Uzun Keskin Attorney Partnership

Legal Obligations of Cyber Security Companies

adminDev — Tue, 01 Jul 2025 19:07:15 +0000

With the Cyber Security Law (“Law”), which entered into force on March 19, 2025, a comprehensive legal framework regulating cyber security was established for the first time in Turkey. The Law established the Cyber Security Presidency (“Presidency”) and granted the Presidency extensive powers in determining, implementing and monitoring cyber security policies. Cyber security is considered a national security issue and significant obligations encompassing both the public and private sectors are envisaged.

The opportunities that cyber security companies will gain with the Law and the obligations imposed on them will be discussed under the following headings.

1- Opportunities for Cybersecurity Companies

The Law increases the activities of the public in the field of cybersecurity and creates various commercial opportunities in the private sector. According to the Law, the systems that will be considered as critical infrastructure will be determined by the Presidency and accordingly, various obligations will be imposed on the companies operating in the sector of the said systems. In parallel with the EU practice, it is evaluated that the sectors that are initially planned to be included in the scope of critical infrastructure within the framework of the Law will be determined as follows:

Energy,
Transportation,
Banking and finance,
Health,
Water facilities (drinking, purification etc.),
Electronic communications and digital infrastructures.

The law stipulates that the Presidency will conduct audits regarding cyber security in critical infrastructures, perform various checks including penetration tests, and authorize independent auditors for this purpose. In addition, it is mandatory for cyber security products or services to be certified, and it is stipulated that priority will be given to domestic and national cyber security products. For all these reasons, it is anticipated that with the full implementation of the law, there will be a high demand for independent audit services and certified cyber security products or services from public institutions or organizations and companies operating in critical infrastructure sectors.

2- Obligations of Cybersecurity Companies

The obligations specifically imposed on cybersecurity companies by the law are listed below:

Export Restriction: The procedures and principles regarding the sale of cybersecurity products, systems, software, hardware and services abroad will be determined by the Presidency. Additional rules regarding exports related to cybersecurity will be foreseen with secondary regulations to be issued within this framework. However, Presidency permission will be required for some export items.
Control of Investment Processes: All mergers, divisions, share transfers or sales transactions of cybersecurity companies operating in the fields listed above will be reported to the Presidency. Transactions that provide direct or indirect control or decision-making rights over the companies in question are subject to the Presidency’s approval. Therefore, the investment processes of these companies have been transferred to the Presidency’s control.
Permission to Operate: Companies, associations, federation of associations or foundations operating in the field of cybersecurity must complete their certification, authorization or documentation processes in accordance with secondary regulations to be issued by the Presidency within 2 years from the effective date of the Law. Cybersecurity activities of those who fail to comply with this obligation will be suspended.
Product or Service Certification: The Presidency will certify cybersecurity products and services to be used in public institutions and organizations and critical infrastructures. Thus, only certified products or services can be used in these places.

In order for the Presidency to fulfill its duties within the framework of the Law, it has very broad access powers such as accessing all kinds of information, documents or data, including log records, and contacting information systems. In addition, the Presidency has the authority to conduct on-site or remote audits. Such requests from the Presidency must be fulfilled urgently.

Cybersecurity companies must immediately report any cyber incidents and vulnerabilities they detect to the Presidency.

The judicial and administrative sanctions foreseen by the Law are shown in the attached table.

3- Evaluation and Recommendations

The law foresees strict obligations for cybersecurity companies. In return, a serious field of activity has been opened up to companies that can meet the obligations. As of the current situation, the following recommendations are presented to cybersecurity companies during the 2-year transition period:

Dividing commercial activities into two as foreign and domestic, and separating foreign and domestic activities (it is thought that the effects of the Law’s restrictions on exports can be mitigated in this way),
Conducting the necessary preliminary studies to comply with the obligations imposed by the Law.

Finally, it is recommended to closely follow the secondary regulations on the subject.

Annex: Table of Relevant Judicial and Administrative Sanctions

Definition of Act Requiring Sanction	Yaptırım
Failure to provide or prevent the receipt of requested information, documents, software, data or hardware within the scope of audits.	1 to 3 years in prison 500 days to 1500 days of judicial fine (up to 750,000 TL)
Operating without obtaining the approval, authorization or permission required by law.	2 to 4 years imprisonment 1000 days to 2000 days of judicial fine (up to 1,000,000 TL)
Failure to comply with confidentiality obligations under the law	4 to 8 years in prison
Abusing duties and powers arising from the law or causing a data breach by acting contrary to the requirements of duty within the scope of protecting critical infrastructures against cyber attacks.	1 to 3 years in prison
Failure to take measures required by legislation regarding cyber security or failure to report cyber incidents or vulnerabilities detected in the area where services are provided.	Administrative fines of 1,000,000 TL to 10,000,000 TL
Procurement of cyber security products, systems or services to be used in public institutions or organizations and critical infrastructures from persons not authorized or certified by the Presidency.	Administrative fines of 1,000,000 TL to 10,000,000 TL
Cybersecurity companies acting in violation of export restrictions or controls on investment processes	Administrative fines of 10,000,000 TL to 100,000,000 TL
Obstructing the audit in any way	Administrative fines of 5% of the gross sales revenue in the independently audited annual financial statements.

Cyber Security Law

adminDev — Thu, 13 Mar 2025 11:46:00 +0000

The Cyber Security Law (“Law”) was accepted by the TBMM General Assembly on 12.03.2025 and became law. The law includes regulations on cyber security and the principles regarding the establishment of the Cyber Security Board (“Board”). The important regulations included in this Law are mentioned below.

I. Scope of the Law

The law covers (i) public institutions and organizations, (ii) professional organizations with the status of public institutions, (iii) real persons and legal entities, and (iv) organizations without legal personality that operate and provide services in cyberspace.

Intelligence activities carried out in accordance with the Police Duties and Authorities Law, Coast Guard Command Law, Gendarmerie Organization, Duties and Authorities Law, and activities carried out in accordance with the State Intelligence Services and National Intelligence Organization Law and Turkish Armed Forces Internal Service Law are excluded from the scope of the regulation.

II. Purpose of the Law

The main purposes of the Law are as follows:

Detection and elimination of cyber threats
The Cyber Security Presidency (“Presidency”) will detect and eliminate current, potential and past violations and attacks in cyberspace through the Cyber Incident Response Teams (“SOME”) to be established and run by the Presidency and the expert personnel to be employed.
Determining strategies and policies to strengthen cyber security and reduce the possible effects of cyber incidents
The Presidency will determine the binding policies, strategies, action plans and other regulatory procedures published for the development of cyber maturity.
Making deterrent arrangements against cyber attacks
The Law provides for serious prison sentences and judicial and administrative fines for cyber attacks, violations or non-compliance with the Law. (See: Section VII)
Establishment of the Cyber Security Board
A Cyber Security Board will be established, consisting of the President, Vice President, Minister of Justice, Minister of Foreign Affairs, Minister of Interior, Minister of National Defense, Minister of Industry and Technology, Minister of Transportation and Infrastructure, Secretary General of the National Security Council, President of the National Intelligence Organization, President of Defense Industries and President of Cyber Security. The Board will (i) make decisions on policies, strategies, action plans and other regulatory procedures regarding cyber security (ii) make decisions on the implementation of the technology roadmap regarding cyber security prepared by the Presidency throughout the country, (iii) determine the priority areas to be encouraged in the field of cyber security, make decisions on the development of human resources in the field of cyber security, (iv) determine the critical infrastructure sectors and (v) decide on the disputes that may arise between the Presidency and public institutions and organizations.

III. Cyber Security Concepts

The Law defines some basic cybersecurity concepts. These concepts are decisive in determining the scope of the Law.

Critical infrastructure: Infrastructures that host information systems that may lead to loss of life, large-scale economic damage, security gaps or disruption of public order when the confidentiality, integrity or accessibility of the information/data they process is compromised.

Critical public service: A service provided with a monopoly or limited substitute throughout the country that is necessary for the continuation of national, social or economic activities and that may have a significant impact on national security, the social or economic welfare of the country, public order or health or the provision of other services in the event of interruption or damage.

Cyberspace: The environment consisting of all information systems directly or indirectly connected to the Internet, electronic communication or computer networks and the networks that connect them.

Cybersecurity: The set of activities that includes protecting information systems that constitute cyberspace from attacks, securing the confidentiality, integrity and accessibility of data processed in this environment, detecting attacks and cyber incidents, activating response and alarm mechanisms against these detections and then returning them to the state before the cyber incident.

Cyber incident: The violation of the confidentiality, integrity or accessibility of information systems or data processed by these systems.

Cyber attack: The intentional actions taken against a person or information systems anywhere in cyberspace in order to eliminate the confidentiality, integrity or accessibility of information systems in cyberspace and data processed by these systems.

IV. Cyber Security Presidency

The main duties of the Presidency are as follows:

To determine critical infrastructures and the institutions and locations they belong to.
To establish, have established and supervise SOMEs,
To regulate the procedures and principles that those operating in the field of cyber security must comply with and to prepare standards regarding the field of cyber security,
To conduct testing and certification processes regarding software, hardware, products, systems and services regarding the field of cyber security,
To conduct cyber security audits and impose sanctions according to the results.
To determine technical criteria regarding the qualifications that the cyber security products and services to be used in public institutions and organizations and critical infrastructures and the businesses that will provide them must have.

V. Inspection

The Presidency may inspect all acts and transactions falling within the scope of the Law.
Inspection covers the activities and transactions of institutions, organizations and other relevant real and legal persons within the scope of this Law, related to the provisions of this Law.
Those subject to inspection must take the necessary measures to keep the relevant devices, systems, software and hardware open to inspection for the given periods, to provide the necessary infrastructure for inspection and to keep them in working order.

VI. Responsibilities Envisaged Under the Law

All public institutions and organizations, real and legal persons are responsible for the implementation of cyber security policies and strategies and taking necessary measures to prevent or reduce the effects of cyber attacks.
In studies to ensure cyber security, domestic and national products are primarily preferred.
In addition, it has been regulated in a way that will be binding for those who provide services, collect, process data and conduct similar activities using information systems within the scope of the Law.
• To forward to the Presidency any data, information, document, hardware, software and any other contribution requested by the Presidency within the scope of its duties and activities, in a timely manner.
• To take measures envisaged by the legislation for the purpose of ensuring national security, public order or public service is carried out properly for cyber security, and to report to the Presidency any vulnerabilities or cyber incidents they detect in the areas they provide services, without delay.
• To be used in public institutions and organizations and critical infrastructures cybersecurity products, systems and services To procure from cybersecurity experts, manufacturers or companies authorized and certified by the Presidency.

• To obtain the Presidency’s approval within the framework of existing regulations before starting operations by cyber security companies subject to certification, authorization and documentation.

• To fulfill the issues included in the policy, strategy, action plan developed by the Presidency and other regulatory procedures published and to take the necessary measures.

VII. Penal Sanctions to be Applied Under Law

The law has stipulated various prison sentences and judicial and administrative fines. Some important provisions are as follows:

• Those who do not provide information, documents, software, data and hardware requested by the authorities and officials authorized by law or who prevent them from being obtained shall be punished with imprisonment from 1 to 3 years and a judicial fine from 500 to 1500 days. Public institutions and organizations are excluded from this crime.
• Those who operate without obtaining the required approvals, authorizations or permits in accordance with the law are punished with imprisonment from 2 to 4 years and a judicial fine from 1000 to 2000 days.

• Those who access, share or sell personal or critical corporate data that falls within the scope of public service in cyberspace due to a previous data leak without the permission of the relevant person or institution are sentenced to 3 to 5 years in prison.

The provision also states that this action can be carried out for a fee or without consideration.

• Those who create false content as if a data leak occurred or who spread content for this purpose, even though they know that there is no data leak in cyberspace, in order to create anxiety, fear and panic among the public or to target individuals or institutions, are sentenced to 2 to 5 years in prison.

• Those who carry out cyber attacks on the elements that constitute the national power of the Republic of Turkey in cyberspace or who keep any data obtained as a result of this attack in cyberspace are sentenced to 8 to 12 years in prison, unless the act constitutes another crime that requires a more severe penalty. In cases where the data obtained as a result of this attack is distributed in cyberspace, sent to another location or offered for sale, they are sentenced to 10 to 15 years in prison. • Those who abuse their duties and authorities arising from the law and those who cause data breaches by acting contrary to the requirements of their duties within the scope of protecting critical infrastructures against cyber attacks are sentenced to 1 to 3 years in prison.

• Those who fail to fulfill their obligations in terms of companies providing cybersecurity products and services are given an administrative fine of 10,000,000 Turkish Lira to 100,000,000 Turkish Lira.

• Within the scope of the audit provisions, if those subject to audit do not take the necessary measures to keep the relevant devices, systems, software and hardware open to audit for the given periods, to provide the necessary infrastructure for audit and to keep them in working order, an administrative fine of between 100,000 Turkish Lira and 1,000,000 Turkish Lira will be imposed; if these obligations are not fulfilled by commercial companies, an administrative fine of up to 5% of the gross sales revenue in their annual financial statements that have undergone independent auditing, but not less than 100,000 Turkish Lira will be imposed.

Amendments Made With The Omnibus Law

adminDev — Wed, 12 Mar 2025 11:45:39 +0000

I. INTRODUCTION

The law foreseeing changes within the scope of the 8th Judicial Package was published in today’s Official Gazette.

The Law on Amending the Code of Criminal Procedure and Some Laws,” published in the Official Gazette dated 12 March 2024, with the number 32487, regulates amendments to the deferred judgment of announcement procedure (“HAGB”), amendments to harmonize the deadlines regulated in various laws, updates on monetary limits, and a regulation on the application procedure for delayed trials.

Below, you will find a summary of the proposed changes, updates, and revisions.

II. REVISIONS REGARDING THE POSTPONEMENT OF THE ANNOUNCEMENT OF THE JUDGMENT METHOD

HAGB was annulled by the Turkish Constitutional Court as contrary to fundamental rights and freedoms. For this reason, it is planned to reorganize the HAGB procedure. In the event that the draft law is enacted, first of all, in order to put an end to the discussions on whether the confiscation procedure can be carried out at the same time in the event of a HAGB decision, it is explicitly regulated that this confiscation is an exception in terms of the judgment not having any consequences.

During the audit, a new judgment on the announcement of the old judgment or other sanctions listed in the article during the audit period for the commission of intentional crimes or failure to comply with obligations related to measures is retained, now the opportunity to object to these decisions is planned to be provided. As a result of the objection, only an examination regarding the specified sanction matters is envisaged.

Another issue is that it is planned to change the previous legal remedy procedure of appeal against the HAGB decision and to provide the possibility to apply to the Court of Appeal. In addition, if the decision is rendered by the Court of Appeal or the Court of Cassation, an application for appeal will also be possible. However, it is regulated that the certainty limits in the appeal application will be taken into consideration in the evaluation of these applications.

Finally, in the current system, it was not possible to issue an HAGB decision without asking the defendant whether they accepted the HAGB decision or not. However, if the draft becomes law, it will now be possible to issue an HAGB decision without considering the defendant’s consent.

III. AMENDMENT OF TIME AND MONETARY LIMITS

Article 37 of the Draft Law will amend the time limits, monetary amounts and application procedures in legislation such as the Enforcement and Bankruptcy Law, the Turkish Criminal Code, the Code of Criminal Procedure and the Law on Consumer Protection.

The amendments are as in the table below:

REGULATION	FORMER VERSION	NEW VERSION
Law No. 2004 on Enforcement and Bankruptcy
Duration of appeal and cassation against the bankruptcy decision	10 Days	2 Weeks
Duration of appeal and cassation against the decision to lift the bankruptcy	10 Days	2 Weeks
Duration of appeal and cassation against the bankruptcy closure decision.	10 Days	2 Weeks
Period of appeal against the rejection of the concordat request	10 Days	2 Weeks
Period of appeal and appeal against the decisions on concordat	10 Days	2 Weeks
Period of appeal against the extraordinary stay order issued by the Enforcement Court	10 Days	2 Weeks
Appeal against decisions of restraint and disciplinary detention	7 days from the date of pronouncement or notification	2 weeks from the date of notification
About the decisions subject to appeal issued by the Enforcement Court	10 days from the date of pronouncement or notification	2 weeks from the date of notification
Law No. 4675 on Execution Judgeship
Appeal against the decisions of the Execution Judge	7 Days	2 Weeks
Turkish Penal Code No. 5237
Offsetting a judicial fine	To be counted as one hundred Turkish liras a day	To be counted as five hundred Turkish liras a day
Calculation of the prepayment amount for imprisonment	Thirty Turkish lira for each day	One hundred Turkish lira for each day
Criminal Procedure Law No. 5271
Period for filing a petition for reinstatement	7 Days	2 Weeks
Appeal against the decision of non-prosecution	15 Days	2 Weeks
Declaration and defense in simple trial procedure	15 Days	2 Weeks
Application period for appeal remedy	7 Days	2 Weeks
Limit of appeal in judicial fines	Three thousand Turkish lira	Fifteen thousand Turkish lira
Duration of appeal against the decision rejecting the appeal and cassation application	7 Days	2 Weeks
Response time to the petition of appeal and cassation	7 Days	2 Weeks
Supreme Court of Appeals and Chief Public Prosecutor of Appeal period	30 Days	1 Month
Response period to the objection of the Chief Public Prosecutor of the Appeal	7 Days	2 Weeks
Request for renewal of the proceedings and response period against the evidence	7 Days	2 Weeks
Law No. 5326 on Misdemeanors
Finality limit for administrative fines imposed pursuant to the Law on Misdemeanors	Three thousand Turkish lira	Fifteen thousand Turkish lira
Appeal application period	7 Days	2 Weeks
Code of Civil Procedure No. 6100
Procedure of appeal and cassation against the decision on the request for recusal of the judge	1 week from the date of pronouncement or notification	2 weeks from the date of notification
Duration of appeal against the denial of legal aid	1 Week	2 Weeks
Duration of appeal against the rejection of the appeal petition	1 Week	2 Weeks
Procedure for appealing against a decision of opposition to an interim injunction	1 week from the date of pronouncement or notification	2 weeks from the date of notification
Law No. 6502 on Consumer Protection
Appeal period against the decision of the Consumer Arbitration Committee	15 Days	2 Weeks
No. 5252 on the Enforcement and Implementation of the Turkish Penal Code Law on
Limit on judicial fines	The lower limit is four hundred and fifty million, upper limit of one hundred billion Turkish lira	The lower limit is two thousand five hundred and the upper limit is five hundred thousand Turkish liras
Imprisonment Period	One hundred million Turkish Lira for one day	Five hundred Turkish Lira for one day
No. 5275 on the Execution of Criminal and Security Measures Law
Provisional Article 1	One hundred	Five hundred
Law No. 5320 on the Enforcement and Law on the Mode of Implementation
Provisional Article 2	Three thousand	Fifteen thousand
Child Protection Law No. 5395
Çocuk teslimi kararına karşı itiraz süresi	1 week	2 week

IV. PROCEDURE FOR APPLYING TO THE COMMISSION REGARDING FAILURE TO CONDUCT A TRIAL IN A REASONABLE TIME

The details of the form and duration of the application process for violation of the right to a fair trial following trials that are not concluded within a reasonable time have been determined. If the draft law is enacted, only applications made within 1 month of the investigation, prosecution, trial processes or within 1 month of learning that they have resulted in a final decision will be examined. In addition, persons who missed the application due to a justifiable excuse will be allowed to apply within 15 days after the disappearance of the reason in question.

The following elements are required to be included in the application and will be rejected if not corrected within one month:

Clear identity and address information,
A processing that causes loss,
The nature and quantity of the damage and the documents showing them.

Climate Law Proposal

adminDev — Fri, 21 Feb 2025 19:36:00 +0000

I. INTRODUCTION

This information note outlines the basic regulations and the envisaged institutional structure included in the Draft Climate Law (hereinafter referred to as the “Law”) proposed in the Turkish Grand National Assembly on 20.02.2025. The purpose and scope of the Law are as follows:
• Purpose: To institutionalize the fight against climate change with the goals of “green growth vision” and “net zero emission” and to achieve the 2053 zero emission target.

• Scope: To regulate the legislation, institutional structure and incentive mechanisms related to the reduction of greenhouse gas emissions and climate change adaptation activities.

In this context, the Law includes basic framework provisions on issues such as planning and implementation tools (e.g. strategy and action plans), administrative sanctions, carbon markets and the Emissions Trading System (ETS).
According to the law, in the fight against climate change, the principles of common but differentiated responsibilities and relative capabilities of our country will be taken into account, and the approaches of equality, climate justice, prudence, participation, integration, sustainability, transparency, just transition and progress will be taken as basis.

II. METHODS AND STRATEGIES IN COMBATING CLIMATE CHANGE

Combating climate change is based on two main pillars in the Law:

1. Reduction of Greenhouse Gas Emissions:

• Energy efficiency, circular economy and renewable energy investments are supported in line with the National Contribution Declaration (NCD) and net zero emission target, where relevant institutions and organizations declare their emission reduction and climate change adaptation targets.

• It is envisaged to increase carbon sink capacities by protecting and expanding forests, agriculture and wetlands.

2. Adaptation to Climate Change:

• Regional risk analyses are conducted and preventive measures are developed in terms of disaster, drought, food security and public health.

• Preparation of “Provincial Climate Change Coordination Boards” and “Local Climate Change
Action Plans” at the local level is made mandatory.

The Climate Change Presidency within the Ministry of Environment, Urbanization and Climate Change is positioned as the main coordinator of climate policy.

According to the law, climate change action plans will be prepared at the local level. Provincial Climate Change Coordination Boards chaired by the Governor will develop solutions specific to the needs of the provinces. It has also been stipulated that strategies and action plans for combating climate change will be prepared and updated periodically.

III. EMISSION TRADING SYSTEM (ETS)

The law establishes an “Emission Trading System” that sets a ceiling on greenhouse gas emissions and foresees the trading of emission rights (allocations) through the market. Within the scope of the ETS, it is mandatory to obtain a greenhouse gas emission permit.

The relevant sectors are obliged to submit verified annual emission reports and deliver allocations equal to the amount of emissions. In case of failure to fulfill this obligation, administrative fines and additional allocation delivery obligations are foreseen.

The actors to be established within the scope of the ETS within the framework of the law are as follows:

• Carbon Market Board: It is a high-level policy and decision-making body; It decides how much free allocation will be provided or the offset (carbon credit usage) rates in which sectors within the scope of the ETS.
• Market Operator (EPİAŞ): It organizes and manages the purchase and sale transactions in the carbon market.

• Central Settlement Institution: Responsible for collateral management and cash clearing processes.

Carbon credits obtained from private or public carbon reduction projects can be used to meet a portion of the obligations under the ETS. This application aims to accelerate projects developed in line with voluntary or legal regulations in carbon markets.

According to the law, a portion of carbon market revenues and administrative penalties will be transferred to a special budget item; thus, green technology investments, renewable energy projects and R&D activities will be supported. Financing mechanisms will be classified in line with the “Turkey Green Taxonomy” and efforts will be made to increase the country’s sustainable investment capacity.

IV. ADMINISTRATIVE SANCTIONS AND INSPECTION

Article 14 of the Law regulates administrative fines for many issues regarding the fight against climate change. The same article has drawn the upper limit of the administrative fine to be applied for each act as 50,000,000.00 TL.

The Inspection Authority has been granted to the Climate Change Presidency. The Environment, Urbanization and Climate Change provincial organization to which the Presidency is affiliated has also been assigned to support the Presidency in its inspection activities.

V. EVALUATIONS

The Draft Climate Law places the reduction of greenhouse gas emissions and adaptation to the negative effects of climate change in an institutional framework. Market-based instruments such as ETS, legal obligations, sanctions and financing mechanisms are envisaged in line with the goals of green growth and net zero emissions; a comprehensive climate regime is being established with the participation of all relevant stakeholders (public, private sector, local administrations).

If this draft becomes law, institutions and businesses will have new obligations in many areas such as emission permit procedures or carbon credit trading. Therefore, it is recommended that the draft’s enactment process be closely monitored.

Draft Law On Consumer Protection And Certain Laws

adminDev — Tue, 23 Jul 2024 13:08:18 +0000

The Draft Law on the Amendment of the Law on Consumer Protection and Certain Laws (“Draft”) was submitted to the Grand National Assembly of Turkey on 18.07.2024. The major amendments to the Law No. 6502 on Consumer Protection (“CPL”) and Law No. 6563 on the Regulation of Electronic Commerce (“E-Commerce Law”) will be summarized below.

I. Regulations Regarding the Administrative Fines Imposed by the Advertisement Board

As stated in the preamble of the Draft, the current administrative fines for commercial advertisements and unfair commercial practices are often insufficient and have lost their deterrent function. In accordance with this scope, the lower and upper limits of the administrative fines imposed by the Advertisement Board are determined as follows. The Advertisement Board has the discretion to determine the amount, taking into account factors such as the fault and economic status of the violator:
- From 110 thousand ₺ to 1 million 100 thousand ₺ if it is incurred through a television channel broadcasting at local level,
- From 2 million 210 thousand ₺ to 22 million 100 thousand ₺ if it is incurred through a television channel broadcasting nationwide,
- Half of the penalties specified in subparagraphs (a) and (b) if the offence is incurred through periodicals,
- From 60 thousand ₺ to 600 thousand ₺ if it is incurred through a radio channel broadcasting at local level or via satellite,
- From 600 thousand ₺ to 6 million ₺ if it is incurred through a radio channel broadcasting nationwide,
- From 600 thousand ₺ to 6 million ₺ if it is incurred through a television channel broadcasting via satellite or via the internet,
- From 280 thousand ₺ to 2 million 800 thousand ₺ if it is incurred via text message,
- From 60 thousand ₺ to 600 thousand ₺ if incurred through other channels.
The basic administrative fine stipulated for unfair commercial practices is planned to be amended from 60 thousand ₺ to 600 thousand ₺, and from 600 thousand ₺ to 6 million ₺ if it is incurred throughout the country.
In addition to the administrative fines imposed by the Ministry of Trade or provincial trade offices, administrative fines imposed by the Advertisement Board will now also be eligible for reconciliation.

II. Regulations Regarding the Consumer and Housing Finance Loans

In addition to the written requirement for the validity of consumer loan and housing finance agreements, it is also regulated that they may be concluded at a distance.
In the event that a bank account is opened for the loan pursuant to fixed-term loan and housing finance agreements, the written request that the consumer must submit in order not to close the account upon the payment of the loan can now also be submitted via a permanent data provider.

III. Regulations Regarding the Direct Sales

The direct selling system, previously regulated by a regulation, is detailed in the Draft. According to the Draft, the direct sales system is a sales model in which direct sellers, who are not employed by the direct sales company and are not under an employment contract, operate under titles such as independent representatives, distributors, consultants, and similar names. These sellers market goods or services to consumers in return for benefits such as commissions, premiums, incentives, and rewards.
Direct sales companies must be capital companies and must also fulfil other conditions to be determined by regulation.
The direct sales system shall not aim to bring new sellers into the system. The profit obtained shall be based on the sale of goods or services to consumers and other principles determined by the regulation shall be complied with.
Direct sellers will not receive documents from consumers under the names of renewal, package, fee, dues and similar names other than the goods or services subject to sale. Receiving goods or services in the quantity or amount determined by the company will not determine the level of the direct seller within the system.
The consumer who purchases goods or services through the direct sales system may exercise his/her right of withdrawal within thirty days without giving any reason and without paying any penal clause. Notification of withdrawal may be made either to the direct seller or to the direct sales company.

IV. Regulations Regarding the Amendments to the E-Commerce Law

Electronic commerce marketplace service providers are already obliged to obtain a license and the calculation of the license fee is planned to be amended. In the Draft, sales made abroad through electronic commerce marketplaces are not included in the calculation and the calculation is as follows:
Provided that the net transaction volume of the electronic commerce intermediary service provider is not more than twenty percent of the sum of the net transaction volumes of the electronic commerce intermediary service provider and electronic commerce service providers calculated using ETBIS data, performed in the following calendar year;

- The amount of sales made abroad through the electronic commerce marketplaces of the electronic commerce intermediary service provider and the electronic commerce intermediary service providers with which it is in economic integrity,
- In accordance with the regulations on supporting investments on a project basis, twice the amount of investment expenditure incurred by obtaining an investment incentive certificate from the Ministry of Industry and Technology is deducted from the net transaction volume for that calendar year.

Regulation On Cross-Border Personal Data Transfer

adminDev — Wed, 10 Jul 2024 15:55:51 +0000

Article 9 of the Law on the Protection of Personal Data (“LPPD”), which regulates cross-border personal data transfer, was amended on March 12, 2024, in order to eliminate legal issues regarding cross-border personal data transfer and to comply with the GDPR. The amendment to the law stipulates that secondary regulation shall be enacted for the purpose of implementing the mentioned article. In this context, the Regulation on the Procedures and Principles Regarding the Cross-Border Personal Data Transfer (“Regulation”) was published in the Official Gazette dated July 10, 2024 and numbered 32589 and entered into force. Information about the regulations introduced by the Regulation is shared below.

Within the scope of the Regulation, the following general rules shall be implemented regarding cross-border personal data transfer.

In order to use the personal data transfer opportunities shown in the table below, the existence of one of the legal reasons in Article 5 or 6 of the LPPD is also required.
Personal data may also be transferred cross-border by a data processor under the instruction of a data controller. In such cases, the data controller shall be responsible for the legality of the personal data transfer.
Compliance with the rules regarding cross-border personal data transfer is not only in the first transfer cross-border; It will also find application to subsequent transfers. For example, when a contract is made with a cloud computing service provider, all persons (such as group companies or subcontractors) to whom the cloud computing provider transfers data shall also comply with the requirements of the Law and the Regulation .

The opportunities for private sector actors to transfer personal data cross-border under the Regulation are shown in the table below:

Personal Data Transfer Basis	Legal Instrument to be used	Board[1] Involvement	Comments
Adequacy decisions on countries, sectors or international organizations	N/A	The qualification decision shall be made by the Board according to the conditions specified in the LPPD and the Regulation.	Since reciprocity is still required for the qualification decision, no significant change is expected compared to the situation before the law change.
Providing appropriate safeguards, provided that data subjects have the opportunity to exercise their rights and apply for effective legal remedies in the country where the transfer will be made	The existence of an agreement that is not an international contract between Turkish and foreign public institutions and organizations and professional organizations.	Board’s permission is required.	It is envisaged that these newly envisaged data transfer opportunities cross-border will facilitate cross-border personal data transfer. On the other hand, since the use of the possibility of explicit consent has been made exceptional, data controllers will need to significantly change their current practices.
	Binding corporate rules signed between companies engaged in joint economic activity.	Board’s permission is required.
	The existence of a standard contract between the parties to the transfer.	Draft standard contracts shall be published by the Board. Each signed standard contract must be notified to the Board within 5 business days[2]. Any amendment or termination of the standard contract is subject to the same notification requirement.
	The signing of a letter of undertaking between the parties on the provision of an adequate level of protection.	Board’s permission is required.
Derogations about cross-border transfers may be available if appropriate safeguards are not provided	Obtaining explicit consent provided that the data subject is informed about the risks arising from the transfer cross-border.	The Board does not have any involvement in derogations about personal data transfer opportunities.	Derogations about cross-border transfers shall be available in incidental circumstances. Incidental transfers are defined in the Regulation as transfers that occur on a single or a few occasions, are not continuous and are not in the ordinary course of activity. Therefore, it is considered that derogations about cross-border transfers will not provide any benefit in terms of main or regular data transfers of companies.
	The transfer is mandatory for the performance of a contract between the data subject and the data controller or for the measures taken prior to the contract upon the request of the data subject.
	The transfer is mandatory for the establishment or performance of a contract between the data controller and a third party for the benefit of the data subject.
	The transfer is mandatory for an overriding public interest.
	The transfer is mandatory for the establishment, exercise or protection of a right.
	The transfer is mandatory for the protection of the life of persons who cannot give their consent due to actual impossibility.
	Transfer to the public or to persons with legitimate interests within the scope of open registries.

[2] Which data transfer party will make the notification in question can be determined by the contract. If there is no such provision, the notification must be made by the data exporter.

Proposal for Amendments to the Capital Markets Law

adminDev — Fri, 17 May 2024 20:00:00 +0000

The Bill of Law on Amendments to the Capital Markets Law, also known as the Crypto Asset Law (“Bill of Law”), was submitted to the Turkish Grand National Assembly on 16.05.2024. The important issues included in this Bill will be discussed below.

I. Regulations Regarding Crypto Asset Service Providers and Crypto Assets

• The establishment and commencement of activities of crypto asset service providers (“Service Providers”) are subject to the permission of the Capital Markets Board (“Board”). According to the proposal, the Board will determine the principles regarding the establishment, commencement of activities, partners, capital and capital adequacy, information systems and technological infrastructures, share transfers (Board permission is mandatory), temporary or permanent suspension of activities and the principles and guidelines to be followed during activities of the Service
Providers.

• The minimum conditions that Service Provider partners and managers must meet have been regulated. In short, these are; not to be bankrupt or to have declared composition, not to have a share of ten percent or more directly or indirectly in bankers subject to liquidation, factoring, financial leasing, payment service providers and institutions operating in money and capital markets whose operating licenses have been canceled except for voluntary liquidation, not to have committed the crimes listed in the Proposal, not to be prohibited from trading,
to have the necessary financial strength and reputation and to have a transparent partnership structure.

Financial strength and reputation conditions are not mandatory for managers. In the event that partners lose the above-mentioned qualifications, they must transfer their shares within 6 (six) months. The Board decides who will manage the shares within the 6 (six) month period.

• Platforms located abroad engaging in activities targeting Turkish residents or offering a prohibited activity related to crypto assets to Turkish residents within the scope of regulations to be made by the Board are also considered unauthorized crypto asset service provision. In the event that any of the following situations exist: opening a business in Türkiye, creating a Turkish website, or engaging in promotional and marketing activities regarding crypto asset services offered directly and/or through persons or institutions located in Türkiye by platforms located abroad, the activities are considered to be targeting Turkish residents.

• In all transactions involving crypto assets, the provisions of the Law on the Protection of the Value of Turkish Currency and related legislation shall apply.

One percent of the annual income of the Service Provider platform of the previous year shall be paid to the Board and one percent shall be paid to the TUBITAK budget.

II. Regulations Regarding the Activities of Service Providers and Transfer of Crypto Assets

• Contracts signed between the Service Provider and the customer will be executed through the information or electronic communication device determined by the Board and will be established by verifying the customer’s identity. Contracts that remove or limit the Service Provider’s liability to the customer are invalid.
• It is essential that customers keep their own crypto assets in their own wallets. If they do not prefer to keep them in their own wallets, they must be kept by banks and institutions approved by the Banking Regulation and Supervision Board.

III. Regulations Regarding Measures to be Applied in the Case of Unlawful Activities of Service Providers

• In the case of unlawful activities of the Service Provider, the Board has all kinds of authority such as; eliminating the unlawfulness, limiting the scope of activity of the Service Provider, temporarily suspending it, imposing administrative fines
or canceling the activity permit of the Service Provider.
• The Board is authorized to temporarily or permanently cancel the licenses of the managers and employees who are determined to be responsible for unlawful activities or transactions, to limit or remove their signature authorities from the decision to file a criminal complaint against them until the conclusion of the trial, to dismiss the board members whose responsibility in unlawful acts or transactions is determined by a court decision, and to appoint new ones in their place until the first general assembly meeting to be held.

IV. Sanctions and Personal Liability

• Crypto asset service providers are responsible for the transactions shared below. If the damage cannot be compensated by the Service Provider or it is clear that it cannot be compensated, the personal liability of the Service Provider’s board of directors, members, other members, and real person partners who have legally or de facto management or control may be limited to the damage they have caused to customers:

(I) Damages arising from failure to fulfill cash payment and/or crypto asset delivery obligations,
(II) Losses of crypto assets arising from acts such as the operation of information systems of crypto asset service providers, any kind of cyber attack,
information security violations or any kind of behavior of the personnel.

• It has been regulated that the chairman and members of the board of directors and other members who commit embezzlement due to their duty at the Service Provider, and the real person partners who have legally or de facto management and control of the Service Provider whose operating license has been revoked, will be sentenced to imprisonment and judicial fines and will be sentenced to compensate the damages of the Service Provider.

V. Transitional Provisions

• As of the effective date of the proposal, existing Service Providers must apply with the documents to be determined by the Board within 1 (one) month or obtain a liquidation decision within 3 (three) months.
• Service Providers located abroad will cease their activities towards persons located in Turkey within 3 (three) months as of effective date.
• The activities of ATMs and similar electronic transaction devices located in Turkey that enable customers to convert crypto assets into cash or cash into crypto assets and to transfer crypto assets will be terminated within 3 (three) months as of effective date.

Amendments On The Law On Protection Of Personal Data

adminDev — Tue, 12 Mar 2024 12:08:42 +0000

I. INTRODUCTION

According to the 8th Judicial Package, the law amending the Law on Protection of Personal Data No. 6698 was published in today’s Official Gazette.

Law No. 32487 dated 12 March 2024, published in the Official Gazette, regulates amendments to the Code of Criminal Procedure and Some Laws. Within the scope of Articles 33-36 of the relevant law, changes to Law No. 6698 on Protection of Personal Data (“PPDL”) are envisaged.

The amendments under the PPDL will take effect on 1 June 2024.

II. CHANGES REGARDING THE TRANSFER OF PERSONAL DATA ABROAD

The approach that explicit consent is the primary option for transferring personal data abroad has been removed by the proposed amendments, transforming explicit consent into a possibility that can be used for temporary or momentary transfers of personal data.

Qualification decisions by the Board may be issued not only for countries but also for sectors within the country or international organizations. A fundamental change regarding the main options for transferring personal data is the removal of the requirement for Board approval for standard contracts to be signed. Additionally, exceptional cases for the temporary or momentary transfer of personal data have also been proposed within the changes.

The proposed changes are considered to significantly address the issues encountered in the practice of transferring personal data abroad and eliminate the obligation to rely on explicit consent.

III. AMENDMENTS REGARDING THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

With the proposed amendment, an expansion is suggested in the processing conditions of special categories of personal data, including the addition of new processing conditions to the PPDL such as being expressly provided by laws, being impossible in practice, being made public by the data subject, being mandatory for the establishment, exercise, or protection of a right, fulfilling obligations such as employment, occupational health and safety, and establishing relationships with members of non-profit organizations such as associations and foundations.

It is evaluated that the mentioned amendment will significantly reduce the situations where explicit consent is required for the processing of special categories of personal data, especially in the context of employee recruitment processes.

IV. AMENDMENTS REGARDING SANCTIONS ON PERSONAL DATA

According to the proposed amendment to the PPDL, administrative fines ranging from 50.000,00 TL to 1.000.000,00 TL are envisaged if the standard contracts to be signed for the transfer of personal data abroad are not reported to the Authority within five business days from the date of signature. As there will be no increase in these amounts in line with the revaluation rate, the amounts are considered relatively low compared to other fines.

The proposed changes include data processors as well as data controllers as the subjects of administrative fines. Additionally, administrative courts, rather than criminal peace judgeships, are designated as the appeal authorities against administrative fines.

Uzun Keskin Attorney Partnership

Legal Obligations of Cyber ​​Security Companies

1- Opportunities for Cybersecurity Companies

2- Obligations of Cybersecurity Companies

3- Evaluation and Recommendations

Annex: Table of Relevant Judicial and Administrative Sanctions

Definition of Act Requiring Sanction

Yaptırım

Cyber ​​Security Law

I. Scope of the Law

II. Purpose of the Law

III. Cyber ​​Security Concepts

IV. Cyber ​​Security Presidency

V. Inspection

VI. Responsibilities Envisaged Under the Law

VII. Penal Sanctions to be Applied Under Law

Amendments Made With The Omnibus Law

I. INTRODUCTION

II. REVISIONS REGARDING THE POSTPONEMENT OF THE ANNOUNCEMENT OF THE JUDGMENT METHOD

III. AMENDMENT OF TIME AND MONETARY LIMITS

IV. PROCEDURE FOR APPLYING TO THE COMMISSION REGARDING FAILURE TO CONDUCT A TRIAL IN A REASONABLE TIME

Climate Law Proposal

I. INTRODUCTION

II. METHODS AND STRATEGIES IN COMBATING CLIMATE CHANGE

III. EMISSION TRADING SYSTEM (ETS)

IV. ADMINISTRATIVE SANCTIONS AND INSPECTION

V. EVALUATIONS

Draft Law On Consumer Protection And Certain Laws

I. Regulations Regarding the Administrative Fines Imposed by the Advertisement Board

II. Regulations Regarding the Consumer and Housing Finance Loans

III. Regulations Regarding the Direct Sales

IV. Regulations Regarding the Amendments to the E-Commerce Law

Regulation On Cross-Border Personal Data Transfer

Proposal for Amendments to the Capital Markets Law

I. Regulations Regarding Crypto Asset Service Providers and Crypto Assets

II. Regulations Regarding the Activities of Service Providers and Transfer of Crypto Assets

III. Regulations Regarding Measures to be Applied in the Case of Unlawful Activities of Service Providers

IV. Sanctions and Personal Liability

V. Transitional Provisions

Amendments On The Law On Protection Of Personal Data

I. INTRODUCTION

II. CHANGES REGARDING THE TRANSFER OF PERSONAL DATA ABROAD

III. AMENDMENTS REGARDING THE PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

IV. AMENDMENTS REGARDING SANCTIONS ON PERSONAL DATA

Legal Obligations of Cyber Security Companies

Cyber Security Law

III. Cyber Security Concepts

IV. Cyber Security Presidency