Cyber Law in Turkey: KVKK, Cybercrime, Content, and Compliance

Cyber law in Türkiye rests on a comprehensive framework: Kişisel Verilerin Korunması Kanunu (Law No. 6698 of 24 March 2016), with the VERBIS registration framework and the 72-hour breach notification under KVK Kurulu Kararı No. 2019/10; Türk Ceza Kanunu (Law No. 5237) Articles 243-246 on cybercrime offenses (Article 243 unauthorized access, Article 244 system and data interference, Article 245 payment card abuse, Article 246 corporate security measures); İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (Law No. 5651 of 4 May 2007), with its content provider, hosting provider and access provider framework, the 2020 social media amendments, and the Law No. 7418 of 2022 dezenformasyon framework; Siber Güvenlik Kanunu (Law No. 7545 of March 2025), establishing Siber Güvenlik Başkanlığı with the USOM and SOME framework; the Budapest Cybercrime Convention, to which Türkiye is a party via Law No. 6533 of 2014; CMK Article 134 on mobile forensics; Elektronik İmza Kanunu (Law No. 5070 of 2004); and Elektronik Haberleşme Kanunu (Law No. 5809 of 2008).

Cyber law in Türkiye operates as a multi-statute framework integrating personal data protection, cybercrime, internet content regulation, cybersecurity, and electronic communications. Each area produces distinct compliance obligations and risks for businesses, individuals, and platforms operating in the Turkish digital space. Foreign nationals, multinational corporations, and platforms with Turkish users face the framework regardless of where they physically operate: Türkiye's jurisdiction extends, through a specific extraterritoriality framework, to operators serving Turkish data subjects and Turkish users.

The substantive law operates through Kişisel Verilerin Korunması Kanunu (Personal Data Protection Code, KVKK, Law No. 6698) of 24 March 2016 (Resmi Gazete 7 April 2016 No. 29677) governing personal data processing with substantial 2024-2025 amendments expanding the framework; Türk Ceza Kanunu (Turkish Criminal Code, TCK, Law No. 5237) Articles 243-246 establishing core cybercrime offenses; İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (Internet Publications Regulation Code, Law No. 5651) of 4 May 2007 governing internet content with 2020 social media amendments and Law No. 7418 of 2022 dezenformasyon framework; Siber Güvenlik Kanunu (Cybersecurity Code, Law No. 7545) of March 2025 establishing comprehensive cybersecurity framework with Siber Güvenlik Başkanlığı (Cybersecurity Directorate); Elektronik İmza Kanunu (Electronic Signature Code, Law No. 5070) of 2004 governing electronic signatures; Elektronik Haberleşme Kanunu (Electronic Communications Code, Law No. 5809) of 2008 governing telecommunications; Ödeme Hizmetleri ve Elektronik Para Kanunu (Payment Services and Electronic Money Code, Law No. 6493) of 2013 governing fintech; Ceza Muhakemesi Kanunu (Criminal Procedure Code, CMK, Law No. 5271) Article 134 governing digital evidence; and Budapest Cybercrime Convention (Council of Europe Convention on Cybercrime, ETS No. 185) with Türkiye party status via Law No. 6533 (Resmi Gazete 2 May 2014 No. 28988).

The institutional architecture runs through Kişisel Verileri Koruma Kurumu (KVK Kurumu, the Data Protection Authority) under the KVKK framework; Bilgi Teknolojileri ve İletişim Kurumu (BTK, the Information and Communication Technologies Authority) under the Law No. 5809 framework; Siber Güvenlik Başkanlığı (Cybersecurity Directorate) under the Law No. 7545 framework; Erişim Sağlayıcıları Birliği (ESB, the Access Providers Association) under the Law No. 5651 framework; Cumhuriyet Başsavcılığı (Public Prosecutor's Office) for cybercrime prosecution; specialised police units including Siber Suçlarla Mücadele Daire Başkanlığı (Cybercrime Combat Department); and, where applicable, BDDK (Banking Regulation and Supervision Agency) for fintech and SPK (Capital Markets Board) for capital markets cybersecurity.

The Multi-Statute Framework: KVKK, TCK, Laws 5651, 7545, and Beyond

Cyber law in Türkiye does not operate through a single comprehensive statute. Multiple statutes operate concurrently, each with a distinct substantive scope and its own institutional administration. Foreign-affiliated organisations benefit from understanding how the framework's components interact, because compliance requirements differ across substantive areas.

KVKK (Law No. 6698) of 24 March 2016 (Resmi Gazete 7 April 2016 No. 29677) governs personal data processing through a comprehensive framework. Its substantive scope under Article 2 covers any automated or non-automated systematic processing of personal data. Its geographic scope reaches both Turkish-established processors and foreign processors that process Turkish data subjects' data with a substantive Turkish connection. The framework draws substantially on EU Data Protection Directive 95/46/EC, with subsequent alignment toward GDPR principles, though specific differences remain in operational details.

TCK (Law No. 5237) Articles 243-246 establish core cybercrime offenses. Article 243 governs bilişim sistemine girme (unauthorized access to information system) with substantive elements including system access without authorisation and various aggravating circumstances. Article 244 governs sistem ve verilere müdahale (system and data interference) covering data destruction, modification, and similar substantive harm to digital systems. Article 245 governs banka veya kredi kartlarının kötüye kullanılması (payment card abuse) with specific framework for card-related cybercrime. Article 246 establishes tüzel kişiler için güvenlik tedbirleri (corporate security measures for legal entities) framework producing corporate liability framework alongside individual liability.

Law No. 5651 (Internet Publications Regulation Code) of 4 May 2007 governs internet content regulation with substantial subsequent amendments. The framework distinguishes between content provider (içerik sağlayıcı), hosting provider (yer sağlayıcı), and access provider (erişim sağlayıcı) with specific obligations and protections for each category. Article 8 establishes content blocking grounds; Article 9 establishes personal rights-based blocking; Article 9/A establishes privacy violation blocking. The 2020 social media amendments (commonly referred to as Sosyal Medya Yasası) introduced Turkish representative requirement for major social media platforms with Turkish user base. Law No. 7418 of 2022 introduced dezenformasyon (disinformation) framework with specific substantive offenses.

Law No. 7545, Siber Güvenlik Kanunu, of March 2025 (enacted 12 March 2025, Resmi Gazete 19 March 2025 No. 32846) establishes a comprehensive cybersecurity framework. The law established Siber Güvenlik Başkanlığı (Cybersecurity Directorate) under Cumhurbaşkanlığı (Presidential Office) with substantive policy and supervisory authority. The framework integrates with USOM (Ulusal Siber Olaylara Müdahale Merkezi, the National Cyber Incident Response Centre) and SOME (Siber Olaylara Müdahale Ekipleri, Cyber Incident Response Teams), producing a tiered cyber incident response capability. Sectoral cybersecurity obligations operate alongside the framework, with specific obligations for finance (BDDK), energy (EPDK), telecommunications (BTK), and similar critical infrastructure sectors.

Law No. 5070 Elektronik İmza Kanunu (Electronic Signature Code) of 2004 governs electronic signature legal effect framework. Güvenli elektronik imza (secure electronic signature) under specific framework produces equivalent legal effect to handwritten signature for most purposes. Mobil imza (mobile signature) and similar specific frameworks supplement the basic electronic signature framework.

Law No. 5809 Elektronik Haberleşme Kanunu (Electronic Communications Code) of 2008 governs telecommunications framework with BTK as primary regulator. Operator licensing, consumer protection in telecommunications, technical regulations, and specific cybersecurity obligations for electronic communications service providers all operate under the framework.

Law No. 6493 Ödeme Hizmetleri ve Elektronik Para Kanunu (Payment Services and Electronic Money Code) of 2013 governs fintech framework with BDDK supervision. Payment service provider licensing, electronic money institution licensing, anti-money-laundering integration with MASAK framework, and specific cybersecurity obligations for payment ecosystem operators all face the framework.

Budapest Cybercrime Convention (Council of Europe Convention on Cybercrime) with Türkiye party status since 2014 (Law No. 6533 ratification, Resmi Gazete 2 May 2014 No. 28988) provides international cooperation framework for cybercrime investigations. Mutual legal assistance for cybercrime, extradition for cybercrime offenses, and harmonised substantive offense definitions all operate under the Convention's framework.

Personal Data Protection Under KVKK Law No. 6698

Personal data protection framework under KVKK produces substantial compliance obligations for operators processing Turkish data subjects' personal data. The framework's substantive depth produces meaningful operational requirements rather than superficial compliance theatre.

Personal data definition under Article 3 covers any information relating to identified or identifiable natural person. The broad definition encompasses contact information, identification numbers, online identifiers, location data, behavioural data, and similar information categories. Special category personal data (özel nitelikli kişisel veri) under Article 6 includes race, ethnicity, political opinion, philosophical belief, religion, sect, association membership, health, sexual life, criminal records, biometric data, and genetic data with enhanced processing requirements.

Lawful processing grounds under Articles 5-6 establish substantive prerequisites for legitimate data processing. Article 5 lawful grounds include explicit consent of data subject, legal obligation compliance, contract necessity, vital interests protection, public interest task, and legitimate interest balancing. Article 6 special category processing operates under more restrictive framework with specific lawful grounds.

Data subject rights under Article 11 include: information about processing; access to processed data; correction of inaccurate data; deletion or anonymisation in specific circumstances; processing restriction in specific circumstances; data portability for specific data; objection to processing under specific grounds; and withdrawal of consent for consent-based processing. The framework produces operational requirements for handling subject access requests with specific timeline framework.

Data controller obligations include data minimisation principle (collecting only necessary data), purpose limitation (using data only for specified purposes), accuracy maintenance, retention limitation (keeping data only as long as necessary), and security measures (technical and organisational measures protecting data). The framework operates as substantive obligation rather than merely documentation requirement.

VERBIS (Veri Sorumluları Sicil Bilgi Sistemi, the Data Controllers Registry Information System) under Article 16 requires data controllers to register specific information, including controller identification, processing purposes, data categories, recipient categories, retention periods, technical and organisational measures, and similar substantive content. Threshold criteria determine which data controllers must register with VERBIS, with specific exemptions for small operators.

Cross-border transfer framework under Article 9 governs data transfer outside Türkiye. Sufficient protection list (yeterli korumaya sahip ülkeler listesi) maintained by KVK Kurumu identifies countries with sufficient data protection allowing transfer without additional safeguards. Transfers to non-listed countries require KVK Kurumu authorisation with specific safeguards including binding corporate rules, standard contractual clauses, or specific consent. The framework's structure produces specific compliance pathway for international data flows.

The breach notification framework under KVK Kurulu Kararı No. 2019/10 of 24 January 2019 establishes a 72-hour notification timeline for data breaches affecting personal data. A notification must carry substantive content, including a description of the breach, the affected data categories, the number of affected data subjects, the potential consequences, and the remedial measures taken. Notifications follow a specific procedure and go to KVK Kurumu and, depending on breach severity, to the affected data subjects.

Penalties under KVKK include administrative fines from KVK Kurumu with substantial maximum amounts (current framework reaches several million TRY for major violations) and additional sectoral penalties where applicable. Criminal liability under TCK Article 135 (kişisel verilerin kaydedilmesi — personal data recording) and Article 136 (verileri hukuka aykırı olarak verme veya ele geçirme — unlawful disclosure or acquisition of data) produces additional criminal exposure for specific intentional violations.

Cybercrime Under TCK Articles 243-246

Cybercrime framework under TCK Articles 243-246 establishes core cyber offenses with specific substantive elements and procedural framework. The framework operates alongside specific offenses in other code areas (financial crimes, intellectual property crimes, etc.) producing comprehensive criminal coverage.

Article 243, bilişim sistemine girme (unauthorized access to information system), establishes the foundational unauthorized access offense. Its substantive elements are system access, absence of authorisation, intent (kasıt) to access, and specific aggravating circumstances. The penalty framework provides for imprisonment (typically up to 1 year for the basic offense, up to 2 years with damages, and up to 4 years for sensitive systems) plus a judicial fine. Aggravating circumstances include access to specific protected systems (banking, public, healthcare), causing data damage, and obtaining sensitive data.

Article 244 sistem ve verilere müdahale (system and data interference) covers substantive harm to digital systems and data. Article 244/1 covers interference with system functionality through hindrance, disruption, destruction, alteration, or making inaccessible. Article 244/2 covers interference with data through alteration, destruction, or similar harm. Article 244/3 establishes aggravated framework where the conduct produces substantial damage. Penalty framework reaches imprisonment up to 5 years for basic offenses with longer terms for aggravated forms.

Article 245 banka veya kredi kartlarının kötüye kullanılması (payment card abuse) covers various payment card-related offenses. Article 245/1 covers using another's card without authorisation. Article 245/2 covers producing or possessing card-cloning equipment with specific intent. Article 245/3 covers producing or selling counterfeit cards. Article 245/4 covers card fraud through other means. Penalty framework reaches imprisonment up to 8 years for serious offenses with judicial fine.

Article 246 establishes tüzel kişiler için güvenlik tedbirleri (corporate security measures for legal entities) framework. Where Articles 243-245 offenses are committed for the benefit of legal entity (tüzel kişi), specific corporate security measures (güvenlik tedbirleri) apply alongside individual prosecution of natural persons responsible. Measures include monetary sanctions, dissolution of corporate entity, and similar substantive corporate consequences.

The procedural framework for cybercrime cases operates under CMK. Article 134 governs digital evidence, including forensic imaging, hash verification, and admissibility procedures. Article 135, on lawful interception, supports cybercrime investigation through surveillance of electronic communications. Article 139, on undercover agents, supports specific cybercrime investigations, including online undercover operations. Article 140, on technical surveillance, supports digital surveillance.

Specialised institutional framework includes Siber Suçlarla Mücadele Daire Başkanlığı (Cybercrime Combat Department) under Emniyet Genel Müdürlüğü (General Directorate of Security), specialised cyber units within Cumhuriyet Başsavcılıkları (prosecutors' offices), and digital forensics capability through Adli Tıp Kurumu Bilişim ve Teknoloji Suçları İhtisas Dairesi (Forensic Medicine Institution Information Technology Crimes Specialty Department). The institutional framework supports specialised cybercrime investigation and prosecution.

Cross-border cybercrime cooperation operates through the Budapest Cybercrime Convention framework, with mutual legal assistance, expedited preservation procedures, and specific cooperation mechanisms. Türkiye's party status since 2014 enables substantive cooperation with the 60+ Convention party countries. The Convention's harmonisation of substantive offenses supports cross-border prosecution of multi-jurisdictional cybercrime.

Victim remedies for cybercrime include the criminal complaint pathway through the prosecutor, civil compensation under the general TBK framework as applied to cybercrime damages, and the KVKK administrative pathway for data-related cybercrime. These pathways operate concurrently rather than as alternatives: victims may pursue more than one, depending on the substantive harm.

Internet Content Regulation Under Law No. 5651

Internet content regulation framework under Law No. 5651 of 4 May 2007 with substantial subsequent amendments produces specific obligations on internet ecosystem participants. The framework's structure distinguishes between actor categories with specific obligations and protections for each category.

Actor categorisation under Articles 4-6 establishes substantive framework. İçerik sağlayıcı (content provider) under Article 4 includes parties producing or making available specific internet content; faces direct liability for content. Yer sağlayıcı (hosting provider) under Article 5 includes parties providing technical services for content hosting; faces secondary liability framework with notice-and-takedown protection. Erişim sağlayıcı (access provider) under Article 6 includes parties providing internet access to users; faces specific obligations including blocking compliance and traffic data retention.

Content blocking framework operates through multiple grounds. Article 8 establishes blocking grounds for specific catalogue offenses including obscenity, prostitution, narcotics, gambling, suicide encouragement, and children's protection violations. Article 9 establishes personal rights-based blocking for content violating specific personal rights. Article 9/A establishes privacy violation blocking for specific privacy violations. Article 8/A establishes additional grounds added through subsequent amendments addressing terrorism, public order, and similar substantive grounds.

Blocking procedure operates through a specific judicial framework. Sulh Ceza Hakimliği (Magistrates' Criminal Judgeship) issues blocking orders under the Article 8 catalogue offense framework. Aile, İş, Tüketici, and Asliye Hukuk Mahkemesi (the relevant courts) issue Article 9 personal rights blocking orders. The Prime Ministry Communications Directorate produced specific orders before recent amendments. Erişim Sağlayıcıları Birliği (ESB, the Access Providers Association) administers the technical implementation of blocking.

Notice-and-takedown framework under Article 9 produces specific obligations on hosting providers. Personal rights violation notices trigger specific response timeline (typically 24 hours) with content removal or court application by complainant. The framework provides safe harbour for compliant hosting providers while ensuring effective remedies for individuals affected by harmful content.

2020 social media amendments (commonly referred to as Sosyal Medya Yasası) introduced specific obligations on major social media platforms. Yerel temsilci (local representative) requirement obligates platforms with substantial Turkish user base (specific threshold) to appoint Turkish-resident representative for legal communications. Content removal compliance, transparency reporting, and specific other obligations operate alongside the representative requirement. Non-compliance produces escalating sanctions including bandwidth throttling and advertising bans.

Law No. 7418 of 2022 dezenformasyon (disinformation) framework introduced specific substantive offense criminalising publication of false information producing public order or public health concerns. The framework's substantive scope has produced controversy regarding free speech implications. Specific framework on interpretation and enforcement continues to evolve through judicial application.

Foreign platform compliance follows from the framework's extraterritorial reach. Platforms serving Turkish users face the framework regardless of corporate domicile. Major global platforms (Facebook/Meta, Twitter/X, YouTube, TikTok, and similar) have appointed Turkish representatives in compliance with the 2020 framework. Specific platforms have faced enforcement action, including bandwidth throttling, during periods of non-compliance.

Court application framework for content blocking and removal includes specific procedural requirements. Filing through appropriate court (Sulh Ceza Hakimliği for Article 8, civil courts for Article 9 grounds), substantive grounds demonstration, and specific procedural compliance produce blocking orders with binding effect. Appeal framework supports challenge of blocking orders through specific procedural pathway.

Cybersecurity Framework Under Law No. 7545

Comprehensive cybersecurity framework under Siber Güvenlik Kanunu (Law No. 7545) of March 2025 (12 March 2025 enactment, Resmi Gazete 19 March 2025 No. 32846) ended the prior period of cybersecurity regulation through fragmented sectoral frameworks. The reform's substantive content reshaped institutional architecture and compliance expectations.

Siber Güvenlik Başkanlığı (Cybersecurity Directorate) establishment under Law No. 7545 created central coordination authority under Cumhurbaşkanlığı (Presidential Office). Substantive responsibilities include: national cybersecurity policy development; sectoral coordination across critical infrastructure; cyber incident response coordination; international cybersecurity cooperation; substantive supervision of cybersecurity compliance; and similar cybersecurity governance functions. The framework's structure produces unified national cybersecurity governance.

USOM (Ulusal Siber Olaylara Müdahale Merkezi, the National Cyber Incident Response Centre) operates as the national-level cyber incident response capability. SOME (Siber Olaylara Müdahale Ekipleri, Cyber Incident Response Teams) operate at sectoral and organisational levels, providing a tiered response capability. The result is a set of capability layers running from organisational SOME through sectoral SOME to national coordination by USOM.

Critical infrastructure cybersecurity obligations under Law No. 7545 framework operate alongside sector-specific obligations. Banking sector cybersecurity under BDDK framework with specific Communique on Information Systems Security; energy sector cybersecurity under EPDK framework; healthcare sector cybersecurity under Sağlık Bakanlığı (Ministry of Health) framework; telecommunications sector cybersecurity under BTK framework; and similar sector-specific frameworks all integrate with Law No. 7545 framework.

Cybersecurity standards integration produces specific framework for major recognised standards. ISO 27001 information security management system, ISO 22301 business continuity, NIST Cybersecurity Framework, and similar major standards integrate with Turkish framework through specific recognition mechanisms. Adoption is mandatory for specific sectors and organisational types; voluntary for others.

The incident reporting framework requires specific cyber incidents to be reported through prescribed pathways. The 72-hour notification framework of KVK Kurulu Kararı No. 2019/10 applies to data breaches. Sector-specific frameworks add their own reporting obligations, including BDDK for banking incidents, BTK for telecommunications incidents, Sağlık Bakanlığı for healthcare incidents, and similar specific frameworks. Law No. 7545 adds a further reporting framework for substantial cyber incidents affecting national infrastructure.

The international cooperation framework includes Türkiye's participation in major international cybersecurity initiatives: the Budapest Cybercrime Convention as the cybercrime cooperation framework, NATO cybersecurity cooperation through specific frameworks, bilateral cybersecurity cooperation agreements with major partners, and cooperation with ENISA (European Union Agency for Cybersecurity) despite Türkiye's non-EU member status. The framework supports substantive international cooperation alongside domestic implementation.

Personal cybersecurity considerations operate alongside organisational obligations. Individual users face specific obligations including secure account management, awareness of phishing and social engineering threats, and similar substantive cybersecurity practices. The framework's individual dimension complements organisational dimension producing comprehensive cybersecurity culture.

Foreign organisations must coordinate cybersecurity compliance across jurisdictions. Organisations operating in Türkiye through subsidiaries, branches, or other specific arrangements face the Turkish cybersecurity framework alongside their home jurisdiction frameworks. Foreign cybersecurity standards (NIST in the US, BSI standards in Germany, and similar) often satisfy Turkish framework requirements, subject to specific procedural compliance demonstrating equivalence.

Data Breach Response and Notification

Data breach response framework operates through KVK Kurulu Kararı No. 2019/10 of 24 January 2019 establishing 72-hour breach notification framework alongside KVKK substantive obligations. Operational compliance produces specific procedural requirements for affected organisations.

Breach definition under framework covers unauthorized acquisition, alteration, destruction, or disclosure of personal data resulting from technical or organisational security failure. The substantive scope captures: cyberattacks producing data exfiltration; insider misconduct causing unauthorized data access; technical failures producing data exposure; vendor misconduct producing data compromise; physical security failures producing data theft; and similar substantive breach scenarios.

The 72-hour notification framework requires substantive content, including: a description of the breach circumstances (when, how, scope); the affected personal data categories (general categories, special categories); the number of affected data subjects (estimated where the exact number is unknown); the potential consequences for data subjects; the remedial measures taken or planned; a contact point for the data protection authority and affected individuals; and similar substantive content. The notification is a specific written notification, not an informal communication.

Internal investigation framework supports breach analysis. Forensic investigation determining breach cause, scope, and impact produces substantive content for notification and remedial measures. Coordination with cybersecurity providers, legal counsel, and where applicable foreign jurisdiction counsel for cross-border breach scenarios produces comprehensive response.

Affected individual notification operates through framework's specific provisions. Substantial breaches affecting data subjects' fundamental rights or causing significant harm risk require direct notification of affected individuals. Notification content includes breach description in clear language, affected data categories, potential consequences, recommended protective measures, and contact information for further information.

The penalty framework for breach notification failures includes administrative fines under KVKK with substantial amounts. Failure to notify within the 72-hour window, incomplete notification content, and failure to take adequate remedial measures each produce specific penalty exposure. Where non-compliance is systemic, multiple violations aggregate into substantial total penalty exposure.

Cross-border breach scenarios produce specific framework complications. Breaches affecting Turkish data subjects through foreign-controlled processing produce Turkish notification obligations alongside home jurisdiction obligations. GDPR interaction for breaches with EU data subject components requires coordinated notification across frameworks. Foreign jurisdiction notification obligations may produce conflicts requiring specific resolution through legal counsel coordination.

Litigation defense framework addresses breach-related civil claims and regulatory enforcement. Civil claims by affected data subjects for damages produce specific defense framework. Regulatory enforcement through KVKK administrative process produces specific defense framework. Class action-equivalent collective action frameworks produce additional litigation considerations.

Insurance coordination affects breach response framework. Cyber insurance policies typically cover specific breach response costs including forensic investigation, legal counsel, notification expenses, and litigation defense. Insurance notification timing alongside regulatory notification timing produces specific procedural framework requiring coordination.

Cross-Border Data Transfers and KVKK Article 9

Cross-border data transfer framework under KVKK Article 9 governs data transfers from Türkiye to foreign jurisdictions. The framework's structure produces specific compliance pathway for international data flows characteristic of multinational operations and cloud-based services.

Substantive framework under Article 9 establishes general rule that personal data cannot be transferred outside Türkiye without compliance with framework requirements. The framework's exceptions and authorisation pathways produce practical operational framework for legitimate cross-border transfers.

Sufficient protection list (yeterli korumaya sahip ülkeler listesi) maintained by KVK Kurumu identifies countries deemed to provide sufficient personal data protection. Transfers to listed countries operate with reduced procedural requirements compared to non-listed country transfers. The list is published by KVK Kurumu with specific criteria for inclusion based on substantive data protection adequacy assessment.

Transfers to non-listed countries require KVK Kurumu authorisation under specific framework. Authorisation mechanisms include: explicit consent of data subject for specific transfer; binding corporate rules (BCR) for intra-corporate transfers within multinational corporate group; standard contractual clauses (taahhütname) approved by KVK Kurumu providing specific safeguards; specific contractual arrangements with KVK Kurumu approval; and specific other safeguards demonstrating adequate protection.

Binding corporate rules framework supports intra-corporate transfers within multinational corporate groups. Specific framework requires substantive content including: data protection commitments binding all corporate entities; data subject rights enforcement mechanisms; KVK Kurumu interface for compliance verification; and similar substantive content. Approval process operates through KVK Kurumu with specific submission and review framework.

Standard contractual clauses framework provides simplified pathway for routine transfers. KVK Kurumu has approved standard clauses for specific transfer scenarios providing substantive safeguards equivalent to GDPR standard contractual clauses. Operators using approved standard clauses face simpler compliance pathway than custom-arrangement scenarios.

Cloud computing raises its own transfer questions. Where major cloud providers (AWS, Microsoft Azure, Google Cloud and similar) operate in Türkiye through specific arrangements, each arrangement needs its own transfer analysis. Storage in Turkish data centres may avoid the cross-border transfer framework; storage outside Türkiye triggers it even where the provider has Turkish operations.

The third-party processor rules interact with the cross-border framework. Where a data controller engages a third-party processor (data processing services), a transfer to a processor in a foreign jurisdiction falls under the cross-border framework. Compliance comes from the data processing agreement (DPA) and the transfer mechanism operating together.

Sub-processors add complexity. A processor that engages sub-processors in additional foreign jurisdictions creates a multi-layered transfer chain, and each layer requires its own compliance with appropriate safeguards. Documentation is what demonstrates compliance across the layered processing arrangements.

Scenarios that raise particular concerns include: emergency international transfers for security or vital interests; transfers required by foreign legal orders (subpoenas, warrants, government requests); transfers for legitimate business interests where consent or specific safeguards are difficult to obtain; and similar scenarios requiring case-specific analysis. Counsel coordination helps navigate these scenarios.

Sector-Specific Cyber Compliance: Finance, Healthcare, Telecommunications

Sector-specific cyber compliance frameworks supplement general cyber law framework with substantive requirements tailored to specific sectoral risk profiles. Foreign organisations entering Turkish market through licensed sectors face both general framework and sector-specific framework concurrently.

Financial sector cybersecurity under the BDDK (Bankacılık Düzenleme ve Denetleme Kurumu, the Banking Regulation and Supervision Agency) framework imposes substantial cybersecurity obligations on banks, payment service providers, electronic money institutions, and similar financial entities. The BDDK Bilgi Sistemleri Yönetimi Yönetmeliği (Information Systems Management Regulation) and the Tebliğ on Information Systems Security set out the requirements. Their substantive content includes risk management, technical security measures, business continuity, incident response, third-party risk management, and similar matters.

The payment services framework under Law No. 6493 (Ödeme Hizmetleri Kanunu) governs fintech operations and carries its own cybersecurity requirements: strong customer authentication (SCA), payment card industry compliance considerations, anti-fraud controls, and payment ecosystem cybersecurity requirements. PCI-DSS compliance for card-handling entities supplements the regulatory framework.

Capital markets cybersecurity under SPK (Sermaye Piyasası Kurulu) framework affects investment service providers, asset management companies, and similar capital markets participants. SPK regulations on information systems security and business continuity produce specific framework. Stock exchange (BİST) operational cybersecurity produces additional framework for trading-related cybersecurity.

Healthcare cybersecurity under the Sağlık Bakanlığı (Ministry of Health) framework affects healthcare facilities, health information system operators, and similar participants in the healthcare ecosystem. Sector rules on patient data protection, medical device cybersecurity, and healthcare facility cybersecurity operate alongside the general KVKK framework. The special category data rules in KVKK Article 6 give health data enhanced protection.

Telecommunications cybersecurity under the BTK (Bilgi Teknolojileri ve İletişim Kurumu) framework affects electronic communications service providers. It covers critical telecommunications infrastructure cybersecurity, subscriber data protection, lawful interception cooperation, and other telecommunications-specific cybersecurity requirements, including those for mobile operators and ISPs.

Energy sector cybersecurity under the EPDK (Enerji Piyasası Düzenleme Kurumu) framework affects energy ecosystem participants. It covers critical energy infrastructure cybersecurity, smart grid cybersecurity, and other energy-specific cybersecurity requirements, and it integrates with the critical infrastructure framework of Law No. 7545.

Defence and national security cybersecurity operates under specific frameworks distinct from general cybersecurity framework. Defence sector procurement, national security infrastructure, and specific other categories face specific frameworks with limited public disclosure. Foreign organisations engaging in defence sector face specific framework that may produce limitations on operations.

Public sector cybersecurity under Devlet Personeli Başkanlığı and specific other frameworks affects government IT operations and public sector contractors. Foreign organisations contracting with Turkish government face specific framework with substantive cybersecurity requirements.

Sectoral framework coordination produces overall compliance complexity for organisations operating across multiple regulated sectors. Banking-fintech-payments cross-sector operations face multiple regulatory frameworks; technology providers serving multiple regulated sectors face customer-specific compliance requirements alongside general framework. Coordinated compliance strategy across sectoral frameworks produces operational efficiency.

Counsel Engagement Across Cyber Law Compliance

Cyber law compliance benefits from substantive counsel engagement across multiple scenarios. The framework's multi-statute character, evolving regulatory expectations, and substantial penalty exposure produce meaningful value from professional support throughout the compliance lifecycle. A Turkish Law Firm experienced in technology and cyber law engages with the technical content of statutes including KVKK, TCK 243-246, Law No. 5651, and Law No. 7545 rather than treating cyber compliance as generic regulatory work.

Foundational compliance program development establishes substantive baseline for ongoing operations. Key elements include: comprehensive substantive law analysis across applicable frameworks (KVKK, TCK, Law 5651, Law 7545, sectoral frameworks); operational mapping identifying specific compliance touchpoints; gap analysis comparing current state with framework requirements; remediation roadmap with prioritised initiatives; and ongoing maintenance framework. The development produces case-specific compliance program rather than generic templates.

KVKK compliance specifically requires substantive ongoing engagement. VERBIS registration with accurate substantive content, privacy notices and consent mechanism design, data subject rights handling procedures, breach response framework, vendor management framework, and similar substantive content all require specialised expertise. Foreign organisations face specific complications including cross-border transfer compliance and coordination with home jurisdiction frameworks.

Cybersecurity program coordination addresses the Law No. 7545 framework alongside the sectoral frameworks. Risk assessment, technical and organisational measures, incident response capability, business continuity, and similar matters require coordinated handling across the cybersecurity, IT, and legal functions. Counsel coordination supports compliance demonstrations, including the documentation that evidences alignment with the framework.

Content moderation and takedown handling for platforms and content operators addresses Law No. 5651 framework. Content policy development reflecting Turkish framework, takedown request handling procedures, transparency reporting, Turkish representative coordination for major social media platforms, and similar substantive content require specialised expertise. The framework's evolving character through periodic amendments produces ongoing monitoring requirements.

Cybercrime victim representation addresses substantive harms from cyber attacks, data breaches, and similar incidents. Criminal complaint preparation with substantive evidence framework under TCK Articles 243-246, civil compensation pursuit alongside criminal proceedings, and KVKK administrative pathway coordination produce comprehensive remedy pursuit. Foreign nationals facing Turkish cybercrime require coordinated handling with home jurisdiction.

Cybercrime defense covers individuals and corporate entities facing cyber-related criminal allegations. Defense pathways include analysis of the evidence under CMK Article 134, challenges to the substantive elements of the offense, and challenges to procedural compliance. Corporate defense under TCK Article 246 addresses a legal entity's exposure for the misconduct of individual employees.

Regulatory enforcement defense addresses KVK Kurumu inspections, BTK enforcement actions, BDDK examinations, and similar regulatory engagement. Substantive engagement with regulators, documentation production, response coordination, and where applicable judicial review through İdare Mahkemesi (Administrative Court) framework produces effective defense. Pre-emptive compliance reduces regulatory enforcement risk.

Cross-border coordination becomes essential for multinational operations. EU GDPR-KVKK coordination, US privacy framework coordination, foreign cybersecurity framework alignment, and specific cross-border incident response require coordinated handling across Turkish counsel and home jurisdiction counsel. Mutual legal assistance for cross-border cybercrime operates through Budapest Convention framework with specific procedural requirements.

Litigation strategy addresses cyber-related civil disputes. Privacy litigation, content-related disputes, contract disputes involving technology services, intellectual property disputes with cyber components, and similar substantive matters require coordinated handling. Counsel engagement at dispute identification produces better outcomes than reactive handling after disputes escalate.

The Turkish Law Firm value-add concentrates in substantive engagement with the technical content of Turkish cyber law framework alongside operational coordination across the compliance lifecycle. An Istanbul Law Firm experienced in cyber and technology law approaches the engagement at the intersection of multi-statute substantive framework, sectoral specifics, and cross-border coordination supporting clients across compliance, defense, and strategic planning dimensions.

Frequently Asked Questions

  1. What is the substantive cyber law framework in Türkiye? Multiple statutes operate concurrently: Kişisel Verilerin Korunması Kanunu (KVKK, Law No. 6698) for personal data protection; Türk Ceza Kanunu (TCK, Law No. 5237) Articles 243-246 for cybercrime; İnternet Ortamında Yayınların Düzenlenmesi Kanunu (Law No. 5651) for internet content; Siber Güvenlik Kanunu (Law No. 7545) of March 2025 for cybersecurity; Elektronik İmza Kanunu (Law No. 5070) for electronic signatures; Elektronik Haberleşme Kanunu (Law No. 5809) for telecommunications; Ödeme Hizmetleri Kanunu (Law No. 6493) for fintech.
  2. What is KVKK? Kişisel Verilerin Korunması Kanunu (Law No. 6698) of 24 March 2016 (RG 7 April 2016 No. 29677). Comprehensive personal data protection framework with 2024-2025 amendments. Substantive scope covers any automated or systematic processing of personal data. Geographic scope reaches Turkish-established and foreign processors with Turkish data subjects. Administered by Kişisel Verileri Koruma Kurumu (KVK Kurumu).
  3. What is VERBIS registration? Veri Sorumluları Sicil Bilgi Sistemi (Data Controllers Registry Information System) under KVKK Article 16. Required for data controllers above specific thresholds with substantive content including controller identification, processing purposes, data categories, recipient categories, retention periods, technical and organisational measures.
  4. What about breach notification? KVK Kurulu Kararı No. 2019/10 of 24 January 2019 establishes 72-hour notification framework. Substantive content includes breach circumstances, affected data categories, affected data subject numbers, potential consequences, remedial measures. Notification to KVK Kurumu and affected individuals depending on severity. Failure produces administrative fines.
  5. What about cross-border data transfers? KVKK Article 9 framework. Sufficient protection list (yeterli korumaya sahip ülkeler listesi) by KVK Kurumu identifies countries with adequate protection. Non-listed country transfers require KVK Kurumu authorisation with specific safeguards: explicit consent; binding corporate rules; standard contractual clauses; specific arrangements with KVK Kurumu approval.
  6. What are TCK Articles 243-246 cybercrime offenses? Article 243 bilişim sistemine girme (unauthorized access). Article 244 sistem ve verilere müdahale (system and data interference) covering destruction, alteration, hindrance. Article 245 banka veya kredi kartlarının kötüye kullanılması (payment card abuse). Article 246 tüzel kişiler güvenlik tedbirleri (corporate security measures for legal entities). Penalties scale with offense severity reaching imprisonment up to 8 years for serious offenses.
  7. What is Law No. 5651? İnternet Ortamında Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun of 4 May 2007. Internet content regulation framework distinguishing content provider, hosting provider, access provider with specific obligations. Article 8 catalogue offense blocking; Article 9 personal rights blocking; Article 9/A privacy violation blocking. 2020 social media amendments require Turkish representative for major platforms. Law No. 7418 of 2022 added dezenformasyon framework.
  8. What is the Sosyal Medya Yasası? Common reference to 2020 Law No. 5651 amendments introducing yerel temsilci (local representative) requirement for major social media platforms with substantial Turkish user base. Requires Turkish-resident representative for legal communications. Content removal compliance, transparency reporting, and specific other obligations. Non-compliance produces escalating sanctions including bandwidth throttling and advertising bans.
  9. What is the new Cybersecurity Law? Siber Güvenlik Kanunu (Law No. 7545) of March 2025 (12 March 2025 enactment, RG 19 March 2025 No. 32846). Established Siber Güvenlik Başkanlığı (Cybersecurity Directorate) under Cumhurbaşkanlığı with national cybersecurity policy and supervisory authority. Integrates with USOM (Ulusal Siber Olaylara Müdahale Merkezi) and SOME (Siber Olaylara Müdahale Ekipleri) framework producing tiered cyber incident response.
  10. What about Budapest Cybercrime Convention? Council of Europe Convention on Cybercrime (ETS No. 185). Türkiye party since 2014 via Law No. 6533 (RG 2 May 2014 No. 28988). Provides international cooperation framework for cybercrime investigations including mutual legal assistance, expedited preservation procedures, harmonised substantive offense definitions. Supports cross-border cybercrime prosecution with 60+ Convention party countries.
  11. How is digital evidence handled? CMK Article 134 governs digital evidence framework with 2014 amendments addressing mobile devices and modern technology. Sulh Ceza Hakimliği authorisation with specific scope including device identification, data categories, procedural protections. Forensic imaging with hash verification, chain of custody, and authenticity protections. Adli Tıp Kurumu Bilişim ve Teknoloji Suçları İhtisas Dairesi provides specialised forensic capability.
  12. What about KVKK vs GDPR? KVKK draws substantially from EU framework but specific differences exist. Differences include: VERBIS registration framework specific to Türkiye; cross-border transfer framework with sufficient protection list rather than GDPR adequacy decision framework; specific sectoral interactions; KVK Kurumu enforcement approach versus EDPB. 2024-2025 KVKK amendments aligned framework closer to GDPR with continuing differences. Multinational compliance requires coordinated handling.
  13. What sectoral cybersecurity applies? Banking under BDDK with Bilgi Sistemleri Yönetimi Yönetmeliği framework. Capital markets under SPK. Healthcare under Sağlık Bakanlığı with KVKK Article 6 special category integration. Telecommunications under BTK. Energy under EPDK. Defence under specific frameworks. Public sector under specific frameworks. Foreign organisations entering regulated sectors face both general and sectoral framework concurrently.
  14. How are content takedown requests handled? Notice-and-takedown framework under Law No. 5651 Article 9 produces specific obligations on hosting providers. Personal rights violation notices trigger 24-hour response timeline with content removal or court application. Content blocking through Sulh Ceza Hakimliği for catalogue offenses or relevant courts for personal rights grounds. Erişim Sağlayıcıları Birliği (ESB) administers technical blocking implementation.
  15. Where does ER&GUN&ER Law Firm support cyber law engagements? As a Turkish Law Firm experienced in technology and cyber law, support across the engagement lifecycle: KVKK Compliance Programme Development under Kişisel Verilerin Korunması Kanunu (Law No. 6698) of 24 March 2016 (RG 7 April 2016 No. 29677) framework with comprehensive substantive analysis including Article 3 personal data definition, Articles 5-6 lawful processing grounds for general and special category data, Article 9 cross-border transfer framework with sufficient protection list and KVK Kurumu authorisation pathways including binding corporate rules, standard contractual clauses, and specific arrangements, Article 11 data subject rights including information, access, correction, deletion, portability, objection, consent withdrawal, Article 16 VERBIS registration framework, KVK Kurulu Kararı No. 2019/10 of 24 January 2019 72-hour breach notification framework with substantive content requirements; Cybercrime Investigation and Defence under Türk Ceza Kanunu (Law No. 5237) Articles 243-246 with Article 243 bilişim sistemine girme (unauthorized access) substantive elements and aggravating circumstances analysis, Article 244 sistem ve verilere müdahale (system and data interference) framework, Article 245 banka veya kredi kartlarının kötüye kullanılması (payment card abuse) framework, Article 246 corporate security measures (güvenlik tedbirleri) for legal entities, complementary offenses under TCK Articles 135-136 personal data offenses, procedural framework under Ceza Muhakemesi Kanunu (CMK, Law No. 5271) Article 134 digital evidence with 2014 amendments addressing mobile devices, Article 135 lawful interception, Article 139 undercover agent for cybercrime investigations, Article 140 technical surveillance; Internet Content Regulation under İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (Law No. 5651) of 4 May 2007 framework with Articles 4-6 actor categorisation (içerik sağlayıcı, yer sağlayıcı, erişim sağlayıcı), Article 8 catalogue offense blocking, Article 9 personal rights blocking, Article 9/A privacy violation blocking, 2020 social media amendments (Sosyal Medya Yasası) yerel temsilci framework, Law No. 7418 of 2022 dezenformasyon framework, Erişim Sağlayıcıları Birliği (ESB) coordination, content removal procedures with 24-hour response timeline; Cybersecurity Programme under Siber Güvenlik Kanunu (Law No. 7545) of March 2025 (RG 19 March 2025 No. 32846) framework with Siber Güvenlik Başkanlığı coordination, USOM (Ulusal Siber Olaylara Müdahale Merkezi) and SOME (Siber Olaylara Müdahale Ekipleri) integration, ISO 27001 information security management system alignment, ISO 22301 business continuity, NIST Cybersecurity Framework integration, sectoral cybersecurity frameworks across BDDK banking with Bilgi Sistemleri Yönetimi Yönetmeliği and Tebliğ on Information Systems Security, BTK telecommunications, EPDK energy, Sağlık Bakanlığı healthcare, SPK capital markets; Electronic Signature framework under Elektronik İmza Kanunu (Law No. 5070) of 2004 with güvenli elektronik imza framework and mobil imza integration; Electronic Communications under Elektronik Haberleşme Kanunu (Law No. 5809) of 2008 with BTK regulatory framework; Payment Services under Ödeme Hizmetleri ve Elektronik Para Kanunu (Law No. 6493) of 2013 with BDDK supervision and strong customer authentication framework; Budapest Cybercrime Convention (ETS No. 185) party status framework via Law No. 6533 (RG 2 May 2014 No. 28988) with mutual legal assistance, expedited preservation procedures, and international cooperation across 60+ party countries; Data Breach Response coordination including 72-hour KVK Kurumu notification, affected individual notification, internal forensic investigation, vendor coordination, insurance coordination, regulatory enforcement defense; Cross-Border Data Transfer Coordination under KVKK Article 9 framework with EU GDPR-KVKK harmonisation, US privacy framework alignment, sufficient protection list verification, binding corporate rules development, standard contractual clauses implementation, cloud computing scenarios analysis, third-party processor framework integration; Foreign Platform Compliance under Law No. 5651 framework including Turkish representative appointment for major social media platforms, content moderation policy alignment, takedown request procedures, transparency reporting; Civil Litigation including data protection violations, content-related disputes, technology contract disputes, intellectual property cyber components; Regulatory Enforcement Defence including KVK Kurumu inspections, BTK enforcement actions, BDDK examinations, sectoral enforcement coordination; Power of Attorney (vekaletname) coordination through Turkish consulate abroad without apostille requirement or foreign notary with apostille under 1961 Hague Apostille Convention plus Turkish sworn translation; coordination with cybersecurity providers, forensic specialists, foreign jurisdiction counsel for cross-border matters; integrated multi-disciplinary engagement across substantive cyber law, sectoral compliance, criminal procedure, civil litigation, and regulatory enforcement dimensions throughout the cyber law engagement lifecycle from compliance programme development through ongoing operations to incident response and dispute resolution where applicable.

Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice at this Turkish Law Firm focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.

He advises multinational corporations, technology platforms, fintech operators, healthcare technology providers, e-commerce operators, telecommunications operators, and data-intensive businesses across Turkish cyber law engagements under Kişisel Verilerin Korunması Kanunu (Personal Data Protection Code, KVKK, Law No. 6698) of 24 March 2016 (Resmi Gazete 7 April 2016 No. 29677) framework with 2024-2025 amendments expanding the framework, including Article 2 substantive scope covering automated and systematic processing, Article 3 personal data and special category data definitions, Articles 5-6 lawful processing grounds with explicit consent, legal obligation, contract necessity, vital interests, public interest task, legitimate interest balancing for general data and Article 6 specific framework for special category data, Article 9 cross-border transfer framework with sufficient protection list (yeterli korumaya sahip ülkeler listesi) and KVK Kurumu authorisation pathways through binding corporate rules, standard contractual clauses, explicit consent, and specific arrangements, Article 11 data subject rights including information about processing, access to processed data, correction, deletion or anonymisation, processing restriction, data portability, objection, consent withdrawal, Article 16 VERBIS (Veri Sorumluları Sicil Bilgi Sistemi) registration framework, KVK Kurulu Kararı No. 2019/10 of 24 January 2019 72-hour breach notification framework; Cybercrime under Türk Ceza Kanunu (TCK, Law No. 5237) Articles 243-246 framework with Article 243 bilişim sistemine girme (unauthorized access to information system), Article 244 sistem ve verilere müdahale (system and data interference) covering Article 244/1 system functionality interference and Article 244/2 data interference and Article 244/3 aggravated circumstances, Article 245 banka veya kredi kartlarının kötüye kullanılması (payment card abuse) covering Article 245/1 unauthorized use of another's card and Article 245/2 card-cloning equipment and Article 245/3 counterfeit cards and Article 245/4 card fraud through other means, Article 246 corporate security measures framework for legal entities; complementary offenses under TCK Article 135 kişisel verilerin kaydedilmesi (personal data recording) and Article 136 verileri hukuka aykırı olarak verme veya ele geçirme (unlawful disclosure or acquisition); İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (Internet Publications Regulation Code, Law No. 5651) of 4 May 2007 framework with Articles 4-6 actor categorisation (içerik sağlayıcı content provider, yer sağlayıcı hosting provider with notice-and-takedown safe harbour, erişim sağlayıcı access provider), Article 8 catalogue offense blocking through Sulh Ceza Hakimliği for obscenity, prostitution, narcotics, gambling, suicide encouragement, children protection violations, Article 9 personal rights-based blocking through civil courts, Article 9/A privacy violation blocking, Article 8/A additional grounds, 2020 social media amendments (Sosyal Medya Yasası) introducing yerel temsilci (local representative) requirement for major platforms with Turkish user base, Law No. 7418 of 2022 dezenformasyon (disinformation) framework, Erişim Sağlayıcıları Birliği (ESB) technical blocking implementation; Siber Güvenlik Kanunu (Cybersecurity Code, Law No. 7545) of March 2025 (12 March 2025 enactment, Resmi Gazete 19 March 2025 No. 32846) framework establishing Siber Güvenlik Başkanlığı (Cybersecurity Directorate) under Cumhurbaşkanlığı with national cybersecurity policy and supervisory authority, USOM (Ulusal Siber Olaylara Müdahale Merkezi — National Cyber Incident Response Centre) and SOME (Siber Olaylara Müdahale Ekipleri — Cyber Incident Response Teams) tiered response framework, critical infrastructure cybersecurity obligations, sectoral coordination across financial, energy, healthcare, telecommunications sectors; Elektronik İmza Kanunu (Electronic Signature Code, Law No. 5070) of 2004 with güvenli elektronik imza (secure electronic signature) and mobil imza (mobile signature) frameworks; Elektronik Haberleşme Kanunu (Electronic Communications Code, Law No. 5809) of 2008 with BTK (Bilgi Teknolojileri ve İletişim Kurumu) regulatory framework; Ödeme Hizmetleri ve Elektronik Para Kanunu (Payment Services and Electronic Money Code, Law No. 6493) of 2013 with BDDK supervision, strong customer authentication framework, anti-fraud framework integration; Sectoral Cybersecurity Frameworks including BDDK (Bankacılık Düzenleme ve Denetleme Kurumu) Bilgi Sistemleri Yönetimi Yönetmeliği and Tebliğ on Information Systems Security for banking and payment sector, SPK (Sermaye Piyasası Kurulu) information systems security regulations for capital markets, Sağlık Bakanlığı (Ministry of Health) healthcare cybersecurity framework with KVKK Article 6 special category data integration, BTK telecommunications cybersecurity, EPDK (Enerji Piyasası Düzenleme Kurumu) energy sector cybersecurity, defence sector specific frameworks; Procedural Framework under Ceza Muhakemesi Kanunu (CMK, Law No. 5271) Article 134 digital evidence with 2014 amendments, Article 135 lawful interception, Article 139 undercover agent, Article 140 technical surveillance, with chain of custody and forensic methodology coordination through Adli Tıp Kurumu Bilişim ve Teknoloji Suçları İhtisas Dairesi; International Frameworks including Budapest Cybercrime Convention (Council of Europe Convention on Cybercrime, ETS No. 185) with Türkiye party status via Law No. 6533 (Resmi Gazete 2 May 2014 No. 28988), mutual legal assistance for cybercrime, expedited preservation procedures, harmonised substantive offense definitions, NATO cybersecurity cooperation, ENISA cooperation despite non-EU member status, bilateral cybersecurity cooperation agreements; Standards Integration including ISO 27001 information security management, ISO 22301 business continuity, NIST Cybersecurity Framework, COBIT framework, PCI-DSS for card-handling entities, Common Reporting Standard (CRS) and FATCA framework integration where applicable; Compliance Programme Development including substantive law analysis, operational mapping, gap analysis, remediation roadmap, ongoing maintenance framework; Data Breach Response including 72-hour KVK Kurumu notification, affected individual notification, internal forensic investigation, vendor coordination, insurance coordination, regulatory enforcement defense, civil compensation defense; Cross-Border Coordination including EU GDPR-KVKK harmonisation including 2024-2025 KVKK amendments aligning closer to GDPR with continuing specific differences, US privacy framework alignment including FATCA reporting where applicable, multinational data flow management, cloud computing scenarios across AWS, Microsoft Azure, Google Cloud with specific Turkish data centre arrangements, third-party processor framework integration, sub-processor scenarios; Foreign Platform Compliance including Turkish representative appointment under 2020 Sosyal Medya Yasası, content moderation policy alignment, takedown request procedures, transparency reporting; Litigation Strategy including data protection violations, content-related disputes, technology contract disputes, intellectual property cyber components, civil compensation pursuit; Regulatory Enforcement Defence including KVK Kurumu inspections under KVKK procedural framework, BTK enforcement actions, BDDK examinations, SPK examinations, judicial review through İdare Mahkemesi (Administrative Court) framework where applicable; Power of Attorney (vekaletname) coordination through Turkish consulate abroad without apostille requirement or foreign notary with apostille under 1961 Hague Apostille Convention (Türkiye party since 1985) plus Turkish sworn translation enabling representation across compliance programme development, ongoing operations, incident response, and dispute resolution; coordination with cybersecurity service providers, forensic specialists including digital forensic experts, accounting professionals, foreign jurisdiction privacy and cybersecurity counsel for cross-border matters; integrated multi-disciplinary engagement across substantive cyber law including KVKK 6698, TCK 243-246 cybercrime, Law No. 5651 internet content, Law No. 7545 cybersecurity, Law No. 5070 electronic signatures, Law No. 5809 telecommunications, Law No. 6493 payment services, sectoral compliance, criminal procedure, civil litigation, regulatory enforcement, and international cooperation dimensions throughout the cyber law engagement lifecycle from compliance programme development through ongoing operations to incident response and dispute resolution where applicable.

Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022).