Data Privacy and Cybersecurity

As Türk Telekom, we manage customer data privacy and cybersecurity in line with the highest standards, ensuring full compliance with the General Data Protection Regulation (GDPR), Türkiye’s Personal Data Protection Law (KVKK), and other national and international regulations. Our company safeguards personal data and rigorously implements classification systems, encryption technologies, access control mechanisms, data loss prevention solutions, and cybersecurity incident management procedures.

We have shaped our company’s information security policies in line with the ISO 27001 Information Security Management System certification and apply them across both fixed and mobile networks. We comply with these standards through our Payment Card Industry Data Security Standard (PCI DSS) certification for mobile and broadband networks, particularly to ensure the security of payment transactions. We protect all data using advanced encryption techniques, both during transmission and while at rest.

To protect the confidentiality of personal data, we implement strict restrictions against unauthorised access, and we activate automated security measures to prevent data from being transferred or leaked outside the company without supervision. We conduct Information Security Internal Audits regularly every year and ensure the implementation of identified actions. We perform penetration tests, source code analysis (within the Software Development Life Cycle – SDLC), and vulnerability assessments on a periodic basis. We share the results, tracking, and reporting of penetration tests conducted on our critical systems inventory with senior management at the beginning of each month. All processes are carried out in compliance with the Presidency of the Republic of Türkiye Digital Transformation Office’s Information and Communication Security Guide.

Cybersecurity Measures

As Türk Telekom, we adopt a multi-layered cybersecurity strategy to maximise the security of our systems. To ensure the security of remote working processes, we implement Virtual Private Networks (VPN), Multi-Factor Authentication (MFA), and periodic security audits.

With our Zero Trust approach, we have meticulously planned authorisation and access processes across systems, and we have strengthened authentication procedures to prevent unauthorised access. We ensure that all remote desktop solutions comply with ISO 27001 security standards and protect them with strict security measures against unauthorised access.

We implement advanced security measures on end-user devices. Through Data Loss Prevention (DLP) agents, we prevent the unauthorised transfer of sensitive data outside the company in accordance with our corporate policies. These agents operate actively not only within the corporate network but also on external networks such as home Wi-Fi. Running at the kernel level, DLP agents detect attempts to transfer sensitive data from devices and prevent leakage.

At Türk Telekom, we adopt a strategy of proactively detecting and responding to potential threats through AI-powered systems. Every month, we detect thousands of phishing, Distributed Denial of Service (DDoS), and malware attacks through our telecom infrastructure. As of 2024, we provide effective protection against attacks over 1 Gbps, which are classified as critical. As part of our broad service portfolio addressing all cybersecurity needs of corporate clients, we offer comprehensive solutions including: Managed Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) services, incident response, digital forensics, cybersecurity maturity assessments, workforce analysis, Managed Detection and Response (MDR) services, Security Orchestration, Automation, and Response (SOAR), Cyber Threat Intelligence (CTI), Incident Response (IR), and Attack Surface Management (ASM). We also regularly perform security controls such as managing antivirus methods and removing unused security rules.

We adopt a proactive approach to identifying and managing cybersecurity risks, and through regular meetings held by the Cybersecurity Committee, we evaluate new regulations, threat intelligence findings, and zero-day vulnerabilities. We implement necessary precautions by hardening security in cybersecurity systems and technical infrastructure, and we accelerate patch management processes.

At our company, Information Security Incident Management is handled by the Cyber Incident Response Team (SOME) in line with the Information Security Incident Tracking Procedure. All identified incidents are tracked through an Incident Response Form, and the latest technologies are used to detect and prevent data breaches. We evaluate identified breach incidents within the scope of Türk Telekom Information Security Policies and Procedures and share them with the Ethics Committee and the National Computer Emergency Response Centre (USOM) when necessary.

In line with ISO 27001 and PCI DSS standards, we regularly provide information security awareness training to our employees. We conduct these trainings at regular intervals as part of our internal audits, ensuring that all employees are aware of current cyber threats. In addition, we include third-party business partners and suppliers in our security awareness programs to minimise external risks.

As of 2024, our cyber incident response teams handled a total of 14,792 incidents, delivering effective solutions against an 11% increase in threats. The Cybersecurity Centre, which provides 24/7 service, continues to strengthen the security infrastructure of organisations without any interruptions.

Customer Privacy

At Türk Telekom, we position cybersecurity as one of our top priorities in the digital ecosystem. By offering more than 50 products and services to over 5,000 organisations, we support the customer experience with a broad cybersecurity portfolio, ensuring maximum continuity and efficiency. Through our Customer Service Centre (CSC) model, we also provide uninterrupted service in areas such as digitalisation, operational analytics, and Wi-Fi operations.

Our company also implements specific measures to protect customer privacy in targeted advertising systems. Customer MSISDN information is never shared with advertisers; instead, we anonymise customer identities using a Unique ID. This ensures that advertisers can only perform targeting through the Unique ID. We carefully review advertisement categories and block ads in categories deemed risky. Advertisements are shown only to customers who have granted consent for digital data processing.

International Accreditation

According to International Data Corporation (IDC) reports, our company has maintained its market leadership for the past four years and holds the distinction of being the first and only Turkish company accredited in three different categories under the Council of Registered Ethical Security Testers (CREST). In addition, in 2024, our company became a member of the Forum of Incident Response Teams (FIRST) and remains the only service provider accredited by both the Türkiye Computer Emergency Response Team (TRCERT) and the Turkish Standards Institution (TSE).

Next-Generation Technologies

In parallel with advancements in cloud computing, artificial intelligence, automation, and mobility, our company has transitioned to the Next Generation Security Operations Centre (NextGen SOC) model. We offer advanced technological security solutions such as EDR, XDR, MDR, SOAR, CTI, IR, ASM, and Detection Engineering.

Thanks to our infrastructure enhanced with AI-powered threat detection systems and a digital forensics laboratory, in 2024, we provided effective protection against a total of 2,317 DDoS attacks of 1 Gb and above. In addition, we carried out capacity upgrades and modernisation efforts for next-generation firewalls, web application firewalls, remote access connections, network access control (NAC), and anti-DDoS infrastructures. We also invested in attack surface analysis and automated related processes.

As part of the Gelişim Üssü (Development Base) Programs carried out in the fields of cybersecurity and cloud computing, we organised two separate camps aimed at enhancing participants’ knowledge and skills. In 2024, 32 finalists were selected from among 1,350 applicants, of whom 14 were hired as interns and 2 as full-time employees. These programs contributed to building a qualified workforce in the sector and also helped participants improve their adaptability to innovation and strengthen their practical skills.

GenAI Transformation in Cybersecurity Services from Market Leader Türk Telekom

As a leading service provider in cybersecurity with both global and local accreditations, we offer a 360-degree security approach across network, application, endpoint, data security, and consultancy services. Through our commitment to investing in next-generation technologies and enriching our product/service offerings, we have added new solutions to our portfolio that leverage self-learning artificial intelligence technologies. We deliver faster and more agile services by harnessing the capabilities of artificial intelligence in incident management, endpoint detection and response, intervention, and threat intelligence.

By leveraging both artificial intelligence and the strengths of our expert engineers within our cybersecurity centre organisation, we ensure rapid incident detection and shorten our response times.

In 2025, we initiated efforts to deliver services across various verticals with the first telco SASE infrastructure, offering end-user security, identity/access management, and xOT security solutions aligned with the remote work trend.

The protection of personal data is critical for safeguarding individuals’ right to privacy and ensuring long-term trust in institutions. As digitalisation becomes more widespread, data processing has grown increasingly complex, making it essential for companies to establish strong, transparent, and sustainable data management policies. At Türk Telekom, we adopt a comprehensive approach to ensure full compliance with both national and international regulations, including Türkiye’s Personal Data Protection Law (Law No. 6698 – KVKK) and the General Data Protection Regulation (GDPR).

We implement a layered security policy specifically to prevent data loss and leakage, taking effective measures against attempts to exfiltrate or leak data to external targets.

In accordance with Law No. 6698, we carefully implement measures aimed at protecting the fundamental rights and freedoms of our customers. Within this scope, we fulfil our disclosure obligations in compliance with personal data protection legislation and request explicit consent from our customers where necessary. The KVKK policies and procedures that are prepared for internal implementation are continuously improved through regular internal audits, employee training, and third-party assessments.