Cybersecurity 2025

TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal

3.5 International Data Transfers

Banking Law and Its Secondary Legislation

Refer to the localisation obligation under 3.3 Key Operational Resilience Obligations. Additionally, customer secrets under the Banking Law cannot be disclosed or transferred to foreign (or domestic) third parties without receiving the customer's request or explicit instruction. There are two exceptions.

• Customer secrets can be transferred to authorities that are authorised by Turkish laws.
• Information and documents may be shared with the parent company located abroad, provided that its capital share equals or exceeds ten percent, and a non-disclosure agreement is signed with the parent company. Even then, only the following information may be shared: preparation of consolidated financial statements, risk management, and internal audit practices.

The By-Law on the Sharing of Secret Information, which applies to bank secrets and customer secrets collectively, also provides exceptions to the prohibition on sharing secret information. Accordingly, the following transfers are allowed.

• Per a BoD decision to be adopted by the bank, sharing with third parties bank secrets that only contain classified information belonging to the bank.
• The disclosures made to the foreign judicial and alternative dispute resolution authorities or to the parties representing the bank in such disputes, where the disclosure is necessary for the proof of the claim or defence.

necessary information and documents requested and to keep and operate all kinds of records in a readable format.

Moreover, BSRA is authorised to impose administrative fines in case of non-compliance with its regulations in accordance with the Banking Law.

The Turkish Republic Central Bank (the TRCB)

The TRCB is authorised to audit banks, payment institutions, electronic money institutions, and their branches, representatives or outsourced service providers of the Post and Telegraph Organisation A.Ş.

The TRCB may request the payment institution and electronic money institution to take the necessary measures in relation to the issues identified. In case of failure to take these measures in a reasonable time, TRCB may revoke the operating licence.

Depending on the case, TRCB may impose a wide range of administrative fines for non-compliance with the regulations on payment services and electronic money institutions.

The Capital Markets Board (the CMB)

The CMB has the authority to audit the activities concerning capital markets of all institutions and organisations under the scope of the Capital Markets Law and other relevant real or legal persons. The auditing personnel may request relevant documents and information. The failure to provide these and obscuring the audit are criminalised under the Capital Markets Law.

Depending on the case, CMB may impose a wide range of administrative fines on persons who fail to comply with the Capital Markets Law and its secondary legislation.
