Cybersecurity 2025

TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal

The Presidency Decree applies to public insti - tutions and organisations as well as business - es providing critical infrastructure services (ie, energy, electronic communications, banking and finance, critical public services, water manage - ment, and transportation). See 2.1 Scope of Critical Infrastructure Cybersecurity Regulation for further details. The Turkish Data Protection Law No 6698 (the “DP Law” ) and its secondary legislation The DP Law covers all personal data-processing activities in Türkiye. From a cybersecurity per - spective, it also regulates the security of per - sonal data and full or partly automated and non- automated data-processing systems. According to the DP Law, controllers are obliged to take all necessary technical and organisational meas - ures to provide a sufficient level of security to: • prevent unlawful processing and accessing of personal data; and • ensure the safekeeping of personal data. See 6.1 Cybersecurity and Data Protection for further information. The Turkish Criminal Code (the TCrC) No 5237 The TCrC criminalises several actions in con - nection to cybersecurity and sets out criminal sanctions of imprisonment between six months and eight years for these actions. Some are as follows: • unlawful access to a cyber-system; • blocking or bricking the cyber-system or destroying, modifying, or making inaccessible

sale, purchasing, giving to others or keeping forbidden devices and software that are used to break a computer program’s password or a code as such in order to commit a crime described in the bullet points above; • committing theft or fraud via cyber-systems; • unlawful recording of personal data; • unlawful transfer, publication or acquisition of personal data; and • failure to destroy personal data after the retention period set forth in the applicable laws. The Law on Intellectual and Artistic Works No 5846 The Law on Intellectual and Artistic Works (focusing on the protection of copyright) also criminalises the following actions with sanctions of imprisonment between six months and two years: • circumventing technological measures such as access control or encryption; • breach of the protected rights of the database manufacturer; and • continuous violation of copyrights and related rights by service and information content pro - viders via transmission tools for signs, sounds and/or images, including digital transmission. The Communiqué on the Procedures and Principles for Connecting to and Auditing the KamuNet Network (The “Communiqué on KamuNet” ) KamuNet (loosely translated as PublicNet) is a closed-circuit, virtual network infrastructure isolated from the private network and internet environment and utilised by public institutions and organisations in their service, transaction, and data traffic transfers. Hence, it is more secure against physical and cyber-attacks. Per the Prime Ministry Decree No 2016/28 on Inte -

the data within a cyber-system; • misuse of debit or credit cards;

• manufacturing, importing, dispatching, trans - porting, storing, accepting, selling, offering for

299 CHAMBERS.COM

Powered by