News and developments

Presidential Circular on Information and Communication Security Measures

Presidential

Circular on Information and Communication Security Measures ("Circular") is

published in the Official Gazette of July 6, 2019. The aim of the Circular is

reducing of security risks and governing measures to be taken to ensure safety

of information which is critical to national security and public order.

The Circular

imposes several security obligations on public institutions regarding (i)

storage and transfer of critical information (i.e. health, contact and

biometric information), confidential information and corporate information,

(ii) cyber threat notifications and (iii) industrial check systems.

According to

the Circular, "Information and Communication Security Guidelines" ("Guidelines")

will be prepared and published by the Presidency's Digital Transformation

Office ("Office") in light of the national and international standards on

information security on the Office's website at www.cbddo.gov.tr.

All public

institutions and operators providing critical infrastructure services will be

obliged to (i) comply with the procedures and rules in the Guidelines when

setting up new information systems and (ii) review and revise the existing

systems to ensure compliance with the Guideline.

The Circular

also obliges public institutions to set up internal reviewing mechanisms and

examine compliance with the Guidelines at least once a year. Public

institutions will be reporting the examination results and corrective and

preventative actions taken by the relevant institution to the Office.

While the

Circular generally imposes information security obligations on public

institutions, the following measures listed in the Circular and which are new

to this regulatory landscape can be relevant for the providers of cloud

services and electronic communication services:

-

Information pertaining to public institutions shall not be stored in cloud

services. The exception to this is the storage on relevant institutions'

private systems or on the systems provided by local service providers which are

under the control of the relevant public institution.

- Authorized

electronic communication service providers (operators) are obliged to set up

internet exchange points in Turkey. According to the Circular, measures will be

taken in order to prevent the cross-border transmission of domestic

communication traffic which needs to be exchanged domestically.

Authors: Gönenç Gürkaynak Esq.,

Ceren Yıldız, Burak Yeşilaltay and Ekin Ince, ELIG Gürkaynak

Attorneys-at-Law

(First published

by Mondaq on July 9, 2019)