IN GENERAL
The article includes legal assessments for institutions that receive data storage services through cloud computing systems regarding whether there is an obligation to keep data in storage centers domestically within the scope of data storage services to be received through cloud computing systems.
Cloud computing systems are preferred by many sectors due to their great advantages. However, due to the cyberattacks faced, the data is stored in a distributed manner through cloud systems. Within the framework of the article, the provisions of the several legislation requiring the necessity of having the cloud computing services to be served to companies in the country has been examined in accordance with Turkish Law.
First of all, the definitions of primary and secondary systems are briefly given below, as they will be frequently mentioned in the relevant legislative provisions. “Primary systems” is defined as a whole system consisting of infrastructure, hardware, software and data, which ensures that all necessary information required in order to fulfill obligation of companies aroused from relevant legislation that can be recorded in electronic environment and can be used available for any time. “Secondary systems” is defined as backup systems of primary systems which provides sustainability during the possible interruption in activities carried out through primary systems.
RESTRICTIONS ON BANKING LEGISLATION
Regulations on the usage of cloud computing systems by companies subject to Banking Regulation and Supervision Agency (“BRSA”), have been issued in accordance with the Directive on Banks’ Information Systems and Electronic Banking Services (“Directive”) published Republic of Turkey Official Gazette (“Official Gazette”) dated 15.03.2020 and numbered 31069.
In the 1st (first) paragraph of the 25th (twenty-fifth) article of the Directive titled “Primary and Secondary Systems”, it has been made compulsory for banks to have their primary and secondary systems domestically.
In the 5th (fifth) paragraph of the relevant article, the limits of the provision have been determined for the banks as below:
“In case of getting external service or cloud computing service for an activity that is within the scope of primary or secondary systems, the information systems used by the external service provider to carry out the activities related to the its service and their backups are also considered within the scope of primary and secondary systems and are kept domestically”
Banks are able to benefit from cloud computing systems as external service vehicles provided that these systems are kept domestically in accordance with the provisions of the Directive.
Although the afore-mentioned Directive was published in the Official Gazette on 15.03.2020, it will come into force on 01.07.2020 in accordance with the 46th (fortysixth) article of the Directive.
RESTRICTIONS REGARDING ELECTRIC MONEY INSTITUTIONS AND PAYING AGENCIES
The ability of electronic money institutions and paying agencies to use cloud computing systems as an external service to process, store and transfer data during their activities under the Law No. 6493 on Settlement Systems of Payment and Securities, Payment Services and Electronic Money Institutions (“Law No. 6493”), have been issued in accordance with Communique on Management and Supervision of Information Systems of Paying Agencies and Electronic Money Institutions. (“Communique on Electronic Money Institutions and Paying Agencies”)
Within the scope of the 16th (sixteenth) article titled “Limitations Regarding Information Systems” of the Communique on Electronic Money Institutions and Payment Agencies, primary and secondary systems of paying agencies and electronic money institutions must be kept domestically, as in banks. Therefore, in case that electronic money institutions and paying agencies store data as an external service through cloud computing systems, data centers must be kept domestically as well.
THE RESTRICTION REGARDING TO LEGISLATION ON CAPITAL MARKETS
Another area with legal restrictions on data storage abroad through cloud computing systems is regulated for companies subject to the control of the Capital Markets Board (“CMB”). The
Information Systems Management Communiqué (VII-128.9) (“Communique”) has been issued in the Official Gazette dated 05.01.2018 and numbered 30292 which is made by CMB have been put into order for companies subject to the control of the CMB to fulfill its duties arising from the Capital Markets Law No. 6362 (“SerPK”) and relevant legislations regarding the obligation of storage of data.
It is compulsory that the primary and secondary systems should be kept domestically for institutions, organizations and associations subject to the control of the CMB in accordance with 26th (twentysixth) article titled “Information Systems Sustainability” of the Communique.
Within this framework, companies subject to the CMB are also obliged to have their primary and secondary systems domestically. Thus, the restriction to be applied within the scope of the Communique will also be applied if data is stored through cloud computing systems. As a result, within the scope of the above activities, data storage through cloud computing systems can only be carried out domestically.
THE RESTRICTION ON FINANCIAL LEASING, FACTORING AND FINANCING COMPANIES
Communique on Management and Control of Information Systems of Financial Leasing, Factoring and Financing Companies (“Financing Companies Communique”) has been issued on Official Gazette numbered 30717 and dated 06.04.2019 regarding the information systems used by financial leasing, factoring and financing companies in the scope of Law No. 6361 on Financial Leasing, Factoring and Financing Companies (“Law No. 6361”)
The restriction on use of the cloud computing systems has been put into order for financial leasing, factoring and financing companies in accordance with the 15th (fifteenth) article titled “Other Provisions” of the Communique. Within the scope of this; financial leasing, factoring and financing companies have been obliged to have their primary and secondary systems domestically. Due to this situation, if aforementioned companies will provide its primary and secondary systems by using an external service by using cloud computing database, it is obligatory to have cloud computing databases domestically.
CONCLUSION AND ASSESMENT
As a result of all stated above, in accordance with the legislation in force in Republic of Turkey, in case that companies are getting cloud computing services while carrying out their activities, there would be no restriction for companies to keep the service and primary and secondary systems domestically and not being able to carry out data storage activities abroad. However, as stated in this article;
- Companies and banks subject to BRSA,
- Paying Agencies and Electronic Money Institutions,
- Companies subject to CMB,
- Financial Leasing, Factoring and Financing Companies
In case that organizations listed above, use their cloud computing systems to store data in accordance with the provisions of specific legislation, they are all obliged to keep the data centers within the borders of the country.
In the event that institutions which are planning to receive data storage services through cloud computing systems within this framework does not operate in the sectors subject to the above-mentioned legislations, it can be said that there will be no restriction on the storage of data domestically during data storage through cloud computing systems.
Kind Regards,
Kılınç Law and Consulting