Data localisation requirements in Türkiye


Data localisation is not specifically governed under the Turkish Data Protection Law numbered 6698 (DPL), but the DPL restricts transfers of personal data abroad in a manner that can be read as a data localisation requirement. According to Article 9 of the DPL, personal data can only be transferred outside Türkiye if:

  • explicit consent of the data subjects is obtained; or
  • the data is processed on the basis of one of the exceptions provided by the law (e.g. performance of a contract, legitimate interest, etc.) and either the destination country is among the countries designated by the Data Protection Authority (DPA) as providing an adequate level of protection, or an undertaking letter (in the format set out by the DPA) has been signed by the transferor and the transferee to ensure adequate protection and has been approved by the DPA. Note that, because the DPA has not yet issued the list of countries with an adequate level of protection, no country is currently deemed to provide an adequate level of protection.

For multinational groups where the data obtained will be transferred to more than one foreign country, Binding Company Rules (BCR) can be used instead of an undertaking letter. Once BCR have been approved by the DPA, the transferring entity does not need to obtain explicit consent or to submit a separate undertaking letter to the DPA for each transfer covered by the BCR.

In addition to the DPL, data localisation requirements are also found in other pieces of legislation. According to the Presidential Circular on Information and Communication Security Measures numbered 2019/12 (the “Circular”), critical information and data, such as population, health and communication records and genetic and biometric data, must be securely stored within Türkiye. This rule was not intended as a data transfer restriction, but it may be read as requiring that back-ups of such data be kept domestically. The Circular also states that data belonging to public institutions and organisations cannot be stored in cloud storage services, except on the relevant institution’s own private systems or with local service providers controlled by the institution. Accordingly, it can be inferred that private entities providing services to public institutions must operate a domestic server. The same issue is addressed in the Information and Communication Security Guide (the “Guide”), which emphasises the requirement to store critical data domestically when cloud services are used. The Guide also sets out precautions for cloud security and, for operators, emphasises that measures must be taken to keep domestic communication traffic within Türkiye.

There is also legislation governing data localisation in different sectors, such as the following:

Social network providers

As per Additional Article 4(6) of the Law on Internet Broadcasts numbered 5651 (İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun), social network providers based in Türkiye or abroad with more than one million daily accesses from Türkiye must take the necessary measures to keep the data of their Turkish users within Türkiye, and these measures must be reported to the Information and Communication Technologies Authority (ICTA) in six-monthly reports. Priority must be given to basic user information and to any other information determined by the ICTA. It is also worth noting that the Circular states that domestic applications must be preferred for social media and communication purposes.

Electronic communication

Pursuant to Article 5(2) of the Regulation on Processing of Personal Data and the Protection of Privacy in the Electronic Communication Sector (Elektronik Haberleşme Sektöründe Kişisel Verilerin İşlenmesi ve Gizliliğin Korunmasına İlişkin Yönetmelik), traffic and location data cannot, in principle, be transferred abroad, for reasons of national security. Security measures for the electronic communication sector are also listed in the Guide, which states that domestic communication must be kept within the borders of the country and that transferring such traffic and subscriber records abroad, or routing domestic traffic abroad and back into Türkiye, must be prevented.

Finance

Banks: According to Article 11(4) of the Regulation on Internal Systems of Banks (Bankaların İç Sistemleri ve İçsel Sermaye Yeterliliği Değerlendirme Süreci hakkında Yönetmelik), Turkish banks must maintain their primary systems (i.e. the total set of infrastructure, hardware, software and data that enables the recording and use of all information required to conduct banking activities and to fulfil the obligations imposed on banks under banking legislation) and their secondary systems (back-ups of the primary systems) in Türkiye.

Capital Markets: According to Article 26(1) of the Communiqué on Management of Information Systems (Bilgi Sistemleri Yönetimi Tebliği), the primary systems (i.e. the combination of infrastructure, hardware, software and data that allows secure and ready access to the electronic retention and use of the information necessary for compliance with duties under capital markets legislation) and secondary systems (back-ups of the primary systems) of certain companies and institutions under the supervision of the Capital Markets Board (e.g. publicly held corporations, pension investment funds, etc.) must be kept in Türkiye.

Payment and Electronic Money Institutions: Pursuant to Article 21(1) of the Communiqué on Information Systems of Payment and Electronic Money Institutions (Ödeme ve Elektronik Para Kuruluşlarının Bilgi Sistemleri ile Ödeme Hizmeti Sağlayıcılarının Ödeme Hizmetleri Alanındaki Veri Paylaşım Servislerine İlişkin Tebliğ), payment and electronic money institutions must keep their primary and secondary systems, together with their data back-up centres, within Türkiye. In addition, as per Article 21(2), all information systems used to conduct payment transactions between the institution and its customers, or with the customers of other institutions, must be kept within Türkiye together with their back-ups. Where the service is outsourced, the information systems used by the service provider, and their back-ups, must also be kept in Türkiye.

Financial Leasing and Factoring Companies: A data localisation requirement also applies to the primary and secondary systems of financial leasing, factoring and finance companies under the Communiqué on Management and Supervision of Information Systems of Financial Leasing, Factoring and Finance Companies (Finansal Kiralama, Faktoring ve Finansman Şirketlerinin Bilgi Sistemlerinin Yönetimine ve Denetimine İlişkin Tebliğ). According to Article 15(2) of that Communiqué, primary and secondary systems must be kept domestically. Where the service is outsourced, the information systems used by the service provider to conduct the relevant activities, and their back-ups, must be kept within Türkiye.

For more information on data localisation, contact your CMS client partner or local CMS experts.