{"id":139366,"date":"2026-04-22T09:25:40","date_gmt":"2026-04-22T09:25:40","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=139366"},"modified":"2026-04-30T10:05:54","modified_gmt":"2026-04-30T10:05:54","slug":"turkiye-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/turkiye-data-protection-cybersecurity\/","title":{"rendered":"Turkey: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-139366","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-turkiye"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Balc\u0131o\u011flu Sel\u00e7uk Eymirlio\u011flu Ard\u0131yok Keki Attorney Partnership<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2020\/09\/BASEAK-logo-Core-CMYK.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Balc\u0131o\u011flu Sel\u00e7uk Eymirlio\u011flu Ard\u0131yok Keki Attorney Partnership<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2020\/09\/BASEAK-logo-Core-CMYK.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Turkey<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block 
filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Protection of personal data is mainly regulated by Article 20\/3 of the Turkish Constitution and the Personal Data Protection Law (the \u201c<strong>DPL<\/strong>\u201d), which came into force on April 7, 2016. The Turkish Constitution mainly sets forth that each individual has the right to request protection of their personal data. The DPL regulates general principles of data processing and imposes several obligations on data controllers and data processors for their data processing activities. Secondary regulations of the DPL include the following:<\/p>\n<ul>\n<li>Regulation on the Data Controllers\u2019 Registry (\u201c<strong>VERBIS<\/strong>\u201d)<\/li>\n<li>Regulation on Erasure, Destruction and Anonymization of Personal Data<\/li>\n<li>Communiqu\u00e9 on Rules and Procedures for Application to Data Controller<\/li>\n<li>Communiqu\u00e9 on Rules for Fulfilling the Obligation to Inform Data Subjects<\/li>\n<\/ul>\n<p>The DPL applies to <strong>(i)<\/strong> natural persons whose personal data are processed and <strong>(ii)<\/strong> natural or legal persons who process such data, wholly or partly by automatic means, or otherwise than by automatic means that form part of a data registry. The DPL applies to all data processing activities, regardless of the sector in which the data controller is operating. 
In addition, several regulations are specific to sectors such as banking, capital markets, telecommunication, health, payment services, etc.<\/p>\n<p>The DPL does not have a specific provision on its territorial scope. The Turkish Personal Data Protection Authority and Board (the \u201c<strong>DPA<\/strong>\u201d) is the regulatory authority that enforces the DPL. The recently published Guidelines on Cross-Border Data Transfers issued by the DPA make reference to the principle of territoriality regulated under the Turkish Penal Code, since there is no explicit provision in the DPL for determining its territorial scope. However, the Guidelines further underline the fact that the strict application of the principle of territoriality does not serve the purpose of ensuring effective protection in view of the emergence and widespread use of technologies that enable cross-border data processing.<\/p>\n<p>The DPA therefore concludes that when interpreting the territorial scope, the principle of effect should be applied instead of the principle of territoriality. In fact, in one of the example scenarios provided in the Guidelines, the DPA illustrates that processing activity in relation to orders received through a website operated by a third-country company that is not resident in T\u00fcrkiye but targets data subjects in T\u00fcrkiye falls within the territorial scope of the DPL. Accordingly, in broader terms, the DPA applies the DPL to data processing activities that concern individuals in T\u00fcrkiye and\/or have a consequence on individuals in T\u00fcrkiye.<\/p>\n<p>With respect to the legal and regulatory framework governing cybersecurity, T\u00fcrkiye adopted its first comprehensive law in the field of cybersecurity, the Cybersecurity Law No. 7545 (the \u201c<strong>CSL<\/strong>\u201d), on 19 March 2025. 
The CSL establishes a unified cybersecurity framework, consolidating cybersecurity activities under the newly created Cybersecurity Presidency (\u201c<strong>Presidency<\/strong>\u201d) and the restructured Cybersecurity Board, bringing together responsibilities previously held by the Ministry of Transport and Infrastructure, the Information and Communication Technologies Authority, and the Digital Transformation Office of the Presidency.<\/p>\n<p>The CSL applies broadly to all entities operating in cyberspace, including public institutions, private sector entities and critical infrastructure operators, and introduces a risk-based, centralised governance model. It sets out obligations relating to cybersecurity measures, incident notification, cooperation with authorities and compliance with standards to be determined by the Presidency, while also providing a framework for certification, authorisation and audit of cybersecurity products, services and providers. Further implementation details are expected to be specified through secondary legislation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There has been an ongoing initiative to fully harmonize the DPL with the GDPR for some time. 
According to the Presidential Annual Program for 2026 and the Medium-Term Program (2026-2028), published in the Official Gazette, efforts to align the DPL with the GDPR are expected to accelerate, with a target of completing the harmonization by the third quarter of 2026.<\/p>\n<p>That said, as of today, there is no publicly available draft legislation or formal bill submitted to the Turkish Grand National Assembly in this regard, and such legislative changes do not appear to be an immediate priority in practice. Nevertheless, the DPA generally follows the approach of the European Data Protection Board (EDPB) in its guidelines and decisions, frequently referring to EU data protection principles and precedents.<\/p>\n<p>Following the enactment of the CSL, secondary regulations were originally anticipated to emerge in the first quarter of 2026. However, the administrative and organizational establishment of the Cybersecurity Board experienced significant delays, which disrupted the expected rulemaking timeline. During this interim period, the Cybersecurity Board&#8217;s authority and mandate were expanded through an administrative decision as well, broadening its jurisdictional scope. 
As a result, the issuance and further development of secondary regulations, including those intended to align the national cybersecurity framework with international benchmarks such as the EU&#8217;s NIS2 Directive and the Cyber Resilience Act, are now anticipated to materialize during the remainder of 2026 or, alternatively, in early 2027.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>On 30 December 2024, the DPA published the Activity Report for the year 2024, which summarizes its activities. The Activity Report indicates that the DPA issued administrative fines totalling TRY 552,668,000 in 2024. Moreover, the Activity Report indicates that 1345 standard contracts were notified to the DPA in 2024. As of the date of this report, the DPA has not yet published its Activity Report for 2025. Therefore, no updated aggregate data is currently publicly available; however, enforcement trends continue to be shaped by the DPA\u2019s ongoing decisions and public announcements.<\/p>\n<p>That being said, the DPA actively aims to achieve effective compliance with the DPL through ex-officio investigations and data subject complaints. 
Subjects to which the DPA gives the utmost importance include data controllers\u2019 obligation to inform, lawful use of explicit consent as a legal basis and registration with VERBIS before carrying out data processing activities.<\/p>\n<p>In practice, the DPA continues to prioritize compliance with core data protection principles, particularly transparency obligations and the lawful use of legal bases, with an increasing focus on ensuring that explicit consent mechanisms are properly structured and not bundled with other processing purposes. Recent developments also indicate heightened scrutiny of digital practices, including the use of cookies, online tracking technologies and mobile application features, with particular emphasis on ensuring that consent is granular and freely given where different processing purposes are involved.<\/p>\n<p>In addition, the DPA continues to actively enforce VERBIS registration obligations, with public announcements confirming that administrative sanctions are being imposed on non-compliant data controllers. Furthermore, data breach notification practices remain an enforcement priority, with emphasis on timely notification and transparency towards both the authority and affected individuals, while recent communications also suggest an increasing regulatory focus on emerging areas such as artificial intelligence and the protection of children\u2019s personal data.<\/p>\n<p>From a cybersecurity perspective, the most significant structural development has been the establishment of a stronger institutional and legislative cybersecurity framework, increasing regulatory oversight and compliance expectations, particularly for critical sectors. A key recent development is the significant expansion of the Cybersecurity Presidency\u2019s powers through Presidential Decree No. 192. 
This expansion goes beyond traditional cybersecurity and introduces a broader regulatory scope covering digital infrastructure, public IT governance, and artificial intelligence. In particular, the Presidency is now positioned as a central authority not only for cybersecurity enforcement but also for AI policy development and public-sector digital transformation, signalling a clear enforcement trend towards increased centralisation, stronger oversight, and more intrusive regulatory involvement across critical sectors and technology-related activities. Notwithstanding the foregoing, it should be noted that the Cybersecurity Board has not yet taken any concrete enforcement initiative under the CSL framework. Despite the absence of formal enforcement action, a notable market trend has emerged whereby entities operating in cyberspace, particularly those active in critical sectors, have proactively initiated compliance and readiness programmes in anticipation of the forthcoming regulatory framework. Furthermore, with the CSL now in force, domestic courts have begun to take the CSL into account when adjudicating matters involving incidents that simultaneously constitute both a personal data breach and a cybersecurity violation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPL requires real persons and legal entities processing personal data to register with VERBIS before carrying out personal data processing activities. 
The registration process is carried out through an online system and is free of charge.<\/p>\n<p>During registration, data controllers must provide the following information to the DPA (from a drop-down list):<\/p>\n<ul>\n<li>Data subject categories<\/li>\n<li>Personal data categories<\/li>\n<li>Processing purposes<\/li>\n<li>Data recipients<\/li>\n<li>Retention periods<\/li>\n<li>Information on cross-border transfers<\/li>\n<li>Administrative and technical measures taken for data protection.<\/li>\n<\/ul>\n<p>The registration obligation applies to data controllers that fulfil any of the following:<\/p>\n<ul>\n<li>Are resident abroad and carry out personal data processing activities that have a consequence on individuals in T\u00fcrkiye,<\/li>\n<li>Are resident in T\u00fcrkiye and:\n<ul>\n<li>have more than 50 employees or a yearly financial balance exceeding TRY 100 million, or<\/li>\n<li>have main operations based on processing special categories of personal data.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Under the decisions of the DPA, the following types of data controllers are exempt from this obligation:<\/p>\n<ul>\n<li>Persons who process personal data as part of any data recording system, solely through non-automatic means,<\/li>\n<li>Notaries,<\/li>\n<li>Associations, foundations, and unions established in T\u00fcrkiye that process personal data limited to their areas of activity,<\/li>\n<li>Political parties,<\/li>\n<li>Lawyers,<\/li>\n<li>Independent accountants, financial advisors and certified public accountants,<\/li>\n<li>Mediators,<\/li>\n<li>Customs brokers and authorized customs brokers.<\/li>\n<\/ul>\n<p>The above-listed exemptions do not apply to data controllers that are resident abroad.<\/p>\n<p>Failure to register with VERBIS may result in administrative fines ranging from TRY 341,809 to TRY 17,092,242 for the year 2026.<\/p>\n<p>As regards the CSL, it stipulates that certain companies will be subject to certification, authorization, 
and accreditation requirements although the details are not specified. That said, based on the general provisions, it appears that the CSL establishes targeted, rather than universally applicable, certification and authorization requirements. In that regard, cybersecurity companies and auditors will be required to obtain approval before commencing activities. Also, although not service providers, public institutions and critical infrastructure operators are required to procure cybersecurity products and services only from authorized and certified providers.<\/p>\n<p>Beyond the certification and authorization framework, the CSL introduces two additional layers of regulatory control relevant to cybersecurity companies specifically: (i) export controls: the sale of cybersecurity products and services abroad requires approval for designated product categories; and (ii) corporate transaction controls: mergers, share transfers and similar transactions that result in a change of control over a cybersecurity company must be notified to and approved by the relevant authority, as a condition for the validity of such transactions. Further details regarding licensing and registration obligations are expected to be clarified through secondary regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? 
For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the DPL, personal data means any information relating to an identified or identifiable natural person.<\/p>\n<p>This definition is interpreted broadly and covers all information that can directly or indirectly identify an individual. It applies to individuals in all contexts, including those acting in a personal or household capacity as well as those acting in a professional, business or commercial capacity (e.g. employees, company representatives or contact persons acting on behalf of a legal entity).<\/p>\n<p>Information relating solely to legal entities does not constitute personal data unless it can be linked to an identifiable natural person.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction? Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. 
Under the DPL, certain types of personal data are defined as \u201cspecial categories of personal data\u201d and are subject to stricter processing conditions.<\/p>\n<p>These include data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership in an association, foundation or trade union, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Personal data processing activities must be conducted in compliance with the following principles that are outlined as \u201cfair processing principles.\u201d They are:<\/p>\n<ul>\n<li>Conformity with the law and good faith,<\/li>\n<li>Being accurate and if necessary, up to date,<\/li>\n<li>Being processed for specified, explicit, and legitimate purposes,<\/li>\n<li>Being relevant, limited and proportionate to the purposes for which the data are being processed,<\/li>\n<li>Being stored only for<br \/>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? 
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In cases where none of the legal bases listed under Question 7 applies, explicit consent is required for the processing activity.<\/p>\n<p>Explicit consent must be given freely (i.e., the data subject must have a real choice) by a clear affirmative act, based on a specific subject matter and obtained upon providing the necessary information to the data subject.<\/p>\n<p>Where processing is based on explicit consent, the burden of proving that the data subject has granted explicit consent lies with the data controller. Data subjects have the right to withdraw their consent at any time.<\/p>\n<p>Consent should be explicit; it cannot be incorporated into a broader document such as the terms of service or privacy notices, nor can it be bundled with other matters. As a rule, consent should be obtained separately for each processing activity. Also, the consent will be deemed invalid if the data controller requires consent as a pre-condition for providing its services.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? 
Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 6 of the DPL sets out special conditions for processing special categories of personal data. Accordingly, all special categories of personal data (including health and sexual life) may be processed based on one of the following legal bases:<\/p>\n<ul>\n<li>The data subject has explicitly consented,<\/li>\n<li>Processing is explicitly provided for under the law,<\/li>\n<li>Processing is necessary for the protection of life or physical integrity of a person themselves or of any other person, who is unable to disclose their consent due to a physical disability or whose consent is not deemed legally valid,<\/li>\n<li>Processing relating to personal data which has been made public by the data subject provided that the processing is limited to the data subject\u2019s aim of making such data public,<\/li>\n<li>Processing is necessary for the establishment, exercise or defence of legal rights,<\/li>\n<li>Processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning, management and financing of health services by persons under the obligation of secrecy or authorized institutions and organizations,<\/li>\n<li>Processing is necessary for complying with legal obligations in the fields of employment, occupational health and safety, social security, social services and welfare,<\/li>\n<li>Processing is carried out by foundations, associations and other non-profit organizations or other establishments with a political, philosophical, religious or trade union aim, on the condition that the processing complies with the legislation to which these organizations are subject and their purposes, limited to their fields of 
activity and not disclosed to third parties; and relates to the members or to former members of these organizations or to persons who have regular contact with them.<\/li>\n<\/ul>\n<p>Moreover, data controllers must take the necessary administrative and technical measures announced by the DPA in its decision dated January 31, 2018, and numbered 2018\/10 to ensure the security of such data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restrictions, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors? If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific rules which address children\u2019s and teenagers\u2019 personal data directly. However, the implementation of the rules under the DPL is affected by general rules regarding the legal capacity of minors.<\/p>\n<p>Accordingly, under the Turkish Civil Code (\u201cTCC\u201d), any person under the age of 18 is considered a minor. Although the DPL does not stipulate special provisions for processing children\u2019s data, personal data can be processed by relying on legal bases foreseen under the DPL. Obtaining the data subject\u2019s explicit consent is one of these legal bases. 
If such a legal basis is chosen when processing a minor\u2019s personal data, the validity of explicit consent will depend on whether the minor is of (i) absolute legal incapacity or (ii) limited legal incapacity as stipulated under the TCC.<\/p>\n<p>In this respect, from whom (i.e., the minor or their legal guardian) and in what way such consent should be obtained varies depending on whether the minor is able to understand the consequences of their explicit consent. In addition, the privacy notice should be presented to the parent or guardian as well as to the child. The privacy notice addressed to the child should use plain and simple language which makes it easier for the child to understand the consequences of the relevant processing activities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? 
If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 28 of the DPL sets forth full and partial exemptions for the below-listed activities:<\/p>\n<table width=\"614\">\n<tbody>\n<tr>\n<td rowspan=\"5\" width=\"234\"><strong>Full exemptions from the DPL<\/strong> \u2013 <em>Listed activities are fully exempted from the DPL.<\/em><\/td>\n<td width=\"380\">personal data processing by natural persons for purely personal activities or for household activities<\/td>\n<\/tr>\n<tr>\n<td width=\"380\">personal data processing for official statistics through anonymizing the data for purposes such as research, planning and statistics<\/td>\n<\/tr>\n<tr>\n<td width=\"380\">personal data processing with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that national defense, national security, public security, public order, economic security, the right to privacy or personal rights are not violated and so long as the processing does not constitute a crime<\/td>\n<\/tr>\n<tr>\n<td width=\"380\">personal data processing within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned by law to maintain national defense, national security, public security, public order or economic security<\/td>\n<\/tr>\n<tr>\n<td width=\"380\">personal data processing by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"234\"><strong>Partial exemptions<\/strong> \u2013 <em>Listed activities are exempted from the obligation to inform data subjects, to respond to data subjects\u2019 requests (except for the request for compensation) and to register with 
VERBIS<\/em><\/td>\n<td width=\"380\">necessary processing for the prevention of committing a crime or for criminal investigation<\/td>\n<\/tr>\n<tr>\n<td width=\"380\">processing of data that have been made public by the data subject himself\/herself<\/td>\n<\/tr>\n<tr>\n<td width=\"380\">necessary processing for performance of supervision or regulatory duties and disciplinary investigations and prosecution, to be carried out by the assigned and authorized public institutions and organizations and by public professional organizations, in accordance with the law<\/td>\n<\/tr>\n<tr>\n<td width=\"380\">necessary processing for the protection of economic and financial interests of the state that are related to budget, tax and financial matters<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPL does not directly recognize \u201cData Protection Impact Assessment.\u201d However, data controllers are required to process personal data in line with general data processing principles. Therefore, although this concept is not directly regulated, data controllers should carry out risk assessments before conducting any personal data processing activity.<\/p>\n<p>Additionally, in its decisions the DPA introduced a \u201clegitimate interest balance test.\u201d This must be carried out if the data is processed and\/or transferred by relying on the data controller\u2019s legitimate interest. 
In such a case, the data controller must demonstrate that it has an existing, specific and clearly legitimate interest, and that this interest does not override the rights and freedoms of data subjects.<\/p>\n<p>Moreover, although neither the DPL nor its secondary legislation emphasizes the need to conduct transfer impact assessments, the amended DPL states that a controller or processor may transfer personal data to a third country only if appropriate safeguards are in place and provided that data subjects have enforceable rights and effective remedies in the destination country. The DPA may therefore require appropriate documentation (i.e., transfer impact assessments, or TIAs) to demonstrate compliance with this obligation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no specific codes of practice or self-regulatory codes applicable in T\u00fcrkiye regarding the processing of personal data. 
That being said, certain guidelines such as \u201cProtection of Minors\u2019 Personal Data \u2013 Things to be Considered by Product and Service Developers\u201d, Recommendations for Protection Privacy in Mobile Applications, Guideline on the Processing of Special Categories of Personal Data, Guideline on Issues to be Considered in the Processing of Genetic Data and Guideline on Issues to be Considered in the Processing of Biometric Data are published by the DPA to further elaborate on the processing of certain personal data categories.<\/p>\n<p>In addition, recent developments indicate an increasing regulatory focus on the protection of children\u2019s personal data. In particular, the Action Plan for Empowering Children in the Digital Environment (2026\u20132030), published by the Ministry of Family and Social Services, envisages legislative amendments and the development of standards concerning children\u2019s data protection and online safety.<\/p>\n<p>Moreover, the DPA has recently initiated ex officio investigations into major social media platforms to assess their processing of children\u2019s personal data and the safeguards they have in place. These developments reflect a growing policy and enforcement trend towards enhanced protection of minors\u2019 data, even in the absence of formal codes of practice. Nevertheless, data controllers and data processors should comply with general principles of data processing set forth under the DPL. <em>Please see Question 1 for details.<\/em><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, data controllers that are required to register with VERBIS must prepare a personal data processing inventory and keep it up to date. This inventory must set out the data controller\u2019s personal data processing activities; it must be based on its business processes and include:<\/p>\n<ul>\n<li>The reasons and legal grounds for processing,<\/li>\n<li>The personal data categories,<\/li>\n<li>The data recipient groups,<\/li>\n<li>The data retention period,<\/li>\n<li>Which personal data (if any) will be transferred to foreign countries, and<\/li>\n<li>The technical and administrative measures in place in order to provide protection of personal data.<\/li>\n<\/ul>\n<p>In practice, organizations can keep such inventory records as Excel sheets or can use data management software developed for inventory keeping.<\/p>\n<p>As regards establishing internal processes or written documentation, data controllers that are required to register with VERBIS must prepare a data retention and destruction policy (<em>please see Question 15 for details<\/em>). Furthermore, as per <u>the DPA\u2019s decision dated 24 January 2019<\/u>, data controllers must implement a data breach incident plan, which should include matters such as the internal reporting line, responsible persons for notification and the assessment process of possible outcomes of breaches.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? 
If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As per the Regulation on Deletion, Destruction or Anonymization of Personal Data (\u201c<strong>Deletion Regulation<\/strong>\u201d), data controllers that are required to register with VERBIS are also obliged to draft a data retention and destruction policy. This policy should at least include the following items:<\/p>\n<ul>\n<li>Purpose of issuing the policy,<\/li>\n<li>The recording mediums regulated by the policy,<\/li>\n<li>Definitions of technical and legal terms used in the policy,<\/li>\n<li>Explanations of the legal, technical or other reasons requiring storage and disposal of personal data,<\/li>\n<li>Technical and organizational measures taken to prevent unlawful processing of and access to personal data and to store personal data securely,<\/li>\n<li>Technical and organizational measures taken for lawful disposal of personal data,<\/li>\n<li>Definitions of titles, units and job descriptions of those who are involved in personal data storage and disposal processes,<\/li>\n<li>Table demonstrating storage and disposal periods,<\/li>\n<li>Periodical destruction periods,<\/li>\n<li>Any alterations being made to the current policy, if any.<\/li>\n<\/ul>\n<p>According to the Deletion Regulation, data controllers are required to define retention periods for each type of personal data and delete\/destruct or anonymize the personal data periodically (at intervals of at most six months). Also, data controllers should keep the records related to the deletion, destruction and anonymization of personal data for three years, without prejudice to other legal obligations.<\/p>\n<p>Additionally, under the DPL, personal data must be retained for the period provided under applicable laws or for a period necessary for the purpose of the data processing. 
Data controllers should consider the following when determining retention periods necessary for the purposes of data processing:<\/p>\n<ul>\n<li>The customary period generally accepted within the relevant sector,<\/li>\n<li>The period required for the data processing and the term of the legal relationship with the data subject,<\/li>\n<li>The period required for satisfying the legitimate interest of the data controller in accordance with the rules of law and good faith,<\/li>\n<li>The legal period for continuance of risks, costs and duties of processing,<\/li>\n<li>Whether the retention period is suitable for accurate and up-to-date processing,<\/li>\n<li>The statutory retention period arising from applicable law, and<\/li>\n<li>The limitation period for exercise of a right relating to personal data.<\/li>\n<\/ul>\n<p>Data controllers should also delete, destruct or anonymize the personal data ex officio or upon the data subject\u2019s request, if the purposes of processing no longer exist.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPL, unlike the GDPR, does not require data controllers or data processors to consult with the DPA before carrying out data processing activities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPL does not require the appointment of a data protection officer. However, it is advisable to establish a privacy committee or appoint a person who will be responsible for the implementation of internal privacy policies and procedures to ensure compliance with the DPL.<\/p>\n<p>Furthermore, there is no general requirement to appoint a chief information security officer under Turkish legislation. However, certain regulated sectors such as banking, payment services and telecommunications require the designation of personnel who are in charge of information security. In this respect, contrary to the discretionary approach to the appointment of a data protection officer, these regulated sectors oblige actors that fall within the scope of the related legislation to appoint an information security officer. For instance, a telecommunications operator must establish an information security management system. Similarly, in the payment sector, personnel must be assigned duties, powers and responsibilities regarding the information security management system, and such personnel should continuously monitor the compliance of the information security management system with the legislation on information security standards, take the necessary measures to ensure compliance and regularly report on the compliance status.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? 
If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no specific requirement or recommendation under the DPL for providing employee training. However, in its Guideline on Technical and Administrative Measures, the DPA considers employee training as one of the necessary administrative measures that data controllers should take in order to ensure personal data security. Additionally, in data breach investigations, the DPA generally requests evidence from data controllers demonstrating that employee training has been duly provided. Therefore, it is recommended to have regular employee training in place.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? 
If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data controllers must provide data subjects with the following information at the time of collecting their personal data, in clear and simple language:<\/p>\n<ul>\n<li>The identity of the data controller and its representative, if any,<\/li>\n<li>The purpose(s) for processing the personal data,<\/li>\n<li>The purposes for transferring the personal data and the persons to which the data may be transferred,<\/li>\n<li>The method and legal grounds for collecting the personal data,<\/li>\n<li>The data subjects\u2019 rights under Article 11 of the DPL.<\/li>\n<\/ul>\n<p>If personal data is not collected from the data subject, the information provision obligation must be fulfilled (i) within a reasonable period after the collection of personal data, (ii) (if the personal data will be used for communication with the data subject) at the time of the first contact with the data subject, and (iii) (if the personal data will be transferred) at the time of the first transfer of personal data.<\/p>\n<p>The information obligation must be complied with in all cases, whether data processing is based on explicit consent or on another legal ground.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? 
If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the DPL distinguishes between the responsibilities of data controllers and data processors.<\/p>\n<p>Key definitions include:<\/p>\n<ul>\n<li><strong>Data Processing:<\/strong> Any operation that is performed on personal data as part of a data filing system, wholly or partially by automated or non-automated means. This includes collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making data available for collection, categorization or preventing its use.<\/li>\n<li><strong>Data Controller:<\/strong> The natural or legal person who determines the purpose and means of the data processing and is responsible for establishing and managing the data registry system.<\/li>\n<li><strong>Data Processor: <\/strong>The natural or legal person that processes personal data based on the authority granted by and on behalf of the data controller.<\/li>\n<li><strong>Data Subject:<\/strong> The natural person whose personal data is processed.<\/li>\n<li><strong>Data Controller Representative:<\/strong> A legal entity resident in T\u00fcrkiye or a natural person who is a citizen of T\u00fcrkiye authorized to represent non-resident data controllers in matters such as receiving or accepting notifications and correspondence from the TR DPA, transmitting the requests directed at the data controller by the TR DPA, transmitting the data controller\u2019s response to the data subjects and conducting transactions concerning VERBIS on the data controller\u2019s behalf.<\/li>\n<\/ul>\n<p>The provisions of the DPL and its secondary legislation are applicable to data controllers; thus, liability lies with the data controller. 
However, data controllers are jointly responsible with data processors for taking the necessary technical and administrative measures to ensure the appropriate level of security, to prevent illegal access to personal data and to ensure the protection of personal data. On the other hand, the Amendment introduces new provisions that are also applicable to data processors (e.g., obligations in relation to cross-border personal data transfers) and the DPA may impose an administrative fine on data processors for failure to notify the DPA within 5 business days of the execution of the standard contractual clauses for cross-border transfers.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the DPL, there are no specific provisions related to monitoring or profiling activities through tracking technologies. However, the use of cookies and other trackers for processing personal data must be performed in compliance with the DPL\u2019s principles since cookies are considered personal data according to the interpretation of the DPA within the scope of the definition of personal data provided under the DPL.<\/p>\n<p>In June 2022, the DPA published the Cookie Guideline, which is heavily based on the EU\u2019s cookie guidelines. In the Cookie Guideline, the DPA lists several types of cookies and the explicit consent requirement for the use of such cookies, according to the purpose of each cookie type. 
For instance, the Cookie Guideline states that cookies used for online behavioral advertising require explicit consent. In addition, the consent requirement extends to all cookies used in advertising (e.g., cookies used for the purpose of frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging). On the other hand, the DPA states that several types of cookies (functional cookies, website security cookies, load balancing session cookies, etc.) might be used by relying on legal bases (e.g., legitimate interest) other than explicit consent.<\/p>\n<p>In addition to the above, pursuant to the Banking Sector Good Practices Guide updated by the DPA in January 2025, the DPA lists the criteria to be considered in automated decision making, including but not limited to the following:<\/p>\n<ul>\n<li>If the data controller is able to achieve its desired purpose with a less intrusive method (e.g., by using anonymous data), it cannot be said that the automated decision-making activity is based on legitimate interest.<\/li>\n<li>The type, nature, source and amount of personal data to be processed should be evaluated and excessive processing activities should be prevented (e.g., representative data may be used to model real personal data).<\/li>\n<li>Risk assessment in data processing should be made in a more sensitive manner, taking into account the characteristics of artificial intelligence and big data.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. 
How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no definition of targeted advertising and\/or behavioural advertising under the DPL. However, the Cookie Guideline states that online behavioural advertising practices consist of (i) monitoring data subjects\u2019 activities on the internet, (ii) analysing and profiling these activities, and (iii) matching advertisements with these profiles and displaying these ads to the relevant data subjects. Nevertheless, any such activity should comply with the general rules and principles stipulated under the DPL.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Turkish law does not regulate the sale of personal information or data brokers. 
As the sale would inherently require the transfer of personal data, any such transfer to third parties should be carried out by considering the transfer rules stipulated under Articles 8 and 9 of the DPL.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Law No. 6563 on the Regulation of Electronic Commerce (\u201c<strong>E-Commerce Law<\/strong>\u201d) and its secondary regulations regulate commercial marketing communications. Commercial electronic messages are defined as messages containing data, audio or visual content that are transmitted electronically for commercial purposes by making use of communication channels such as telephone, call centers, faxes, automated calling machines, smart voice recording systems, email and SMS. Therefore, direct marketing activities fall within the scope of the E-Commerce Law. As a general rule, in order to send commercial electronic messages, the recipients\u2019 consent should be obtained, subject to the exceptions foreseen in the E-Commerce Law (e.g., sending transactional messages). Moreover, since direct marketing communications involve personal data processing activities, such activity must also be carried out in accordance with applicable legal bases under the DPL.<\/p>\n<p>Under the E-Commerce Law, a central database, known as the Commercial Electronic Message Management System (\u201c<strong>IYS<\/strong>\u201d), was established. 
The system is designed to store all consent records (opt-in records) of subscribers\/users that can be reviewed and monitored by the government and subscribers\/users via the system. Companies wishing to send B2B or B2C electronic communications in all sectors are required to register with IYS and to transfer their consent records (for B2C communication only) to IYS.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition. If so, how are the relevant terms defined?  Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements) ?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric data is considered a special category of personal data under the DPL, but the DPL does not define what comprises biometric data. The DPA, in several decisions and within its Guide on Matters to be Considered in the Processing of Biometric Data published on September 17, 2021, has defined biometric data by referring to the GDPR\u2019s definition, which is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.<\/p>\n<p>In practice, the obligations focus primarily on biometric data used as unique identifiers, particularly where such data enables the identification or authentication of individuals, rather than on all types of biometric measurements. 
The processing of biometric data is subject to strict necessity and proportionality requirements and should only be used where less intrusive methods are not sufficient, together with the implementation of appropriate technical and administrative safeguards.<em> Please see Question 9 for the conditions for processing biometric data.<\/em><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d).  If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no data protection laws in T\u00fcrkiye addressing artificial intelligence or machine learning. 
On the other hand, in its Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence and the Bulletin numbered 1 and dated July 2023, the DPA underlines that AI practices based on personal data processing must be in compliance with the DPL and suggests the following, among others:<\/p>\n<ul>\n<li>Personal data processing principles must be adhered to, and a data security-based approach must be adopted,<\/li>\n<li>A perspective that focuses on preventing and reducing potential risks and considers human rights, the functioning of democracy, and ethical values should be adopted,<\/li>\n<li>If a high risk is foreseen in terms of protection of personal data, a DPIA should be implemented, and the legality of the data processing activity should be decided within this framework,<\/li>\n<li>Data protection by design and default should be implemented,<\/li>\n<li>If special categories of personal data will be processed, technical and administrative measures should be applied more strictly,<\/li>\n<li>If the same result can be achieved without processing personal data, anonymization of the collected personal data should be preferred,<\/li>\n<li>The data controller or data processor status of the parties should be determined at the beginning of the practice and the legal relationship in this regard, in accordance with the DPL and the secondary legislation,<\/li>\n<li>Individuals should be given the right to object to data processing activities by using the technologies that affect their views and personal development.<\/li>\n<\/ul>\n<p>In addition, DPA guidance on emerging AI technologies (including generative AI and agentic AI) issued in late 2025 and the first quarter of 2026 highlights that AI systems involving personal data must comply with the DPL, and that a risk-based and human-centric approach should be adopted in such processing activities.<\/p>\n<p>It is also announced in the Presidential Annual Program for 2026 and the Medium-Term Program 
(2026-2028) that necessary legal regulations will be made to meet the needs arising from AI technologies, and that the framework is expected to be aligned with the EU legislation. In that regard, the legislative trajectory has gained significant momentum with the publication of the Report of the Parliamentary Inquiry Commission on Artificial Intelligence submitted to the Turkish Parliament in late February 2026. Whilst the said report is not in itself binding legislation, it carries formal institutional weight and is expected to serve as an instrument for any forthcoming Turkish AI-specific legislation. The report recommends, among other things: the enactment of a general framework AI law; the establishment of a dedicated AI coordination authority; supplementary data protection rules specifically tailored to AI; and international alignment with EU legislation. In light of this, the enactment of dedicated AI legislation in the short to mid-term appears highly probable.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction? In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPL does not impose a general data localization obligation on data controllers or processors. 
Localization requirements under Turkish law are sector-specific, applying exclusively to regulated industries such as banking, payment and electronic money institutions, insurance, and healthcare services.<\/p>\n<p>Cross-border transfers of personal data are subject to strict conditions under the DPL (<em>please see Question 28 below<\/em>), which in practice may limit the ability to store or process data outside T\u00fcrkiye.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 9 of the DPL and the Regulation on Cross-Border Transfers (\u201c<strong>Regulation<\/strong>\u201d) set out rules and restrictions regarding cross-border transfers of personal data. 
In this respect, the following mechanisms may be utilized for cross-border transfers of personal data by both data controllers and processors:<\/p>\n<ul>\n<li><strong><u>Adequacy decisions:<\/u><\/strong> The cross-border transfer of personal data to a country, specified sector within that country or an international organization can be realized in the existence of <strong>(i)<\/strong> any of the legal bases provided under the DPL (e.g., legitimate interest or contractual necessity) and <strong>(ii)<\/strong> an adequacy decision adopted for the country to which data will be transferred, or a specified sector within that country or an international organization to which the transfer shall be made.<\/li>\n<li><strong><u>Appropriate safeguards:<\/u><\/strong> In the event that the DPA does not adopt an adequacy decision, cross-border personal data transfers may nevertheless occur if <strong>(i)<\/strong> one of the legal bases set forth under the DPL is present, <strong>(ii)<\/strong> the data subject has the means to exercise their rights and to have recourse to effective legal remedies in the recipient country and <strong>(iii)<\/strong> the parties have provided one of the following appropriate safeguards provided under the DPL. 
The safeguards include <strong>(i)<\/strong> execution of binding corporate rules approved by the DPA, <strong>(ii) <\/strong>execution of standard contracts published by the DPA and notifying the DPA within 5 business days of execution of these contracts, and <strong>(iii)<\/strong> execution of an undertaking letter and approval of the undertaking letter by the DPA.<\/li>\n<li><strong><u>Transfers for specific situations:<\/u><\/strong> In addition to the aforementioned, for a variety of legal bases, including explicit consent, personal data may be transferred outside of T\u00fcrkiye in the absence of an adequacy decision or appropriate safeguards provided that such transfers will not be repetitive (i.e., the transfers will only take place one or a few times).<\/li>\n<\/ul>\n<p>Moreover, the Guidelines on Cross-Border Data Transfers provide details on procedures and principles regarding cross border personal data transfers and shed light on the territorial scope of the DPL, which has been highly controversial in terms of application of the DPL to data controllers abroad.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data controllers and data processors are obliged to ensure that all necessary technical and organizational measures for ensuring an appropriate level of security are in place to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure the protection of personal data.<\/p>\n<p>There is no exhaustive list of measures to be taken by the data controllers or data processors, and data controllers themselves are expected 
to decide which security measures should be adopted in order to ensure the appropriate level of security in line with the nature of the personal data and the risks posed by the data processing activity concerned. In its Data Security Guidelines, the DPA recommends certain administrative and technical measures including:<\/p>\n<ul>\n<li>Regular awareness trainings,<\/li>\n<li>Preparation of the relevant policies for personal data processing (e.g., data retention policy, data security policy, etc.),<\/li>\n<li>Carrying out a risk analysis to define the risks and solutions related to the data processing activities,<\/li>\n<li>Carrying out internal periodical and\/or random audits,<\/li>\n<li>Preparing an access authorization matrix and ensuring authorization controls,<\/li>\n<li>Ensuring network security and application security,<\/li>\n<li>Conducting penetration tests,<\/li>\n<li>Deletion, destruction and anonymization of personal data.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. The DPL imposes stricter obligations for the processing of special categories of personal data. In particular, for the processing of special category personal data, the DPL stipulates that \u201csufficient measures,\u201d as determined by the DPA, must be adopted.<\/p>\n<p>The DPA has issued a decision dated 31 January 2018 and numbered 2018\/10 setting out detailed administrative and technical safeguards that must be adopted. 
These measures include, among others:<\/p>\n<ul>\n<li>Establishing a separate, structured and sustainable policy and procedure specifically for the security of special categories of personal data,<\/li>\n<li>Providing regular training to employees involved in such processing and executing confidentiality agreements,<\/li>\n<li>Clearly defining and periodically reviewing access authorizations, and immediately revoking access upon role change or termination,<\/li>\n<li>Implementing enhanced technical safeguards such as encryption, secure storage of cryptographic keys, logging of all data access and processing activities, regular security testing and updates, and multi-factor authentication for remote access,<\/li>\n<li>Ensuring strict physical security controls where data is stored in physical environments,<\/li>\n<li>Applying enhanced safeguards during data transfers<\/li>\n<\/ul>\n<p>In addition, data controllers must also take into account the general data security measures set out in the DPA\u2019s Data Security Guidelines (<em>please see Question 29<\/em>).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPL does not explicitly define \u201csecurity breach.\u201d However, the DPL provides that if personal data is obtained illegally by third parties, the data controller must inform the DPA and the relevant data subject(s) as soon as possible.<\/p>\n<p>Pursuant to the DPA\u2019s decision dated 24.01.2019 and numbered 2019\/10 on Procedures and Principles Regarding Notification of Data Breaches, the DPA indicated that the term \u201cas soon as possible\u201d should be interpreted as 72 hours after becoming aware of the data breach. Therefore, in the event of a security breach affecting personal data, the data controller must notify the DPA within 72 hours after becoming aware of the data breach.<\/p>\n<p>Data subjects must also be notified via appropriate methods as soon as possible after determination of the persons affected by the data breach. 
Unlike the GDPR, the DPL does not recognize the \u201crisk-based approach\u201d in terms of data breach notification requirements; thus, all personal data breaches require notification.<\/p>\n<p>A notification submitted to the DPA should include the following information, among others:<\/p>\n<ul>\n<li>A description of the nature of the data, where possible the categories and approximate number of personal data and individuals concerned,<\/li>\n<li>The contact details of the data controller,<\/li>\n<li>A description of the likely consequences of the breach, and<\/li>\n<li>The remedial measures taken or proposed to be taken by the data controller.<\/li>\n<\/ul>\n<p>The following information should be included in the notification made to the data subjects:<\/p>\n<ul>\n<li>The date of the breach,<\/li>\n<li>Information about the categories of personal data affected by the breach,<\/li>\n<li>The likely consequences of the breach,<\/li>\n<li>The measures taken or proposed to be taken to reduce or eliminate possible adverse effects,<\/li>\n<li>The names and contact details of the persons who can provide information about the breach or the full contact details of the data controller.<\/li>\n<\/ul>\n<p>There is also certain legislation specific to certain sectors, such as telecommunications and finance, that requires notification of security breaches to the relevant sectoral regulatory bodies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As per the DPL, all data subjects have the right to apply to the data controller regarding their own personal data:<\/p>\n<ul>\n<li>To learn whether their personal data is being processed,<\/li>\n<li>To request information regarding the processing of their personal data,<\/li>\n<li>To learn the purposes for which their data is being processed and whether the data are used in accordance with these purposes,<\/li>\n<li>To know the third parties to whom their personal data are transferred domestically or abroad,<\/li>\n<li>To request a rectification of their personal data in the event the data are incompletely or inaccurately processed,<\/li>\n<li>To request the deletion or destruction of their personal data,<\/li>\n<li>To request that requests for correction, deletion and destruction of their personal data be transmitted to the third parties to whom their personal data have been transferred,<\/li>\n<li>To object to the processing of personal data that leads to an unfavourable consequence for the data subject, in cases where the processed data has been analysed only through automatic systems,<\/li>\n<li>To request compensation for damage arising from the unlawful processing of their personal data.<\/li>\n<\/ul>\n<p>Although the data subject\u2019s right to access is not expressly regulated under the DPL, the DPA recognizes this right within the scope of the data subject\u2019s right to obtain information. 
Data subjects may exercise the above-stated rights in line with the Communiqu\u00e9 on Rules and Procedures for Application to Data Controller.<\/p>\n<p><em>Please refer to Question 11 above for the exceptions.<\/em><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations? If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances a private right of action applies and\/or a class action may be brought, and whether certain types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPL reserves data subjects\u2019 rights to seek damages in cases of violations of personal rights; therefore, data subjects can claim damages before the courts in this respect.<\/p>\n<p>The Turkish Criminal Code defines several unlawful data processing activities as a crime. Thus, data subjects can also file a complaint before the public prosecutor\u2019s office if the activities in question also constitute a crime.<\/p>\n<p>Turkish law does not provide for a class action mechanism comparable to common law jurisdictions. 
There are no statutory damages or presumed harm mechanisms under Turkish law; therefore, claimants must demonstrate their damages.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Individuals are entitled to request compensation for damage arising from the unlawful processing of their personal data or unlawful access to an information system and similar acts in relation to cybersecurity. Damage may be material as well as non-material.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The DPA has a range of powers it can exercise, including investigating whether the personal data is processed in line with the DPL\u2014either upon a complaint or ex officio\u2014if it learns of an alleged violation, or it can take temporary measures (e.g., restricting or stopping the processing of personal data). 
The DPA can also impose administrative fines on data controllers or processors for breaching the obligations set out under the DPL.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><table style=\"font-size: 1rem\" width=\"624\">\n<tbody>\n<tr>\n<td colspan=\"2\" width=\"624\"><strong><u>Administrative Fines Under the DPL<\/u><\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"334\"><strong>Misdemeanour<\/strong><\/td>\n<td width=\"290\"><strong>Fine<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Violation of obligation to inform<\/td>\n<td width=\"290\">TRY 85,437 to TRY 1,709,200<\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Violation of obligation to register with VERBIS<\/td>\n<td width=\"290\">TRY 341,809 to\u00a0TRY 17,092,242<\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Noncompliance with liabilities on\u00a0data security<\/td>\n<td width=\"290\">TRY\u00a0256,357 to\u00a0TRY 17,092,242<\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Noncompliance with the\u00a0DPA\u2019s decisions<\/td>\n<td width=\"290\">TRY 427,263 to\u00a0TRY 17,092,242<\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Failure to notify the DPA within 5 business days of the execution of the standard contractual clauses for cross-border transfers<\/td>\n<td width=\"290\">TRY 90,308 to TRY 1,806,177<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<table width=\"624\">\n<tbody>\n<tr>\n<td colspan=\"2\" width=\"624\"><strong><u>Criminal Penalties Under the Turkish Criminal Code<\/u><\/strong><\/td>\n<\/tr>\n<tr>\n<td 
width=\"334\"><strong>Crime<\/strong><\/td>\n<td width=\"290\"><strong>Penalty<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Recording personal data unlawfully<\/td>\n<td width=\"290\">Imprisonment from 1 to 3 years*<\/p>\n<p><em>(*Up to 4.5 years in cases of unlawful\u00a0recording of special categories of personal data)<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Delivering, acquiring, or publishing personal data unlawfully<\/td>\n<td width=\"290\">Imprisonment from 2 to 4 years<\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Not destroying data that should be destroyed<\/td>\n<td width=\"290\">Imprisonment from 1 to 2 years<\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Unlawfully accessing or continuously staying in information systems, blocking, or breaking the operation of information systems and altering or destroying data<\/td>\n<td width=\"290\">Imprisonment or judicial fine up to 1 year*<\/p>\n<p><em>(*Judicial fines range between TRY 100\u2013500 per day; therefore, for up to 1 year, the total amount may reach up to approximately TRY 36,500\u2013182,500 in total)<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Unlawfully monitoring data transfers within or between information systems by technical means without accessing the system<\/td>\n<td width=\"290\">Imprisonment from 1 to 3 years<\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Preventing or disrupting the functioning of an information system<\/td>\n<td width=\"290\">Imprisonment from 1 to 5 years*<\/p>\n<p><em>(*Up to 10 years if these acts have been committed on an information system that belongs to a bank or credit institution or a public institution or organization.)<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Corrupting, destroying, altering, or making inaccessible the data in an information system, placing data in the system, sending existing data to another location<\/td>\n<td width=\"290\">Imprisonment from 6 months to 3 years*<\/p>\n<p><em>(*Up to 6 years if these acts have been committed on an information system 
that belongs to a bank or credit institution or a public institution or organization.)<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"334\">Using devices, software, passwords, or other security codes to commit crimes and producing, importing, delivering, transporting, storing, accepting, selling, supplying, purchasing, or carrying such items<\/td>\n<td width=\"290\">Imprisonment from 1 year up to 3 years and judicial fine up to five thousand days*<\/p>\n<p><em>(*Judicial fines range between TRY 100\u2013500 per day; therefore, for up to 5,000 days, the total amount may reach up to approximately TRY 500,000\u20132,500,000 in total)<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The DPL defines the above non-compliance items resulting in administrative fines as \u201cmisdemeanours,\u201d which are regulated under the Law on Misdemeanours numbered 5326. As per Article 17 of the Law on Misdemeanours, in cases where the law foresees an administrative fine between lower and upper limits, when calculating the administrative fine to be applied, the authorities should consider the (i) unjust aspects of the misdemeanour, (ii) fault of the perpetrator and (iii) economic conditions of the perpetrator.<\/p>\n<p>As for the judicial fines that are imposed on a daily basis, the number of days is determined by taking into account the minimum and maximum limits of the penalty prescribed for each offense. The determined number of days is then converted into a judicial fine, ranging from a minimum of TRY 100 to a maximum of TRY 500 per day, depending on the offender\u2019s social and economic circumstances.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the DPA\u2019s decisions can be appealed before the competent courts (i.e., administrative courts) if the relevant decision issued by the DPA is unlawful.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability. For example, are all organizations subject to the requirement or only certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)? Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. T\u00fcrkiye\u2019s cybersecurity laws require organisations to take cybersecurity-related measures and specific actions. Under the Cybersecurity Law No. 7545 (the \u201cCSL\u201d), the framework applies broadly to entities operating in cyberspace and requires, among other things, implementation of legally required cybersecurity measures, reporting of vulnerabilities and cyber incidents without delay, cooperation with the Cybersecurity Presidency, and compliance with applicable policies and regulatory measures. 
The regime is risk-based rather than a single uniform checklist, and stricter obligations are expected for public institutions, critical infrastructure operators, and cybersecurity-sector actors, including audit, risk analysis, inventory, certification, and incident-response related requirements. In addition, sector-specific rules apply, particularly in banking, healthcare, and the public\/critical infrastructure sphere.<\/p>\n<p>As of the date of this Guide, the primary obligation that is currently enforceable under the CSL appears to be the reporting of cybersecurity vulnerabilities and incidents to the authorities. Other potential requirements including (1) certification, (2) licensing, (3) the establishment of an incident response team, (4) log or data inventory retention, and (5) the adoption of specific cyber resilience strategies that will be determined by the regulators are not yet actionable and will only become enforceable once the relevant implementing regulations are issued.<\/p>\n<p>Furthermore, the Presidency has yet to designate the sectors that will qualify as &#8220;critical infrastructure&#8221; under the CSL. Until such designation is made, the scope of heightened compliance requirements that will apply to operators in those sectors remains unclear. Based on established regulatory practice in T\u00fcrkiye, new regulatory frameworks are typically accompanied by transition periods affording affected stakeholders sufficient time to adapt to new requirements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? 
If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the CSL, the Presidency is empowered to carry out cybersecurity audits, conduct certification\/authorisation\/documentation processes for cybersecurity products, services, experts and companies, and determine the relevant technical criteria and standards.<\/p>\n<p>Under the CSL, the Presidency is authorised to audit all entities within scope, either through its own personnel or authorised independent auditors, and to conduct on-site inspections where necessary. Entities subject to audit are required to keep their systems accessible, provide the necessary infrastructure, and cooperate fully with audit activities.<\/p>\n<p>In addition, certain targeted obligations exist. In particular, public institutions and critical infrastructure operators must supply cybersecurity products and services only from authorised and certified providers, and cybersecurity companies subject to certification\/authorisation\/documentation requirements must obtain approval before commencing activities.<\/p>\n<p>Accordingly, while the CSL clearly establishes a formal audit and certification framework, it does not yet introduce a uniform, mandatory audit or certification requirement applicable to all entities; instead, enforcement operates through supervisory powers and targeted compliance obligations, with further detail expected to be introduced through secondary legislation.<\/p>\n<p>In this context, a relevant distinction arises regarding products and services that incorporate security features as part of their general technical architecture but are not marketed or offered as standalone cybersecurity products or services. 
Such services may not necessarily qualify as &#8220;cybersecurity products or services&#8221; under the CSL and would therefore arguably not be subject to the additional regulatory requirements applicable to those products or services. In this regard, it will be important to closely monitor further developments, particularly in light of the secondary regulations expected to be issued under the CSL, which may provide further clarification on the scope of these concepts.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The CSL indicates the establishment of a vendor\/supply chain compliance regime by requiring public institutions and critical infrastructure operators to procure cybersecurity products and services only from authorised and certified providers, while also subjecting cybersecurity companies to certification and prior approval requirements.<\/p>\n<p>The Presidency is empowered to set technical criteria, standards and certification frameworks for both providers and products. However, the CSL does not yet establish a detailed operational regime. Therefore, a further layer of supply chain compliance risk may arise once the Presidency designates the sectors that will qualify as &#8220;critical infrastructure&#8221; under the CSL. 
In developing the secondary legislation, the Presidency may draw inspiration from EU frameworks such as NIS2, and adopt a tiered approach whereby obligations are calibrated not only by sector designation but also by reference to the scale of the entity and the extent to which the service it provides is essential and non-substitutable from a societal perspective. Under such an approach, entities that fall outside a formal &#8220;critical infrastructure&#8221; designation may nonetheless be subject to baseline cybersecurity obligations if their services are deemed sufficiently material to public life or economic continuity.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There is no general requirement to appoint a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity under the CSL, nor does the CSL prescribe specific formalities such as board approval, reporting lines, or notification of such appointment to the Presidency. 
However, the CSL empowers the Presidency to issue secondary rules, classify in-scope entities, and impose additional compliance measures; therefore, more specific designation requirements may be introduced through secondary legislation or sector-specific rules.<\/p>\n<p>In addition, considering the extensive obligations and significant administrative and criminal sanctions introduced under the CSL, in practice, organisations may need to designate responsible individuals or internal teams to ensure effective compliance and risk management. This is also consistent with the broader Turkish regulatory landscape, where, although not always explicitly mandated, organisations are generally expected to establish internal governance structures, and in certain regulated sectors such as banking, payment services and telecommunications, the designation of personnel responsible for information security is required under sector-specific regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  
If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The CSL defines a cyber incident as <em>\u201cviolation of the confidentiality, integrity, or availability of information systems or data\u201d.<\/em> As per the CSL, organizations are obliged to notify the Presidency without delay of any vulnerability or cyber incident detected in the area in which they provide services. However, the CSL does not foresee any obligation to notify the impacted individuals.<\/p>\n<p>Under the current framework, the obligation to report cyber incidents and vulnerabilities constitutes the primary enforceable obligation for entities within scope. The timeframe for such notification is &#8220;without delay&#8221;; however, the CSL does not yet specify a precise deadline (such as the 72-hour window applicable under the DPL for personal data breach notifications to the DPA). Further clarification is expected through secondary legislation.<\/p>\n<p>In addition, the reporting obligation under the CSL applies independently of whether the incident involves a personal data breach. Therefore, any cybersecurity incident affecting information systems or data may trigger a notification requirement.<\/p>\n<p>That said, where a cybersecurity incident also results in a personal data breach, separate notification obligations may arise under the DPL, including the obligation to notify the DPA and, in certain cases, the affected data subjects without undue delay.<\/p>\n<p>Looking at publicly available precedents, there is currently no published case law interpreting or applying the Cybersecurity Law. 
That said, recent press reports on ongoing investigations and indictments suggest that authorities may start relying on the CSL when dealing with large-scale cyber incidents, particularly those involving personal data. In practice, this could mean that conduct traditionally prosecuted under cybercrime provisions of the TCC may instead be pursued primarily under the CSL where the same facts give rise to overlapping but heavier offenses.<\/p>\n<p>A similar approach may also emerge in relation to personal data breaches. Since data breaches often stem from cybersecurity incidents, authorities may increasingly address such cases under the Cybersecurity Law. Where the same conduct could also trigger administrative liability under personal data protection rules, the general principle that the most severe administrative fine applies may further increase reliance on the Cybersecurity Law and the higher sanctions it introduces.<\/p>\n<p>At this stage, enforcement practice is still developing. It would therefore be prudent to monitor how the authorities apply the Cybersecurity Law as the first investigations and court decisions begin to emerge.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? 
Please explain under what circumstances a private right of action and\/or a class action may be brought.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While the CSL does not explicitly provide for a private right of action, individuals may seek compensation before civil courts under general provisions of Turkish law if they suffer damage as a result of a cybersecurity incident or unlawful acts.<\/p>\n<p>In addition, certain acts related to cybersecurity incidents may constitute criminal offences under the TCC. Therefore, individuals may also file a complaint before the public prosecutor\u2019s office where the relevant conduct amounts to a crime.<\/p>\n<p>Turkish law does not provide for a class action mechanism comparable to common law jurisdictions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Since the CSL is newly adopted, there is currently limited practice regarding its enforcement.<\/p>\n<p>In addition, Presidential Decree No. 192, published on 25 December 2025, significantly expanded the Cybersecurity Presidency\u2019s institutional mandate beyond the core framework of the CSL, including in areas such as digital infrastructure, public IT governance and AI-related functions. 
While the practical implications of these changes remain to be seen, the Decree further reinforces the Presidency\u2019s position as the central authority for cybersecurity-related oversight and enforcement.<\/p>\n<p>Although the CSL has been in force for more than a year, no sector-wide inquiry or request for information has come to public attention, which suggests that the regulator may be waiting for the release of the upcoming secondary regulations before taking further enforcement action.<\/p>\n<p>Aside from enforcement by the Presidency and the Cybersecurity Board, sector-specific regulatory authorities (e.g., in the banking, electronic communications and energy sectors) may also exercise supervisory and enforcement powers within their respective domains. How those powers will sit alongside the Presidency\u2019s is yet to be clarified by the secondary legislation to be issued under the CSL, at which point the overall enforcement framework is expected to solidify.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the CSL, the Presidency has broad oversight, inspection and audit powers. It may audit any acts and operations falling within the scope of the law and conduct on-site inspections. Audits may be carried out by Presidency personnel or by authorised and certified independent auditors and audit firms. 
In respect of public institutions and critical infrastructure, audits must be conducted by or under the supervision of Presidency personnel.<\/p>\n<p>Authorised officials may examine electronic data, documents, infrastructure, devices, systems, software and hardware; take copies or digital samples; request written or oral explanations; prepare records; and inspect facilities and operations. Entities subject to audit are required to keep relevant systems accessible and operational and to provide the necessary infrastructure for inspections.<\/p>\n<p>The Presidency determines the principles, procedures and criteria for audit activities, including risk-based prioritisation, and may also conduct ad hoc audits outside established audit programmes. Public authorities and law enforcement bodies are required to assist audit officials.<\/p>\n<p>Additionally, for purposes such as national security, public order, or the prevention of crime or cyberattacks, search and seizure\/copying measures may be carried out upon a judge\u2019s decision, or in urgent cases upon a written order of the public prosecutor, subject to subsequent judicial approval.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><table width=\"624\">\n<tbody>\n<tr>\n<td colspan=\"2\" width=\"624\"><strong><u>Administrative Fines Under the CSL<\/u><\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>Misdemeanour<\/strong><\/td>\n<td width=\"293\"><strong>Fine<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><p>Not taking the legally prescribed cybersecurity measures<\/p>\n<p>Not promptly reporting vulnerabilities or incidents to the Presidency<\/p>\n<p>Not procuring cybersecurity products, systems and services for public institutions and critical infrastructure from the Presidency&#8217;s authorized experts, manufacturers or companies<\/p><\/td>\n<td width=\"293\">TRY 1,000,000 to TRY 10,000,000<\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><p>Failure to obtain approval from the Presidency for the export of cybersecurity products subject to licensing<\/p>\n<p>Failure to notify the Presidency of mergers, demergers, share transfers or sales (for companies that produce cybersecurity products, systems, software, hardware and services)<\/p><\/td>\n<td width=\"293\">TRY 10,000,000 to TRY 100,000,000<\/td>\n<\/tr>\n<tr>\n<td width=\"331\">Failure to provide the requested information, documents and materials during audits<\/td>\n<td width=\"293\"><p>TRY 100,000* to TRY 1,000,000*<\/p>\n<p><em>(*Where these obligations are not fulfilled by a commercial company, an administrative fine shall be imposed at up to five percent of its gross sales revenue, provided that such amount is no less than TRY 100,000.)<\/em><\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<table width=\"624\">\n<tbody>\n<tr>\n<td colspan=\"2\" width=\"624\"><strong><u>Criminal Penalties Under the CSL<\/u><\/strong><\/td>\n<\/tr>\n<tr>\n<td 
width=\"331\"><strong>Crime<\/strong><\/td>\n<td width=\"293\"><strong>Penalty<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>a) Obstruction of authorized oversight:<\/strong> Failure to provide the information, documents, software, data and hardware requested by the authorities and supervisory officials acting within the scope of their powers under the CSL, or obstruction of access thereto<\/td>\n<td width=\"293\"><p>Imprisonment from 1 to 3 years and a judicial fine from 500 to 1,500 days*<\/p>\n<p><em>(*Judicial fines range between TRY 100\u2013500 per day; therefore, for 500 days the total amount may range between approximately TRY 50,000\u2013250,000, and for 1,500 days between approximately TRY 150,000\u2013750,000.)<\/em><\/p><\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>b) Operating without required approvals, authorizations or permits:<\/strong> Carrying out activities without obtaining the approvals, authorizations or permits required under the CSL<\/td>\n<td width=\"293\"><p>Imprisonment from 2 to 4 years and a judicial fine from 1,000 to 2,000 days*<\/p>\n<p><em>(*Judicial fines range between TRY 100\u2013500 per day; therefore, for 1,000 days the total amount may range between approximately TRY 100,000\u2013500,000, and for 2,000 days between approximately TRY 200,000\u20131,000,000.)<\/em><\/p><\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>c) Breach of confidentiality obligations of Presidency personnel: <\/strong>Failure by Presidency personnel to comply with the duty of confidentiality in respect of classified information, personal data, trade secrets and related documents obtained in the course of the Presidency&#8217;s official duties and activities, whether such information pertains to the public, affected parties or third parties<\/td>\n<td width=\"293\">Imprisonment from 4 to 8 years<\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>d) Unlawful disclosure of leaked data: <\/strong>Making accessible, sharing or offering for sale, 
whether for payment or free of charge, personal data or institutional data falling within the scope of critical public services that was previously exposed through a data breach in cyberspace, without the consent of the individuals or institutions concerned<\/td>\n<td width=\"293\">Imprisonment from 3 to 5 years<\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>e) Dissemination of false cybersecurity breach content: <\/strong>Creating or disseminating false content purporting that a cybersecurity data breach has occurred, knowing that no such breach has taken place, with the aim of causing public anxiety, fear or panic, or of targeting institutions or individuals<\/td>\n<td width=\"293\">Imprisonment from 2 to 5 years<\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>f) Cyber-attacks against national cyber power: <\/strong>Conducting a cyber-attack against elements constituting the national cyber power of the Republic of T\u00fcrkiye in cyberspace, or retaining in cyberspace any data obtained as a result of such an attack<\/td>\n<td width=\"293\"><p>Imprisonment from 8 to 12 years*, provided that the act does not constitute another offense requiring a more severe penalty<\/p>\n<p><em>(*Those who distribute, transfer or offer such data for sale shall be sentenced to imprisonment from 10 to 15 years.)<\/em><\/p><\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>g) Non-compete and confidentiality obligations of former Presidency personnel: <\/strong>Acting in breach of the obligations set out in Article 12 of the CSL, which restricts former Presidency personnel, for a period of two years following separation and without the regulator\u2019s consent, from taking up cybersecurity roles, engaging in cybersecurity commerce or disclosing information acquired during their tenure<\/td>\n<td width=\"293\">Imprisonment from 3 to 5 years<\/td>\n<\/tr>\n<tr>\n<td width=\"331\"><strong>h) Abuse of powers or dereliction causing data breach:<\/strong> Misuse of powers or duties arising 
under the CSL, or acting contrary to the requirements of one&#8217;s role in the context of protecting critical infrastructure against cyber-attacks, in a manner that results in a data breach<\/td>\n<td width=\"293\">Imprisonment from 1 to 3 years<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Aggravating factors: the sentences prescribed under paragraphs (a) through (f) above shall be increased by one-third where the offense is committed by a public official, by one-half where it is committed by more than one person, and by between one-half and double where it is committed within the framework of an organized criminal enterprise.<\/p>\n<p>The CSL also adopts a specific aggregation and uplift mechanism for administrative fines. Where multiple violations of the same offense category are detected before an administrative sanction decision is issued, a single fine is imposed rather than a separate fine per violation; however, that fine may be increased to up to twice the base amount. Where the violation results in a financial benefit to the offender or causes loss to a third party, the fine must be set at no less than three times and no more than five times the value of that benefit or loss.<\/p>\n<p>For the thresholds applicable to misdemeanours and judicial fines, <em>please see Question 36.<\/em><\/p>\n<p><em>Please see Question 36 for the applicable sanctions under data protection laws.<\/em><\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The CSL provides for both criminal sanctions (imprisonment and judicial fines) and administrative fines. 
These sanctions can be appealed before the competent courts (i.e., administrative or criminal courts, depending on the type of sanction).<\/p>\n<p>The CSL also introduces a specific procedural safeguard prior to the imposition of administrative fines. The authority must obtain the defence of the relevant party before issuing an administrative fine. The concerned party is granted a 30-day period from the notification of the request to submit its defence; failure to do so is deemed a waiver of the right to defence. While this is not an appeal mechanism as such, it constitutes an important pre-enforcement procedural right that is not commonly structured in the same way across all regulatory regimes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t<\/ol>\r\n<\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/139366","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=139366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}