Cloud Computing 2024 Comparisons

Basic National Regime

Türkiye lacks a dedicated legal framework specifically regulating data privacy for cloud computing. Instead, the legal structure is fragmented, with various regulations imposing specific conditions and restrictions.

The most pertinent legal instruments are as follows.

The Constitution of the Turkish Republic

The Constitution of the Turkish Republic (the “Constitution”) does not explicitly address privacy issues in relation to cloud computing. However, cloud computing frequently involves processing personal data, making Article 20(3) of the Constitution, which protects the right to data privacy ‒ though it provides no definition for personal data ‒ applicable. Under Article 20(3), individuals have the right to:

• be informed about personal data processing;
• access their personal data;
• request correction or deletion of data; and
• be informed if data is used for appropriate purposes.

The Article also stipulates that personal data may only be processed if authorised by law or with the explicit consent of the data subject. Additionally, it mandates that the procedures and principles for processing personal data must be defined by law.

The Turkish Data Protection Law

The Turkish Data Protection Law No 6698 (the “DP Law”) was enacted to specifically regulate the procedures and principles governing the processing of personal data in Türkiye.

The DP Law defines personal data as any information related to an identified or identifiable natural person, making its scope inherently broad. However, the DP Law provides an exhaustive list of special categories of personal data (ie, sensitive data), which includes information concerning an individual’s:

• race;
• ethnic origin;
• political opinion;
• philosophical belief;
• religion, religious sect or other beliefs;
• appearance;
• membership to associations, foundations or trade unions;
• data concerning health and sexual life;
• criminal convictions and security measures;
• biometric data; and
• genetic data.

The DP Law defines the processing of personal data as any operation carried out wholly or partially by automated means or by non-automated means, provided it forms part of a data filing system. This encompasses activities such as collecting, recording, storing, protecting, transferring, retrieving and categorising personal data, all of which are relevant to cloud computing.

The DP Law establishes a framework for controllers and processors, outlining the general obligations and principles related to personal data processing. The Personal Data Protection Authority (DPA), Türkiye’s supervisory and regulatory body, further shapes data-processing practices by issuing secondary legislation, guidelines and resolutions.

While the DP Law does not set specific requirements for processing personal data in a cloud environment beyond the general obligations of controllers and processors, the DPA provides additional measures in its guidelines and resolutions (see 2.1 Data Security and the Cloud).

The Turkish Civil Code

Under Turkish law, personal data is considered an aspect of an individual’s personality and is thus protected under the Turkish Civil Code (TCiC). This protection extends to personal data processed in the context of cloud computing.

The Turkish Criminal Code

The Turkish Criminal Code (TCrC) criminalises certain actions that violate personal data protection and prescribes penalties for these offences (see 1.3 Penalties for Non-compliance with Data Privacy Regulations).

The TCrC also imposes penalties for disclosing commercial, banking or customer secrets obtained through one’s title, duty, occupation or profession to unauthorised individuals, which may include transferring such data to cloud systems. 

The Law on Banking

Under the Law on Banking (the “Banking Law”), in addition to actors such as those defined in the Law, including banks and financial institutions, those who learn the confidential information of banks and their customers due to their title and duties, as well as third parties, are subject to confidentiality obligations. In this context, they are prohibited from disclosing such information to anyone other than authorised authorities. This obligation may extend to both transfers to cloud systems and the transfers of this data between cloud systems or to another environment.

The Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions

The Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions (the “Payment Systems Law”) provides a similar confidentiality provision. Accordingly, confidentiality obligations are imposed on those providing support services to the actors defined in the Law (system operators, payment institutions and electronic money institutions) and third parties, prohibiting them from disclosing this information to anyone other than authorised authorities.

The Law on Electronic Communication

The Law on Electronic Communication bans the transfer of traffic and location data abroad unless the data subject’s explicit consent is obtained. This means such data must be stored in local cloud systems in Türkiye if explicit consent is not duly obtained.

The Law on the Regulation of Publications via the Internet and Combating Crimes Committed by Means of Such Publications

The Law on the Regulation of Publications via the Internet and Combating Crimes Committed by Means of Such Publications aims to regulate the obligations of content providers, hosting providers, internet service providers, social network providers and access providers to combat crimes committed via the internet. In this sense, cloud computing providers must also comply with obligations such as notifying the Information and Communication Technologies Authority (ICTA) before providing cloud computing services.

Sector-specific regulations

Various sector-specific regulations also impose specific requirements on cloud users and providers. Some of these regulations enforce strict data localisation requirements, including provisions related to personal data stored in cloud environments (see 2.1 Data Security and the Cloud and 6.2 Data Localisation).

The key sector-specific regulations are as follows:

• By-Law on the Information Systems of Banks and Electronic Banking Services (the “By-Law on Banks and Electronic Banking Services”);
• Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services of Payment Service Providers;
• Decree on Information and Communication Security Measures No 2019/12 issued by the Presidency of Türkiye;
• Communiqué on Information Systems Management;
• Communiqué on Management and Control of Information Systems of Financial Leasing, Factoring, and Financing Companies; and
• Communiqué on Commercial Electronic Messages Management System Integrators.

The DP Law, along with the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad, are the primary regulations establishing the rules for cross-border transfers of personal data.

The By-Law defines data transfer abroad as the transmission of personal data by a controller or processor, within the scope of the DP Law, to a controller or processor outside Türkiye or making the data accessible to them by any other means. Therefore, both transmitting personal data to a cloud system and making it accessible from abroad constitute a transfer of personal data abroad. Consequently, the general rules outlined in the DP Law apply to such transfers (see 6.1 Cross-Border Transfer Regulation).

While no specific data privacy regulations for cloud environments impose penalties for non-compliance, the general penalties established in the DP Law and the sanctions outlined in the TCrC apply when processing activities in the cloud involve handling personal data.

The DP Law outlines five categories of violations, with administrative fines for these violations adjusted annually. The following categories are particularly relevant for cloud systems, along with their amounts as of 2024:

• failure to implement necessary technical and organisational measures (interpreted broadly to include unlawful data transfer abroad and breaches of fundamental principles) may result in a fine ranging from TRY141,934 to TRY9,463,213; and
• non-compliance with the DPA’s decisions may lead to a fine between TRY236,557 and TRY9,463,213.

It is important to note that the right to seek compensation is explicitly stated as one of the rights of data subjects under the DP Law. Furthermore, data subjects can pursue compensation and request that courts prevent a threatened infringement, halt an existing infringement, and declare an infringement unlawful under the TCiC.

Criminal sanctions for actions that violate personal data protection are regulated under the TCrC. Unlawful recording, transfer, publication or acquisition of personal data and failing to destroy personal data after the legally mandated retention period may lead to imprisonment ranging from one to six years. Public prosecutors can initiate investigations ex officio without requiring a formal complaint.

Furthermore, in cases where data transfers to or from cloud systems involve the disclosure of commercial, banking or customer secrets to unauthorised third parties, this may lead to imprisonment of one to three years and judicial fines upon complaint.

The Banking Law and Payment Systems Law also impose similar penalties of imprisonment for one to three years and judicial fines for failing to comply with confidentiality obligations.

Moreover, certain supervisory authorities, such as ICTA for the information and communication sector and the Banking Regulation and Supervision Agency (BRSA) for the banking and financial sector, are empowered to oversee compliance with sector-specific legislation. This may include specific obligations for cloud users and service providers, along with the authority to impose fines for non-compliance.

Technical and Administrative Measures

The DPA’s guidelines and resolutions elaborate technical and administrative measures for controllers processing personal data. For instance, according to the Personal Data Protection Guideline on Technical and Administrative Measures (the “Technical and Administrative Measures Guideline”) and the Guideline on Erasure, Destruction or Anonymization of Personal Data published by the DPA, controllers are subject to certain requirements that extend to evaluating the security measures taken by cloud service providers.

Security measures for storing data in the cloud

Key measures applicable to cloud computing, among others, as outlined in the Technical and Administrative Measures Guideline, include:

• encrypting data using cryptographic methods;
• encrypting data when transferring to cloud environments;
• implementing encryption key management;
• where possible, using encryption keys specific to each cloud service solution;
• securely disposing of encryption keys when the cloud service is terminated or expires;
• using authorisation matrix and authorisation control systems;
• keeping access logs and log records;
• ensuring network and application security;
• implementing penetration tests;
• deploying attack detection and prevention systems;
• implementing data masking techniques;
• using data loss prevention software systems;
• performing regular backups;
• implementing firewalls;
• keeping antivirus systems up to date;
• deleting, destroying or anonymising data;
• establishing internal data security policies and procedures;
• executing data processing and confidentiality agreements;
• conducting regular information security training and awareness-raising activities;
• conducting internal periodic and/or random audits; and
• performing risk analyses.

Several sector-specific measures, such as maintaining an information asset inventory and establishing an information security management system, as mandated by the By-Law on Banks and Electronic Banking Services, are essential to consider.

Security measures for managing access controls and preventing unauthorised access

Robust security measures are essential for preventing unauthorised access and data breaches, especially in cloud systems. Therefore, it is crucial for controllers to implement specific measures for managing access controls.

For instance, the Technical and Administrative Measures Guideline advises restricting access to environments where personal data is processed, limiting it to authorised individuals using usernames and passwords. Passwords should be complex, renewed periodically and strengthened with additional authentication methods like two-factor or multi-factor authentication. In market practice, this is often reinforced by a triggering mechanism that sends a notification message to authorised individuals, informing them of access to the system.

To enhance security further, the number of password entry attempts should be limited to defend against common cyber-attacks, such as brute force attacks, where an unauthorised user systematically tries different combinations to gain access.

Administrator accounts and privileges should be enabled only when necessary, and accounts for former employees should be promptly deleted or disabled. Controllers are advised to develop an access authorisation and control matrix and establish separate access policies and procedures to implement these within the organisation.

To mitigate cybersecurity vulnerabilities, continuous recording and monitoring of access to cloud systems are crucial. Additional measures to detect and track potential security breaches, such as regular audits, penetration tests, and deploying incident response protocols and breach notification alerts, are essential for enabling the organisation to respond promptly and effectively to security incidents.

Specific measures for special categories of personal data

In 2018, the DPA issued a resolution requiring controllers to implement additional technical and organisational measures to ensure adequate protection when processing special categories of personal data. 

For example, controllers must establish a specific policy dedicated to the security of these special categories of personal data. The resolution emphasises the need for additional measures concerning employees involved in processing such data, as well as for the retention, access and transfer of this data.

While the DPA does not specify any particular standards or algorithms for the encryption of personal data in cloud systems, transferring special categories of personal data requires a VPN (virtual private network) or an sFTP (secure file transfer protocol) connection. For non-special categories of personal data, encryption standards are primarily guided by international best practices, such as AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman) for data at rest, and TLS (Transport Layer Security) and HTTPS (Hypertext Transfer Protocol Secure) for data in transit.

Furthermore, the DPA provides specific guidelines for handling certain types of special categories of personal data, such as the Guidelines on Issues to be Considered in the Processing of Genetic Data, which states that genetic data should, in principle, not be stored in the cloud. Per the Guidelines, if storage in the cloud is necessary, additional measures such as maintaining a detailed record of the data, keeping backups outside the cloud and using two-factor authentication for access should be considered. Moreover, industry standards and best practices should be followed for cryptographic algorithms, and access to cryptographic keys must be restricted to personnel with the appropriate clearance (crypto security certification).

Security Accidents and Breaches

According to the DPA’s decisions, controllers must establish procedures for responding to data breaches. These procedures typically include internal policies to assess whether a security incident qualifies as a data breach and outline the steps for notifying the DPA and affected data subjects.

Controllers must report all data breaches to the DPA, regardless of the risk level to individuals’ rights and freedoms. Notifications must be made within 72 hours of the controller becoming aware of the incident, and affected data subjects should be informed as soon as possible (see 5.3 Notifying Data Breaches).

Additionally, controllers must take immediate action to prevent or mitigate potential harm from data breaches by assessing the scope and nature of the breach. In the context of cloud computing, these measures may involve isolating affected systems to minimise damage, implementing recovery actions to restore normal operations and conducting a post-incident review for future improvement.

Data Ownership and Control in Cloud Agreements

The legal rights and control over data stored or processed in cloud systems, including all information derived from such data, is a complex issue that currently lacks specific regulations.

There are basically two main types of data: (i) data uploaded by cloud users and (ii) data created by the cloud platform. The latter raises questions about who owns the data and how intellectual property rights apply.

Thus, contractual clauses are essential for determining ownership and control over data upfront in writing as well as the conditions for data migration conditions in case of termination of the contractual relationship. By clearly outlining these aspects in the agreement, potential disputes can be mitigated, ensuring both parties understand their rights and responsibilities regarding the data.

In market practice, data ownership and control are primarily defined in cloud agreements, which generally lie with the cloud user, as this party typically collects the data and determines the purposes and means of processing. For instance, major cloud providers such as Microsoft Azure, Google Cloud and AWS typically position themselves as processors, stating that cloud users are the owners and controllers of the data in their cloud agreements.

From the DP Law perspective, the DPA appears to adopt a similar stance by categorising cloud providers as processors without clarifying its position on data ownership, as this falls outside its scope and is primarily a civil law issue. For example, in its Guidelines on Recommendations for Protecting Privacy in Mobile Applications, the DPA notes that personal data collected from mobile applications is often stored in the cloud, and when the application developer utilises cloud services, they may function as processors.

Data Subject’s Rights

Data subjects’ rights regarding their personal data, as specified under Article 11 of the DP Law, are as follows:

• learning whether their personal data is processed;
• requesting information on whether their personal data has been processed;
• learning the purpose(s) of the processing and whether their personal data is used in compliance with the purpose;
• knowing the third parties to whom their personal data is transferred, in-country or abroad;
• requesting rectification of incomplete or inaccurate data;
• requesting erasure or destruction of their personal data under certain conditions outlined in the DP Law;
• requesting reporting of the operations related to their request of rectification, erasure or destruction to third parties to whom their personal data has been transferred;
• objecting to the occurrence of a result against themselves by analysing the data processed solely through automated systems; and
• claiming compensation for the damage arising from unlawful processing of their personal data.

These rights are also applicable to the personal data in the cloud system.

Exercising the Right to Access, Rectify and Delete

Data subjects can exercise their rights by submitting a request to the controller or its representative. However, controllers may engage their processors to handle these requests, allowing data subjects to submit their requests directly to the processor. This internal division of responsibilities is typically governed by the data processing agreement (the “DP Agreements”) between the parties; however, it does not diminish the controller’s accountability to the DPA or the data subjects.

Controllers must respond to data subjects’ requests within 30 days of receipt, either by fulfilling the requests or providing justifications for any objections. In cases where controllers fulfil these requests, such as rectifying or deleting personal data in a cloud environment, they must co-ordinate with the cloud provider acting as the processor, and the cloud provider should collaborate with the controller to implement such requests. While this collaboration does not create administrative responsibility for the processor before the DPA, it may result in other liabilities, such as breaches of the DP Agreement with the controller.

If data subjects do not receive a response within this period or are unsatisfied with the reasons for the objection, they have the right to submit a complaint to the DPA.

Unlike the EU General Data Protection Regulation (GDPR), the right to data portability is not established under the DP Law or any other regulation in Turkish jurisdiction. However, market practice addresses the right to data portability through specific contractual provisions in cloud agreements (see 4.4 Exit Strategies and Data Migration).

There is no specific regulation regarding personal data retention and deletion policies for cloud systems. However, general principles provided by the DP Law apply.

According to the By-Law on the Deletion, Destruction, or Anonymization of Personal Data, controllers required to register with the Data Controller Registry (VERBIS) must adopt a personal data retention and destruction policy. This policy must include, at a minimum:

• the purpose of the policy;
• the recording environments regulated by the policy;
• definitions of legal and technical terms included in the policy;
• explanations regarding the legal, technical or other reasons necessitating the retention and destruction of personal data;
• technical and administrative measures taken to ensure the secure storage of personal data and to prevent unlawful processing and access;
• technical and administrative measures taken to ensure the lawful destruction of personal data;
• the titles, units, and job descriptions of those involved in the processes of retention and destruction of personal data;
• a table showing the retention and destruction periods;
• periodic destruction timelines; and
• information regarding any updates to the existing policy.

It is crucial for controllers to establish clear retention periods and proper measures for data disposal. They must also ensure that their processors (eg, cloud providers) comply with data disposal requests from controllers, including deletion, anonymisation and destruction of data. Additionally, it is advisable to include specific terms for proper data deletion in cloud agreements, covering backups and archived copies. Regular reviews of stored data are also essential to ensure its accuracy.

Thorough due diligence is essential when selecting a cloud provider to enhance data protection in cloud environments and ensure compliance with legal requirements, primarily the DP Law.

Although no formal list is published by the authorities, cloud users should consider the following key matters before selecting a cloud provider:

• location of servers where personal data is stored;
• legal jurisdiction governing the data, especially if stored across multiple countries;
• cloud provider’s compliance with legislation, industry regulations and standards;
• liability and indemnity clauses, ensuring the cloud provider complies with regulatory and contractual requirements, as well as the right to audit the cloud provider’s compliance;
• adequate system capacity (eg, maximum resource capacity, input processing rate over time and data transfer volume over a specified period);
• specific methods used to facilitate service resilience and fault tolerance;
• specific clauses regarding the backup and restoring of data;
• specific clauses regarding data ownership rights and how they are enforced;
• appropriate technical and administrative measures for processing personal data (see 2.1 Data Security and the Cloud);
• available cloud service support plans and methods;
• service level agreements (SLAs) for uptime guarantees, performance metrics and support response times;
• data migration process to the cloud;
• a clear exit strategy, including data portability support in transitioning to another provider or back to on-premises solutions, as well as the process for securely deleting data;
• disaster recovery plan for incidents such as cyber-attacks or natural disasters;
• policies and procedures for ensuring data security and responding to law enforcement requests;
• changes to features and functionality and the process of termination of services, including the length of time that data and logs are retained, notification procedure and return of assets; and
• relevant certifications, such as ISO 27001.

It is important to emphasise that the key points mentioned above should be considered not only when selecting a cloud provider and negotiating the service agreement but also throughout the entire duration of the service relationship. This is because the controller is responsible for ensuring that processors implement the necessary measures while engaged in data processing on their behalf.

Data Protection Requirements in Cloud Agreements

Cloud agreements typically include data protection clauses that commit the parties to comply with applicable data protection laws, such as the DP Law and other legislation relevant to cross-border transfer, if it occurs.

These provisions are often reinforced by confidentiality clauses and intellectual property provisions that clarify the protection of confidential information, restrictions on disclosure, and the ownership of personal data processed or derived in cloud environments.

In its Guidelines on Data Controllers and Processors (the “Guidelines on Controllers and Processors”) and various resolutions, the DPA explicitly states that processors must conduct their data processing activities on behalf of controllers strictly in accordance with the controller’s instructions.

Therefore, controllers should include the processor’s commitment to comply with their instructions in writing within the cloud agreements, ensuring that they are clear and aligned with the controller’s needs. For instance, relevant technical and administrative measures to be implemented by processors (see 2.1 Data Security and the Cloud) can be detailed in cloud agreements, along with the processor’s commitment to comply with data disposal requests from controllers (see 3.3 Data Retention and Deletion).

Although the DP Law does not directly mandate controllers and processors to conclude DP Agreements, the Guidelines on Controllers and Processors indicate that the DPA expects the parties to establish DP Agreements to clarify their respective duties and responsibilities (see 4.3 Data Processing Agreements and the Cloud).

For this purpose, in market practice, the parties typically adhere to separate DP Agreements, which regulate data processing activities related to the service agreement between them. These agreements generally outline the obligations of controllers and processors by referencing the DP Law and often include penalty and indemnity clauses in cases of non-compliance.

Measures for Ensuring Cloud Providers Comply with Data Privacy Regulations

Administrative fines and criminal penalties generally serve as strong deterrents for ensuring compliance (see 1.3 Penalties for Non-compliance With Data Privacy Regulations).

However, cloud providers are typically classified as processors and are thus exempt from administrative fines, except for failing to notify the DPA within five business days following the execution of standard contractual clauses (SCCs). Therefore, processors’ accountability to the controller is reinforced through DP Agreements, which clearly define the cloud providers’ roles, responsibilities and obligations, with particular emphasis on penalties and indemnity clauses (see 4.3 Data Processing Agreements and the Cloud). These clauses promote accountability among processors and facilitate dispute resolution by outlining procedures for addressing breaches, ultimately safeguarding the interests of both parties and enhancing overall data governance.

Furthermore, controllers must ensure that appropriate technical and administrative measures are implemented by their processors. Therefore, DP Agreements should include clauses granting the controller the right to audit processors’ activities. Regular and unannounced audits are essential to verify that these measures are continuously applied and that processors comply with the DP Law.

Additionally, it is crucial for DP Agreements to include provisions ensuring that processors adhere to the controller’s policies on personal data storage and destruction.

On the other hand, in market practice, the technical measures implemented by cloud providers are often reinforced by supplementary technology services-related agreements, such as IP licences and SLAs. For instance, SLAs often incorporate clauses related to incident management to effectively manage risks and enhance overall service reliability. They establish clear expectations and include provisions for penalties or service credits if performance standards are unmet.

The DP Law does not explicitly mandate a DP Agreement; however, it can be inferred from the DPA guidelines that the DPA expects controllers to enter into a DP Agreement when entrusting data processing activities to a processor (see 4.2 Data Protection in Cloud Service Agreements).

DP Agreements typically include the following key elements:

• roles, responsibilities and obligations of the parties;
• requirements for the use of sub-processors;
• technical and organisational measures;
• procedures for data export, migration and deletion;
• data transfer and cross-border transfer provisions;
• documentation and records of processing;
• data breach notification procedures;
• liability and indemnification clauses; and
• certifications and audit procedures.

Although the authority to decide on the purpose and means of data processing activities belongs to controllers, the DPA clarifies in its Guidelines on Controllers and Processors that controllers may grant processors (eg, cloud providers in cloud environments) the authority to make decisions on certain matters. The following matters are listed as examples:

• which IT systems or other methods will be used for the collection of personal data;
• methods by which personal data will be stored;
• details of security measures to be taken for the protection of personal data;
• methods by which personal data will be transferred;
• methods to be used for the accurate application of retention periods for personal data; and
• methods for deleting, destroying and anonymisation of personal data.

In market practice, the cloud sector is dominated by a few major operators such as AWS, Microsoft Azure and Google Cloud. As a result, cloud users (controllers) often accept DP Agreements or terms and conditions unilaterally drafted by cloud providers. This is largely due to the imbalance in bargaining power and the impracticality of providers signing individual agreements with each user, which often results in a “take it or leave it” approach with little to no room for negotiation.

Termination and Exit Strategies in Cloud Service Agreements

Cloud service agreements are not specifically regulated under Turkish law. Therefore, there are no specific legal requirements for their termination. In such cases, general rules and principles of contract law apply.

One of the key principles established by the Turkish Code of Obligations (TCO) is the freedom of contract, which allows parties to define nearly every aspect of their relationship, including the inclusion or exclusion of specific termination rights, as long as these terms do not conflict with mandatory legal provisions.

In the context of a cloud environment, cloud agreements are typically executed for a definite term and include renewal options at the end of this period. Parties may terminate the agreement by providing notice to the other party within the agreed notice period before the term ends or choose to renew the agreement.

The most commonly used termination clauses are as follows.

• Termination for convenience clauses allow either party to terminate the contract before the end of the term with notice. Parties typically define a reasonable notice period that must be followed when terminating the cloud agreement. However, under the TCO, parties may also terminate without notice if: (i) granting time would be ineffective, (ii) the obligation becomes useless due to the other party’s fault, or (iii) the contract specifies that performance at a particular time or within a specific period is essential and will no longer be accepted due to non-performance.
• Termination for cause clauses enable parties to terminate the contract immediately, without notice, for justified reasons related to a significant breach of the agreement, such as non-compliance with data protection laws, failure to pay fees or failure to meet other critical contractual obligations.
• Force majeure clauses allow both parties to terminate the agreement without penalties in the event of unforeseen circumstances (eg, natural disasters, regulatory changes) that prevent the fulfilment of obligations.

Data and Services Migration Between Cloud Providers

While no specific legislation regulates migration requirements, controllers must implement appropriate measures when transferring personal data to ensure compliance and data security (see 2.1 Data Security and the Cloud).

It is crucial for cloud users to conduct comprehensive due diligence before initiating cloud migration, carefully assessing the risks to the confidentiality, integrity and availability of data while also considering applicable legal requirements. Controllers should also conduct a data protection impact assessment (DPIA) if the data are transferred to a third country (see 6.1 Cross-Border Transfer Regulation).

There are different types of cloud migration methods, which are selected based on the situation's needs, used by cloud providers. The most common cloud migration methods are:

• rehosting involves moving an exact copy of your on-premises system to the cloud without major changes;
• replatforming makes minor optimisations for the cloud while keeping the core architecture intact;
• repurchasing replaces existing applications with cloud-native products, such as SaaS platforms;
• refactoring involves rebuilding applications from the ground up to leverage advanced cloud features like auto-scaling;
• retiring decommissions outdated applications that are no longer needed; and
• retaining postpones application migration due to compliance, recent upgrades or other reasons, allowing for future reassessment when cloud adoption makes more sense.

It is important to consider any sector-specific requirements when selecting from the aforementioned migration methods and to ensure that data loss prevention measures are implemented during the migration process.

In the market, major cloud platforms like AWS, Microsoft Azure and Google Cloud offer portability solutions, ensuring that services can run on new cloud infrastructures with minimal modifications.

The rules for notifying data breaches under the DP Law also apply when breaches occur in a cloud environment. The obligation to notify the DPA rests solely with the controller, even if the breach originates from the processor (eg, cloud provider).

In practice, cloud providers often detect breaches before cloud users, as they own and manage the cloud systems. As a result, cloud providers are typically obligated to report these breaches promptly to the cloud users, as stipulated in DP Agreements. This obligation may include strict deadlines for notification, such as within 12 hours of the provider becoming aware of the breach. This urgency is crucial, given the limited timeframe for controllers to notify the DPA (see 5.3 Notifying Data Breaches).

Moreover, failure to report breaches in a timely manner is typically addressed by penalty and revocation clauses within these agreements, designed to hold cloud providers accountable. For instance, if a controller incurs an administrative fine due to a delay in notifying the DPA ‒ resulting from the provider’s negligence in reporting the breach ‒ the controller may exercise their right to seek revocation or other remedies as outlined in the contractual agreement.

In the event of a data breach, the following steps are usually followed by cloud providers to mitigate the damage caused and improve the security system as per best market practice:

• promptly containing the data breach by disabling affected accounts, changing passwords and isolating compromised systems to prevent further damage;
• assessing the impact of the data breach by determining the scope of the compromised data, identifying affected cloud services and understanding the type of data breached (personal, financial or sensitive business information);
• notifying relevant parties promptly about the data breach, as this is often a legal requirement ‒ communication should include details about the breach, affected data and measures being taken to address the issue;
• understanding legal obligations, which may include reporting the breach to authorities and affected individuals within specific timeframes ‒ failure to comply with legal requirements may result in significant fines and further damage to reputation;
• developing a recovery plan to ensure the resumption of normal operations while enhancing the cloud environment's security against future breaches; and
• conducting a post-breach analysis to investigate the causes of the breach ‒ this may include action plans to improve security measures, awareness training and enhancements to the incident response plan for better future preparedness.

In contrast to the GDPR, the DP Law requires that all personal data breaches be notified to the DPA, regardless of whether the breach is unlikely to pose a risk to individuals’ rights and freedoms.

While the DP Law does not specify a timeframe for breach notifications, the DPA’s resolutions suggest that controllers must notify the DPA within 72 hours of becoming aware of a breach.

This notification should be made by submitting the online form available on the DPA’s website. The controller must provide the following information, along with relevant annexes serving as proof.

• Details on the Controller:
1. title/name and address of the controller; and
2. name and contact information of third parties preparing the notification on behalf of the controller (if applicable).
• Details on the Data Breach:
1. type of notification (initial or follow-up);
2. start, end, and detection dates and times of the breach;
3. if the breach was reported to the controller by the processor, the processor’s name and address, detection date and time, and notification details;
4. sources and details of how the breach occurred;
5. affected security aspects (data confidentiality, integrity and/or availability) and specifics;
6. detection method of the breach;
7. categories of personal data affected;
8. number of data subjects and records affected, including reasons for any estimates;
9. affected data subject groups; and
10. impact on data subjects.
• Details on the Notifications Made:
1. reasons for any delay if the notification to the DPA was not made within 72 hours of breach detection;
2. details of notifications to data subjects (including date, method, and ways to obtain further information); and
3. information on notifications to other domestic or international organisations/institutions.
• Potential Consequences of the Data Breach:
1. severity of the impact on data subjects; and
2. severity of the impact on the controller’s organisation.
• Details on the Measures Taken:
1. information on training received by employees involved in the breach over the past year;
2. technical and organisational measures implemented before the breach;
3. technical and organisational measures taken or planned post-breach; and
4. estimated completion time for the planned measures.

If the controller cannot provide all requested information within the 72-hour period, they are allowed to submit an initial notification with the available details, followed by a follow-up notification as additional information becomes available.

In addition to notifying the DPA, controllers are required to inform data subjects affected by the breach within a reasonable timeframe and without undue delay. If the contact information for the affected data subjects is available, the notification can be sent directly. If not, appropriate methods should be employed, such as publishing the notification on the controller's website.

The communication of the breach from the controller to the data subject should be made in clear and plain language and must include at least the following:

• when the data breach occurred;
• categories of personal data that are affected by the breach;
• possible consequences of the breach;
• measures that have been taken or advised to be taken by the data subject after the breach to mitigate the negative effects of the data breach; and
• the contact ways to inform the data subjects about the data breach.

The DP Law does not specify a particular type of administrative fine for failing to notify data breaches. However, according to DPA’s decisions, controllers who fail to notify the DPA and affected data subjects of a data breach are considered to have failed to implement necessary technical and organisational measures (see 1.3 Penalties for Non-compliance with Data Privacy Regulations).

On the other hand, in addition to the personal data breach notification requirements under the DP Law, a few sector-specific regulations also mandate notifying relevant authorities (eg, ICTA, BRSA) in the event of data breaches. Some of these regulations include the following.

• In the telecommunications sector, under the By-Law on Network and Information Security in the Electronic Communications Sector, operators are mandated to notify the ICTA of any network and information security breaches affecting more than 5% of subscribers and disrupting business continuity.
• In critical sectors, the Communiqué on the Principles and Procedures Regarding the Establishment, Duties, and Operations of Cyber Incident Response Teams requires critical infrastructure service providers to establish cyber-incident response teams that implement measures against cyber-attacks and conduct activities to prevent incidents or mitigate damages, including notifying the National Cyber Incident Response Center of cybersecurity incidents.
• In the banking sector, according to the By-Law on Banks and Electronic Banking Services, banks are required to report cyber incidents to the BRSA.

Co-ordination With Cloud Service Providers

Under the DP Law, processors are not directly responsible for notifying the DPA or informing affected individuals in the event of a data breach; this responsibility falls on the controller. However, in its Announcement on the Procedures and Principles for Notification of Personal Data Breaches, the DPA states that processors must promptly inform the controller upon becoming aware of any breach, allowing the controller to take appropriate action.

If processors fail to inform the controller of a breach, the controller may still face penalties for failing to notify the DPA, even if the failure is due to the processor’s fault or negligence.

Therefore, it is essential to have a written DP Agreement that clearly defines the responsibilities of both the cloud user and the cloud provider and outlines breach notification procedures. This ensures proper co-ordination between the parties, allowing the cloud user to fulfil its legal notification obligations (see 5.1 Requirements to Report Data Breaches).

International data transfers in the context of cloud computing under Turkish law are primarily governed by the DP Law, which imposes strict rules to ensure that the rights of data subjects are adequately protected when transferring personal data outside of Türkiye.

The mechanisms for transferring personal data abroad were recently amended to align with the GDPR. The new regime provides two primary gradual options for non-occasional data transfers abroad and an alternative solution for occasional data transfers abroad.

The main gradual options for non-occasional transfers are:

• adequacy decisions; and
• appropriate safeguards.

Per the DP Law, data transfers abroad can first be conducted based on adequacy decisions. If no adequacy decision exists, such transfer can be carried out by appropriate safeguards. If this is not possible, the solution for occasional transfers can be used for certain situations.

In line with the former regime, adequacy decisions remain a valid legal basis for international data transfers. The DPA is now empowered to issue adequacy decisions not only for countries but also for international organisations (eg, EU, United Nations) and certain sectors (eg, automotive sector, postal sector) within third countries. However, the DPA has not yet announced any adequacy decision.

In the absence of an adequacy decision, data transfers abroad are still possible through the implementation of appropriate safeguards. These safeguards are only applicable if the conditions for processing personal data are met, and data subjects can exercise their rights and access effective legal remedies in the third country where the data will be transferred.

Although not explicitly stated as a requirement for appropriate safeguards under the DP Law, conducting a transfer impact assessment can be regarded as essential for ensuring that data subjects can adequately exercise their rights and access effective legal remedies in the third country of the data importer.

There are primarily four established methods for implementing appropriate safeguards:

• an agreement (excluding international treaties) between public institutions and organisations or international organisations abroad and public institutions and organisations or public professional organisations in Türkiye, subject to the DPA’s approval;
• binding corporate rules (BCRs), subject to the DPA’s approval;
• SCCs announced by the DPA, with a requirement for notification to the DPA within five business days from the date of the signature of SCCs; and
• a written undertaking containing provisions that will provide adequate protection, subject to the DPA’s approval.

If occasional data transfers abroad occur without an adequacy decision, and appropriate safeguards cannot be ensured, the transfer may still be allowed under the following conditions, provided the transfers are not regular, occur only once or a few times, are not continuous, and are not in the ordinary course of business and one of the following criteria is met:

• the data subject has explicitly consented to the transfer after having been informed of the possible risks of such transfers;
• transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;
• transfer is necessary for the conclusion or performance of a contract concluded between the controller and another natural or legal person in the interest of the data subject;
• transfer is necessary for an overriding public interest;
• transfer is necessary for the establishment, exercise or defence of a right;
• transfer is necessary for the protection of the life or physical integrity of the person who is unable to give themself consent due to actual impossibility or whose consent is not legally valid; and
• transfer is made from a register that is open to the public or to persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests it.

It is important to emphasise that the regulations outlined in the DP Law concerning the transfer of personal data abroad and to international organisations also apply to onward transfers carried out by both controllers and processors.

Controllers must ensure that their processors implement appropriate technical and administrative measures, particularly when transferring personal data abroad. Due to their international operations, cloud providers often utilise subprocessors located in various third countries, which introduces additional complexities regarding data protection compliance.

Cloud users acting as controllers are obliged to confirm that the cloud providers implement adequate safeguards for any data transfers to these subprocessors outside of Türkiye. If the service provider fails to establish these safeguards, the responsibility may ultimately fall on the cloud user, exposing them to potential fines.

To mitigate these risks, cloud users should ensure that DP Agreements clearly delineate the responsibilities and obligations of both parties. This includes incorporating specific instructions from the controller regarding data handling practices, such as the cloud provider’s responsibility to implement adequate safeguards and robust liability and indemnity clauses.

While there is no general requirement for companies to maintain cloud computing infrastructure or conduct data storage activities exclusively within Türkiye, certain sector-specific regulations do apply (see 1.1 Data Privacy and Cloud Computing).

Banking and Finance Entities

The following entities must keep their primary and secondary information systems in Türkiye:

• banks;
• payment institutions and electronic money institutions;
• insurance and private pension companies (excluding services like email, teleconference or videoconference);
• capital markets institutions; and
• financial leasing, factoring and finance companies.

Electronic Communications Providers

In principle, electronic communications providers cannot transfer traffic data and location data abroad, for national security reasons. However, in certain cases, such data may be transferred abroad by obtaining the explicit consent of data subjects.

Social Network Providers (SNPs)

SNPs whose daily access is more than one million must take necessary measures to retain their Turkish users’ data in Türkiye.

Public Institutions and Organisations

Data from public institutions and organisations must not be stored in cloud services, except within the institutions’ own private systems or with local service providers under their control.

Additionally, critical information (eg, population records, health records, communication data, genetic data and biometric data) must be securely stored within Türkiye. This obligation also applies to entities providing critical infrastructure services.

Commercial Electronic Message Management System Integrators

The information processing system used in integrator services, including software, hardware and server infrastructure, must be located within a database inside Türkiye.

Conflicts of Law in Cross-Border Data Transfers

Unlike the GDPR, the DP Law does not provide clear regulations on territorial scope. As a general rule, the DP Law applies to controllers and processors established in Türkiye.

However, based on the DPA’s decisions, it appears that when data processing activities occur in Türkiye or involve data subjects located in Türkiye, the DP Law is applicable. In an unpublished decision, the DPA emphasised that the territorial scope provisions of the TCrC, which apply to offences committed in Türkiye or deemed to have been committed in Türkiye, meaning the offence is either partially or entirely committed in Türkiye or its effects occur within Türkiye, should serve as the basis for applying administrative fines defined under the DP Law. This implies that the DP Law shall be applicable if the behaviour or the result occurs in Türkiye.

Therefore, DP Law requirements should be considered for processing activities in cloud environments, when applicable. Controllers must be aware that while the DP Law aims to align with the GDPR, compliance with the GDPR does not ensure compliance with the DP Law.

Risks and Challenges Associated with International Data Transfers in the Cloud

International data transfers in the cloud context can pose various risks and challenges under applicable legislation, particularly the DP Law in Turkish law.

Controllers must select appropriate mechanisms for such transfers and implement necessary technical and administrative measures as mandated by DP Law. For instance, it can be inferred from the DP Law that a data transfer impact assessment should be conducted when relying on appropriate safeguards, as different countries may have varying levels of data protection and security standards (see 6.1 Cross-Border Transfer Regulation).

Although controllers must rely on appropriate safeguards for non-occasional transfers, obtaining regulatory approval is quite challenging; since the enactment of the DP Law, only ten controllers have managed to obtain such approval. Additionally, each application for regulatory approval poses the risk of incurring administrative fines if the data transfer abroad occurs before receiving the DPA’s approval (see 6.1 Cross-Border Transfer Regulation).

As a result, recent market practices indicate a tendency to prefer SCCs with an obligation to notify the DPA, rather than seeking regulatory approval through written undertakings or BCRs.

On the other hand, relying on SCCs presents its own set of challenges. In the cloud computing landscape, a handful of major operators dominate the market, complicating the negotiation process for clients seeking to implement SCCs. While some of these providers have begun the process of aligning their contracts with SCC requirements, the sheer volume of clients they serve often results in a one-size-fits-all approach to agreements. This dominance limits the flexibility for individual clients to negotiate terms that may better suit their specific needs.

Another challenge associated with SCCs is the requirement for wet signatures from all parties, along with notarised and, if applicable, apostilled documents that certify the authority of the signatories.

This requirement can create significant logistical hurdles for cloud providers with a large client base, as co-ordinating these processes for numerous clients can be time-consuming and resource-intensive, potentially delaying the establishment of necessary data transfer agreements.

As the regime for data transfer abroad is relatively new, many aspects still require clarification through guidelines and resolutions to be issued by the DPA.

Cloud Audits as Technical Measures

Under DP Law, controllers are obligated to conduct regular audits within their organisations. This requirement also extends to the processing activities conducted by their processors, ensuring that compliance measures are effectively implemented throughout the entire data handling chain. Therefore, cloud computing audits can be regarded as mandatory for implementing appropriate compliance measures, and failure to conduct these audits may lead to administrative fines under the DP Law (see 1.3 Penalties for Non-compliance With Data Privacy Regulations). Additionally, the controller's right to audit is typically incorporated into DP Agreements and reinforced with penalty and liability clauses.

On the other hand, in market practice, certain industry actors are expected to adopt standards such as ISO 27017:2015, which offers guidance on the information security aspects of cloud computing, including specific audit standards and effective security controls tailored to the cloud environment.

Compliance audits can be conducted either by internal IT teams or outsourced to third-party service providers. Sector-specific regulations must also be considered, as some industries, such as banking, are subject to legal requirements when outsourcing third-party services.

Engaging independent auditors is also a common practice that enhances credibility by providing impartial assessments, which is crucial for ensuring the integrity and accuracy of audit reports for compliance. Organisations often utilise standardised frameworks like ISO 27001 to maintain consistency and comprehensiveness in reporting, complemented by internal quality assurance processes that review findings before finalising reports.

Key Matters to be Considered for Cloud Audits

Compliance audits aim to ensure that cloud infrastructure meets laws and regulations while identifying vulnerabilities, inefficiencies, and security gaps. Key focus areas for compliance audits, particularly in cloud computing, include:

• identifying all cloud assets to determine what needs protection;
• reviewing identity and access management policies, including authentication and authorisation mechanisms;
• assessing the effectiveness of encryption methods and key management processes;
• evaluating data backup and disaster recovery policies;
• checking network security, firewalls, and intrusion detection/prevention systems;
• ensuring adherence to industry regulations and standards;
• verifying that proper monitoring and logging solutions are in place;
• confirming the existence of an effective incident response plan and procedures to identify and report security incidents;
• assessing compliance of third-party vendors and suppliers; and
• reviewing the physical security of data centres to ensure the safety of cloud servers.

Effective management of audit trails and logs is also crucial for maintaining security and compliance. Organisations often implement centralised logging solutions that aggregate logs from various cloud services and applications, facilitating easier monitoring and analysis. Establishing retention policies is also essential (See 3.3 Data Retention and Deletion). Access to logs is controlled through restrictive measures, allowing only authorised personnel to view and manage logs, thereby preventing unauthorised access.

Addressing audit findings requires a systematic approach. Organisations typically develop action plans that outline specific steps to address specific steps, timelines and assigned responsibilities. Follow-up audits may also be conducted to verify that the issues have been appropriately addressed and mitigated.