Turkish Personal Data Protection Authority ("DP Authority) has published an announcement on measures to be taken to ensure website/mobile application user security, on its website on 15 February 2022 ("Announcement").

In this factsheet, we summarize the measures set forth in the Announcement.

1. Who is concerned?

The Announcement is related to all data controllers who operate a website and/or a mobile application, and whose systems have an account sign-in/log-in feature.

2. What does the Announcement say?

The Announcement sets forth the technical and organisational measures that should be taken by website/mobile application operators. These measures are as follows:

  • Implementing a two-factor authentication system and offering it to users as an alternative security measure in the course of registration,
  • Informing users via e-mail/SMS etc. in case of logging to their account by devices other than devices they usually log in,
  • Protecting web/mobile applications with HTTPS (Hypertext Transfer Protocol Secure) or by a method that provides the same level of security,
  • Using safe and hashing algorithms, ensuring the protection of user passwords against cyber-attacks,
  • Limiting the number of unsuccessful log-in attempts by an IP address,
  • Informing users on at least the last five successful and unsuccessful log-in attempts,
  • Reminding users not to use the same passwords on different platforms,
  • Preparing a password policy and ensuring that user passwords are changed periodically or reminding users to change their passwords periodically,
  • Preventing newly created passwords from being the same as old passwords (at least the last three passwords), using technologies such as security codes which distinguish computer and human behaviours (CAPTCHA, asking four basic arithmetic operations etc.), limiting the IP addresses which are authorised to access,
  • Ensuring the use of strong passwords for website/mobile application's systems, with a minimum of ten characters, upper-lower case, number, and special characters,
  • If a third-party software or service is used to connect to the website/mobile application's systems, performing regular security updates on such software and services, and performing necessary checks, etc.

Key points

  • Although the DP Authority states that these measures are advisory, failure to comply with such advice may result in an administrative fine in case of a data breach.
  • Hence, we kindly advise data controllers operating websites/mobile applications to take the measures set forth in the Announcement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.