Cloud Computing 2024 - Part 1
Contents
- 1. Data Privacy Regulations
- 1.1 Data Privacy and Cloud Computing
- 1.2 Data Privacy and Cross-Border Transfers
- 1.3 Penalties for Non-compliance With Data Privacy Regulations
- 2. Data Security Measures
- 2.1 Data Security and the Cloud
- 3. Data Ownership and Control
- 3.1 Data Ownership in Cloud Agreements
- 3.2 Data Portability
- 3.3 Data Retention and Deletion
1. Data Privacy Regulations
1.1 Data Privacy and Cloud Computing
Basic National Regime
Türkiye lacks a dedicated legal framework specifically regulating data privacy for cloud computing. Instead, the legal structure is fragmented, with various regulations imposing specific conditions and restrictions.
The most pertinent legal instruments are as follows.
The Constitution of the Turkish Republic
The Constitution of the Turkish Republic (the “Constitution”) does not explicitly address privacy issues in relation to cloud computing. However, cloud computing frequently involves processing personal data, making Article 20(3) of the Constitution, which protects the right to data privacy ‒ though it provides no definition for personal data ‒ applicable. Under Article 20(3), individuals have the right to:
- be informed about personal data processing;
- access their personal data;
- request correction or deletion of data; and
- be informed whether data is used for appropriate purposes.
The Article also stipulates that personal data may only be processed if authorised by law or with the explicit consent of the data subject. Additionally, it mandates that the procedures and principles for processing personal data must be defined by law.
The Turkish Data Protection Law
The Turkish Data Protection Law No 6698 (the “DP Law”) was enacted to specifically regulate the procedures and principles governing the processing of personal data in Türkiye.
The DP Law defines personal data as any information related to an identified or identifiable natural person, making its scope inherently broad. However, the DP Law provides an exhaustive list of special categories of personal data (ie, sensitive data), which includes information concerning an individual’s:
- race;
- ethnic origin;
- political opinion;
- philosophical belief;
- religion, religious sect or other beliefs;
- appearance;
- membership of associations, foundations or trade unions;
- data concerning health and sexual life;
- criminal convictions and security measures;
- biometric data; and
- genetic data.
The DP Law defines the processing of personal data as any operation carried out wholly or partially by automated means or by non-automated means, provided it forms part of a data filing system. This encompasses activities such as collecting, recording, storing, protecting, transferring, retrieving and categorising personal data, all of which are relevant to cloud computing.
The DP Law establishes a framework for controllers and processors, outlining the general obligations and principles related to personal data processing. The Personal Data Protection Authority (DPA), Türkiye’s supervisory and regulatory body, further shapes data-processing practices by issuing secondary legislation, guidelines and resolutions.
While the DP Law does not set specific requirements for processing personal data in a cloud environment beyond the general obligations of controllers and processors, the DPA provides additional measures in its guidelines and resolutions (see 2.1 Data Security and the Cloud).
The Turkish Civil Code
Under Turkish law, personal data is considered an aspect of an individual’s personality and is thus protected under the Turkish Civil Code (TCiC). This protection extends to personal data processed in the context of cloud computing.
The Turkish Criminal Code
The Turkish Criminal Code (TCrC) criminalises certain actions that violate personal data protection and prescribes penalties for these offences (see 1.3 Penalties for Non-compliance with Data Privacy Regulations).
The TCrC also imposes penalties for disclosing commercial, banking or customer secrets obtained through one’s title, duty, occupation or profession to unauthorised individuals, which may include transferring such data to cloud systems.
The Law on Banking
Under the Law on Banking (the “Banking Law”), confidentiality obligations apply not only to the actors defined in the Law, such as banks and financial institutions, but also to those who learn confidential information of banks and their customers through their title or duties, and to third parties. They are prohibited from disclosing such information to anyone other than authorised authorities. This obligation may extend both to transfers to cloud systems and to transfers of such data between cloud systems or to another environment.
The Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions
The Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions (the “Payment Systems Law”) provides a similar confidentiality provision. Accordingly, confidentiality obligations are imposed on those providing support services to the actors defined in the Law (system operators, payment institutions and electronic money institutions) and third parties, prohibiting them from disclosing this information to anyone other than authorised authorities.
The Law on Electronic Communication
The Law on Electronic Communication bans the transfer of traffic and location data abroad unless the data subject’s explicit consent is obtained. This means such data must be stored in local cloud systems in Türkiye if explicit consent is not duly obtained.
The Law on the Regulation of Publications via the Internet and Combating Crimes Committed by Means of Such Publications
The Law on the Regulation of Publications via the Internet and Combating Crimes Committed by Means of Such Publications aims to regulate the obligations of content providers, hosting providers, internet service providers, social network providers and access providers to combat crimes committed via the internet. In this sense, cloud computing providers must also comply with obligations such as notifying the Information and Communication Technologies Authority (ICTA) before providing cloud computing services.
Sector-specific regulations
Various sector-specific regulations also impose specific requirements on cloud users and providers. Some of these regulations enforce strict data localisation requirements, including provisions related to personal data stored in cloud environments (see 2.1 Data Security and the Cloud and 6.2 Data Localisation).
The key sector-specific regulations are as follows:
- By-Law on the Information Systems of Banks and Electronic Banking Services (the “By-Law on Banks and Electronic Banking Services”);
- Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services in the Field of Payment Services of Payment Service Providers;
- Decree on Information and Communication Security Measures No 2019/12 issued by the Presidency of Türkiye;
- Communiqué on Information Systems Management;
- Communiqué on Management and Control of Information Systems of Financial Leasing, Factoring, and Financing Companies; and
- Communiqué on Commercial Electronic Messages Management System Integrators.
1.2 Data Privacy and Cross-Border Transfers
The DP Law and the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad (the “By-Law”) are the primary regulations establishing the rules for cross-border transfers of personal data.
The By-Law defines data transfer abroad as the transmission of personal data by a controller or processor, within the scope of the DP Law, to a controller or processor outside Türkiye or making the data accessible to them by any other means. Therefore, both transmitting personal data to a cloud system and making it accessible from abroad constitute a transfer of personal data abroad. Consequently, the general rules outlined in the DP Law apply to such transfers (see 6.1 Cross-Border Transfer Regulation).
1.3 Penalties for Non-compliance With Data Privacy Regulations
While no specific data privacy regulations for cloud environments impose penalties for non-compliance, the general penalties established in the DP Law and the sanctions outlined in the TCrC apply when processing activities in the cloud involve handling personal data.
The DP Law outlines five categories of violations, with administrative fines for these violations adjusted annually. The following categories are particularly relevant for cloud systems, along with their amounts as of 2024:
- failure to implement necessary technical and organisational measures (interpreted broadly to include unlawful data transfer abroad and breaches of fundamental principles) may result in a fine ranging from TRY141,934 to TRY9,463,213; and
- non-compliance with the DPA’s decisions may lead to a fine between TRY236,557 and TRY9,463,213.
It is important to note that the right to seek compensation is explicitly stated as one of the rights of data subjects under the DP Law. Furthermore, data subjects can pursue compensation and request that courts prevent a threatened infringement, halt an existing infringement, and declare an infringement unlawful under the TCiC.
Criminal sanctions for actions that violate personal data protection are regulated under the TCrC. Unlawful recording, transfer, publication or acquisition of personal data and failing to destroy personal data after the legally mandated retention period may lead to imprisonment ranging from one to six years. Public prosecutors can initiate investigations ex officio without requiring a formal complaint.
Furthermore, in cases where data transfers to or from cloud systems involve the disclosure of commercial, banking or customer secrets to unauthorised third parties, this may lead to imprisonment of one to three years and judicial fines upon complaint.
The Banking Law and Payment Systems Law also impose similar penalties of imprisonment for one to three years and judicial fines for failing to comply with confidentiality obligations.
Moreover, certain supervisory authorities, such as ICTA for the information and communication sector and the Banking Regulation and Supervision Agency (BRSA) for the banking and financial sector, are empowered to oversee compliance with sector-specific legislation. This may include specific obligations for cloud users and service providers, along with the authority to impose fines for non-compliance.
2. Data Security Measures
2.1 Data Security and the Cloud
Technical and Administrative Measures
The DPA’s guidelines and resolutions elaborate technical and administrative measures for controllers processing personal data. For instance, according to the Personal Data Protection Guideline on Technical and Administrative Measures (the “Technical and Administrative Measures Guideline”) and the Guideline on Erasure, Destruction or Anonymization of Personal Data published by the DPA, controllers are subject to certain requirements that extend to evaluating the security measures taken by cloud service providers.
Security measures for storing data in the cloud
Key measures applicable to cloud computing, among others, as outlined in the Technical and Administrative Measures Guideline, include:
- encrypting data using cryptographic methods;
- encrypting data when transferring to cloud environments;
- implementing encryption key management;
- where possible, using encryption keys specific to each cloud service solution;
- securely disposing of encryption keys when the cloud service is terminated or expires;
- using an authorisation matrix and authorisation control systems;
- keeping access logs and log records;
- ensuring network and application security;
- implementing penetration tests;
- deploying attack detection and prevention systems;
- implementing data masking techniques;
- using data loss prevention software systems;
- performing regular backups;
- implementing firewalls;
- keeping antivirus systems up to date;
- deleting, destroying or anonymising data;
- establishing internal data security policies and procedures;
- executing data processing and confidentiality agreements;
- conducting regular information security training and awareness-raising activities;
- conducting internal periodic and/or random audits; and
- performing risk analyses.
Several sector-specific measures, such as maintaining an information asset inventory and establishing an information security management system, as mandated by the By-Law on Banks and Electronic Banking Services, are essential to consider.
Security measures for managing access controls and preventing unauthorised access
Robust security measures are essential for preventing unauthorised access and data breaches, especially in cloud systems. Therefore, it is crucial for controllers to implement specific measures for managing access controls.
For instance, the Technical and Administrative Measures Guideline advises restricting access to environments where personal data is processed, limiting it to authorised individuals using usernames and passwords. Passwords should be complex, renewed periodically and strengthened with additional authentication methods like two-factor or multi-factor authentication. In market practice, this is often reinforced by a triggering mechanism that sends a notification message to authorised individuals, informing them of access to the system.
To enhance security further, the number of password entry attempts should be limited to defend against common cyber-attacks, such as brute force attacks, where an unauthorised user systematically tries different combinations to gain access.
Administrator accounts and privileges should be enabled only when necessary, and accounts for former employees should be promptly deleted or disabled. Controllers are advised to develop an access authorisation and control matrix and establish separate access policies and procedures to implement these within the organisation.
To mitigate cybersecurity vulnerabilities, continuous recording and monitoring of access to cloud systems are crucial. Additional measures to detect and track potential security breaches, such as regular audits, penetration tests, and deploying incident response protocols and breach notification alerts, are essential for enabling the organisation to respond promptly and effectively to security incidents.
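The access-control measures described above, combined in one place as an added example (not code from the Guideline or any regulation cited here): an authorisation matrix, a second-factor requirement for the environment holding special categories of personal data, a limit on failed password attempts, disabled accounts for former employees, and an access log that also raises the notification used in market practice. Role names, environment names and the attempt threshold are assumptions.

```python
"""Access-control checks built from the controls the Technical and
Administrative Measures Guideline lists for cloud environments.
Added example: roles, environments and the attempt limit are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold against brute force

# Authorisation matrix: role -> environment -> permitted operations (assumed)
AUTHORISATION_MATRIX = {
    "hr_officer": {"hr_cloud": {"read", "update"}},
    "cloud_admin": {"hr_cloud": {"read", "update", "delete"}, "logs": {"read"}},
    "auditor": {"logs": {"read"}},
}
# Environments holding special categories of personal data require a
# second factor before any access (assumed policy)
MFA_REQUIRED = {"hr_cloud"}


@dataclass
class Account:
    username: str
    role: str
    active: bool = True         # set to False when an employee leaves
    mfa_verified: bool = False  # set once the second factor succeeds
    failed_attempts: int = 0


@dataclass
class AccessLog:
    """Access log plus the notification trigger used in market practice."""
    entries: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def record(self, account, env, op, outcome):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": account.username, "env": env, "op": op, "outcome": outcome,
        })
        if outcome == "granted":  # tell the authorised owners the system was accessed
            self.notifications.append(f"{account.username} accessed {env}")


def authenticate(account, password_ok):
    """Password step with attempt limiting; locked or disabled accounts never pass."""
    if not account.active or account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False
    if not password_ok:
        account.failed_attempts += 1
        return False
    account.failed_attempts = 0  # reset the counter on success
    return True


def authorise(account, env, op, log):
    """Authorisation-matrix and MFA check; every decision is logged."""
    if not account.active:
        log.record(account, env, op, "denied:disabled")
        return False
    if env in MFA_REQUIRED and not account.mfa_verified:
        log.record(account, env, op, "denied:mfa")
        return False
    allowed = AUTHORISATION_MATRIX.get(account.role, {}).get(env, set())
    if op not in allowed:
        log.record(account, env, op, "denied:matrix")
        return False
    log.record(account, env, op, "granted")
    return True
```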
Specific measures for special categories of personal data
In 2018, the DPA issued a resolution requiring controllers to implement additional technical and organisational measures to ensure adequate protection when processing special categories of personal data.
For example, controllers must establish a specific policy dedicated to the security of these special categories of personal data. The resolution emphasises the need for additional measures concerning employees involved in processing such data, as well as for the retention, access and transfer of this data.
While the DPA does not specify any particular standards or algorithms for the encryption of personal data in cloud systems, transferring special categories of personal data requires a VPN (virtual private network) or an SFTP (secure file transfer protocol) connection. For non-special categories of personal data, encryption standards are primarily guided by international best practices, such as AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman) for data at rest, and TLS (Transport Layer Security) and HTTPS (Hypertext Transfer Protocol Secure) for data in transit.
Furthermore, the DPA provides specific guidelines for handling certain types of special categories of personal data, such as the Guidelines on Issues to be Considered in the Processing of Genetic Data, which states that genetic data should, in principle, not be stored in the cloud. Per the Guidelines, if storage in the cloud is necessary, additional measures such as maintaining a detailed record of the data, keeping backups outside the cloud and using two-factor authentication for access should be considered. Moreover, industry standards and best practices should be followed for cryptographic algorithms, and access to cryptographic keys must be restricted to personnel with the appropriate clearance (crypto security certification).
Security Incidents and Breaches
According to the DPA’s decisions, controllers must establish procedures for responding to data breaches. These procedures typically include internal policies to assess whether a security incident qualifies as a data breach and outline the steps for notifying the DPA and affected data subjects.
Controllers must report all data breaches to the DPA, regardless of the risk level to individuals’ rights and freedoms. Notifications must be made within 72 hours of the controller becoming aware of the incident, and affected data subjects should be informed as soon as possible (see 5.3 Notifying Data Breaches).
Additionally, controllers must take immediate action to prevent or mitigate potential harm from data breaches by assessing the scope and nature of the breach. In the context of cloud computing, these measures may involve isolating affected systems to minimise damage, implementing recovery actions to restore normal operations and conducting a post-incident review for future improvement.
3. Data Ownership and Control
3.1 Data Ownership in Cloud Agreements
Data Ownership and Control in Cloud Agreements
The legal rights to, and control over, data stored or processed in cloud systems, including all information derived from such data, form a complex issue that currently lacks specific regulation.
There are two main types of data: (i) data uploaded by cloud users and (ii) data created by the cloud platform. The latter raises questions about who owns the data and how intellectual property rights apply.
Thus, contractual clauses are essential for determining ownership and control over data upfront in writing, as well as the conditions for data migration upon termination of the contractual relationship. By clearly outlining these aspects in the agreement, potential disputes can be mitigated, ensuring both parties understand their rights and responsibilities regarding the data.
In market practice, data ownership and control are primarily defined in cloud agreements and generally lie with the cloud user, as this party typically collects the data and determines the purposes and means of processing. For instance, major cloud providers such as Microsoft Azure, Google Cloud and AWS typically position themselves as processors, stating in their cloud agreements that cloud users are the owners and controllers of the data.
From the DP Law perspective, the DPA appears to adopt a similar stance by categorising cloud providers as processors without clarifying its position on data ownership, as this falls outside its scope and is primarily a civil law issue. For example, in its Guidelines on Recommendations for Protecting Privacy in Mobile Applications, the DPA notes that personal data collected from mobile applications is often stored in the cloud, and when the application developer utilises cloud services, they may function as processors.
Data Subject’s Rights
Data subjects’ rights regarding their personal data, as specified under Article 11 of the DP Law, are as follows:
- learning whether their personal data is processed;
- requesting information on whether their personal data has been processed;
- learning the purpose(s) of the processing and whether their personal data is used in compliance with the purpose;
- knowing the third parties to whom their personal data is transferred, in-country or abroad;
- requesting rectification of incomplete or inaccurate data;
- requesting erasure or destruction of their personal data under certain conditions outlined in the DP Law;
- requesting that the operations carried out on their request for rectification, erasure or destruction be reported to third parties to whom their personal data has been transferred;
- objecting to an outcome detrimental to themselves that arises from the analysis of their personal data exclusively through automated systems; and
- claiming compensation for the damage arising from unlawful processing of their personal data.
These rights are also applicable to the personal data in the cloud system.
Exercising the Right to Access, Rectify and Delete
Data subjects can exercise their rights by submitting a request to the controller or its representative. However, controllers may engage their processors to handle these requests, allowing data subjects to submit their requests directly to the processor. This internal division of responsibilities is typically governed by the data processing agreement (the “DP Agreement”) between the parties; however, it does not diminish the controller’s accountability to the DPA or the data subjects.
Controllers must respond to data subjects’ requests within 30 days of receipt, either by fulfilling the requests or providing justifications for any objections. In cases where controllers fulfil these requests, such as rectifying or deleting personal data in a cloud environment, they must co-ordinate with the cloud provider acting as the processor, and the cloud provider should collaborate with the controller to implement such requests. While this collaboration does not create administrative responsibility for the processor before the DPA, it may result in other liabilities, such as breaches of the DP Agreement with the controller.
If data subjects do not receive a response within this period or are unsatisfied with the reasons for the objection, they have the right to submit a complaint to the DPA.
3.2 Data Portability
Unlike the EU General Data Protection Regulation (GDPR), the right to data portability is not established under the DP Law or any other regulation in Turkish jurisdiction. However, market practice addresses the right to data portability through specific contractual provisions in cloud agreements (see 4.4 Exit Strategies and Data Migration).
3.3 Data Retention and Deletion
There is no specific regulation regarding personal data retention and deletion policies for cloud systems. However, general principles provided by the DP Law apply.
According to the By-Law on the Deletion, Destruction, or Anonymization of Personal Data, controllers required to register with the Data Controller Registry (VERBIS) must adopt a personal data retention and destruction policy. This policy must include, at a minimum:
- the purpose of the policy;
- the recording environments regulated by the policy;
- definitions of legal and technical terms included in the policy;
- explanations regarding the legal, technical or other reasons necessitating the retention and destruction of personal data;
- technical and administrative measures taken to ensure the secure storage of personal data and to prevent unlawful processing and access;
- technical and administrative measures taken to ensure the lawful destruction of personal data;
- the titles, units, and job descriptions of those involved in the processes of retention and destruction of personal data;
- a table showing the retention and destruction periods;
- periodic destruction timelines; and
- information regarding any updates to the existing policy.
It is crucial for controllers to establish clear retention periods and proper measures for data disposal. They must also ensure that their processors (eg, cloud providers) comply with data disposal requests from controllers, including deletion, anonymisation and destruction of data. Additionally, it is advisable to include specific terms for proper data deletion in cloud agreements, covering backups and archived copies. Regular reviews of stored data are also essential to ensure its accuracy.
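The retention table and periodic destruction timelines the policy must contain, turned into a check that a controller could run during the regular review of stored data, as an added example that is not text or tooling from the By-Law: it flags records whose retention period has expired and reports whether they are due at the next periodic run or already overdue (the situation that the TCrC penalises as failure to destroy data after the mandated period). Every category, legal basis, retention period, cadence and date is a constructed assumption.

```python
"""Retention-table and periodic-destruction schedule check.
Added example, not text from the By-Law: every category, legal basis,
period and date below is a constructed assumption for illustration."""
from dataclasses import dataclass
from datetime import date


def add_months(d, months):
    """Shift d by whole months, clamping to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    days_in_month = (date(y + (m == 12), m % 12 + 1, 1) - date(y, m, 1)).days
    return date(y, m, min(d.day, days_in_month))


@dataclass(frozen=True)
class RetentionRule:
    """One row of the retention and destruction table the policy must contain."""
    category: str
    legal_basis: str        # reason necessitating retention (assumed)
    retention_months: int   # counted from the trigger event
    method: str             # deletion, destruction or anonymisation


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger: date           # date the retention period starts running


# Constructed retention table; periods and bases are illustrative only
RETENTION_TABLE = {r.category: r for r in (
    RetentionRule("job_applicant_cv", "recruitment (assumed)", 6, "deletion"),
    RetentionRule("payroll", "assumed statutory period", 120, "destruction"),
    RetentionRule("web_analytics", "assumed legitimate interest", 12, "anonymisation"),
)}
PERIODIC_DESTRUCTION_MONTHS = 6   # assumed cadence of periodic destruction runs
FIRST_RUN = date(2024, 1, 31)     # assumed anchor date of that schedule

# Constructed sample records and the date the check is run
AS_OF = date(2024, 9, 1)
SAMPLE_RECORDS = [
    Record("A", "job_applicant_cv", date(2024, 6, 15)),
    Record("B", "job_applicant_cv", date(2023, 11, 30)),
    Record("C", "web_analytics", date(2023, 8, 31)),
    Record("D", "payroll", date(2015, 3, 31)),
]


def next_periodic_run(after):
    """First periodic destruction date strictly after `after`."""
    run = FIRST_RUN
    while run <= after:
        run = add_months(run, PERIODIC_DESTRUCTION_MONTHS)
    return run


def evaluate(record, today):
    """Classify one record: retain, due (at the next run) or overdue."""
    rule = RETENTION_TABLE[record.category]
    expiry = add_months(record.trigger, rule.retention_months)
    if today < expiry:
        return {"id": record.record_id, "status": "retain", "expiry": expiry}
    destroy_on = next_periodic_run(expiry)
    # overdue: a periodic run has passed since expiry and the record still exists
    status = "overdue" if today > destroy_on else "due"
    return {"id": record.record_id, "status": status, "expiry": expiry,
            "destroy_on": destroy_on, "method": rule.method}


def destruction_report(records, today):
    """One entry per record, for the periodic review of stored data."""
    return [evaluate(r, today) for r in records]
```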