AECO’s Data and Technology practice has been particularly active with high-profile data breaches across multiple sectors, cross-border transfer mandates, and growing client demand around AI adoption and compliance, according to Partner Cagri Cetinkaya. The practice has also seen a rise in life sciences work and expects further activity driven by Turkiye’s new cybersecurity law, NIS2 alignment, and the increasing digitalization of businesses.
CEELM: What’s been keeping your data protection practice busy over the last 12 months?
Cetinkaya: Over the past year, our practice has been kept busy by several distinct streams of work. First and foremost, data breaches have been at the center of our activity. We have been involved in some of Turkiye’s most significant incidents across a wide range of sectors – from luxury retail and industrial production to IT and gaming. These matters are extremely time-sensitive and high-pressure, often requiring crisis management rather than just legal or technical advice. They involve multiple stakeholders and careful coordination on how best to communicate with the Turkish Data Protection Authority, as well as the data subjects themselves. It’s not only a legal challenge but also a PR one.
Cross-border breaches have also been on the rise, and managing them requires us to operate like a well-oiled machine with other firms in other jurisdictions. We work closely with colleagues in other countries to ensure a seamless response. Another area that has grown significantly is advising on international data transfer contracts under Turkish law. In practice, this means aligning GDPR requirements with Turkish rules and helping clients navigate the discrepancies between the two frameworks.
Another big driver has been the adoption of AI. Three years ago, AI was mostly theoretical for our clients, but now it’s generating real products – ranging from customer-facing chatbots to workplace tools. We’ve been advising on how these fit within Turkiye’s numerous applicable laws to AI, including data protection, employment law, e-commerce, and consumer law, as well as the law of obligations, in the absence of comprehensive AI-specific legislation. At the same time, we continue to carry out data protection audits and ongoing compliance reviews. Many of our clients have implemented complex systems over the past decade, and as laws evolve and technologies advance, they need us to reassess and ensure compliance remains up to date.
We also have a growing reputation management practice, integrating litigation, digital forensics, and crisis communication. Clients have a wide spectrum from pop stars to international conglomerates.
We remain “sector-agnostic” in this work, supporting clients from IT and retail to industrial production and social media. That said, over the past year, we’ve seen a noticeable uptick in mandates from life sciences clients, who are digitizing rapidly and need careful attention to data protection.
CEELM: What’s been driving that pipeline of work?
Cetinkaya: Several factors are behind this surge. New legislation has been a major one. The adoption of the new cybersecurity law in March, for example, has prompted clients to map Turkish requirements against the EU’s NIS2 Directive. While Turkiye’s law currently lacks secondary regulations, companies are already seeking clarity and guidance. This, combined with the threat posed by the increased number of cyberattacks globally, drives significant data protection and cybersecurity work our way.
Cross-border data transfers have also kept us busy, as multinationals want to align with the new Turkish personal data transfer rules. Businesses in many sectors are finding innovative ways to interact with customers digitally, and that raises new compliance questions. For example, life sciences companies are digitalizing processes, and the medical professional outreach and retail sector always tries to find new ways to engage customers using physical world and cyberspace harmoniously. Construction companies, on the other hand, are experimenting with AI for safety purposes, which also raises regulatory considerations.
Global alignment is another driver. When clients want to implement GDPR or NIS2 compliance across their organizations, Turkiye often becomes a focal point where differences between EU and Turkish law must be carefully managed. While our system is inspired by the EU, the differences are significant enough to require dedicated guidance. Finally, our very busy M&A and employment law practices also generate additional data protection work, as those areas often overlap.
CEELM: What’s the outlook for the next 12 months?
Cetinkaya: Looking ahead, we expect much of this activity to continue, with some areas intensifying. The cybersecurity law will become even more important once secondary regulations are issued – likely at the beginning of 2026. Licensing requirements and active enforcement by the Cybersecurity Presidency will further transform the sector, creating new demands for companies.
NIS2 implementation will also remain a key driver, as clients seek to understand how their Turkish operations fit into their broader European compliance frameworks. AI is another area where we anticipate strong growth. It is becoming less of a buzzword and more of a practical, pressing issue for clients, who are eager to implement tools but need clear guidance on the regulatory side.
Data protection advisory in general will remain a busy area, with companies launching new initiatives for both employees and customers. And because Turkiye continues to be a regional hub, cross-border work will grow in importance. Combined with our active M&A and employment practices, we expect another very dynamic year ahead.
