Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Pursuant to Article 12 of the Law on the Protection of Personal Data, data controllers must implement any technical or administrative measure necessary to ensure the appropriate security level in order to prevent the personal data from being processed or accessed unlawfully and to ensure its protection.

Further, they must adopt the adequate measures determined by the Personal Data Protection Board when special categories of personal data are processed.

Data controllers that are subject to sector-specific laws (eg, banking and telecoms regulations) must also comply with other sector-specific security obligations.

For example, in the banking sector, pursuant to the Regulation on Banks’ Internal Control and Internal Capital Adequacy Assessment Process and the Law on Payment and Security Reconciliation Systems, Payment Services and Electronic Money Organisations 6493, primary and secondary systems of banks and payment service providers or electronic money institutions should be located in Turkey. In addition, the Regulation on Bank Cards and Credit Cards sets forth that institutions that issue cards must:

  • keep all personal data in confidence;
  • refrain from using such data for marketing activities; and
  • take all necessary precautions to keep records safe.

In the energy sector, Article 30/B/1 of the Regulation on Balancing and Compliance in the Electricity Market sets forth that suppliers must keep and update data records in order to ensure data stability and security. They must also take all necessary precautions to keep personal data safe.

However, the Personal Data Protection Board has published no guidance on the technical measures required.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Yes. If the processed personal data is obtained by other persons illegally, the data controller must inform the relevant person as soon as possible.

Are data owners/processors required to notify the regulator in the event of a breach?

Yes. If the processed personal data is obtained by other persons illegally, the data controller must inform the Personal Data Protection Board as soon as possible. The board may announce the situation on its website or by another method that it deems appropriate.

Click here to view the full article.