Protecting Your Business from Cyber Attacks in Turkey: KVKK Compliance, Breach Notification, Cybercrime Defense and Cross-Border Coordination

Protecting your business from cyber attacks in Turkey: KVKK compliance, 72-hour breach notification, Türk Ceza Kanunu cybercrime defense, BDDK and BTK regulatory enforcement, encryption and hosting compliance, and cross-border coordination

Protecting a business operating in Turkey against cyber attacks combines technical security architecture with multi-layered legal compliance discipline. The legal framework that governs the cybersecurity domain in Turkey is set by the Kişisel Verilerin Korunması Kanunu (Law No. 6698, the KVKK or Personal Data Protection Law), which establishes data protection obligations and breach notification mechanics; the 5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (Law No. 5651, governing internet content liability and certain content-related obligations); the Türk Ceza Kanunu (Law No. 5237, the Turkish Criminal Code), whose cybercrime provisions criminalize unauthorized access to information systems, system disruption and data destruction, and bank/credit card misuse; and a layer of sector-specific cyber regulation issued by the BDDK (Bankacılık Düzenleme ve Denetleme Kurumu) for banks, the BTK (Bilgi Teknolojileri ve İletişim Kurumu) for electronic communications providers, the EPDK (Enerji Piyasası Düzenleme Kurumu) for energy infrastructure, and the Sağlık Bakanlığı for health-data processors. Practice may vary by authority and year.

An English-speaking lawyer in Turkey advising multinational and Turkish-operating businesses on cybersecurity legal compliance will explain that the practical exposure operates as a sequence of three coordinated layers: the preventive compliance layer covering data protection registration, governance documentation, technical and organizational measures, vendor contracting and employee policies; the incident response layer covering breach notification to the Kişisel Verileri Koruma Kurulu (the KVKK supervisory authority) and to affected data subjects, sectoral notifications where applicable, and forensic evidence preservation; and the post-incident layer covering regulatory enforcement, the criminal complaint pathway against attackers, civil recovery, and cross-border coordination where the incident touches multiple jurisdictions. The body of this guide walks through the legal framework, the preventive compliance architecture, the breach notification mechanics including the KVKK's 72-hour rule, cyber insurance and risk transfer strategies, encryption and hosting compliance, regulatory enforcement procedure, employee policies and internal investigations, and the criminal complaint and civil recovery pathway. For procedural orientation on adjacent topics, our notes on KVKK and personal data protection, KVKK audit defense and cybercrime defense in Turkey can be read alongside this material.

1) Legal Framework: KVKK, the 5651 sayılı Kanun, the Türk Ceza Kanunu and Sectoral Cyber Regulation

A lawyer in Turkey who maps the cybersecurity legal framework will start with the KVKK's substantive structure. The KVKK governs the processing of personal data by data controllers (veri sorumluları) and data processors (veri işleyenler), establishing the lawfulness conditions for processing, the rights of data subjects (ilgili kişi), the obligations of controllers and processors, and the supervisory and enforcement authority of the Kişisel Verileri Koruma Kurumu (the agency) and the Kişisel Verileri Koruma Kurulu (the board within the agency that issues binding decisions). The framework imposes specific obligations on controllers including registration with VERBİS (Veri Sorumluları Sicil Bilgi Sistemi, the data controller registry) where the controller meets defined thresholds, implementation of technical and organizational measures appropriate to the data being processed, breach notification to the Kurul and to affected data subjects under defined timelines, and cooperation with regulatory inspections.

An Istanbul Law Firm coordinating the broader cyber regulatory map will identify the parallel layers that operate alongside the KVKK. The 5651 sayılı Kanun governs internet content provider liability, hosting provider obligations including content-takedown procedures, and access provider responsibilities, with its enforcement administered partly by the BTK and partly through Turkish courts; the Türk Ceza Kanunu's cybercrime provisions criminalize unauthorized access to information systems and the use of bank or credit card information unlawfully obtained, providing both the substantive crime definitions and the procedural pathway for filing criminal complaints (suç duyurusu) against attackers; sectoral regulations issued by the BDDK govern banking-sector cybersecurity including IT risk management requirements and operational risk frameworks; the BTK issues electronic communications cybersecurity requirements for telecommunications providers and ISPs; the EPDK issues energy-sector cybersecurity requirements applicable to critical infrastructure operators; and the Sağlık Bakanlığı together with the Türkiye İlaç ve Tıbbi Cihaz Kurumu (TİTCK) governs health-data processing standards for healthcare providers and medical device operators.

A Turkish Law Firm coordinating the framework's interaction with international standards will explain that Turkish-operating businesses with multinational presence often need to align Turkish compliance with parallel regimes. The KVKK shares structural similarity with the European Union General Data Protection Regulation (GDPR) but is not identical: the lawfulness conditions are similar but not coextensive, the data subject rights cover the same conceptual territory but with different procedural mechanics, and the breach notification timeline framework differs in specific application. The standard approach for multinational compliance programs is to operate a single global data protection framework anchored to the most demanding applicable standard (typically GDPR for EU exposure) with KVKK-specific operational layers (Turkish-language privacy notices, VERBİS registration, Turkish-language breach notifications, Kurul-specific enforcement engagement) layered onto the global framework. The discipline outlined in our note on KVKK and personal data protection covers the underlying KVKK substantive framework in greater depth. Practice may vary by authority and year. The KVKK-versus-GDPR alignment analysis deserves separate attention because the two regimes share conceptual structure but differ in important operational details that produce compliance gaps when global programs are applied to Turkish operations without local adaptation. 
The KVKK's lawful processing conditions broadly track the GDPR's Article 6 framework but with terminological differences (açık rıza for explicit consent; legitimate interest framing operating under different procedural mechanics); the data subject rights framework parallels the GDPR's rights but with KVKK-specific procedural mechanics for rights exercise (the data subject must first apply to the controller before applying to the Kurul, with defined response timelines for the controller's reply); the international transfer framework operates on different mechanisms (the GDPR's adequacy and SCC framework versus the KVKK's Kurul-approved adequacy list, which has historically been narrow, and contractual safeguards that require Kurul authorization). Turkish-operating businesses with EU-data-subject exposure typically face dual obligations and must coordinate their compliance posture across both regimes simultaneously rather than treating one as a subset of the other.

2) Preventive Compliance and Governance Frameworks

An English-speaking lawyer in Turkey advising on preventive cyber compliance will explain that the framework's foundation is data inventory and risk-mapping discipline rather than reactive incident response. The procedure ordinarily requires the company to map all personal data processing activities (envanter and processing record under the KVKK Yönetmeliği's framework), classify data by sensitivity tier (ordinary personal data versus özel nitelikli kişisel veri / sensitive personal data subject to heightened protection), identify the technical and organizational measures appropriate to each processing activity, document the lawful basis for each processing operation, prepare data subject privacy notices in Turkish meeting the KVKK's transparency requirements, register with VERBİS where the controller meets the registration threshold, and maintain the documentation in audit-ready form for potential Kurul inspection. The standard approach is to treat the compliance documentation as a continuous workstream rather than a discrete project, because data flows change as the business evolves and outdated documentation produces enforcement exposure that current operational reality does not. The VERBİS registration framework deserves separate attention within the compliance documentation because registration triggers and information requirements have evolved through Kurul guidance over time. The procedure ordinarily requires controllers meeting the registration thresholds (employee count, annual financial criteria, sensitive data processing scope, public-sector status) to submit detailed information about the controller, the data protection officer (where designated), the categories of personal data processed, the purposes of processing, the categories of data subjects, the recipient categories, the retention periods, and the technical and organizational measures applied. 
Registration must be maintained current, with material changes triggering update obligations within defined windows; failure to register, late registration, and registration with inaccurate information each produce specific enforcement exposure under the KVKK's administrative fine framework.

Turkish lawyers who handle vendor cyber compliance will note that third-party processor and subprocessor management is one of the most operationally complex compliance areas because the controller remains liable for the processor's compliance failures regardless of contractual allocation. The procedure ordinarily requires written processor agreements (veri işleyen sözleşmesi) covering the processing scope and instructions, technical and organizational measures the processor must implement, subprocessor authorization mechanics, breach notification obligations from processor to controller, audit rights, return-or-deletion obligations on contract termination, and indemnification for processor-side compliance failures. Where processors operate in third countries (countries outside Turkey), the international transfer framework under the KVKK adds further requirements including either Kurul-approved adequacy or specific transfer mechanisms (explicit consent, contractual safeguards, binding corporate rules). The standard approach is to maintain a vendor inventory with each vendor's processing scope, location, contractual basis and last-audit date, with vendor recertification scheduled periodically rather than left unmonitored.

An Istanbul Law Firm advising on internal governance will treat cybersecurity policy architecture as a multi-document framework rather than a single policy. The standard approach covers an information security policy stating the controller's commitments and the framework's authority basis; an acceptable use policy covering employee use of company information systems; a data classification policy covering how data is categorized and what controls apply to each category; an access control policy covering provisioning, modification and deprovisioning of access rights; an encryption policy covering at-rest and in-transit encryption requirements; a backup and recovery policy; a vendor management policy; an incident response policy; a breach notification policy; and a record of processing activities maintained under the KVKK's documentation requirements. Each policy is tied to operational implementation through procedures and standards, with periodic review and management approval documented as evidence of governance discipline. Practice may vary by authority and year. The policy framework's operational integration with day-to-day business processes deserves separate attention because policies that exist on paper but are not embedded into operational reality fail both the substantive cybersecurity test and the regulatory compliance assessment. 
The standard approach is to integrate each policy into specific operational processes: the access control policy integrates with the HR onboarding and offboarding workflow ensuring that access provisioning and deprovisioning occurs at hire, role change and termination; the data classification policy integrates with the data-handling tools the company uses (file servers, document management systems, email platforms) ensuring that classification labels translate into technical controls applied at the file or message level; the encryption policy integrates with the IT infrastructure ensuring that newly provisioned systems automatically meet the encryption baseline rather than requiring per-system manual configuration; the vendor management policy integrates with the procurement workflow ensuring that vendor cybersecurity due diligence occurs before contracts are signed rather than after the relationship is operational; and the incident response policy integrates with the actual incident detection systems and the response team's escalation procedures so that policy invocation matches the operational triggers built into the technical environment.
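A check that the joiner/mover/leaver rules described above actually hold in the identity system, as an added example that is not part of the original article: it reconciles a constructed HR roster against constructed IAM accounts and reports leavers still enabled, movers holding entitlements outside their current role, orphan accounts with no HR record, and joiners with no account. The role-to-entitlement matrix and all records are assumed sample data.

```python
"""Reconcile HR roster against IAM accounts (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Entitlements each HR role may hold. Constructed for this example; a real
# program would load this from the access control policy's role matrix.
ROLE_ENTITLEMENTS: dict[str, frozenset[str]] = {
    "finance": frozenset({"mail", "erp"}),
    "engineer": frozenset({"mail", "vpn", "git"}),
    "support": frozenset({"mail", "crm"}),
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                     # "active" or "terminated"
    role: str
    terminated_on: date | None = None


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: str | None              # None when IAM holds no link back to HR
    enabled: bool
    entitlements: frozenset[str]


def reconcile(employees, accounts, today: date, grace_days: int = 1) -> list[dict]:
    """One finding per violation; an empty list means the policy holds."""
    findings: list[dict] = []
    by_id = {e.emp_id: e for e in employees}
    linked: set[str] = set()

    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        if emp is None:
            # No HR owner: nobody's termination will ever disable this account.
            findings.append({"account": acct.username, "issue": "orphan_account"})
            continue
        linked.add(emp.emp_id)
        if emp.status == "terminated":
            if acct.enabled:
                overdue = emp.terminated_on is None or \
                    (today - emp.terminated_on) > timedelta(days=grace_days)
                findings.append({"account": acct.username,
                                 "issue": "leaver_still_enabled", "overdue": overdue})
            continue
        # Mover check: entitlements beyond what the current HR role allows.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(emp.role, frozenset())
        if excess:
            findings.append({"account": acct.username,
                             "issue": "mover_excess_entitlements",
                             "excess": sorted(excess)})

    for emp in employees:
        if emp.status == "active" and emp.emp_id not in linked:
            findings.append({"account": None, "emp_id": emp.emp_id,
                             "issue": "joiner_without_account"})
    return findings


def sample_data():
    """Constructed roster and account list exercising all four rule failures."""
    today = date(2024, 6, 10)
    employees = [
        Employee("E1", "active", "engineer"),
        Employee("E2", "terminated", "finance", terminated_on=today - timedelta(days=5)),
        Employee("E3", "active", "support"),
        Employee("E4", "active", "finance"),          # hired, never provisioned
    ]
    accounts = [
        Account("alice", "E1", True, frozenset({"mail", "vpn", "git", "erp"})),  # kept erp after a move
        Account("bob", "E2", True, frozenset({"mail", "erp"})),                   # left 5 days ago
        Account("carol", "E3", True, frozenset({"mail", "crm"})),                 # compliant
        Account("svc-old", None, True, frozenset({"vpn"})),                       # orphan
    ]
    return employees, accounts, today


if __name__ == "__main__":
    for f in reconcile(*sample_data()):
        print(f)
```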

3) Incident Response and KVKK Breach Notification: The 72-Hour Rule

A Turkish Law Firm advising on incident response will explain that the breach notification timeline is the single most operationally demanding aspect of the KVKK framework. Under the Kurul's binding decision dated 24 January 2019 (numbered 2019/10), the controller must notify the Kurul of a personal data breach within seventy-two hours of becoming aware of the breach, with notification to affected data subjects following thereafter "within the shortest reasonable time" once the affected individuals have been identified. The procedure ordinarily requires the controller to maintain a documented incident response capability that can identify a notifiable breach, mobilize the cross-functional response team, gather the factual particulars the Kurul requires (nature of breach, categories and approximate numbers of affected data subjects, categories and approximate volume of affected data, likely consequences, mitigation measures), and submit the formal notification through the Kurul's electronic notification mechanism within the seventy-two-hour window. The threshold question of whether a security incident constitutes a notifiable breach deserves separate analytical attention because not every cyber incident triggers KVKK notification obligations. The standard approach is to apply the Kurul's breach definition (an incident causing the unauthorized or unlawful processing of personal data, including unauthorized destruction, loss, alteration, disclosure, or access) to the specific incident facts; document the analysis supporting the classification (notifiable breach versus non-notifiable security incident); preserve the analysis as evidence that the controller engaged the threshold question rather than reflexively notifying or reflexively avoiding notification; and re-evaluate the classification as the investigation develops, because the initial fact base often understates the breach scope that subsequent forensic analysis reveals.

An English-speaking lawyer in Turkey coordinating the operational mechanics will explain that the seventy-two-hour clock starts running when the controller becomes aware of the breach rather than when the breach itself occurred, with "awareness" assessed against what a reasonable controller would have known given the available information. The procedure ordinarily requires the controller to document the breach-discovery timeline carefully because the "awareness" determination drives the notification deadline; ambiguity about when the controller became aware can be exploited by either side in subsequent enforcement, with the Kurul typically applying a fact-specific analysis rather than accepting either the most aggressive or most conservative timestamp without scrutiny. Where the seventy-two-hour timeline cannot be met, the controller can submit a notification with the available information and supplement the notification subsequently as additional facts become available, but cannot defer the initial notification beyond the seventy-two-hour window without justification documented in the file.

Turkish lawyers who handle breach notification to data subjects will note that this second notification layer carries its own discipline and exposure. The procedure ordinarily requires the controller to notify affected data subjects in clear and plain language describing the nature of the breach, the categories of personal data affected, the likely consequences, the mitigation measures the controller has taken or proposes to take, and the contact point through which data subjects can obtain further information. The standard approach is to coordinate the data subject notification with the regulatory notification both substantively (consistent factual narrative) and operationally (notification template prepared in parallel with the Kurul submission so the data subject communication can issue promptly once data subject identification is complete). The discipline outlined in our note on KVKK audit defense covers the broader enforcement framework within which breach notification operates. Practice may vary by authority and year. The notification documentary architecture itself deserves operational attention because notifications submitted under the seventy-two-hour pressure can produce factual inaccuracies that subsequent enforcement uses against the controller. 
The standard approach is to maintain a structured notification template (a header section identifying the breach particulars, a factual narrative section describing how and when the breach was discovered, affected data category and approximate volume estimates, mitigation actions taken or proposed, identified root cause where available); a contemporaneous incident log maintained from the moment of breach awareness recording each investigative step and its findings with timestamps; a chain-of-custody log for forensic evidence so that subsequent enforcement or litigation can demonstrate evidentiary integrity; and a post-notification update process that submits revised information to the Kurul as the investigation develops, because the Kurul accepts factual updates that strengthen the controller's transparency profile rather than penalizing controllers for revised facts emerging from continued investigation.
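The timeline and evidence discipline described in this section, as an added example that is not part of the original article: an incident log that computes the Kurul deadline from the awareness timestamp (not the occurrence timestamp), records each investigative step and each filing with timestamps, and keeps a hash-chained chain-of-custody record for forensic evidence that can be re-verified later. Timestamps, log lines and evidence bytes are constructed samples; the 72-hour window is the one the text attributes to Kurul decision 2019/10.

```python
"""KVKK incident log with 72-hour deadline and hash-chained custody (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

KURUL_WINDOW = timedelta(hours=72)
GENESIS = "0" * 64

# Constructed evidence items; in practice these are the captured files themselves.
SAMPLE_EVIDENCE: dict[str, bytes] = {
    "db-audit.log": b"2024-03-01T02:15:00Z export table=customers rows=12000 user=svc_report\n",
    "proxy.log": b"2024-03-01T02:16:10Z CONNECT 203.0.113.7:443 bytes=48112233\n",
}


def _require_aware(ts: datetime) -> datetime:
    # A naive timestamp makes the 72-hour arithmetic ambiguous; refuse it.
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts


def _link(prev: str, sha256: str, label: str, at: str) -> str:
    # Each custody entry commits to the previous link, the evidence hash,
    # its label and its timestamp, so editing or reordering breaks the chain.
    return hashlib.sha256(f"{prev}|{sha256}|{label}|{at}".encode()).hexdigest()


@dataclass
class IncidentLog:
    aware_at: datetime                      # when the controller became aware
    occurred_at: datetime | None = None     # when the breach happened, if known
    steps: list[dict] = field(default_factory=list)
    custody: list[dict] = field(default_factory=list)
    filings: list[dict] = field(default_factory=list)

    def __post_init__(self) -> None:
        _require_aware(self.aware_at)

    def kurul_deadline(self) -> datetime:
        """Initial Kurul notification deadline: awareness plus 72 hours."""
        return self.aware_at + KURUL_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.kurul_deadline() - _require_aware(now)) / timedelta(hours=1)

    def record(self, at: datetime, step: str, finding: str) -> None:
        self.steps.append({"at": _require_aware(at).isoformat(), "step": step, "finding": finding})

    def file_notification(self, at: datetime, complete: bool) -> bool:
        """Log a Kurul filing; True if it lands inside the window. A partial
        initial filing followed by supplements is the pattern the text describes."""
        on_time = _require_aware(at) <= self.kurul_deadline()
        self.filings.append({"at": at.isoformat(), "complete": complete, "on_time": on_time})
        return on_time

    def initial_filing_in_window(self) -> bool:
        return bool(self.filings) and self.filings[0]["on_time"]

    def add_evidence(self, at: datetime, label: str, data: bytes, handler: str) -> str:
        sha = hashlib.sha256(data).hexdigest()
        prev = self.custody[-1]["link"] if self.custody else GENESIS
        stamp = _require_aware(at).isoformat()
        entry = {"at": stamp, "label": label, "sha256": sha, "handler": handler,
                 "link": _link(prev, sha, label, stamp)}
        self.custody.append(entry)
        return entry["link"]

    def verify_custody(self, evidence: dict[str, bytes]) -> bool:
        """Re-hash the evidence and re-walk the chain; False on any edit or reorder."""
        prev = GENESIS
        for e in self.custody:
            data = evidence.get(e["label"])
            if data is None or hashlib.sha256(data).hexdigest() != e["sha256"]:
                return False
            if _link(prev, e["sha256"], e["label"], e["at"]) != e["link"]:
                return False
            prev = e["link"]
        return True


def demo() -> IncidentLog:
    """Constructed scenario: export happened on 1 March, noticed on 4 March."""
    utc = timezone.utc
    aware = datetime(2024, 3, 4, 9, 0, tzinfo=utc)
    log = IncidentLog(aware_at=aware, occurred_at=datetime(2024, 3, 1, 2, 15, tzinfo=utc))
    log.record(aware, "alert", "SIEM flagged bulk export from customer database")
    log.record(aware + timedelta(hours=5), "scoping", "~12,000 records incl. national ID numbers")
    for i, (label, data) in enumerate(SAMPLE_EVIDENCE.items()):
        log.add_evidence(aware + timedelta(hours=6 + i), label, data, handler="analyst-1")
    log.file_notification(aware + timedelta(hours=60), complete=False)   # initial, partial
    log.file_notification(aware + timedelta(hours=140), complete=True)   # supplement
    return log


if __name__ == "__main__":
    log = demo()
    print("Kurul deadline:", log.kurul_deadline().isoformat())
    print("initial filing in window:", log.initial_filing_in_window())
    print("custody intact:", log.verify_custody(SAMPLE_EVIDENCE))
```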

4) Cyber Insurance and Risk Transfer Strategies

A lawyer in Turkey advising on cyber insurance coverage will explain that the Turkish market for cyber-specific insurance products has developed substantially in recent years with both Turkish insurers and international markets accessible through Lloyd's syndicates and global insurers offering coverage to Turkish-operating businesses. The procedure ordinarily requires the insured to evaluate coverage scope across the standard coverage categories: first-party costs covering forensic investigation, data restoration, business interruption losses, ransomware payments where lawful, regulatory defense costs, and crisis communications; third-party liability covering data subject claims under the KVKK, defense costs in regulatory proceedings, and business-counterparty claims arising from breach impact; and crisis response services covering incident response coordination, forensic specialists, public relations support, and notification logistics. Coverage exclusions deserve particular attention because the cyber insurance market includes broad exclusions for war and nation-state attacks, prior-known incidents, criminal acts by insureds, and certain regulatory penalties.

An Istanbul Law Firm coordinating insurance procurement will treat the policy as a contractual instrument rather than a standardized commodity, because cyber insurance terms vary substantially across insurers and policy versions. The procedure ordinarily requires reviewing the application warranties carefully because misrepresentation in the application can void coverage; reviewing the coverage triggers (incident-discovery date versus incident-occurrence date) because the trigger determines which policy year covers the incident; reviewing the notice provisions because failure to notify the insurer within the policy's required timeline can void coverage; reviewing the consent-to-defense and consent-to-settlement provisions because the insurer typically retains control over critical claim decisions; and reviewing the sublimit structure because broad headline coverage can be reduced substantially through sublimits applicable to specific cost categories.

Turkish lawyers who handle post-incident insurance claims will note that the claim process intersects materially with the regulatory and litigation response. The procedure ordinarily requires the insured to notify the insurer immediately upon incident discovery (independent of the Kurul notification), coordinate with the insurer's appointed incident response team where coverage so requires, document all incident-response costs against the policy categories, prepare formal proof-of-loss documentation, and respond to insurer information requests promptly. Where the insurer disputes coverage, the standard approach is to engage the dispute through structured documentation rather than through emotional escalation, with the underlying analytical question being whether the incident-and-loss profile fits within the coverage grant after applying the relevant exclusions. The discipline outlined in our note on adjacent cybercrime defense in Turkey covers the criminal-law dimension that often runs in parallel with the insurance claim. Practice may vary by authority and year. The insurer-coordination dimension during incident response deserves operational attention because most cyber insurance policies impose specific procedural requirements that materially affect the company's response options. Many policies require the insurer's prior consent before engaging incident response vendors, which can create timing tension where the company's preferred forensic firm is not on the insurer's approved panel; many policies require specific notice timing (often within seventy-two hours of incident discovery, paralleling the KVKK timeline); many policies impose claim-cooperation obligations that include providing the insurer access to investigation findings, potentially before those findings are mature enough for external sharing. 
The standard approach is to negotiate panel-flexibility provisions during procurement, document the insurer-notification channel and timing requirements in the incident response plan, and brief the insurer through structured updates rather than allowing the insurer to pull information through ad-hoc inquiries that distract the response team during peak incident pressure.

5) Technical Legal Requirements: Encryption, Data Hosting and Secure Systems

An English-speaking lawyer in Turkey advising on the technical compliance dimension will explain that the KVKK and sectoral cyber regulations impose substantive requirements on the technical and organizational measures (teknik ve idari tedbirler) that controllers must implement, with the sufficiency of measures assessed against the sensitivity of the data, the state of the art, and the risk profile of the processing. The procedure ordinarily requires the controller to implement encryption appropriate to the data's sensitivity (with özel nitelikli kişisel veri requiring substantively stronger protection than ordinary personal data); access control mechanisms ensuring that only authorized personnel can access the data within their job-function scope; logging and monitoring systems generating audit trails that support incident detection and post-incident forensic analysis; backup and recovery capabilities supporting business continuity and data restoration; and periodic security testing including penetration testing and vulnerability assessment for systems holding sensitive data.

A Turkish Law Firm advising on data localization and hosting requirements will note that the Turkish framework includes specific localization requirements for certain data categories and certain regulated sectors. The procedure ordinarily requires the controller to map the data categories the company processes against the applicable localization rules: banking-sector data processing under BDDK rules requires specific data localization including primary and backup hosting within Turkey for defined operational systems; payment services under the Türkiye Cumhuriyet Merkez Bankası (TCMB) framework operate under their own localization framework; certain electronic communications data under BTK rules face specific retention and localization requirements. Where the company uses cloud hosting providers, the contracting framework must address the localization requirement either through provider-side contractual commitments or through region-specific service offerings that confirm the data remains within the required geography.

Turkish lawyers who handle the broader secure-systems compliance program will note that the technical-legal requirements integrate with the human and procedural layers rather than operating as standalone IT compliance. The procedure ordinarily requires periodic security awareness training for all personnel with access to information systems; multi-factor authentication for system access especially for elevated-privilege accounts and remote access; secure configuration management for systems and applications; vendor security assessments for third parties accessing the company's systems or data; and incident response capability testing through tabletop exercises and red-team simulations. Practice may vary by authority and year, and the technical-organizational measures framework is the substantive backbone against which the Kurul assesses whether the controller's compliance posture met the KVKK's standard at the time of any incident. The audit-readiness dimension of the technical compliance framework deserves separate attention because the Kurul's assessment of "appropriate" measures applies retrospectively after an incident has occurred, with the retrospective assessment benchmarking the controller's actual implementation against the state of the art available at the relevant time. The standard approach is to maintain a continuously refreshed evidence base demonstrating the technical-organizational measures the controller has implemented (security architecture documentation, configuration baselines, penetration test reports, vulnerability scan results, training completion records, vendor security assessment reports, incident response plan updates), with the evidence base organized to support rapid response to a regulatory information request rather than requiring weeks of internal coordination to assemble. 
Where the controller's actual implementation has gaps relative to the documented framework, the standard approach is to identify the gaps proactively through self-assessment, document the remediation plan with target completion dates, and execute the remediation rather than allowing the gap to surface during a post-incident regulatory inquiry where the gap will be characterized as a compliance failure rather than as a managed risk in active remediation.

6) Regulatory Enforcement: KVKK, BTK and Sectoral Authorities

A lawyer in Turkey advising on regulatory enforcement will explain that cyber-related enforcement in Turkey operates across multiple authorities with overlapping jurisdiction depending on the incident profile. The Kişisel Verileri Koruma Kurulu has primary jurisdiction over personal data breaches and KVKK compliance failures, with enforcement powers including administrative fines, processing-order issuance, and binding decisions on specific compliance questions. The BTK has regulatory jurisdiction over electronic communications providers and certain content-related obligations under the 5651 sayılı Kanun, with enforcement powers including administrative fines, license restrictions, and operational orders. Sectoral authorities (BDDK for banks, EPDK for energy, Sağlık Bakanlığı for healthcare) issue sector-specific cybersecurity requirements and enforce them through their general supervisory powers. Multi-authority incidents can produce parallel proceedings, with the company's response posture requiring coordination across authority-specific tracks rather than single-authority focus.

An Istanbul Law Firm advising on the Kurul's enforcement procedure specifically will note that Kurul investigations typically begin either through complaints filed by data subjects or through Kurul-initiated investigations triggered by media coverage, regulatory referrals, or breach notifications that the Kurul deems to require further investigation. The procedure ordinarily requires the Kurul to issue an initial information request, review the controller's response, conduct further investigation as needed, issue a draft decision, allow the controller to submit comments on the draft, and issue the final decision. Administrative fines under the KVKK have been substantial in recent practice, with the fine quantum reflecting the breach severity, the affected individual count, the controller's compliance history, and the cooperation level during the investigation. The standard approach for controllers facing Kurul enforcement is to engage substantively and cooperatively rather than adversarially, because the Kurul's fine quantum methodology gives material credit for cooperation and remediation. The Kurul's published fine methodology factors in several considerations that the controller's response strategy can influence: the severity of the breach measured against the affected-individual count and the data sensitivity; the controller's compliance history including prior enforcement actions and prior breach notifications; the technical and organizational measures the controller had implemented before the breach (with adequate measures reducing fine quantum and inadequate measures increasing it); the controller's response timing and quality including notification compliance, transparent factual disclosure, and remediation progress; and the broader public-interest considerations including industry-wide compliance signaling. 
Where the controller can demonstrate a documented pre-breach compliance program with reasonable measures appropriate to the data processing risk, the Kurul's analysis typically distinguishes the breach from the broader compliance posture; where the breach itself reveals systemic compliance failures (no documented program, no implemented controls, no breach response capability), the fine quantum reflects both the breach impact and the systemic compliance failure.

Turkish lawyers who handle BTK and sectoral enforcement will note that the procedural environments differ from KVKK enforcement in important ways. BTK enforcement under the 5651 sayılı Kanun framework typically involves content-related orders (access blocking, content removal) with rapid procedural timelines, hosting-provider obligation enforcement, and electronic communications operational requirements. BDDK enforcement covers banking-sector cybersecurity including IT risk management adequacy, operational risk framework compliance, and cyber-incident reporting timelines specific to the banking sector. EPDK enforcement covers energy-sector cybersecurity including critical infrastructure protection and operational technology security. Where cyber incidents touch multiple authorities simultaneously, the company's response strategy must coordinate across authorities to avoid inconsistent representations or missed deadlines that can compound the underlying enforcement exposure. The discipline outlined in our note on KVKK audit defense covers the audit and inspection procedural framework in greater depth. Practice may vary by authority and year. Multi-authority enforcement coordination is one of the most operationally challenging aspects of significant cyber incident response because parallel proceedings can produce inconsistent factual representations, missed deadlines across authorities, and procedural defenses or admissions in one proceeding that prejudice another. 
The standard approach for multi-authority files is to maintain a single coordinated factual narrative across all authority engagements; centralize document production through a single coordinator who reviews each authority's submission for consistency with prior submissions to other authorities; track each authority's procedural calendar through a master deadline log so no authority's deadline is missed because attention focused on another authority; and engage privilege-protected internal counsel coordination so that privileged analysis informing one authority's response is not inadvertently waived by submission to another authority. Where one authority's enforcement timeline produces inevitable disclosure that affects another authority's investigation, the standard approach is to pre-engage with the second authority on the timing rather than allowing the disclosure to emerge through the second authority's discovery of the first authority's public records.

7) Employee Policies, Internal Investigations and Whistleblower Protection

A Turkish Law Firm advising on the human dimension of cyber compliance will note that human error and insider threats remain among the leading causes of cyber incidents in Turkish-operating businesses, making employee policy architecture and internal investigation discipline central to the compliance program. The procedure ordinarily requires the company to maintain an information security policy with clear acceptable-use rules; an employment-contract addendum or separate policy acknowledgment binding employees to the security framework with disciplinary consequences for breaches; a data classification policy clarifying which categories of company information employees may handle and under what controls; a clear desk and clean screen policy; a removable media and bring-your-own-device policy; and periodic security awareness training documented through completion records that support compliance demonstrations during regulatory inspection.

An English speaking lawyer in Turkey advising on internal investigation discipline will explain that suspected insider-driven breaches require careful procedural balance between the employer's legitimate investigation interest and the employee's privacy and labor-law protections. The procedure ordinarily requires the investigation to operate within the company's documented investigation policy, with monitoring activities aligned to the company's processing-of-employee-data lawful basis under the KVKK, employee notification of the investigation conducted in accordance with the company's transparency framework where notification does not compromise the investigation's integrity, evidence collection through forensically sound methods that preserve admissibility for potential subsequent civil or criminal proceedings, and disciplinary action proceedings conducted in accordance with the İş Kanunu (Labor Code, Law No. 4857) including the procedural rights the Labor Code guarantees employees. The standard approach is to involve external counsel early in significant insider-threat investigations because privilege protection and procedural defensibility benefit substantially from external coordination.

Turkish lawyers who handle whistleblower program design will note that whistleblower channel architecture sits at the intersection of cyber compliance, anti-corruption compliance and broader governance frameworks. The procedure ordinarily requires the company to maintain a whistleblower reporting mechanism (anonymous where the program supports anonymous reporting), with reports triaged through a defined process, retaliation prohibition documented in policy and supported by procedural safeguards, investigation discipline for reports that warrant investigation, and feedback mechanisms to the reporter where consistent with the investigation's confidentiality requirements. Whistleblower data processing must operate within the KVKK framework with appropriate lawful basis, transparency to the extent compatible with the program's confidentiality, and retention discipline aligned to the data's purpose and legal-hold requirements. Practice may vary by authority and year, and the whistleblower program's effectiveness depends substantially on the company's documented commitment to the program rather than on the program's existence as a formal policy alone. The program-design dimension extends beyond the channel architecture to include the substantive review process for reports, the escalation matrix for reports requiring immediate action, the investigation methodology applied to reports that warrant investigation, and the outcomes-tracking framework that measures program effectiveness over time. 
The standard approach is to operate the whistleblower program through a defined intake-and-triage workflow where each report is logged with a unique reference; categorized by report type (cyber incident, data privacy concern, anti-corruption matter, financial irregularity, harassment, other compliance issue); assessed for credibility and investigative priority; routed to the appropriate investigation owner; and tracked through to resolution with documented findings and any remedial action taken. The program's metrics (report volume by category, investigation completion timelines, substantiation rates, remedial action types, retaliation complaints) feed into the periodic compliance committee review that demonstrates ongoing program effectiveness rather than allowing the program to become a paper framework without operational substance.

8) Criminal Complaint Pathway, Civil Recovery and Cross-Border Coordination

An Istanbul Law Firm advising a cyber-incident victim on the pursuit of attackers will explain that Turkish criminal law provides specific cybercrime offenses under the Türk Ceza Kanunu that can be invoked against attackers through the criminal complaint (suç duyurusu) pathway. The procedure ordinarily requires the company to file a criminal complaint with the competent Cumhuriyet Başsavcılığı (Chief Public Prosecutor's Office), typically the office covering the place where the company is headquartered or where the attack's effects materialized; the complaint identifies the suspected criminal acts under the relevant TCK provisions, describes the factual evidence supporting the allegations, identifies known or suspected perpetrators where available, and requests investigation. The Cumhuriyet Başsavcılığı evaluates the complaint, opens an investigation file, conducts the investigation through the Cumhuriyet Savcısı (prosecutor), including police investigation, forensic analysis and witness examination, and either files an indictment with the competent criminal court or issues a non-prosecution decision (kovuşturmaya yer olmadığına dair karar) where the evidence does not support indictment.

A lawyer in Turkey advising on civil recovery will explain that civil-law remedies operate parallel to criminal proceedings, with the Türk Borçlar Kanunu's tort framework providing the substantive cause of action for damages arising from cyber attacks. The procedure ordinarily requires the company to identify recoverable damages (incident response costs, business interruption losses, data restoration costs, regulatory defense costs, third-party claim costs); identify the responsible parties (attackers, where identifiable; vendors with contractual liability; insurers under applicable coverage); quantify damages through documented evidence supporting each category; and pursue recovery through the civil court system before the competent Asliye Hukuk Mahkemesi or Asliye Ticaret Mahkemesi depending on the parties involved. Where insurance coverage exists, the insurer typically subrogates to the insured's recovery rights for amounts paid under the policy, with subrogation recovery proceedings pursued by the insurer against responsible third parties. The vendor-liability dimension of civil recovery deserves separate treatment because vendor cyber failures are among the most common substantive causes of cyber incidents at Turkish-operating businesses, and the contractual liability framework typically structured into vendor agreements determines the realistic recovery quantum. 
The standard approach is to review the vendor agreement's liability provisions early in the post-incident analysis (liability cap structure, carve-outs from the cap for security failures and data breaches where the agreement includes them, indemnification scope, breach-of-warranty triggers); preserve the documentary chain demonstrating the vendor's contractual commitments and the breach of those commitments; coordinate with the vendor's insurer where vendor-side cyber insurance exists; and pursue recovery through structured claim correspondence before litigation where the vendor's response posture suggests negotiated resolution remains feasible. Where the vendor's contractual liability is capped well below the realistic recovery exposure, the recovery analysis must treat the cap as a practical ceiling on negotiated outcomes, with litigation pursued only where the cap is uncertain or where extra-contractual claims (negligence, willful misconduct exclusions to the cap) provide pathways beyond the contractual ceiling. The cap-versus-litigation analysis is therefore an integral part of post-incident recovery strategy rather than a downstream operational concern, and counsel who anticipates the cap structure during the incident response stage produces materially better recovery outcomes than counsel who discovers the cap structure only after committing to a litigation pathway that the cap will ultimately constrain. Realistic strategy formulation therefore begins at the contract review stage rather than at the post-incident litigation stage, where the contractual posture is already fixed and the recovery options have correspondingly narrowed.

Turkish lawyers who handle cross-border cyber incidents will note that international coordination is one of the most operationally complex aspects of significant cyber attack response. The procedure ordinarily requires identifying the cross-border touch points (data subjects in multiple jurisdictions, attackers operating from foreign territory, vendors located abroad, insurance markets across multiple countries), mapping the parallel regulatory obligations across affected jurisdictions (GDPR notifications for EU-based data subjects, parallel notifications under other applicable data protection regimes, sectoral notifications across affected jurisdictions), coordinating the substantive narrative across jurisdictions to avoid inconsistencies that produce credibility problems in any single proceeding, and managing the timeline pressure where different jurisdictions impose different notification windows. Where the attack involves criminal-law cross-border elements (foreign-based attackers, international cybercrime networks), coordination with international law enforcement through the Interpol framework and bilateral mutual legal assistance treaties operates as a separate parallel track. The discipline outlined in our note on cybercrime defense in Turkey covers the substantive criminal-law dimension in greater depth. Practice may vary by authority and year. The attribution dimension of cyber attack investigation deserves separate operational treatment because most cyber attacks involve technical obfuscation through compromised infrastructure, anonymizing networks, and cross-border routing that complicates identification of the actual perpetrators. 
The standard approach is to engage technical forensics specialists at the incident response stage to preserve attribution-relevant evidence (network logs, malware samples, command-and-control infrastructure indicators, attack technique fingerprints); coordinate with Turkish law enforcement through the formal complaint process while also engaging directly with the cybercrime units that maintain technical capability for cross-border attribution work; and coordinate with international law enforcement through the Interpol framework where the attack pattern matches known international criminal networks. Where attribution is ultimately impossible (a common outcome in cyber attack cases), the criminal-law track may produce limited recovery, while the civil-recovery track focuses on contractually liable third parties (vendors with breached security commitments, insurers with applicable coverage), where the evidence requirements differ from those of criminal attribution.

9) Frequently Asked Questions for Turkish-Operating Businesses and International Groups

  1. What laws govern cybersecurity in Turkey? The principal laws are the KVKK (Law No. 6698, Personal Data Protection Law); the 5651 sayılı Kanun governing internet content liability and hosting/access provider obligations; the Türk Ceza Kanunu's cybercrime provisions; and sectoral cybersecurity regulations issued by the BDDK for banks, the BTK for electronic communications, the EPDK for energy, and the Sağlık Bakanlığı together with TİTCK for healthcare.
  2. What is the KVKK breach notification timeline? Under the Kurul's binding decision dated 24 January 2019 (numbered 2019/10), the controller must notify the Kişisel Verileri Koruma Kurulu within seventy-two hours of becoming aware of the breach, with notification to affected data subjects following thereafter "within the shortest reasonable time" once the affected individuals have been identified.
  3. When does the seventy-two-hour clock start running? When the controller becomes aware of the breach rather than when the breach itself occurred, with "awareness" assessed against what a reasonable controller would have known given the available information. Documenting the breach-discovery timeline carefully is critical because the awareness determination drives the deadline.
  4. What administrative fines does the KVKK impose? The KVKK provides for administrative fines covering registration failures, transparency obligation failures, technical and organizational measures failures, and breach notification failures, with fine quantum reflecting breach severity, affected-individual count, controller compliance history, and cooperation level during investigation. Practice may vary by authority and year.
  5. What technical and organizational measures must controllers implement? Encryption appropriate to data sensitivity; access control mechanisms; logging and monitoring; backup and recovery capabilities; periodic security testing including penetration testing and vulnerability assessment; multi-factor authentication for elevated access; and personnel training, with the sufficiency assessed against state of the art and the risk profile of the processing.
  6. Are there data localization requirements in Turkey? Yes, for specific sectors: banking-sector data under BDDK rules requires specific localization including primary and backup hosting within Turkey for defined operational systems; payment services under the TCMB framework operate under their own localization framework; certain electronic communications data under BTK rules face specific retention and localization requirements. The general KVKK framework does not impose blanket localization but governs international transfers through specific transfer mechanisms.
  7. What cyber insurance coverage is available? The Turkish market offers cyber-specific insurance covering first-party costs (forensic investigation, data restoration, business interruption, regulatory defense, crisis communications), third-party liability (data subject claims, regulatory proceedings, business-counterparty claims), and crisis response services. Coverage exclusions for war, nation-state attacks, prior-known incidents and criminal acts deserve specific review during procurement.
  8. How do criminal complaints against cyber attackers work? Through the Türk Ceza Kanunu's cybercrime provisions, with criminal complaints (suç duyurusu) filed with the competent Cumhuriyet Başsavcılığı, investigation conducted by the Cumhuriyet Savcısı through police investigation and forensic analysis, and either indictment before the competent criminal court or non-prosecution decision where evidence does not support indictment.
  9. What civil recovery remedies are available? Tort damages under the Türk Borçlar Kanunu's framework for cyber-incident-related damages including incident response costs, business interruption losses, data restoration costs, regulatory defense costs and third-party claim costs, pursued through civil court proceedings before the competent Asliye Hukuk Mahkemesi or Asliye Ticaret Mahkemesi.
  10. How are vendor relationships managed under the KVKK? Through written processor agreements (veri işleyen sözleşmesi) covering processing scope and instructions, technical and organizational measures, subprocessor authorization, breach notification from processor to controller, audit rights, return-or-deletion on contract termination, and indemnification. International transfers add transfer-mechanism requirements (Kurul-approved adequacy, contractual safeguards, binding corporate rules, explicit consent).
  11. What is VERBİS and who must register? VERBİS (Veri Sorumluları Sicil Bilgi Sistemi) is the Kurul-administered data controller registry. Controllers meeting defined thresholds (employee count, annual financial criteria, sensitive data processing) must register and maintain registration with current information about their processing activities.
  12. How are cross-border cyber incidents coordinated? Through parallel regulatory tracks across affected jurisdictions (GDPR notifications for EU-based data subjects alongside KVKK notifications for Turkish data subjects, sectoral notifications across affected jurisdictions), a coordinated substantive narrative to avoid inconsistencies, and law-enforcement coordination through the Interpol framework and bilateral mutual legal assistance treaties for the criminal-law dimensions.
  13. What governance documents should controllers maintain? Information security policy; acceptable use policy; data classification policy; access control policy; encryption policy; backup and recovery policy; vendor management policy; incident response policy; breach notification policy; and the record of processing activities maintained under the KVKK's documentation requirements, with periodic review and management approval documented as governance evidence.
  14. How are insider-threat investigations conducted? Within the company's documented investigation policy, with monitoring aligned to KVKK lawful basis, employee notification consistent with the transparency framework where notification does not compromise investigation integrity, forensically sound evidence collection preserving admissibility, and disciplinary proceedings conducted in accordance with İş Kanunu procedural rights. External counsel involvement is standard for significant insider-threat investigations.
  15. Does ER&GUN&ER Law Firm advise on cybersecurity legal protection? Yes. ER&GUN&ER Law Firm is an Istanbul-based law firm advising Turkish-operating businesses, multinational groups and international clients on cybersecurity legal protection across the complete lifecycle, including KVKK compliance program design, VERBİS registration, vendor cyber compliance, incident response planning, KVKK breach notification under the seventy-two-hour rule, sectoral notification coordination, regulatory enforcement defense before the Kişisel Verileri Koruma Kurulu and the BTK, cyber insurance procurement and claim coordination, encryption and hosting compliance, criminal complaint preparation against cyber attackers, civil recovery proceedings, employee policy and internal investigation framework, whistleblower program design, and cross-border incident coordination — with English-language client communication and bilingual documentation throughout each engagement. Files in this area are typically led personally by the managing partner rather than delegated.

Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.

He advises Turkish-operating businesses, multinational groups and international clients on cybersecurity legal protection under the Kişisel Verilerin Korunması Kanunu (Law No. 6698), the 5651 sayılı İnternet Kanunu, the Türk Ceza Kanunu's cybercrime provisions and sectoral cyber regulation administered by the BDDK, the BTK, the EPDK and the Sağlık Bakanlığı together with TİTCK, including KVKK compliance program design and VERBİS registration, vendor cyber compliance and processor agreement architecture, incident response planning and KVKK breach notification under the Kurul's seventy-two-hour rule, sectoral notification coordination, regulatory enforcement defense before the Kişisel Verileri Koruma Kurulu and parallel sectoral authorities, cyber insurance procurement and claim coordination, encryption and data hosting compliance including sectoral data localization rules, criminal complaint preparation against cyber attackers through the suç duyurusu pathway and civil recovery proceedings under the Türk Borçlar Kanunu, employee policy and internal investigation framework alongside the İş Kanunu's labor-law dimension, whistleblower program design, and cross-border cyber incident coordination across multi-jurisdictional regulatory and law-enforcement tracks.

Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022). LinkedIn: Profile. Istanbul Bar Association: Official website.