Cloud Hosting

To print this article, all you need is to be registered or login on Mondaq.com.

The article includes legal assessments for institutions thatreceive data storage services through cloud computing systemsregarding whether there is an obligation to keep data in storagecenters domestically within the scope of data storage services tobe received through cloud computing systems.

Cloud computing systems are preferred by many sectors due totheir great advantages. However, due to the cyberattacks faced, thedata is stored in a distributed manner through cloud systems.Within the framework of the article, the provisions of the severallegislation requiring the necessity of having the cloud computingservices to be served to companies in the country has been examinedin accordance with Turkish Law.

First of all, the definitions of primary and secondary systemsare briefly given below, as they will be frequently mentioned inthe relevant legislative provisions. "Primarysystems" is defined as a whole system consisting ofinfrastructure, hardware, software and data, which ensures that allnecessary information required in order to fulfill obligation ofcompanies aroused from relevant legislation that can be recorded inelectronic environment and can be used available for any time."Secondary systems" is defined asbackup systems of primary systems which provides sustainabilityduring the possible interruption in activities carried out throughprimary systems.

Regulations on the usage of cloud computing systems by companiessubject to Banking Regulation and Supervision Agency("BRSA"), have been issued in accordancewith the Directive on Banks' Information Systems andElectronic Banking Services("Directive") published Republic ofTurkey Official Gazette ("OfficialGazette") dated 15.03.2020 and numbered 31069.

In the 1st (first) paragraph of the 25th(twenty-fifth) article of the Directive titled "Primaryand Secondary Systems", it has been made compulsory forbanks to have their primary and secondary systems domestically.

In the 5th (fifth) paragraph of the relevant article,the limits of the provision have been determined for the banks asbelow:

"In case of getting external service or cloud computingservice for an activity that is within the scope of primary orsecondary systems, the information systems used by the externalservice provider to carry out the activities related to the itsservice and their backups are also considered within the scope ofprimary and secondary systems and are keptdomestically"

Banks are able to benefit from cloud computing systems asexternal service vehicles provided that these systems are keptdomestically in accordance with the provisions of theDirective.

Although the afore-mentioned Directive was published in theOfficial Gazette on 15.03.2020, it will come into force on01.07.2020 in accordance with the 46th (fortysixth)article of the Directive.

The ability of electronic money institutions and paying agenciesto use cloud computing systems as an external service to process,store and transfer data during their activities under the Law No.6493 on Settlement Systems of Payment and Securities, PaymentServices and Electronic Money Institutions ("Law No.6493"), have been issued in accordance withCommunique on Management and Supervision of Information Systems ofPaying Agencies and Electronic Money Institutions.("Communique on Electronic Money Institutions andPaying Agencies")

Within the scope of the 16th (sixteenth) article titled"Limitations Regarding Information Systems" ofthe Communique on Electronic Money Institutions and PaymentAgencies, primary and secondary systems of paying agencies andelectronic money institutions must be kept domestically, as inbanks. Therefore, in case that electronic money institutions andpaying agencies store data as an external service through cloudcomputing systems, data centers must be kept domestically aswell.

Another area with legal restrictions on data storage abroadthrough cloud computing systems is regulated for companies subjectto the control of the Capital Markets Board("CMB"). The

Information Systems Management Communiqu (VII-128.9)("Communique") has been issued in theOfficial Gazette dated 05.01.2018 and numbered 30292 which is madeby CMB have been put into order for companies subject to thecontrol of the CMB to fulfill its duties arising from the CapitalMarkets Law No. 6362 ("SerPK") andrelevant legislations regarding the obligation of storage ofdata.

It is compulsory that the primary and secondary systems shouldbe kept domestically for institutions, organizations andassociations subject to the control of the CMB in accordance with26th (twentysixth) article titledInformation Systems Sustainability of theCommunique.

Within this framework, companies subject to the CMB are alsoobliged to have their primary and secondary systems domestically.Thus, the restriction to be applied within the scope of theCommunique will also be applied if data is stored through cloudcomputing systems. As a result, within the scope of the aboveactivities, data storage through cloud computing systems can onlybe carried out domestically.

Communique on Management and Control of Information Systems ofFinancial Leasing, Factoring and Financing Companies("Financing Companies Communique") hasbeen issued on Official Gazette numbered 30717 and dated 06.04.2019regarding the information systems used by financial leasing,factoring and financing companies in the scope of Law No. 6361 onFinancial Leasing, Factoring and Financing Companies("Law No. 6361")

The restriction on use of the cloud computing systems has beenput into order for financial leasing, factoring and financingcompanies in accordance with the 15th (fifteenth)article titled Other Provisions of theCommunique. Within the scope of this; financial leasing, factoringand financing companies have been obliged to have their primary andsecondary systems domestically. Due to this situation, ifaforementioned companies will provide its primary and secondarysystems by using an external service by using cloud computingdatabase, it is obligatory to have cloud computing databasesdomestically.

As a result of all stated above, in accordance with thelegislation in force in Republic of Turkey, in case that companiesare getting cloud computing services while carrying out theiractivities, there would be no restriction for companies to keep theservice and primary and secondary systems domestically and notbeing able to carry out data storage activities abroad. However, asstated in this article;

In case that organizations listed above, use their cloudcomputing systems to store data in accordance with the provisionsof specific legislation, they are all obliged to keep the datacenters within the borders of the country.

In the event that institutions which are planning to receivedata storage services through cloud computing systems within thisframework does not operate in the sectors subject to theabove-mentioned legislations, it can be said that there will be norestriction on the storage of data domestically during data storagethrough cloud computing systems.

The content of this article is intended to provide a generalguide to the subject matter. Specialist advice should be soughtabout your specific circumstances.

Read the original post:
Localization Of Data Storage Through Cloud Computing Systems - Finance and Banking - Turkey - Mondaq News Alerts