The main law regulating protection of personal data in Turkey is Law 6698 on Protection of Personal Data. This law is modelled on the now repealed EU Data Protection Directive (95/46/EC) and implements the European principles on data protection. The law includes no specific provisions on fintech companies or financial information, so its general provisions will apply. The main regulatory body for the protection of personal data in Turkey is the Personal Data Protection Board. The board is authorised to enforce the Law on Protection of Personal Data and issue sanctions in case of violations.
Foreign fintech service providers that process the personal data of persons residing in Turkey are also bound by the Law on Protection of Personal Data, even if they have no physical or legal presence in Turkey. For example, they must register with the Personal Data Protection Board as a data controller, and must submit a data breach notification to the board should a possible data breach affect the data of Turkish citizens which is processed by the foreign fintech company.
Turkey does not have a specific catch-all cybersecurity regime in place, but certain IT systems-related obligations apply to financial service providers. The most relevant for fintech companies is the Communiqué on Management and Auditing of Information Systems of Payment and Electronic Money Institutions of 27 July 2014. The communiqué sets out certain cybersecurity-related technical and administrative requirements (eg, data and system localisation requirement; obligation to supervise the cybersecurity maturity of merchants; obligation to undergo independent IT auditing) for payment and e-money institutions licensed in Turkey.