- Home
- News & Insights
Search by
Latest
New Cybersecurity Law in Türkiye
On 19 March, 2025, Türkiye enacted Cybersecurity Law No. 7545 (the “Law”), which introduces comprehensive regulations to enhance cyber resilience in Türkiye. The Law reflects a significant step toward strengthening the security of critical infrastructure, data protection, and incident response mechanisms. Organisations operating in Türkiye must understand these requirements to ensure compliance and mitigate potential risks. What are the main objectives of the Law? The primary objective of the Law is to safeguard Türkiye's national cyber infrastructure against both internal and external threats. The Law emphasises the protection of critical infrastructure, the establishment of response teams, and enhanced
Quick Read: Data Protection Law Updates in Türkiye – February 2025
In February, the Turkish Data Protection Authority ("DPA") published a guideline on the processing of sensitive personal data and issued a notice regarding the implementation of standard contractual clauses. Additionally, the DPA shared two informative notes concerning the use of artificial intelligence. The preparation of cyber security legislation also gained momentum in February, as discussions on the draft Cyber Security Law began in the General Assembly of the Grand National Assembly of Türkiye. AI Applications are Under Radar of the DPA Through its social media account, the DPA published two information notes in February, "Recommendations for the Protection of Personal Data in the Use of AI" and "Key
Standart Sözleşmelerde Dikkat Edilmesi Gereken Hususlar
Mart 2025 – Kişisel Verileri Koruma Kurumu (“Kurum”) 6 Şubat 2025 tarihinde yaptığı duyuru ile Standart Sözleşme hazırlık ve imza süreçlerine ilişkin uygulamada karşılaşılan hataları gidermek amacıyla bu süreçte dikkat edilmesi gereken hususları paylaştı. Yapılan duyuru kapsamında Standart Sözleşmelerin aşağıdaki hususlara dikkat edilerek hazırlanması ve imzalandıktan sonra beş iş günü içerisinde Kurum’a sunulması gerektiği belirtilmiştir. Yer verilen hususlara uygun olmayan Standart Sözleşmelerin geçerli kabul edilmeyeceği vurgulanmıştır. İmza Zorunluluğu: Standart Sözleşme, veri aktarım tarafları veya yetkili temsilcileri tarafından imzalanmalıdır. Eksik imza olması
Key considerations for standard contracts
The Personal Data Protection Authority (“DPA”) issued an announcement on February 6, 2025, outlining key considerations for the preparation and signing processes of Standard Contracts (“SCC”) to address common errors encountered in practice. According to the announcement, SCC must be prepared in compliance with the specified requirements and submitted to the DPA within five business days after signing. It was emphasized that SCCs failing to meet these criteria will not be considered valid. Following the review of Standard Contracts submitted to the DPA the key considerations to be considered have been identified as follows: Signature requirement: The SCC must be signed by the data transfer parties
Quick Read: Data Protection Law Updates in Türkiye – January 2025
As 2025 begins, Türkiye continues to strengthen its data protection framework with new regulatory updates and strategic initiatives. The Turkish Data Protection Authority ("DPA") and Turkish president have introduced significant measures affecting multiple sectors. Key updates from January include; the Turkish president established the Cybersecurity Presidency; the National Intelligence Service carried out a cybersecurity operation against unauthorised data access; the DPA clarified obligations for data processing in mediation activities; the DPA updated the Guidelines on Banking Sector Best Practices; the DPA signed a cooperation protocol with the Turkish Capital Markets Board;
Quick Read: Data Protection Law Updates in Turkey – December 2024
In this edition of Quick Read, we summarise the latest updates in data protection law and sector news in Türkiye. In the past month, the Turkish Data Protection Authority (“DPA”): released Guidelines on Cross-border Data Flows; issued a memorandum regarding temporal application of the new amendment to the DP Law; published its 2024 Activity Report; announced updated administrative fines for 2025; disclosed two data breaches. New guidelines on cross-border data transfers now available On 2 January 2025, the DPA released updated guidelines on cross-border data transfers (“Guidelines”), providing critical clarity for organisations handling international data
Summary of Guidelines on the Transfer of Personal Data Abroad from Türkiye
The Turkish Data Protection Authority has recently published its long-awaited guidelines ("Guidelines") on the conditions for cross-border transfers of personal data. The Guidelines aim to clarify the legal framework for cross-border transfers of personal data, incorporate criteria from European Union regulations and regulators and provide concrete examples. It is crucial for data controllers and processors of personal data with cross-border transfer characteristics to plan their processes in accordance with this Guidelines. Click on one of the images below or use the following links to read our summary in English or in Turkish. Download in English: Download in Turkish
Türkiye establishes Cybersecurity Presidency: Paving the way for a secure digital future
In a landmark move, Türkiye has established the Cybersecurity Presidency (in Turkish: Siber Güvenlik Başkanlığı) under a newly published Presidential Decree on 8 January 2025. This development marks a pivotal moment to enhance the digital security infrastructure of Türkiye and reflects a growing recognition of the critical importance of cybersecurity in today’s interconnected world. Below, we provide an overview of the key aspects of this new institution. What is the Cybersecurity Presidency? The Cybersecurity Presidency is a newly established public legal entity affiliated with the Presidency of Türkiye. With its headquarters in Ankara, the institution will have a special budget and a wide-ranging
Quick Read: Data Protection Law Updates in Turkey – November 2024
In this edition of Quick Read, we summarise the latest updates on data protection law and sector news in Turkey. In this issue: fines imposed on two social media giants; Turkish Data Protection Authority (“DPA”) releases an informative note regarding ChatGPT; president of the DPA attends the 46th Conference of the Global Privacy Assembly; one data breach is announced. Twitch faces fine of TRY 2 million over massive data breach On 16 November 2024, the DPA imposed an administrative fine of TRY 2 million (approximately EUR 55,000) on the social media platform Twitch due to a significant data breach. This fine consists of: TRY 1.75 million Tfor failing
Quick Read: Data Protection Law Updates in Turkey – September 2024
The Turkish Data Protection Authority (“DPA”) did not publish any decisions or announcements in September; however, several important events took place. We summarise these for you below. A New Era of Cross-Border Data Transfers As of 1 September 2024, data controllers must now comply with the new rules regarding cross-border data transfers introduced by the amendments to the Turkish Data Protection Law ("DP Law") on 12 March 2024. Among the new rules are the introduction of Standard Contractual Clauses (“SCCs”), which are now a key mechanism for managing cross-border data transfers. Data controllers must sign SCCs with their data importers and submit the signed SCCs to the DPA within five days of
New Communiqué on Commercial E-Message Management Integrators in Turkey
On 18 September 2024, Turkey’s Ministry of Trade published in the Official Gazette the Communiqué on Commercial Electronic Message Management System Integrators ("Communiqué"). The Communiqué introduces new procedures relating to the registration and management of consent for commercial electronic messages in Turkey’s Message Managing System (“MMS”)—a national database where various e-communications approvals are stored and managed. Among the changes introduced, the Communiqué defines business partners that assist service providers with registering approvals in the MMS, approval tracking, and management processes as “Integrators” and authorisation is required for service provision. The Communiqué also
Ticari Elektronik İleti Yönetim Sistemi Entegratörleri Hakkında Tebliğ
Ekim 2024 – Ticaret Bakanlığı tarafından 18 Eylül 2024 tarihli Resmî Gazete ile Ticari Elektronik İleti Yönetim Sistemi Entegratörleri Hakkında Tebliğ (“Tebliğ”) yayınlanarak yürürlüğe girdi. Tebliğ ile uygulamada hizmet sağlayıcıların onaylarının İleti Yönetim Sistemi’ne (“İYS”) kaydı, onay takibi ve yönetimi süreçleri için destek aldıkları iş ortakları; bu Tebliğ kapsamında “Entegratör” olarak tanımlanarak hizmet sunumu için yetkilendirme şartı getirildi. Ayrıca, Tebliğ uyarınca 2025 Mart ayına kadar Ticaret Bakanlığından entegratörlük yetkisi almayanların hizmet sağlayıcı adına ticari elektronik iletilere ilişkin işlem tesis etmesi yasaklandı. Tebliğ’deki