Navigating your way to the Cloud
Turkey

A Journey of Digital Transformation
An Interactive Guide for Legal and Compliance Professionals

INTRODUCTION TO CLOUD IN TURKEY

The Turkish government recognises that technology can play a key role in achieving its objectives, including Turkey’s participation in the global digital transformation, building a strong IT infrastructure, organising human resources in line with the needs of the agenda of the information community, reducing inequality, and increasing innovation and economic development through the use of technology.[1] The Turkish government is aware that it is vitally important to keep up with emerging and disruptive technologies, particularly their use and dissemination in the public and private sectors.

At Microsoft, we agree. We believe that hyper-scale cloud services, in particular, can play a pivotal role in helping Turkey unlock its key socio-economic objectives while ensuring a safer, more secure and more effective environment, which also adheres to accepted international technical standards.

Microsoft is proud to confirm that it meets regulatory and compliance requirements for use of the cloud in some of the most highly regulated industries across the globe and can help you to achieve compliance with the regulatory and compliance requirements applicable in your sector.

Microsoft is deeply committed to the cloud technology revolution in Turkey and provides its customers with state-of-the-art cloud services. Its solutions, such as Microsoft Azure, Office 365 and Microsoft Dynamics 365, power many different customers across the Europe, Middle East and Africa (EMEA) region, including large global corporates, small and medium enterprise entities, the public sector and non-profit organisations.

THE REGULATORY LANDSCAPE

  • Cloud adoption in Turkey has, as in many other countries, been accompanied by potential concerns about regulatory compliance. These concerns generally relate to the ability of cloud service providers to ensure security and privacy compliance. Globally, this is changing as organisations can now move to the cloud in a way that meets and often exceeds their security and privacy requirements. Cloud solutions from leading providers such as Microsoft are now being recognised for their ability to meet these requirements, and in many cases, offer higher levels of security and privacy compliance.

    At Microsoft, we welcome these positive developments and are pleased to have participated in a large number of compliance conversations with customers and regulators across sectors. As a result, we have developed a range of materials to help our customers in Turkey move to the cloud in a way that meets their regulatory requirements.

  • Despite all the positive attributes of cloud services, the Turkish legal framework has no legislation specifically regulating the provision and use of cloud-based services. There are, however, other laws and regulations which may need to be considered in relation to any move to the cloud.

    The laws governing the adoption of cloud computing in Turkey fall into two categories: general laws and regulations that apply to all organisations, and laws and regulations that only apply to organisations operating within specific sectors. As noted above, there is presently no uniform regulation for cloud services in Turkey.

    • Since the utilisation of cloud systems often entails the transfer of personal data, one of the main regulatory frameworks that should be considered for cloud services in Turkey is the data protection legislation, namely Turkish Personal Data Protection Law No. 6698 (“DPL”).[2] Considering that data protection is of high importance and that the legislation sets out the regulatory procedure to be followed for the international transfer of personal data, the rules and procedures of DPL should be respected and fulfilled by entities utilising cloud-based services.

      DPL, similar to Directive 95/46/EC[3] and the GDPR[4], sets out conditions under which personal data may be processed and makes a distinction between data controllers and data processors. Under DPL, an international transfer of personal data is subject to certain rules.

      DPL specifically regulates the terms and principles of personal data processing and its consequences. It imposes many obligations on data controllers, including in relation to notice, consent, disclosures, international transfers, security and data subjects' rights. Moreover, according to Article 12/2 of DPL, if personal data is processed on behalf of the data controller by another person, the data controller shall be jointly liable with such person with regard to taking the measures contemplated above. Thus a data controller is obliged to ensure that personal data is processed by a data processor on its behalf in compliance with DPL.

      The Board has also published the Personal Data Security Guide (“Technical and Administrative Measures”)[5] regarding the measures to be taken in order to ensure data security. The Guide does not set out mandatory requirements; it is advisory.

      The Board, which is regulated under DPL, is a new regulator with extensive powers to investigate and fine responsible parties, in the event of violation of DPL either upon the Board’s regular investigation or as a result of a complaint. Microsoft intends to work closely with the Board.

    • The Cyber Security Council of Turkey[6] has the duty of determining the cyber security measures to be taken in accordance with the current legislation, confirming the plans, programs, principles, procedures and standards that have been prepared, and ensuring their implementation and coordination. Within the scope of its duty, the Cyber Security Council approved the National Cyber Security Strategy and Action Plan for 2013-2014[7] at its first meeting. Subsequently, the 2015-2018 Information Society Strategy and Action Plan and the National Cyber Security Strategy 2016-2019[8] were also published.

      The Information Society Strategy not only provides an implementation framework for institutions, but also defines high-level implementation steps to be followed in this regard. The Information Society Strategy highlights that in order to effectively counter newly emerging IT-related crimes, a National Cyber Crime Strategy will have to be implemented to improve coordination among institutions with a mandate to fight cybercrime. It further notes that this strategy shall be prepared in line with the Cyber Security Strategy and Action Plan and that its implementation shall be overseen by the Cyber Security Council. The enactment of a cyber security law and the preparation of a strategy and an action plan for combatting cybercrime are also among the actions listed under the Information Society Strategy. Furthermore, the 2016-2019 National Cyber Security Strategy and Action Plan has two main objectives. Firstly, it aims to acknowledge that cyber security is an integral part of national security. Secondly, it aims to determine targets and actions to be taken in this regard, while ensuring and supervising their implementation. In line with these objectives, the Strategy highlights that acquiring the competency required for taking administrative and technological precautions to maintain the absolute security of all systems and stakeholders is mandatory.

      While there is currently no national cyber security law in Turkey, many expect one to be passed in the future, in line with the action plans projected in the Information Society Strategy and Action Plan and the National Cyber Security Strategy, and based on the underlying Turkish regulatory infrastructure for cybersecurity. This expectation rests on the presence of the Cyber Security Council, which is authorised to draft policies and strategies in the field and to implement strategies, and on the national strategies and action plans that have the enactment of a cyber security law on their agenda.

  • This checklist provides a detailed look into the legal obligations that may affect your usage of Microsoft Cloud Services.


  • In addition to general laws, industry-specific requirements may apply, some of which may regulate cross-border data flows and/or require that certain categories of data be retained within the country. You can find out more about the requirements that apply in your industry sector by selecting from Industries below.

    Government

    Health

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.