Legal Advisory for SaaS Companies in Turkey

Legal advisory for SaaS companies operating in Turkey: KVKK Law No. 6698 (post-2024 m.9 reform under Law No. 7499, effective 1 June 2024) for personal data protection; FSEK Law No. 5846 m.2/I-1 (bilgisayar programları / computer programs as eser / work) for software copyright protection; Law No. 5651 (İnternet Kanunu) for the hosting and content provider framework; Law No. 6563 (E-Ticaret Kanunu); Law No. 6502 (Tüketici Kanunu) with the Mesafeli Sözleşmeler Yönetmeliği (Distance Contracts Regulation); TBK Law No. 6098 m.27; TTK m.5/A dava şartı arabuluculuk (mediation as a precondition to suit); SMK Law No. 6769; and MASAK Law No. 5549.

Legal advisory for SaaS companies operating in Turkey requires structured coordination across personal data protection compliance, software copyright protection, internet content regulation, e-commerce regulation, consumer protection compliance, B2B subscription contract architecture, intellectual property protection, anti-money-laundering compliance, tax framework integration, and broader strategic positioning producing the comprehensive SaaS regulatory framework that experienced practitioners support across the full operational lifecycle. The framework that governs the relevant questions is set primarily by the 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK / Personal Data Protection Law) covering m.3 (tanımlar / definitions including veri sorumlusu / data controller, veri işleyen / data processor, ilgili kişi / data subject), m.4 (genel ilkeler / general principles), m.5 (kişisel verilerin işlenme şartları / processing conditions including açık rıza / explicit consent and statutory bases), m.6 (özel nitelikli kişisel veriler / special-category personal data with enhanced protection framework), m.9 (yurtdışına aktarım / cross-border transfer — substantially reformed by the 7499 sayılı Kanun effective 1 June 2024 introducing structured pathways through (i) yeterlilik kararı / adequacy decision by KVK Kurulu, (ii) uygun güvenceler / appropriate safeguards including BCR / Bağlayıcı Şirket Kuralları and standard sözleşme maddeleri / standard contractual clauses, (iii) istisnai haller / exceptional circumstances), m.10 (aydınlatma yükümlülüğü / information obligation), m.11 (ilgili kişinin hakları / data subject rights), m.12 (veri güvenliği yükümlülüğü / data security obligation), m.13 (başvuru hakkı / right to apply with 30-day response deadline), m.14 (Kurula şikayet / Authority complaint), m.15 (Kurulun re'sen incelemesi / ex officio investigation by KVK Kurulu), m.16 (Veri Sorumluları Sicili / VERBİS registration), and m.18 (kabahatler / administrative fines with structured penalty framework); the 5846 sayılı Fikir ve Sanat Eserleri Kanunu (FSEK) including m.2/I-1 establishing bilgisayar programları (computer programs) as eser (work) protected under copyright framework rather than patent framework; the 5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (İnternet Kanunu) governing structured framework for yer sağlayıcı (hosting provider), içerik sağlayıcı (content provider), erişim sağlayıcı (access provider), and toplu kullanım sağlayıcı (collective use provider); the 6563 sayılı Elektronik Ticaretin Düzenlenmesi Hakkında Kanun (E-Ticaret Kanunu) governing electronic commerce framework including ön bilgilendirme (preliminary information) and ticari elektronik ileti (commercial electronic communication) framework; the 6502 sayılı Tüketicinin Korunması Hakkında Kanun (Tüketici Kanunu) including Mesafeli Sözleşmeler Yönetmeliği (Distance Contracts Regulation) governing B2C subscription framework with structured cayma hakkı (withdrawal right) and disclosure mechanics; the 6098 sayılı Türk Borçlar Kanunu (TBK) including m.27 (kanuna ve ahlaka aykırılık / contract validity), m.30-39 (irade sakatlıkları / defects of consent), m.49 vd. (haksız fiil / tort), and m.112-117 (borca aykırılık / breach of contract); the 6102 sayılı Türk Ticaret Kanunu (TTK) including m.4 (ticari iş / commercial transaction), m.5 (Asliye Ticaret Mahkemesi / Commercial Court of First Instance jurisdiction), and m.5/A (dava şartı arabuluculuk effective 1 January 2019); the 6769 sayılı Sınai Mülkiyet Kanunu (SMK) governing trademark, patent, and design protection framework; the 5070 sayılı Elektronik İmza Kanunu (Electronic Signature Law) governing structured e-signature framework; the 6493 sayılı Ödeme ve Menkul Kıymet Mutabakat Sistemleri Kanunu (Payment Systems Law) governing structured payment-services framework where SaaS handles payments; the 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun (MASAK Law) governing anti-money-laundering compliance; the 5520 sayılı Kurumlar Vergisi Kanunu and broader tax framework; and the 6325 sayılı Hukuk Uyuşmazlıklarında Arabuluculuk Kanunu (Mediation Law). Practice may vary by authority and year.

An English speaking lawyer in Turkey advising SaaS companies will explain that effective Turkish-market positioning requires structured coordination across entity-formation analysis (anonim şirket vs limited şirket selection through MERSİS), software-licensing architecture under FSEK m.2/I-1 framework, comprehensive personal-data-protection compliance under KVKK with critical post-2024 m.9 cross-border transfer reform discipline, internet content regulation under Law No. 5651, e-commerce regulation under Law No. 6563, consumer protection compliance under Law No. 6502 with structured Mesafeli Sözleşmeler Yönetmeliği framework for B2C subscription scenarios, B2B subscription agreement architecture under TBK with SLA, liability-cap, and indemnification mechanics, intellectual property protection coordination across FSEK and 6769 sayılı SMK, anti-money-laundering compliance under MASAK Law No. 5549 where applicable, tax framework integration, and broader strategic positioning. The body of this guide walks through the company-formation framework under TTK; the software licensing framework under FSEK m.2/I-1; the comprehensive KVKK framework with post-2024 m.9 reform analysis; the internet content framework under Law No. 5651 and e-commerce framework under Law No. 6563; the consumer protection framework under Law No. 6502 with distance-contract mechanics; the B2B subscription agreement framework under TBK; the intellectual property protection framework; and the cross-border, MASAK, and funding-readiness framework. For procedural orientation on adjacent topics, our notes on company formation in Turkey, data protection law in Turkey, and intellectual property rights in Turkey can be read alongside this material.

1) Company Formation under TTK Law No. 6102: Anonim Şirket vs Limited Şirket Selection, MERSİS Registration, and Tax-Office Coordination

A lawyer in Turkey advising on SaaS company formation will explain that Turkish corporate law provides structured entity-formation framework with specific procedural mechanics across anonim şirket (joint stock company / JSC) and limited şirket (limited liability company / LLC) pathways producing comprehensive corporate-architecture options. The procedure ordinarily considers the substantive anonim şirket framework under TTK m.329 vd. establishing the structured joint stock company framework with comprehensive coverage including m.330 vd. genel kurul / general assembly, m.359 vd. yönetim kurulu / board of directors, m.380 şirketin kendi paylarını iktisabı / own share acquisition, and broader procedural mechanics — the framework typically suits SaaS scenarios with planned external investment, multiple shareholders, or potential public-offering pathways through SerPK Law No. 6362 framework; the substantive limited şirket framework under TTK m.573 vd. establishing the structured limited liability company framework with specific procedural mechanics — the framework typically suits smaller SaaS scenarios with simpler governance requirements, fewer shareholders, and lower regulatory complexity; the substantive comparative framework where anonim şirket offers structured share-class flexibility, broader external-investment compatibility, and potential public-offering pathways while limited şirket offers simpler governance, lower minimum capital requirements, and reduced procedural complexity; the substantive MERSİS (Merkezi Sicil Kayıt Sistemi / Central Registry Recording System) registration framework establishing structured electronic registration through Türkiye Ticaret Sicili (Turkish Trade Registry); and the broader integration framework where company formation operates within the comprehensive Turkish corporate regulatory framework.

An Istanbul Law Firm advising on the formation procedural mechanics will note that effective Turkish company formation requires structured procedural coordination across multiple parallel categories supporting comprehensive subsequent operational positioning. The procedure ordinarily considers the substantive ana sözleşme (articles of association) framework where structured drafting addresses substantive corporate governance, capital structure, share-class architecture, board composition, and broader procedural mechanics; the substantive notarization framework where ana sözleşme requires structured noter (notary) certification under the 1512 sayılı Notarlık Kanunu producing authenticated foundational documentation; the substantive Türkiye Ticaret Sicili Müdürlüğü (Trade Registry Directorate) coordination framework where structured registration produces formal corporate existence with publication in Türkiye Ticaret Sicili Gazetesi (Turkish Trade Registry Gazette); the substantive vergi dairesi (tax office) coordination framework where structured tax registration produces VKN (Vergi Kimlik Numarası / tax identification number) supporting subsequent tax compliance; the substantive SGK (Sosyal Güvenlik Kurumu / Social Security Institution) registration framework where employer registration supports subsequent employment compliance; the substantive bank account framework where corporate bank account opening requires structured documentation including registered ana sözleşme, signature circular, and tax registration; the substantive foreign-investor framework where foreign-shareholder structures require structured documentation including apostille certification under the 1961 La Haye Konvansiyonu and yeminli tercüman translation; and the broader strategic-coordination framework where company formation operates as foundational positioning supporting all subsequent SaaS operational mechanics.

A Turkish Law Firm advising on the broader strategic SaaS-formation framework will note that effective Turkish-market entry requires structured preparation across multiple categories. The procedure ordinarily considers the substantive entity-selection framework where structured analysis of SaaS-business model (B2B vs B2C), revenue scale, planned investor structure, and exit-strategy considerations supports optimal entity selection; the substantive shareholding-architecture framework where structured shareholder agreements (pay sahipleri sözleşmesi) supplement statutory framework with bespoke governance, pre-emption, drag-along, tag-along, and exit provisions; the substantive IP-allocation framework where SaaS formation typically requires structured IP-assignment from founders to the company supporting clean ownership architecture for subsequent investment; the substantive employment-architecture framework where structured contracts under İş Kanunu Law No. 4857 with appropriate IP-assignment, confidentiality, and non-compete provisions support workforce positioning; the substantive cross-border framework where international SaaS scenarios require structured coordination with foreign counsel for parent-entity, IP-licensing, and broader corporate-architecture coordination; and the broader integration where company formation operates within the comprehensive SaaS regulatory framework. The discipline outlined in our note on company formation in Turkey covers the broader entity-formation framework. Practice may vary by authority and year.

2) Software Licensing under FSEK Law No. 5846 m.2/I-1 (Bilgisayar Programları as Eser) and Commercial Agreements Framework

An English speaking lawyer in Turkey advising on software licensing will explain that the substantive 5846 sayılı Fikir ve Sanat Eserleri Kanunu (FSEK) establishes the foundational Turkish software protection framework with specific procedural mechanics — and importantly, with critical practitioner-discipline distinction from common-law patent-based software protection frameworks. The procedure ordinarily considers the substantive FSEK m.2/I-1 framework establishing bilgisayar programları (computer programs) as eser (work) protected under copyright framework rather than patent framework — this is fundamental practitioner discipline because international counsel sometimes assume patent-based software protection based on jurisdictions like the United States where software patents operate alongside copyright protection; the substantive scope framework where FSEK protection covers structured software-as-eser including (i) source code, (ii) object code, (iii) preparatory design materials, and (iv) related documentation with structured procedural mechanics; the substantive author-rights framework where FSEK m.13 vd. establishes structured manevi haklar (moral rights) including kamuya sunma (public disclosure), eser sahibi olarak tanıtılma (attribution), and eserin bütünlüğünü koruma (integrity protection); the substantive economic-rights framework where FSEK m.20 vd. establishes structured mali haklar (economic rights) including çoğaltma hakkı (reproduction right), yayma hakkı (distribution right), umumi yerlerde temsil hakkı (public performance right), işaret-ses ve görüntü nakline yarayan araçlarla umuma iletim hakkı (broadcasting right), and işleme hakkı (adaptation right); and the substantive registration framework where structured Telif Hakları Genel Müdürlüğü (Directorate General of Copyright) registration supports evidentiary positioning while copyright protection itself arises automatically upon creation rather than through registration.

An Istanbul Law Firm advising on SaaS licensing architecture will note that effective SaaS license design requires structured coordination across multiple parallel categories supporting comprehensive subsequent enforcement positioning. The procedure ordinarily considers the substantive license-grant framework where structured license-grant provisions establish (i) scope (specific permitted uses), (ii) territory (geographical scope), (iii) duration (subscription period), (iv) exclusivity (exclusive vs non-exclusive vs sole licensing), (v) sublicensing rights, and (vi) transferability — clear license-grant architecture supports both immediate licensing and broader subsequent positioning; the substantive ownership-retention framework where structured provisions confirm licensor ownership of all underlying IP rights with specific procedural mechanics; the substantive use-restriction framework where structured provisions specify prohibited uses including reverse engineering (subject to FSEK m.38 limited exceptions), unauthorized copying, and broader procedural restrictions; the substantive open-source-component framework where structured analysis of embedded open-source components supports compatible license obligations including GPL, MIT, Apache, and broader open-source license framework; the substantive update-and-modification framework where structured provisions specify maintenance, updates, and modification scope with specific procedural mechanics; the substantive enforcement framework where FSEK enforcement supports structured remedies including civil damages, injunctive relief, and criminal proceedings under specific procedural mechanics; and the broader strategic-coordination framework where licensing architecture operates as foundational discipline supporting all subsequent SaaS commercial mechanics.

A Turkish Law Firm advising on the broader licensing strategic framework will note that effective SaaS licensing requires structured coordination with broader contract framework supporting comprehensive enforcement positioning. The procedure ordinarily considers the substantive contract-validity framework under TBK m.27 where licenses violating mandatory law or public order face structured invalidity risks supporting structured drafting discipline; the substantive defect-of-consent framework under TBK m.30-39 where licenses obtained through error, fraud, or duress face structured rescission risks; the substantive choice-of-law framework where structured choice-of-law provisions support comprehensive cross-border positioning — Turkish court enforcement of foreign-law-governed licenses operates through MÖHUK Law No. 5718 framework with specific procedural mechanics; the substantive forum-selection framework where structured arbitration-versus-litigation analysis supports comprehensive dispute-resolution positioning — international SaaS scenarios may benefit from MTK Law No. 4686 international arbitration framework or institutional arbitration including ICC, ISTAC, LCIA; the substantive language framework where Turkish-language requirements may apply for structured enforcement scenarios — bilingual contracts with both Turkish and English provisions support comprehensive procedural positioning; the substantive notarization framework where some license categories may benefit from structured noter authentication supporting authenticity verification; and the broader integration framework where licensing operates within the comprehensive contract framework rather than as isolated commercial document. Practice may vary by authority and year.

3) Data Protection under KVKK Law No. 6698: m.5-6 Processing Conditions, m.9 Cross-Border Transfer (Post-7499 Reform Effective 1 June 2024), m.10 Aydınlatma, m.16 VERBİS Registration, and m.18 İdari Para Cezası

An Istanbul Law Firm advising on KVKK compliance will note that the substantive 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK) operates as the foundational Turkish personal-data-protection framework with specific procedural mechanics affecting substantially all SaaS operations involving Turkish data subjects. The procedure ordinarily considers the substantive KVKK m.3 definitions framework establishing fundamental concepts including kişisel veri (personal data), veri sorumlusu (data controller — analogous to EU GDPR controller), veri işleyen (data processor — analogous to EU GDPR processor), ilgili kişi (data subject), and işleme (processing); the substantive KVKK m.4 general principles framework establishing structured processing principles including (i) hukuka ve dürüstlük kurallarına uygun olma (lawfulness and fairness), (ii) doğru ve gerektiğinde güncel olma (accuracy and currency), (iii) belirli, açık ve meşru amaçlar için işlenme (purpose limitation), (iv) işlendikleri amaçla bağlantılı, sınırlı ve ölçülü olma (data minimization), and (v) ilgili mevzuatta öngörülen veya işlendikleri amaç için gerekli olan süre kadar muhafaza edilme (storage limitation); the substantive KVKK m.5 processing-conditions framework establishing structured pathways including (i) açık rıza (explicit consent) and (ii) statutory bases including kanunda açıkça öngörülmesi (express provision in law), fiili imkansızlık nedeniyle rızasını açıklayamayacak durumda olan kişinin korunması için zorunlu olması (necessity to protect a person who cannot express consent due to actual impossibility), sözleşmenin kurulması veya ifası için zorunlu olması (necessity for the formation or performance of a contract), hukuki yükümlülüğün yerine getirilmesi için zorunlu olması (necessity for compliance with a legal obligation), ilgili kişinin alenileştirdiği veriler (data made public by the data subject), and meşru menfaatler (legitimate interests); the substantive KVKK m.6 special-category framework establishing enhanced protection for sağlık ve cinsel hayat verileri (health and sexual life data), genetik veriler (genetic data), biyometrik veriler (biometric data), and broader hassas (sensitive) categories with structured procedural mechanics typically requiring explicit consent or specific statutory basis; and the broader integration framework where KVKK operates within comprehensive Turkish privacy regulatory framework.

A lawyer in Turkey advising on the post-2024 m.9 cross-border transfer reform will note that the substantive KVKK m.9 framework reformed by the 7499 sayılı Kanun effective 1 June 2024 establishes comprehensive cross-border-transfer framework with structured procedural mechanics affecting all SaaS scenarios involving non-Turkish processing infrastructure. The procedure ordinarily considers the substantive post-2024 reform background where the prior KVKK m.9 framework operated through narrow consent-based pathways producing significant practical compliance challenges for international SaaS operations — the 7499 sayılı Kanun reform effective 1 June 2024 introduced structured pathways more aligned with EU GDPR Chapter V framework; the substantive adequacy decision (yeterlilik kararı) pathway where the KVK Kurulu may issue structured adequacy decisions for specific countries supporting routine transfers without additional safeguards — practitioners monitor adequacy-decision developments with structured procedural attention; the substantive appropriate safeguards (uygun güvenceler) pathway including (i) Bağlayıcı Şirket Kuralları (BCR / Binding Corporate Rules) for structured intra-group transfers supporting comprehensive cross-border operations within multinational corporate groups, (ii) standart sözleşme maddeleri (standard contractual clauses) approved by KVK Kurulu supporting structured controller-to-processor and controller-to-controller cross-border arrangements, and (iii) other structured undertakings approved through KVK Kurulu coordination; the substantive exceptional circumstances (istisnai haller) pathway including explicit consent for one-time transfers, contract performance, public interest, legal claim establishment, vital interest protection, and public registry data; and the substantive coordination framework where SaaS providers typically require structured pre-transfer compliance analysis supporting comprehensive cross-border processing positioning.

Turkish lawyers who advise on the broader KVKK compliance framework will note that effective SaaS KVKK compliance requires structured coordination across multiple parallel categories supporting comprehensive operational integrity. The procedure ordinarily considers the substantive KVKK m.10 aydınlatma framework establishing structured information-disclosure obligation requiring veri sorumlusu to provide data subjects with structured information including controller identity, processing purposes, recipients, transfer destinations, data sources, and data-subject rights — typically through aydınlatma metni (privacy notice) with specific procedural mechanics; the substantive KVKK m.11 data-subject rights framework including bilgi alma (information access), eksik veya yanlış işlenmiş verilerin düzeltilmesi (rectification), silme veya yok etme (erasure), itiraz (objection), aktarımları için bilgilendirme (transfer notification), and broader rights with structured 30-day response deadline under m.13; the substantive KVKK m.12 data-security framework requiring structured technical and organizational measures including encryption, access controls, audit trails, breach response procedures, vendor management, and broader security architecture; the substantive KVKK m.16 VERBİS framework establishing Veri Sorumluları Sicili registration requirements with specific procedural mechanics — registration thresholds and exemptions require structured analysis; the substantive KVKK m.18 idari para cezası framework establishing administrative-fine architecture with specific penalty ranges affecting compliance economics; the substantive breach-notification framework under m.12 with KVK Kurumu coordination supporting structured incident-response with 72-hour notification deadline to KVK Kurumu; and the broader strategic integration where KVKK compliance operates as integrated component of comprehensive SaaS regulatory framework. 
The discipline outlined in our note on data protection law in Turkey covers the broader KVKK framework. Practice may vary by authority and year.

4) Internet Content Framework under Law No. 5651 (Hosting Providers / İçerik Sağlayıcı / Yer Sağlayıcı / Erişim Sağlayıcı) and E-Commerce Framework under Law No. 6563

An English speaking lawyer in Turkey advising on internet content framework will explain that the substantive 5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (İnternet Kanunu) establishes the foundational Turkish internet regulatory framework with specific procedural mechanics affecting SaaS providers operating internet-based platforms. The procedure ordinarily considers the substantive provider-classification framework establishing four primary categories: (i) içerik sağlayıcı (content provider) — entities producing, modifying, or providing content; (ii) yer sağlayıcı (hosting provider) — entities providing systems for content storage and access; (iii) erişim sağlayıcı (access provider) — entities providing internet access services; and (iv) toplu kullanım sağlayıcı (collective use provider) — entities providing internet access in collective-use environments; the substantive SaaS-classification framework where most SaaS providers operate as combination of içerik sağlayıcı (for proprietary content) and yer sağlayıcı (for user-generated content storage) with specific procedural mechanics; the substantive takedown-procedure framework under m.8 vd. where structured takedown procedures support content-removal coordination through Bilgi Teknolojileri ve İletişim Kurumu (BTK / Information and Communication Technologies Authority) with specific procedural mechanics; the substantive representative-appointment framework under m.4/2-3 introduced through 2020 reforms requiring foreign social network providers serving Turkey to appoint Turkish representatives — the framework affects specific large-scale SaaS scenarios; the substantive data-localization framework where m.5 introduced limited Turkish-data-localization requirements for specific provider categories; and the broader strategic integration where internet regulatory compliance operates as integrated component of SaaS regulatory framework.

An Istanbul Law Firm advising on e-commerce framework will note that the substantive 6563 sayılı Elektronik Ticaretin Düzenlenmesi Hakkında Kanun (E-Ticaret Kanunu) establishes the foundational Turkish e-commerce regulatory framework with specific procedural mechanics affecting SaaS providers operating commercial-transaction platforms. The procedure ordinarily considers the substantive ön bilgilendirme (preliminary information) framework under m.3 requiring structured pre-contract information including service-provider identity, contact information, contract subject-matter, total price, payment-and-delivery terms, dispute-resolution mechanisms, and broader procedural disclosures; the substantive ticari elektronik ileti (commercial electronic communication) framework under m.6 establishing structured opt-in framework for marketing communications — explicit prior consent generally required with structured exceptions for existing customer relationships, public-information transactions, and broader specific scenarios; the substantive İYS (İleti Yönetim Sistemi / Communication Management System) framework establishing centralized opt-in management supporting structured consent verification — registration through İYS supports compliant marketing-communication framework; the substantive kişisel veri framework where E-Ticaret Kanunu coordinates with KVKK Law No. 6698 supporting integrated personal-data-protection compliance; the substantive TKHK Law No. 6502 coordination where consumer-protection framework supplements e-commerce framework with structured consumer-rights protection; the substantive enforcement framework through Ticaret Bakanlığı (Ministry of Trade) supporting structured administrative oversight with specific penalty mechanisms; and the broader strategic integration where e-commerce compliance operates within the comprehensive Turkish digital-services regulatory framework.

A Turkish Law Firm advising on the broader internet-and-e-commerce strategic framework will note that effective SaaS regulatory positioning requires structured coordination across multiple parallel categories supporting comprehensive operational integrity. The procedure ordinarily considers the substantive content-moderation framework where structured content-moderation procedures supporting takedown-request coordination, illegal-content removal, and broader content-governance operate within the comprehensive 5651 framework; the substantive intermediary-liability framework where structured analysis of host-provider liability under m.5 vd. supports comprehensive procedural positioning — Turkish framework typically follows notice-and-takedown structure with specific procedural mechanics; the substantive 5070 sayılı Elektronik İmza Kanunu coordination framework where electronic-signature framework supports structured contract-formation positioning — qualified electronic signatures (nitelikli elektronik imza) operate as wet-signature equivalent under specific procedural mechanics; the substantive 6493 sayılı Ödeme Sistemleri Kanunu (Payment Systems Law) framework where SaaS providers handling payments face structured payment-services regulation through Türkiye Cumhuriyet Merkez Bankası (TCMB / Central Bank) coordination; the substantive cross-border framework where international SaaS scenarios require structured coordination with foreign internet regulatory frameworks supporting comprehensive multi-jurisdictional positioning; the substantive emerging-technology framework where AI, blockchain, and broader emerging-technology integration requires structured analysis under both existing framework and developing regulatory architecture; and the broader strategic integration where internet and e-commerce compliance operates as integrated component supporting comprehensive SaaS operational architecture. Practice may vary by authority and year.

5) Consumer Protection under Law No. 6502 with Mesafeli Sözleşmeler Yönetmeliği and TBK m.27 Contract Validity Framework

An Istanbul Law Firm advising on consumer protection will note that the substantive 6502 sayılı Tüketicinin Korunması Hakkında Kanun (Tüketici Kanunu) establishes the foundational Turkish consumer-protection framework with specific procedural mechanics affecting B2C SaaS scenarios involving Turkish consumer subscribers. The procedure ordinarily considers the substantive tüketici (consumer) definition framework under m.3 where consumers operate as natural or legal persons acting for purposes outside commercial or professional activity — substantive analysis supports B2C-versus-B2B classification affecting applicable regulatory framework; the substantive Mesafeli Sözleşmeler Yönetmeliği (Distance Contracts Regulation) establishing structured framework for distance-formation consumer contracts including SaaS subscription scenarios — the framework operates under broader Tüketici Kanunu m.48 vd. with comprehensive procedural mechanics; the substantive ön bilgilendirme framework requiring structured pre-contract information including (i) service identification, (ii) total price and payment terms, (iii) duration and renewal mechanics, (iv) cayma hakkı (withdrawal right) information, (v) dispute resolution mechanisms, (vi) service provider identity, and broader procedural disclosures; the substantive cayma hakkı framework establishing structured 14-day withdrawal right for distance-formation consumer contracts with specific exceptions including digital-content services where execution begins with consumer consent; the substantive kalıcı veri saklayıcısı framework requiring structured contract-confirmation through durable medium supporting comprehensive consumer-record preservation; the substantive enforcement framework through Ticaret Bakanlığı with specific administrative-penalty mechanisms; and the broader integration framework where consumer protection operates as critical SaaS B2C compliance category.

A lawyer in Turkey advising on subscription-renewal framework will note that the substantive auto-renewal framework operates with specific procedural mechanics affecting both consumer-protection compliance and broader contractual-integrity positioning. The procedure ordinarily considers the substantive otomatik yenileme framework where SaaS auto-renewal mechanisms require structured pre-renewal notification supporting consumer awareness and opt-out opportunity — typical practice involves notification 30 days before renewal supporting structured consumer-positioning; the substantive fee-disclosure framework where structured fee-change disclosure supports comprehensive consumer-protection positioning — surprise fee increases face structured invalidity risks; the substantive cancellation-mechanism framework where structured cancellation procedures supporting easy consumer cancellation operate as foundational compliance discipline — onerous cancellation procedures face structured consumer-protection challenges; the substantive TBK m.27 coordination framework where contracts violating mandatory consumer-protection law face structured invalidity risks under contract-validity framework; the substantive standard-form framework under TBK m.20-25 where standard-form contract terms (genel işlem koşulları) face structured fairness analysis with specific procedural mechanics — unfair standard-form provisions face structured invalidity risks; the substantive enforcement framework including individual consumer claims, collective consumer organizations, and Ticaret Bakanlığı administrative enforcement; and the broader strategic-coordination framework where subscription architecture operates as critical compliance discipline.

A Turkish Law Firm advising on the broader consumer-protection strategic framework will note that effective B2C SaaS positioning requires structured coordination across multiple parallel categories supporting comprehensive consumer-protection compliance. The procedure ordinarily considers the substantive tüketici hakem heyeti (consumer arbitration committee) framework where structured consumer-dispute resolution operates through tüketici hakem heyetleri (consumer arbitration committees) with specific monetary thresholds for compulsory jurisdiction — disputes below specific monetary thresholds proceed before consumer arbitration committees rather than courts; the substantive tüketici mahkemesi framework where higher-value consumer disputes proceed before specialized tüketici mahkemesi (consumer courts) with structured procedural mechanics; the substantive collective consumer organization framework where structured collective consumer organizations may file representative consumer-protection actions with specific procedural mechanics; the substantive garanti belgesi framework where applicable warranty-document requirements support structured consumer-disclosure positioning; the substantive fiyat etiketi framework where pricing-display requirements support comprehensive consumer-disclosure positioning; the substantive kişisel veri coordination framework where consumer-protection framework coordinates with KVKK Law No. 6698 supporting integrated compliance positioning; the substantive cross-border framework where international B2C SaaS scenarios serving Turkish consumers face structured Turkish consumer-protection compliance regardless of contract-governing-law choice; and the broader strategic integration where consumer protection operates as critical B2C SaaS compliance category. Practice may vary by authority and year.

6) B2B Subscription Agreements under TBK Law No. 6098 with SLA, Liability Caps, Indemnification, Termination, and TTK m.5/A Mandatory Mediation

An English speaking lawyer in Turkey advising on B2B subscription architecture will explain that B2B SaaS contracts operate within the structured Turkish contract framework with comprehensive procedural mechanics supporting both immediate commercial positioning and broader subsequent enforcement. The procedure ordinarily considers the substantive 6098 sayılı Türk Borçlar Kanunu (TBK) establishing the foundational Turkish contract framework including m.1-26 (sözleşmenin kurulması / contract formation), m.27 (kanuna ve ahlaka aykırılık / contract validity — contracts violating mandatory law or public morals face structured invalidity), m.28 (gabin / unconscionability), m.30-39 (irade sakatlıkları / defects of consent including yanılma / error, hile / fraud, and ikrah / duress), m.49 vd. (haksız fiil / tort), m.112-117 (borca aykırılık / breach including temerrüt / default), and broader contract framework; the substantive TBK m.20-25 standard-form framework (genel işlem koşulları) where structured analysis applies to mass-contract scenarios — unfair standard-form provisions face structured invalidity with specific procedural mechanics affecting SaaS Terms of Service positioning; the substantive contract-formation framework where structured offer-and-acceptance mechanics support comprehensive SaaS contract formation including clickwrap-and-browsewrap analysis; the substantive electronic-contract framework under 5070 sayılı Elektronik İmza Kanunu where structured e-signature framework supports comprehensive electronic contract formation; and the broader integration framework where TBK contract framework operates as foundational discipline supporting all SaaS commercial mechanics.

An Istanbul Law Firm advising on SaaS contract architecture will note that effective B2B SaaS contract design requires structured coordination across multiple parallel categories supporting comprehensive subsequent commercial positioning. The procedure ordinarily considers the substantive Service Level Agreement (SLA) framework where structured uptime commitments, performance-metric definitions, measurement methodologies, service-credit mechanisms, and exception-frameworks operate as foundational SaaS contract components; the substantive liability-cap framework where structured limitation-of-liability provisions support comprehensive risk-allocation — Turkish framework supports structured liability-cap enforcement subject to TBK m.115 exceptions for gross negligence or intentional breach; the substantive indemnification framework where structured IP-infringement, data-breach, and broader indemnification provisions support comprehensive risk allocation with specific procedural mechanics; the substantive termination framework where structured termination-for-cause, termination-for-convenience, post-termination data-handling, and post-termination obligations support comprehensive subscription-lifecycle positioning; the substantive data-processing addendum (DPA) framework where structured KVKK-compliant DPA supports comprehensive personal-data-processing positioning aligned with KVKK m.12 data-security framework; the substantive intellectual-property framework where structured IP-ownership, license-grant, and feedback-and-improvement provisions support comprehensive IP architecture; the substantive force-majeure framework under TBK m.136-138 where structured analysis supports comprehensive procedural-disruption positioning; and the broader strategic-coordination framework where contract architecture operates as foundational discipline supporting all SaaS commercial mechanics.

A Turkish Law Firm advising on dispute-resolution architecture will note that effective B2B SaaS dispute-resolution coordination requires structured analysis supporting comprehensive subsequent procedural positioning. The procedure ordinarily considers the substantive TTK m.5/A mandatory mediation framework effective 1 January 2019 establishing dava şartı (precondition) arabuluculuk for commercial disputes — applicants must complete structured mediation through registered arabulucu before filing the substantive dava at Asliye Ticaret Mahkemesi; the substantive 6325 sayılı Hukuk Uyuşmazlıklarında Arabuluculuk Kanunu establishing the foundational mediation framework supporting both mandatory and voluntary mediation; the substantive arbitration framework where structured arbitration provisions may displace court-based dispute resolution — domestic arbitration operates under HMK m.407 vd. while international arbitration operates under MTK Law No. 4686; the substantive institutional arbitration framework including ISTAC (Istanbul Arbitration Center / İstanbul Tahkim Merkezi under Law No. 6570 effective 1 October 2014), ICC, LCIA, and broader institutional frameworks supporting structured cross-border B2B SaaS disputes; the substantive forum-selection framework where structured forum-selection provisions support comprehensive dispute-jurisdiction positioning — Turkish-court enforcement of foreign-court judgments operates through MÖHUK m.50-63 framework with specific procedural mechanics including kesinleşmiş karar, karşılıklılık, and kamu düzeni requirements; the substantive choice-of-law framework where structured choice-of-law provisions operate within MÖHUK framework; the substantive language framework where Turkish-language requirements may apply for structured enforcement scenarios — bilingual contract architecture supports comprehensive procedural positioning; and the broader strategic integration where dispute-resolution architecture operates as critical contract design discipline. Practice may vary by authority and year.

7) Intellectual Property Protection: FSEK Law No. 5846 Copyright + 6769 sayılı SMK Trademark Coordination, and Trade Secret Protection

An Istanbul Law Firm advising on integrated IP protection will note that effective SaaS IP protection requires structured coordination across multiple parallel categories supporting comprehensive substantive positioning. The procedure ordinarily considers the substantive FSEK Law No. 5846 copyright framework with m.2/I-1 establishing bilgisayar programları (computer programs) as eser with comprehensive m.13 vd. moral rights and m.20 vd. economic rights — copyright protection arises automatically upon creation; the substantive 6769 sayılı Sınai Mülkiyet Kanunu (SMK / Industrial Property Law) establishing the comprehensive Turkish industrial-property framework including marka (trademark), patent, faydalı model (utility model), and tasarım (design) protection; the substantive trademark framework under SMK m.4-25 where structured trademark registration through Türk Patent ve Marka Kurumu (TÜRKPATENT / Turkish Patent and Trademark Office) supports brand-protection positioning with structured 10-year protection periods (renewable); the substantive Madrid Protocol coordination framework where international trademark registration through World Intellectual Property Organization (WIPO) supports comprehensive international brand-protection coordination; the substantive patent framework under SMK m.82-176 where structured patent registration supports invention protection with structured 20-year protection periods — software-related patents face structured procedural challenges given software's predominantly copyright-based protection under FSEK; the substantive PCT (Patent Cooperation Treaty) coordination framework supporting comprehensive international patent-protection coordination; and the broader integration framework where IP protection operates as integrated component of comprehensive SaaS strategic positioning.

A lawyer in Turkey advising on trade-secret protection will note that the substantive Turkish trade-secret framework operates through structured coordination across multiple statutory bases supporting comprehensive confidential-information protection. The procedure ordinarily considers the substantive TTK m.55 framework establishing structured haksız rekabet (unfair competition) framework with comprehensive coverage of trade-secret misappropriation; the substantive Türk Ceza Kanunu (TCK) Law No. 5237 m.239 framework establishing criminal sanctions for ticari sır, bankacılık sırrı veya müşteri sırrı niteliğindeki bilgi veya belgelerin açıklanması (disclosure of trade secrets, banking secrets, or customer secrets) with structured criminal-prosecution framework; the substantive employment-confidentiality framework under İş Kanunu Law No. 4857 where structured confidentiality, non-disclosure, and non-compete provisions in employment contracts support comprehensive workforce-related trade-secret protection; the substantive non-disclosure agreement (NDA) framework where structured contractor and partner NDAs support comprehensive third-party trade-secret protection; the substantive technical-protection framework where structured technical measures including access controls, encryption, audit trails, and broader security architecture support comprehensive practical protection; the substantive enforcement framework including civil damages under TBK m.49 vd. (haksız fiil), injunctive relief under HMK m.389-403 (ihtiyati tedbir), and criminal prosecution under TCK m.239; and the broader integration framework where trade-secret protection operates within comprehensive IP architecture.

A Turkish Law Firm advising on the broader IP strategic framework will note that effective SaaS IP positioning requires structured coordination across employment, contractor, and licensing arrangements supporting ownership-architecture integrity. The procedure ordinarily considers the substantive employee-IP framework where structured employment contracts under İş Kanunu Law No. 4857 with appropriate IP-assignment provisions support ownership architecture — without explicit assignment, employee-created IP may face structured ownership disputes; the substantive contractor-IP framework where structured contractor agreements with appropriate work-for-hire and IP-assignment provisions support ownership positioning — Turkish framework operates differently from common-law work-for-hire defaults requiring explicit contractual provisions; the substantive founder-IP-assignment framework where SaaS formation typically requires structured IP-assignment from founders to the company supporting clean ownership architecture for subsequent investment — investor due diligence routinely scrutinizes founder-IP-assignment chain; the substantive open-source-component framework where structured analysis supports compatible obligation positioning — GPL, MIT, Apache, and broader frameworks produce different obligation profiles; the substantive enforcement framework including civil damages under FSEK m.66 vd., criminal prosecution under FSEK m.71 vd., and injunctive relief through specialized İstanbul Fikri ve Sınai Haklar Hukuk Mahkemesi (Istanbul Court of Intellectual and Industrial Property Rights); and the broader strategic integration where IP architecture operates as foundational discipline supporting comprehensive SaaS valuation and enforcement positioning. The discipline outlined in our note on intellectual property rights in Turkey covers the broader IP framework. Practice may vary by authority and year.

8) Cross-Border Coordination, MASAK Compliance under Law No. 5549, Tax Framework, and Funding Readiness

An English speaking lawyer in Turkey advising on cross-border coordination will explain that international SaaS operations require structured coordination across multiple parallel categories supporting comprehensive multi-jurisdictional positioning. The procedure ordinarily considers the substantive MÖHUK Law No. 5718 framework governing private international law including m.50-63 supporting tanıma (recognition) and tenfiz (enforcement) of foreign judgments — the framework requires (i) kesinleşmiş karar, (ii) karşılıklılık, and (iii) kamu düzeni compliance with specific procedural mechanics; the substantive MTK Law No. 4686 international arbitration framework supporting structured international-arbitration coordination for cross-border B2B SaaS disputes; the substantive NY Convention 1958 framework supporting international-arbitral-award recognition with Turkey accession effective 25 September 1991 with reciprocity reservation; the substantive transfer-pricing framework under 5520 sayılı Kurumlar Vergisi Kanunu m.13 where multinational SaaS structures face structured transfer-pricing analysis supporting tax-compliance positioning; the substantive double-taxation-treaty framework where structured double-taxation-treaty analysis supports cross-border tax positioning — Turkey maintains comprehensive double-taxation-treaty network supporting structured cross-border SaaS scenarios; the substantive VAT framework under 3065 sayılı Katma Değer Vergisi Kanunu where SaaS-services VAT treatment faces structured procedural mechanics — recent amendments expanded VAT obligations for foreign digital service providers serving Turkish consumers; and the broader integration framework where cross-border coordination operates as critical multi-jurisdictional SaaS strategic discipline.

An Istanbul Law Firm advising on MASAK compliance will note that the substantive 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun (MASAK Law / Anti-Money-Laundering Law) operates as critical compliance framework for SaaS providers handling payment-related services or operating in financial-technology categories. The procedure ordinarily considers the substantive MASAK (Mali Suçları Araştırma Kurulu / Financial Crimes Investigation Board) framework establishing the central Turkish anti-money-laundering authority with comprehensive regulatory and enforcement responsibilities; the substantive yükümlü (obliged entity) framework where specific SaaS categories handling payment services, virtual asset services, or broader financial activities operate as MASAK yükümlü with structured compliance obligations including (i) müşteri tanıma (customer identification / KYC), (ii) şüpheli işlem bildirimi (suspicious-transaction reporting), (iii) eğitim ve iç kontrol (training and internal controls), and (iv) kayıt tutma (record keeping); the substantive virtual-asset-provider framework where SaaS providers handling cryptocurrency, virtual assets, or broader digital-currency services face structured MASAK compliance obligations through specific regulatory framework; the substantive TCMB (Türkiye Cumhuriyet Merkez Bankası / Central Bank) coordination framework where SaaS providers handling payment services face structured payment-services regulation under 6493 sayılı Ödeme Sistemleri Kanunu; the substantive enforcement framework including administrative fines, criminal prosecution, and broader regulatory measures with specific procedural mechanics; and the broader integration framework where MASAK compliance operates as critical regulatory discipline for specific SaaS categories.

A Turkish Law Firm advising on funding-readiness framework will note that effective SaaS funding-readiness preparation requires structured coordination across multiple parallel categories supporting comprehensive investor-engagement positioning. The procedure ordinarily considers the substantive corporate-architecture framework where structured corporate governance, share-class architecture, and shareholder-agreement framework support comprehensive investor-engagement positioning — most institutional investors require anonim şirket structure given share-class flexibility supporting preferred-share investment architecture; the substantive due-diligence-readiness framework where structured documentary preparation across (i) corporate documentation including ana sözleşme, registry filings, board resolutions; (ii) commercial documentation including key customer contracts, supplier contracts, partnership agreements; (iii) IP documentation including FSEK and 6769 sayılı SMK registrations, trademark portfolio, employment IP-assignment chain; (iv) regulatory documentation including KVKK compliance materials, sectoral compliance materials; (v) employment documentation including employment contracts, equity-incentive plans; (vi) financial documentation including audited financials, tax filings; and (vii) litigation documentation supports comprehensive investor-engagement; the substantive investment-instrument framework where structured analysis of equity, convertible debt, SAFE-equivalent instruments, and broader investment-architecture supports comprehensive funding positioning — Turkish framework supports structured equity investments through pay senedi (share certificate) issuance and convertible instruments through specific procedural mechanics; the substantive shareholder-agreement framework including board-composition, voting, pre-emption, drag-along, tag-along, exit, and broader investor-protection provisions supporting comprehensive investor-engagement positioning; the substantive valuation framework where structured valuation analysis supporting term-sheet negotiation operates within the comprehensive funding-engagement framework; the substantive regulatory-approval framework where some funding scenarios may require Rekabet Kurulu (Competition Authority) approval, BDDK (Banking Regulation and Supervision Authority) approval, or broader regulatory approvals affecting transaction timing; and the broader strategic integration where funding-readiness positioning operates as integrated component of comprehensive SaaS strategic framework. Practice may vary by authority and year.

9) Frequently Asked Questions for SaaS Companies Operating in Turkey

  1. What law governs personal data protection for SaaS companies in Turkey? The 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK / Personal Data Protection Law) operates as the foundational framework, administered through Kişisel Verileri Koruma Kurumu (KVK Kurumu) with KVK Kurulu (KVK Board) as decision-making body. KVKK m.5 establishes processing conditions, m.6 governs special-category data, m.10 establishes aydınlatma (information) obligations, m.16 requires VERBİS registration, and m.18 establishes administrative fines.
  2. What are the post-2024 KVKK m.9 cross-border transfer reforms? The 7499 sayılı Kanun reform effective 1 June 2024 substantially modernized KVKK m.9 cross-border transfer framework introducing structured pathways: (i) adequacy decision (yeterlilik kararı) by KVK Kurulu, (ii) appropriate safeguards (uygun güvenceler) including BCR (Bağlayıcı Şirket Kuralları / Binding Corporate Rules) and standart sözleşme maddeleri (standard contractual clauses), and (iii) exceptional circumstances (istisnai haller) including consent, contract performance, and public interest. The reform aligned the framework more closely with EU GDPR Chapter V.
  3. Is data localization mandatory under KVKK? No. KVKK does not generally mandate data localization. KVKK m.9 governs cross-border transfer with structured procedural pathways (adequacy decisions, appropriate safeguards, exceptional circumstances). Specific sectoral requirements may apply: 5411 sayılı Bankacılık Kanunu for banking data, sectoral health data regulations under 3359 sayılı Sağlık Hizmetleri Temel Kanunu, and broader specific frameworks. SaaS providers operating outside these sectors may transfer data abroad through compliant m.9 pathways.
  4. How is software protected under Turkish law? Software is protected as eser (work) under the 5846 sayılı Fikir ve Sanat Eserleri Kanunu (FSEK) m.2/I-1 through copyright framework — not through patent framework. FSEK m.13 vd. governs moral rights, m.20 vd. governs economic rights, and m.66 vd. governs civil enforcement. Copyright protection arises automatically upon creation. Patent protection under 6769 sayılı Sınai Mülkiyet Kanunu (SMK) typically does not extend to software per se, though software-implemented inventions may face structured patent-eligibility analysis.
  5. What is VERBİS registration? Under KVKK m.16, Veri Sorumluları Sicili (VERBİS / Data Controllers Registry) registration applies to specific veri sorumlusu (data controller) categories with structured procedural mechanics. KVK Kurulu has issued specific exemptions and thresholds — practitioners conduct structured registration analysis based on company size, processing scope, and specific KVK Kurulu guidance. Registration through verbis.kvkk.gov.tr produces structured public-registry positioning.
  6. What is the breach-notification timeline under KVKK? Under KVKK m.12 with KVK Kurulu coordination, data-breach notification to KVK Kurumu must occur within 72 hours of discovery with structured procedural mechanics. Subsequent notification to affected ilgili kişi (data subjects) must occur as soon as possible. Notification requirements interact with broader GDPR notification requirements in cross-border scenarios — practitioners coordinate notification across multiple jurisdictions.
  7. What is the framework for hosting providers and content providers? Under the 5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi Hakkında Kanun (İnternet Kanunu), four primary categories operate: (i) içerik sağlayıcı (content provider), (ii) yer sağlayıcı (hosting provider), (iii) erişim sağlayıcı (access provider), and (iv) toplu kullanım sağlayıcı (collective use provider). Most SaaS providers operate as combination of içerik sağlayıcı and yer sağlayıcı with specific procedural mechanics including takedown procedures through Bilgi Teknolojileri ve İletişim Kurumu (BTK).
  8. Does the 5651 representative-appointment framework apply to SaaS? The 2020 reform under m.4/2-3 introduced Turkish-representative requirements for foreign social network providers with daily Turkish-user thresholds (currently 1 million). The framework operates with structured procedural mechanics including representative responsibilities and enforcement consequences. Most pure B2B SaaS scenarios operate outside the social-network-provider framework, but structured analysis is recommended for B2C SaaS with social or communication features.
  9. What are e-commerce framework requirements? The 6563 sayılı Elektronik Ticaretin Düzenlenmesi Hakkında Kanun (E-Ticaret Kanunu) establishes structured framework including (i) ön bilgilendirme (preliminary information) under m.3, (ii) ticari elektronik ileti (commercial electronic communication) under m.6 with structured opt-in framework, and (iii) İYS (İleti Yönetim Sistemi) centralized opt-in management. SaaS providers must comply with structured pre-contract information disclosure and marketing-communication consent framework.
  10. What about consumer protection for B2C SaaS? The 6502 sayılı Tüketicinin Korunması Hakkında Kanun (Tüketici Kanunu) governs B2C scenarios. Mesafeli Sözleşmeler Yönetmeliği (Distance Contracts Regulation) establishes structured framework including 14-day cayma hakkı (withdrawal right) with specific exceptions for digital-content services where execution begins with consumer consent, structured ön bilgilendirme requirements, and kalıcı veri saklayıcısı (durable medium) confirmation. Consumer disputes proceed through tüketici hakem heyeti (below threshold) or tüketici mahkemesi (above threshold).
  11. What is the mandatory mediation framework for commercial disputes? Under TTK Law No. 6102 m.5/A effective 1 January 2019, dava şartı (precondition) arabuluculuk applies to commercial disputes — applicants must complete structured mediation through registered arabulucu before filing the substantive dava at Asliye Ticaret Mahkemesi. The framework operates under the 6325 sayılı Hukuk Uyuşmazlıklarında Arabuluculuk Kanunu.
  12. What about anti-money-laundering compliance? Under the 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun (MASAK Law), specific SaaS categories operating as yükümlü (obliged entity) face structured compliance obligations including müşteri tanıma (KYC), şüpheli işlem bildirimi (suspicious transaction reporting), eğitim ve iç kontrol (training and controls), and kayıt tutma (record keeping). Virtual-asset-service providers, payment-service providers, and broader fintech-adjacent SaaS scenarios face MASAK compliance obligations through MASAK (Mali Suçları Araştırma Kurulu) coordination.
  13. What is software licensing enforcement framework? FSEK Law No. 5846 supports structured enforcement including (i) civil damages under m.66 vd. with maddi ve manevi tazminat (material and moral damages), (ii) criminal prosecution under m.71 vd. with structured criminal-sanction framework, and (iii) injunctive relief through specialized İstanbul Fikri ve Sınai Haklar Hukuk Mahkemesi (Istanbul Court of Intellectual and Industrial Property Rights). Reverse engineering operates under FSEK m.38 limited exceptions.
  14. What is the appellate framework for SaaS-related disputes? Adverse first-instance decisions face structured appellate review through Bölge Adliye Mahkemesi (regional court of appeals) under istinaf framework under HMK m.341 vd. effective 20 July 2016 and Yargıtay (Court of Cassation) under temyiz framework under HMK m.361 vd. AYM bireysel başvuru under the 6216 sayılı Anayasa Mahkemesinin Kuruluşu ve Yargılama Usulleri Hakkında Kanun m.45-49 may apply where ordinary remedies are exhausted and fundamental rights are involved.
  15. Does ER&GUN&ER Law Firm advise SaaS companies? Yes. ER&GUN&ER Law Firm is an Istanbul-based law firm advising foreign SaaS companies, Turkish SaaS companies, foreign legal counsel, family offices, foreign institutional investors, and multinational technology participants on Turkish SaaS regulatory matters, including company formation under TTK Law No. 6102 m.329 vd. (anonim şirket) and m.573 vd. (limited şirket) with MERSİS registration; software licensing under FSEK Law No. 5846 m.2/I-1 (bilgisayar programları as eser) including m.66 vd. civil enforcement and m.71 vd. criminal enforcement; comprehensive KVKK Law No. 6698 compliance including m.5-6 processing-condition analysis, m.9 cross-border transfer with critical post-2024 reform under 7499 sayılı Kanun effective 1 June 2024 introducing adequacy decisions, BCR, and standard contractual clauses pathways, m.10 aydınlatma, m.12 data security with 72-hour breach notification, m.16 VERBİS registration, and m.18 administrative fines; internet content framework under Law No. 5651 İnternet Kanunu including yer sağlayıcı / içerik sağlayıcı / erişim sağlayıcı classification with BTK coordination; e-commerce framework under Law No. 6563 E-Ticaret Kanunu including ön bilgilendirme and ticari elektronik ileti with İYS coordination; consumer protection under Law No. 6502 Tüketici Kanunu including Mesafeli Sözleşmeler Yönetmeliği with 14-day cayma hakkı; B2B subscription agreement architecture under TBK Law No. 6098 (m.27 contract validity, m.20-25 standard-form, m.115 liability-cap exceptions, m.136-138 force majeure) with structured SLA, indemnification, termination, and DPA architecture; intellectual property protection under FSEK and 6769 sayılı Sınai Mülkiyet Kanunu (SMK) with TÜRKPATENT coordination; trade-secret protection under TTK m.55 (haksız rekabet) and TCK Law No. 5237 m.239; mandatory mediation coordination under Law No. 6325 and TTK m.5/A; international arbitration coordination under MTK Law No. 4686 with ISTAC, ICC, LCIA; cross-border coordination under MÖHUK Law No. 5718 m.50-63 with NY Convention 1958; MASAK Law No. 5549 anti-money-laundering compliance for fintech-adjacent SaaS scenarios with MASAK coordination; payment systems under Law No. 6493 with TCMB coordination; tax framework integration including KDV (VAT) and kurumlar vergisi with m.13 transfer-pricing; funding-readiness preparation including due diligence, shareholder agreements, and investor-engagement coordination; appellate framework through Bölge Adliye Mahkemesi (istinaf), Yargıtay (temyiz), and AYM bireysel başvuru — with English-language client communication and bilingual documentation throughout each engagement. Files in this area are typically led personally by the managing partner rather than delegated.

Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.

He advises foreign SaaS companies, Turkish SaaS companies, foreign legal counsel, family offices, foreign institutional investors, and multinational technology participants on Turkish SaaS regulatory matters under the 6698 sayılı Kişisel Verilerin Korunması Kanunu (KVKK / Personal Data Protection Law) covering m.3 (tanımlar / definitions), m.4 (genel ilkeler / general principles), m.5 (kişisel verilerin işlenme şartları / processing conditions), m.6 (özel nitelikli kişisel veriler / special-category personal data), m.9 (yurtdışına aktarım / cross-border transfer — substantially reformed by the 7499 sayılı Kanun effective 1 June 2024 introducing structured adequacy-decision (yeterlilik kararı by KVK Kurulu), appropriate-safeguards (uygun güvenceler including BCR / Bağlayıcı Şirket Kuralları and standart sözleşme maddeleri / standard contractual clauses), and exceptional-circumstances (istisnai haller) pathways), m.10 (aydınlatma yükümlülüğü / information obligation), m.11 (ilgili kişinin hakları / data subject rights), m.12 (veri güvenliği yükümlülüğü / data security obligation with 72-hour breach notification to KVK Kurumu), m.13 (başvuru hakkı / right to apply with 30-day response deadline), m.14 (Kurula şikayet / Authority complaint), m.15 (Kurulun re'sen incelemesi / ex officio investigation), m.16 (VERBİS / Veri Sorumluları Sicili registration), and m.18 (kabahatler / administrative fines); the 5846 sayılı Fikir ve Sanat Eserleri Kanunu (FSEK / Intellectual and Artistic Works Law) including m.2/I-1 (bilgisayar programları as eser — software protected as copyright work, not patent), m.13 vd. (manevi haklar / moral rights), m.20 vd. (mali haklar / economic rights), m.38 (limited reverse-engineering exceptions), m.66 vd. (civil enforcement with maddi ve manevi tazminat), and m.71 vd. 
(criminal enforcement); the 5651 sayılı İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (İnternet Kanunu) governing yer sağlayıcı (hosting provider), içerik sağlayıcı (content provider), erişim sağlayıcı (access provider), and toplu kullanım sağlayıcı (collective use provider) framework with takedown procedures and Bilgi Teknolojileri ve İletişim Kurumu (BTK) coordination, including 2020 reform under m.4/2-3 introducing Turkish-representative requirements for foreign social network providers with 1-million daily-user threshold; the 6563 sayılı Elektronik Ticaretin Düzenlenmesi Hakkında Kanun (E-Ticaret Kanunu) including m.3 (ön bilgilendirme / preliminary information) and m.6 (ticari elektronik ileti / commercial electronic communication) with İYS (İleti Yönetim Sistemi) centralized opt-in management; the 6502 sayılı Tüketicinin Korunması Hakkında Kanun (Tüketici Kanunu) including Mesafeli Sözleşmeler Yönetmeliği (Distance Contracts Regulation) with 14-day cayma hakkı (withdrawal right) framework, tüketici hakem heyeti (consumer arbitration committee), and tüketici mahkemesi (consumer court) coordination; the 6098 sayılı Türk Borçlar Kanunu (TBK) including m.20-25 (genel işlem koşulları / standard-form analysis), m.27 (kanuna ve ahlaka aykırılık / contract validity), m.28 (gabin / unconscionability), m.30-39 (irade sakatlıkları / defects of consent), m.49 vd. (haksız fiil / tort), m.112-117 (borca aykırılık / breach including temerrüt), m.115 (sorumsuzluk anlaşması sınırları / liability-limitation exceptions for gross negligence and intentional breach), and m.136-138 (mücbir sebep / force majeure); the 6102 sayılı Türk Ticaret Kanunu (TTK) including m.4 (ticari iş), m.5 (Asliye Ticaret Mahkemesi jurisdiction), m.5/A (dava şartı arabuluculuk effective 1 January 2019), m.55 (haksız rekabet for trade secrets), m.329 vd. (anonim şirket framework), and m.573 vd. 
(limited şirket framework); the 6769 sayılı Sınai Mülkiyet Kanunu (SMK / Industrial Property Law) including m.4-25 (marka / trademark with TÜRKPATENT registration and 10-year renewable protection), m.82-176 (patent with 20-year protection and PCT coordination), and tasarım (design) protection; the 5237 sayılı Türk Ceza Kanunu (TCK) m.239 governing criminal sanctions for trade-secret disclosure (ticari sır, bankacılık sırrı, müşteri sırrı); the 5070 sayılı Elektronik İmza Kanunu governing nitelikli elektronik imza (qualified electronic signature) wet-signature equivalence framework; the 6493 sayılı Ödeme ve Menkul Kıymet Mutabakat Sistemleri Kanunu (Payment Systems Law) governing payment-services framework with TCMB (Türkiye Cumhuriyet Merkez Bankası) coordination; the 5549 sayılı Suç Gelirlerinin Aklanmasının Önlenmesi Hakkında Kanun (MASAK Law) governing anti-money-laundering compliance with MASAK (Mali Suçları Araştırma Kurulu) coordination including müşteri tanıma (KYC), şüpheli işlem bildirimi, eğitim ve iç kontrol, and kayıt tutma; the 4857 sayılı İş Kanunu governing employment framework including IP-assignment, confidentiality, and non-compete provisions; the 5510 sayılı Sosyal Sigortalar ve Genel Sağlık Sigortası Kanunu governing SGK framework; the 6325 sayılı Hukuk Uyuşmazlıklarında Arabuluculuk Kanunu and TTK m.5/A establishing dava şartı arabuluculuk; the 4686 sayılı Milletlerarası Tahkim Kanunu (MTK) supporting international arbitration with ISTAC (İstanbul Tahkim Merkezi under Law No. 
6570 effective 1 October 2014), ICC, LCIA, and broader institutional frameworks; the 5718 sayılı Milletlerarası Özel Hukuk ve Usul Hukuku Hakkında Kanun (MÖHUK) m.50-63 governing tanıma and tenfiz of foreign decisions with kesinleşmiş karar, karşılıklılık, and kamu düzeni requirements; the NY Convention 1958 with Turkey accession effective 25 September 1991 with reciprocity reservation; the 5520 sayılı Kurumlar Vergisi Kanunu including m.13 transfer-pricing framework; the 3065 sayılı Katma Değer Vergisi Kanunu including digital-services VAT framework; the 6100 sayılı Hukuk Muhakemeleri Kanunu (HMK) including m.341 vd. (istinaf effective 20 July 2016), m.361 vd. (temyiz), m.389-403 (ihtiyati tedbir), m.400 (delil tespiti), and m.407 vd. (domestic arbitration); the 6216 sayılı Anayasa Mahkemesinin Kuruluşu ve Yargılama Usulleri Hakkında Kanun m.45-49 governing AYM bireysel başvuru with 30-day filing period; the 1961 La Haye Konvansiyonu (Hague Convention on Apostille); and the 1512 sayılı Notarlık Kanunu m.71/A governing noter ihtarname framework. His advisory work covers structured company formation including anonim şirket vs limited şirket selection, ana sözleşme drafting, MERSİS registration coordination, vergi dairesi and SGK registration, foreign-shareholder structures with apostille and yeminli tercüman coordination, and shareholder-agreement architecture; software licensing including FSEK m.2/I-1 protection coordination, license-grant architecture (scope, territory, duration, exclusivity, sublicensing, transferability), use-restriction provisions, open-source-component analysis (GPL, MIT, Apache), update-and-modification frameworks, FSEK m.66 vd. civil enforcement, and FSEK m.71 vd. 
criminal enforcement coordination; comprehensive KVKK compliance including m.5-6 processing-condition analysis, m.9 post-2024 cross-border-transfer reform implementation including adequacy-decision monitoring, BCR design (Bağlayıcı Şirket Kuralları), standard contractual clauses (standart sözleşme maddeleri) implementation, and exceptional-circumstances analysis, m.10 aydınlatma metni drafting, m.12 data-security architecture with 72-hour breach notification protocols, m.16 VERBİS registration coordination, and m.18 idari para cezası analysis; internet content framework coordination under Law No. 5651 including provider classification, takedown-procedure implementation through BTK coordination, and m.4/2-3 representative-appointment analysis for applicable scenarios; e-commerce framework under Law No. 6563 including ön bilgilendirme architecture, ticari elektronik ileti compliance with İYS coordination; consumer protection under Law No. 6502 including Mesafeli Sözleşmeler Yönetmeliği compliance, 14-day cayma hakkı framework, kalıcı veri saklayıcısı confirmation, and tüketici hakem heyeti / tüketici mahkemesi coordination; B2B subscription agreement architecture including SLA design with uptime commitments and performance metrics, liability-cap structuring with TBK m.115 awareness, indemnification provisions for IP-infringement and data-breach scenarios, termination architecture with post-termination data-handling, KVKK-compliant DPA design, IP-ownership and license-grant provisions, force-majeure provisions under TBK m.136-138, and dispute-resolution coordination including TTK m.5/A mandatory mediation, MTK Law No. 
4686 international arbitration, and ISTAC institutional coordination; intellectual property protection coordination under FSEK and 6769 sayılı SMK including TÜRKPATENT trademark registration, Madrid Protocol coordination, PCT patent coordination, design protection, employment-IP-assignment framework under İş Kanunu, contractor-IP-assignment framework, founder-IP-assignment for investment scenarios, and trade-secret protection through TTK m.55, TCK m.239, NDA framework, and technical-protection coordination; cross-border coordination under MÖHUK Law No. 5718 m.50-63 including tenfiz şartları analysis, NY Convention 1958 international arbitral award recognition, and bilateral judicial assistance treaty coordination; MASAK Law No. 5549 compliance for fintech-adjacent SaaS scenarios including müşteri tanıma (KYC) framework, şüpheli işlem bildirimi, eğitim ve iç kontrol, and kayıt tutma with MASAK coordination; payment systems coordination under Law No. 6493 with TCMB coordination; electronic signature framework under Law No. 5070; tax framework integration including KDV (VAT) compliance, kurumlar vergisi with m.13 transfer-pricing analysis, and double-taxation-treaty coordination; funding-readiness preparation including due-diligence-readiness across corporate, commercial, IP, regulatory, employment, and financial documentation, investment-instrument analysis (equity, convertible debt, SAFE-equivalent), shareholder-agreement architecture (board composition, voting, pre-emption, drag-along, tag-along, exit), valuation analysis, and regulatory-approval coordination; appellate framework coordination through Bölge Adliye Mahkemesi istinaf, Yargıtay temyiz, and AYM bireysel başvuru; international arbitration coordination including ICC, ISTAC, LCIA, and broader institutional frameworks; documentary discipline including 1961 La Haye Konvansiyonu apostille and yeminli tercüman translation; mandatory mediation coordination under Law No. 
6325 and TTK m.5/A; and broader strategic positioning across both substantive and procedural frameworks supporting comprehensive SaaS regulatory outcomes.

Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022).