bring a new set of rules for cyber defence.

Has your jurisdiction adopted any international standards related to cybersecurity?

For the Turkish Armed Forces, cybersecurity and defence standards are prepared in accordance with those of NATO. As Turkey is a member of the International Organization for Standardization (ISO), the requirements set out under the ISO/IEC 27001 standard have to be complied with in the field of data security. ISO/IEC 27001 is a common standard that is also applicable and mandatory under Turkish law for entities providing electronic communication services, electronic networks and infrastructure, and energy facilities.

Institutions in the banking sector must comply with the Control Objectives for Information and Related Technology (COBIT) standards, which are audited by the BRSA on an annual basis to ensure data security and integrity. Although the ISO/IEC 23001 and ISO/IEC 19790 standards have been used with respect to sustainability and cryptography of the data, these are not mandatory.

In practice, payment system providers that support the e-commerce industry comply with the Payment Card Industry Data Security Standard (PCI DSS), imposed by international credit card institutions to keep online payment records and sensitive data, such as credit card numbers, secure.

What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?

The PDPL does not regulate the concept of data protection officer. As per the PDPL and the guidelines on necessary technical and organisational measures published by the Turkish Data Protection Authority (DPA), organisations that act as a data controller or data processor have to use and implement the necessary technical and organisational measures listed therein to ensure an appropriate security level to prevent data breaches. In the event of a breach, if the behaviour that led to the breach can be characterised as a crime, a sanction can only be imposed on the natural person perpetrator, meaning the person who actually committed the act defined as an offence by the law. If an offence is committed upon the instruction of another person, the person who committed the act will be charged as the offender, while the person who instructed the perpetrator will be considered an abettor. Both will be exposed to the applicable sanction for the offence at hand. Where the breach leads to an administrative penalty under the PDPL, the organisation itself can be fined. The liability of responsible personnel and directors will thus not be directly triggered under the provisions of the PDPL unless they personally took part in the behaviour that led to the breach. On the other hand, directors can find themselves liable to their company under the provisions of the Turkish Commercial Code if their failure to adequately manage and supervise the company, including by ensuring that the organisation’s networks and data are adequately protected against cyberthreats, amounts to a breach of their fiduciary duties. This could lead to their dismissal and to actions for compensation against individual directors. Responsible personnel on the company’s payroll could face consequences under labour law, including termination without severance.

More specific precautions in terms of cybersecurity are imposed on organisations active in regulated sectors. In the banking sector, the primary and secondary systems of banks, payment service providers and electronic money institutions should be located within the Turkish territory for data security purposes. In the event of a breach, a disaster recovery plan must be used to ensure data integrity. In addition, the Regulation on Bank Cards and Credit Cards states that institutions that issue credit cards must keep all personal data in confidence, refrain from using such data for marketing activities, and take all necessary precautions to keep records safe. Banks have a general obligation to supervise their information systems and ensure their secrecy, integrity and accessibility. Otherwise, administrative fines may be imposed by the BRSA. As per the Draft Regulation published by the BRSA, it would become mandatory to appoint a person who is responsible for cybersecurity issues and incident management. In the event of a data breach or cyberattack, this person would be responsible for informing the relevant departments and the BRSA immediately.

Similar rules were issued by the ICTA for the telecommunications sector.

In terms of individual liability of responsible personnel or directors in the banking and telecommunications sectors, under the current state of the legislation, the rules are the same as under the data protection legislation (ie, criminal liability would require personal involvement in the offence), while inadequate cybersecurity that leads to administrative fines for the organisation could ultimately trigger the directors’ liability for breach of fiduciary duty under the Turkish Commercial Code.

How does your jurisdiction define cybersecurity and cybercrime?

There is no clear definition of cybersecurity under Turkish law. Although cybersecurity as a concept is used in several regulations, it has not been specifically defined yet, whether by statute or through case law. The distinction between cybersecurity and data privacy has not been made by any authority, and cybersecurity requirements remain largely defined in terms of complying with data privacy obligations.

Various definitions have, however, been used by regulatory authorities. The ICTA has adopted the following definition: ‘Cybersecurity aims to ensure that the security features of institutions, organisations and users’ assets are created and maintained in a way that they are able to withstand the security risks of cyber environments. The main objectives of cybersecurity are accessibility, integrity (fidelity and undeniable logs) and confidentiality.’

What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?

Data controllers have the obligation to implement the technical and organisational measures necessary to ensure an appropriate security level to prevent personal data from being processed or accessed unlawfully and to ensure its protection. The PDPL does not explicitly specify the technical and organisational measures to be taken, and these should be evaluated on a case-by-case basis.

The DPA has published guidelines on technical and organisational measures that are not binding. These guidelines recommend several steps to be taken by those who process personal data. A proper firewall should be put in place. All applications and software should be protected against cyberattacks, which implies that they need to be kept up to date. Access to the systems that contain personal data should be limited. Employees should only be able to access information on a need-to-know basis. The use of brute-force algorithm, the requirement to use strong passwords and limitations on the number of password entry attempts to ensure protection against most common attacks are also suggested. Anti-spam products that periodically review the system and detect malware should be used. The integration of data leakage programs would also count as a protective measure. The guidelines further suggest pseudonymisation, micro merging, global coding, differentiated password systems, partial hiding and extraditing variables as technical methods to protect data.

Furthermore, in the banking sector, the Communiqué makes it mandatory to use a two-factor authentication method to protect data and requires that risk analysis be carried out by the relevant department of the bank. As per the Draft Regulation, providing cybersecurity training will also become a requirement.

Scope and jurisdiction

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?

Turkey does not have any specific law addressing cyberthreats to intellectual property. Intellectual property rights are generally protected under the Intellectual Property and Artistic Works Law No. 5846, which provides for sanctions in case of infringement, regardless of the environment in which it is committed.

On the other hand, it is a crime for any person to produce, put up for sale, sell or possess for non-private use programs or technical equipment that aim to circumvent additional programs developed to prevent the illegal reproduction of a protected work. This offence is punished by six months to two years’ imprisonment, which may in some cases be converted into a corresponding judicial fine.

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?

Turkey does not have any specific legislation addressing cyberthreats to critical infrastructure. However, sector-specific regulations lead to the protection of critical infrastructure in the relevant sectors, such as financial services systems. Furthermore, the use of the ISO/IEC 27001 standard is mandatory for entities providing electronic communication services, electronic networks and infrastructure and energy facilities.

Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?

The Turkish Criminal Code makes it a crime to access or record telephone communications, or intercept and open private mail. While this should in principle extend to electronic communications, there are no express provisions in this respect in the legislation. It is, however, generally admitted that the confidentiality of electronic communications is protected as well, and this is expected to be expressly provided under the new cybersecurity law.

The only exception to the confidentiality of private communications is provided under the Turkish Code of Criminal Procedure No. 5271, under which the communications of persons suspected of illegal activities can be accessed and recorded for the needs of an investigation, with the permission of the public prosecutor. There is no law allowing access to private communications for the purpose of protecting networks or data against cyberthreats.

There are no laws governing access to metadata.

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

The following cyberactivities are criminalised under the Turkish Criminal Code No. 5237: providing unlawful or unauthorised access to information systems, blocking or destroying information systems and altering or destroying data; improper use of bank or credit cards; creating or putting together devices, software, passwords or other security codes to commit the above-mentioned crimes; and producing, importing, delivering, transporting, storing, accepting, selling, supplying, purchasing or carrying the same. These offences can lead to sanctions ranging from one to three years’ imprisonment.

The PDPL provides for a number of criminal sanctions in the event of a breach of its provisions. Persons who illegally collect personal data are subject to one to three years’ imprisonment. If the data is sensitive personal data, the offender is subject to one-and-a-half to four-and-a-half years’ imprisonment. Persons who illegally transfer personal data or make personal data available to the public are subject to two to four years’ imprisonment. Finally, persons who are responsible for deleting data following the expiry of the retention period but fail to do so are subject to one to two years’ imprisonment.

How has your jurisdiction addressed information security challenges associated with cloud computing?

Turkish law has not yet specifically addressed security challenges associated with cloud computing. An informative note was issued in 2013 by the ICTA, leading to the publication of draft standards for cloud computing systems by the Turkish Standards Institution in 2014. These have not been finalised yet and are thus not binding. The Strategy Plan for 2019–2023 prepared by the ICTA mentions that necessary legal and administrative arrangements will be made for the development and expansion of cloud computing services.

The use of cloud services is indirectly regulated under the PDPL to the extent that the storage of personal data processed by a Turkish organisation on cloud servers located outside Turkey will be considered as an international transfer of data, even if the data cannot be accessed by persons located in the third country. The PDPL rules with regard to the transfer of personal data outside Turkey will thus have to be complied with. Under the PDPL, personal data cannot be transferred to foreign countries unless the explicit consent of the data subject is obtained, or the organisation can rely on one of the exceptions set out by the law. In addition, if the recipient is located in a country that is not considered to provide adequate protection, the transfer is subject to the execution of a written undertaking by the sender and the recipient, as well as the prior approval of the DPA. The list of adequate protection countries has not been published to date.

The DPA’s non-binding guidelines on technical and organisational measures also mention cloud computing systems. These mostly warn data controllers of the data protection risks associated with the use of cloud technology.

In the banking sector, the Draft Regulation provides that banks will be able to benefit from private cloud computing services only if the servers of the cloud services provider are located within Turkish territory.

How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?

Regulatory obligations are the same for all organisations doing business in Turkey whether they are Turkish organisations with Turkish or foreign capital or foreign organisations doing business through a local branch. Turkish organisations with foreign capital and foreign organisations doing business in Turkey are, however, more likely to need to consolidate data generated in Turkey in jurisdictions outside Turkey, for which they will face restrictions under the PDPL as explained above.

Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

The ICTA, as the telecommunications regulatory and supervisory authority of Turkey, is authorised to regulate cybersecurity issues. While the ICTA’s decisions are directly binding upon companies, the authority also publishes recommendations and guidelines. As per the recommendations of the ICTA, each organisation dealing with data should conduct annual penetration tests to identify weaknesses in its information systems. The aim of the test is also to evaluate incident management methods. This test is already required in the banking sector, but under the Draft Regulation, it will become mandatory to have the test conducted annually by an independent firm. The ICTA also recommends data classification, data governance projects and cryptology methods to be adopted to increase data security and minimise the risk of data leakage.

How does the government incentivise organisations to improve their cybersecurity?

The Turkish government does not currently provide any form of incentive for organisations to improve cybersecurity. It is, however, working on increasing cybersecurity standards and awareness within public institutions. In this respect, the Turkish Cyber Security Cluster was established to develop the Turkish cybersecurity ecosystem with the contribution of all public agencies, academia and private sector representatives under the leadership of the Presidency of Defence Industries.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

There are sector-based standards applicable in Turkey, the most common being ISO/IEC 27001. It is a legal requirement for energy companies, licensed operators in accordance with ICTA regulations and certified operators in accordance with customs law to obtain ISO/IEC 27001 certification. Companies providing payment systems services must comply with the PCI DSS, which is imposed in practice by international credit card institutions.

Are there generally recommended best practices and procedures for responding to breaches?

The DPA has not published any guidance with regard to best practices and procedures for responding to personal data breaches. Under the PDPL, the retention of third-party data forensic firms is not required but may be useful to respond to the questions of the DPA, which is likely to request all available information related to the breach. There are no generally recommended best practices as regards communications to employees or with the media, which will be devised on a case-by-case basis.

The ICTA has published guidelines regarding general and sectoral best practices and procedures for responding to breaches in the telecommunications sector. These require operators affected by a breach to take certain technical measures immediately in compliance with international standards. There is no requirement to retain third-party forensic firms. Operators should have incident management and disaster recovery policies in place.

In the banking sector, the BRSA requires banks to comply with COBIT standards. Payment systems providers should comply with the practices and procedures set out under the PCI DSS standard.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Turkey does not have any regulated practices or procedures for voluntary sharing of information about cyberthreats. According to the Strategy Plan for 2019–2023 issued by the ICTA, coordination and bidirectional information flow should be ensured between the National Cyber Incidents Response Centre (established under the ICTA) and public authorities, the private sector, universities, NGOs and cybersecurity volunteers to ensure coordination on cyberthreat intelligence with national and international stakeholders and to fight cyberthreats through rapid detection and early intervention.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The ICTA periodically convenes a meeting with cybersecurity professionals to obtain their input to determine cybersecurity standards and procedures. This is an ongoing process, and no such standards and procedures have been officially determined yet.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Since cybersecurity insurance is not an obligation, there are few insurance firms offering cybersecurity insurance policies in Turkey. Owing to the lack of reliable standards and parameters to detect the risk of a cybersecurity breach, the actuarial risk assessment is difficult to make, and insurance companies in Turkey struggle to price this type of insurance product.

For the banking sector, cybersecurity breach insurance is recommended in the Draft Regulation and can be counted as one of the technical measures to ensure cybersecurity. However, insurance for cybersecurity breaches will not be mandatory.

Enforcement

Regulation

Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

The ICTA is the regulatory body authorised to take decisions and actions regarding the protection of information systems. However, since the PDPL is the only general piece of legislation that currently imposes requirements in terms of cybersecurity, the DPA is the regulatory authority competent to conduct investigations, issue binding decisions and impose administrative fines. To the extent that cybercrimes are defined under the Turkish Criminal Code, public prosecutors and criminal courts are also competent to investigate, prosecute and impose sanctions in relation to such crimes.

Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.

Under the PDPL, the DPA has the right to audit data controllers and processors, including the right to conduct site inspections and request documents. In the banking sector, the BRSA has the right to audit the banks’ information systems. Pursuant to the Regulation on Bank Information Systems and Banking Processes Audit to be Performed by External Audit Institutions, issued by the BRSA in 2010, banks have to be in compliance with COBIT standards and are subject to yearly audits conducted by certified independent firms at the request of the BRSA. The BRSA is also authorised to audit other financial institutions, including payment systems providers and e-money companies. In addition, institutions that hold a PCI DSS certification and obtain credit card information can be audited and investigated by the PCI DSS auditors.

What are the most common enforcement issues and how have regulators and the private sector addressed them?

The practice of regulators is generally to afford cure periods to organisations to remedy instances of non-compliance. If the DPA identifies deficiencies in the technical and organisational measures taken to protect personal data, it can give a 15-day period to cure the situation under the PDPL and eventually issue administrative fines. The ICTA and the BRSA also have the power to request that deficiencies be cured within a certain period of time and to issue administrative fines if the necessary measures are not taken. Where fines are imposed, they can be quite substantial, especially in the banking sector where there is no statutory cap. There are market precedents in which fines well in excess of 10 per cent of the affected bank’s revenue were imposed following a failure to take necessary measures against cyberthreats and report the breach immediately. On the other hand, it is difficult to have a clear picture of the enforcement environment to the extent most regulatory decisions imposing fines are not made public; the lack of transparency in this respect is a recurrent issue in Turkey.

What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified?

In the event of a cybersecurity breach potentially affecting personal data, the data controller must notify the DPA without undue delay and, where feasible, no later than 72 hours after becoming aware of the data breach. Data subjects must also be notified via appropriate methods as soon as possible after determination of the persons affected by the data breach.

The following elements must be included in the notification made to the data subjects: date of the breach; information on the categories of personal data affected by the breach; possible consequences of the breach; measures taken or proposed to be taken to reduce or eliminate possible adverse effects; and the names and contact details of the persons who can provide information about the breach or the full contact details of the data controller.

Penalties

What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?

The PDPL provides that the failure to comply with the obligation to ensure data security can result in a fine ranging from 15,000 to 1 million lira. In addition, failure to comply with the decisions of the DPA, which may include injunctions to comply with cybersecurity requirements, can result in a fine ranging from 25,000 to 1 million lira.

In the telecommunications sector, the ICTA has broad powers to impose fines of up to 3 per cent of the operator’s net revenue in the previous year for the failure to comply with laws, regulations and the ICTA’s own decisions. In the banking sector, the BRSA also has the power to impose fines calculated by reference to the bank’s revenue, but this is not subject to a formal cap and will be determined by the BRSA on a per breach basis.

If it is determined following an inspection by ISO mandated auditors that a company has failed to comply with the ISO 27001 standard, its certification may be suspended or cancelled. In the field of payment systems, if a company fails to comply with the PCI DSS standards twice, the certificate is taken away from the company. For companies that are required to comply with the ISO 27001 standard by their own regulatory authority, such as the Energy Market Regulatory Authority in the energy sector, administrative fines can be directly imposed by the competent regulator in case of failure to comply.

While this would only apply in extreme cases, Turkish regulatory bodies also have the power to suspend or cancel an organisation’s operating licence in case of non-compliance with laws, regulations or regulatory decisions.

What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?

Under the PDPL, the failure to report a data breach to the DPA and the data subjects can lead to administrative fines ranging from 15,000 to 1 million lira. In the telecommunications sector, the ICTA may impose fines of up to 3 per cent of the operator’s net revenue in the previous year for the failure to report a security breach. In the banking sector, the BRSA also has the power to impose fines calculated by reference to the bank’s revenue, but this is not subject to a formal cap and will be determined by the BRSA on a case-by-case basis.

How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?

Compensation lawsuits may be initiated on the basis of general principles of law, including by seeking liability in tort or in contract if there was a contractual relationship between the parties. If the data breach affects personal data, the PDPL expressly provides for the data subjects’ right to compensation if their data has been processed in breach of the law. If the data breach resulted in the infringement of intellectual property rights, compensation can also be sought on the basis of intellectual property law. If a company has suffered damage as a result of its directors’ failure to implement adequate cybersecurity measures within the organisation, this could qualify as a breach of fiduciary duties and form the basis of liability claims against the directors under the Turkish Commercial Code.

Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

See ‘Legislation’.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

There is no general legal requirement to keep cyberthreat records, although it is strongly advisable to keep records of all activity affecting personal data in the event of a DPA inspection. Most companies will also have the obligation to keep internet log records for three years under the Internet Law No. 5651 and related regulations as long as they provide access to the internet, even if only to their own employees.

In the telecommunications sector, the Regulation on Network and Information Security in the Electronic Communications Sector, issued by the ICTA in 2008, requires that records regarding network and security breaches be kept for three years. In the banking sector, banks are obliged to keep records of data and logs, but it is currently unclear how long the records should be retained. In accordance with the Draft Regulation, banks will be under the obligation to keep records of all transactions for three years as well. Banks and telecoms operators are also required to report breaches to the regulator in annual reports. The Internet Law also requires organisations to keep logs of all e-commerce and call centre transactions, which can later be used for evidence purposes.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

If the breach affects personal data, the PDPL provides that in case personal data is illegally obtained by third parties, the data controller must inform the DPA and the relevant data subjects as soon as possible. The PDPL further states that the DPA may publish an announcement regarding the data breach on its website or by any other method it deems appropriate. The failure to comply with this obligation would expose the affected organisation to administrative fines.

In the telecommunications sector, a binding decision of the ICTA requires operators to notify any type of cybersecurity breach, including data leakage and cyberattacks, to the authority. Reports should include, among other things, logs, time stamps, the identification numbers of affected devices, a description of the lost data and the time at which the breach was discovered.

In the banking sector, banks currently have to prepare a form containing substantially the same information as listed above, as well as an identification of potential harm to end users (such as affected transactions) and submit it to the BRSA. Under the Draft Regulation, it would become mandatory to appoint a person responsible for cybersecurity issues whose duties would include informing the departments of the bank and the relevant authorities in the event of a breach. Banks would also be obliged to report cyberthreats in addition to breaches.

In addition, if a public company is affected by a cyberattack, it must notify the Capital Markets Board, which will make the information publicly available. In the insurance sector, even though it is not mandatory, it is strongly advisable for companies to notify the Undersecretariat of Treasury, which is the insurance regulator.

Time frames

What is the timeline for reporting to the authorities?

Pursuant to the PDPL, the DPA and the relevant data subjects must be notified as soon as possible after a data breach or cyberattack is discovered. There is no requirement to report about cybersecurity on a regular basis under the PDPL.

Likewise, all regulatory authorities mentioned above should be notified as soon as the breach is discovered.

Regular reporting obligations only exist in the banking and telecommunications sectors. Banks must submit a COBIT report to the BRSA in the first month of each year, and telecommunications companies must submit a report including an assessment of cyber risks, encountered cyberattacks and precautions taken against them, to the ICTA in the first three months of each year.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

The PDPL requires that data breaches affecting personal data be notified to data subjects in addition to the DPA. There are no formal requirements to report threats or breaches to others in the industry or to the general public.

Update and trends

What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?

Together with the publication of various strategy and development plans that set promising goals for the government and regulatory authorities to develop cybersecurity and information technologies in several sectors, there has been an increasing trend towards digitalisation in the country. Turkish public authorities have started to use digital platforms to increase efficiency, integrity and sustainability. One of the most recent examples is the electronic online apostille services to be provided by the Post, Telegraph and Telephone Institution.

The Ministry of Environment and Urbanisation has published its smart cities strategy plan for 2019–2022, which introduces various enhancements in the areas of data security, information technologies, smart infrastructures and so on. The Istanbul Municipality is working on a smart cities system and on the collection of data for payment systems in public transportation and vending machines. The intent is to introduce a city card, the Kent Kart, for payments in public places. This will bring about the need for increased cybersecurity precautions. The establishment of an Istanbul Cyber Security Platform is also on the agenda. Another significant development concerns the land registry system, with land registries starting to keep online records and to accept online payments for land registry transactions. A series of other formalities, such as trade registry applications or registration with the data controller registry, must now be made through online systems.

In view of this growing trend towards digitalisation, the ICTA has started to draft a code regarding cybersecurity issues that should follow the approach taken in the draft EU Cybersecurity Act (the Draft Cybersecurity Act), expected to be approved in 2020 to introduce a new standardised cybersecurity framework and provide an EU-wide certification system identifying resilience to cyberattacks. Since the PDPL and the Payment Systems Law are largely modelled on EU legislation, Turkey’s future cybersecurity code is expected to be similar to the Draft Cybersecurity Act. In the meetings convened with cybersecurity experts, ICTA officials have largely referred to the Draft Cybersecurity Act as an example.

Overall, the cybersecurity ecosystem in Turkey is gaining further depth as more strategies, plans and projects are being drawn up, in particular in the public sector and in critical private sectors, such as banking, health, telecommunications and energy. One obvious challenge for authorities devising legislation in this field is to keep up with fast-paced technological developments and the changing needs of private sector players. Turkish public authorities dealing with cybersecurity issues have, however, shown themselves quite open to seeking feedback from market players and involving them in the process to shape the new regulations. In this area more than others, it is in the latter’s interest to engage with regulatory authorities as early as possible in the process, make their needs known to these authorities and provide constructive feedback as to the proposed regulations.

Law Stated Date

Correct On

Give the date on which the information above is accurate.