Turkish information technology law is not a single statute — it is a collection of overlapping legal frameworks that each impose specific obligations on technology businesses, and the failure to comply with any one framework can create simultaneous liability across multiple dimensions. The Law on Protection of Personal Data (Kişisel Verilerin Korunması Kanunu, KVKK, Law No. 6698) governs how personal data is collected, processed, transferred, and protected — with administrative fines up to ₺1,000,000 per violation category and the emerging prospect of criminal referral for intentional violations. The Law on Intellectual and Artistic Works (Fikir ve Sanat Eserleri Kanunu, FSEK, Law No. 5846) protects software as a literary work and creates specific copyright, licensing, and enforcement frameworks for software developers and technology companies. The Law on the Regulation of Electronic Commerce (Elektronik Ticaretin Düzenlenmesi Hakkında Kanun, Law No. 6563) and its implementing regulation impose specific disclosure, consent, and registration obligations on e-commerce operators including the mandatory ETBIS registration with the Ministry of Trade. The Payment Services and Electronic Money Law (Law No. 6493) and the Central Bank of Turkey's regulatory framework govern payment services and electronic money issuance, while the 2024 Law on the Markets in Crypto Assets brought crypto asset service providers under SPK supervision. The Turkish Penal Code (Türk Ceza Kanunu, TCK) creates criminal liability for unauthorized computer access, data interference, and other cybercrime categories. Understanding which framework applies to any given technology business — and where the frameworks overlap — is the foundation of effective Turkish IT law representation. Practice may vary by authority and year — verify current regulatory requirements under each applicable framework directly with the relevant Turkish authority before acting on any information on this page.
KVKK data protection — compliance and enforcement
A lawyer in Turkey advising on KVKK compliance must explain that the KVKK's compliance obligations operate on two parallel tracks: the substantive obligations (lawful basis for processing, purpose limitation, data minimization, storage limitation, data subject rights) and the procedural obligations (VERBİS registration, breach notification, data transfer restrictions, privacy notice requirements). Many technology companies focus on the substantive obligations and underestimate the procedural requirements — particularly the VERBİS registry obligation, which requires data controllers above defined size thresholds to register their data processing activities in the KVK Kurumu's (Turkish Data Protection Authority) online registry. A data controller that is subject to the VERBİS obligation but has not registered is exposed to administrative fines regardless of whether the underlying data processing is otherwise substantively compliant. We conduct KVKK compliance assessments that specifically address both tracks — mapping processing activities against the substantive obligations and confirming VERBİS registration status as a parallel compliance obligation. Practice may vary by authority and year — verify current KVK Kurumu VERBİS registration thresholds and the specific data processing category descriptions required in the registry before completing any VERBİS registration for a technology company.
An Istanbul Law Firm advising on cross-border data transfers must explain that KVKK Article 9 prohibits transfers of personal data outside Turkey without either explicit consent of the data subject; a KVK Kurumu determination that the destination country provides adequate protection; or use of a binding commitment mechanism (taahhütname) approved by the KVK Kurumu. The KVK Kurumu's list of adequate countries does not currently include most major technology processing destinations — meaning that explicit consent or the binding commitment mechanism must be used for transfers to common cloud and processing jurisdictions. The binding commitment approval process can take several months and requires a formal application. For technology companies that process Turkish users' data on servers outside Turkey, or that transfer data to foreign group companies, third-party processors, or cloud providers, this cross-border transfer restriction is one of the most operationally impactful KVKK compliance obligations. GDPR Standard Contractual Clauses are not automatically sufficient for Turkish law — a Turkish law equivalent binding commitment must be separately approved by the KVK Kurumu. Practice may vary by authority and year — verify the current KVK Kurumu list of adequate countries and the specific binding commitment approval procedures before structuring any cross-border personal data transfer architecture.
A law firm in Istanbul advising on KVKK enforcement defense must explain that the KVK Kurumu's enforcement activity includes both ex officio investigations and complaint-based investigations where data subjects or competitors file formal complaints. For technology companies that receive a KVK Kurumu investigation notification, the response strategy is critical — because the authority's first request typically asks for documentation (processing records, VERBİS registration, breach notification history, data subject rights response records) that the company either has or does not have. A company that receives an investigation and discovers at that point that its VERBİS registration is incomplete or its data subject rights responses are undocumented faces both the original violation and aggravated circumstances from responding without adequate documentation. The KVK Kurumu's administrative fines are assessed per violation category — a single incident can trigger multiple concurrent fines if multiple KVKK obligations were simultaneously violated. We advise technology companies on building the KVKK compliance documentation infrastructure before any investigation is initiated, creating the records that will be needed in an enforcement context as a matter of ordinary compliance practice. Practice may vary — verify current KVK Kurumu investigation procedures and the specific documentation categories most frequently requested in KVKK investigations before building any KVKK compliance program.
Software copyright, licensing, and IP protection
An English-speaking lawyer in Turkey advising on software copyright in Turkey must explain that Turkish law protects software as a literary work under FSEK — and this protection attaches automatically upon creation, without any registration requirement. For software developed within an employment relationship, FSEK Article 18 provides that the employer acquires the property rights (malvarlığı hakları) to work-for-hire software as of the employment relationship, provided the software was developed in connection with the employee's duties or based on the employer's instructions. This employer ownership provision is more automatic than in some other jurisdictions — but it requires careful structuring where software is developed by contractors rather than employees, because the contractor exception to the work-for-hire rule means that contractor-developed software may remain owned by the contractor unless specifically assigned by contract. For software development companies that use a combination of employees and external freelancers or development companies, a clear understanding of which work product is automatically owned by the employer and which requires a specific contractual assignment is essential before any product launch. Practice may vary — verify current Turkish court interpretation of FSEK Article 18 work-for-hire scope and the specific assignment language required for valid contractor software copyright transfer before finalizing any software development agreement.
A Turkish Law Firm advising on software licensing agreements under Turkish law must explain that a Turkish software license agreement must comply with FSEK's provisions on scope, form, and limitations of copyright licenses. Key FSEK requirements include: the principle that licenses are interpreted narrowly (a license for a specific use does not extend to related uses unless explicitly stated); the requirement that exclusive licenses for significant rights be in writing to be enforceable; and the restrictions on the assignment of moral rights (kişilik hakları), which cannot be transferred even in an employment context. For software licensing agreements localized from international templates, these FSEK-specific requirements can create enforceability gaps where the international template assumes a legal framework that FSEK does not provide — particularly for sublicense rights, scope-of-use restrictions, and open-source compatibility provisions. A SaaS agreement that does not specifically address FSEK's scope-of-use rules may grant the customer more rights than intended, or fewer rights than the commercial relationship requires. We draft and review software licensing agreements with specific attention to FSEK compliance in areas where the standard international template approach does not translate directly to Turkish law. Practice may vary — verify current Turkish court software license interpretation standards and the specific FSEK writing requirement applicable to exclusive licenses before finalizing any software licensing agreement.
A lawyer in Turkey advising on software copyright enforcement must explain that Turkish law provides both civil and criminal remedies for software copyright infringement. The criminal route (TCK provisions on copyright violation, supplemented by FSEK criminal provisions) can produce faster preliminary evidence seizures than the civil litigation route in many infringement cases — a criminal complaint with the public prosecutor can trigger searches that make the infringer's unauthorized copies accessible to the rights holder more quickly than civil discovery processes. The civil route provides compensation including statutory damages under FSEK and restitution of the infringer's profits, but proceeds more slowly. For technology companies facing ongoing infringement (for example, an unlicensed competitor using the rights holder's proprietary codebase), the combination of criminal complaint for evidence preservation and civil preliminary injunction (ihtiyati tedbir) for cessation of use provides the most comprehensive immediate protection. Turkish commercial courts can grant preliminary injunctions on an expedited ex parte basis in urgent IP cases. Practice may vary — verify current FSEK criminal infringement provisions and the specific civil preliminary injunction standards applicable to software copyright infringement before selecting any enforcement strategy.
IT contracts — SaaS, development, and cloud agreements
An Istanbul Law Firm advising on SaaS agreements under Turkish law must explain that a SaaS agreement for the Turkish market must address the specific Turkish law requirements that affect enforceability and compliance: KVKK obligations for the SaaS provider as a data processor (veri işleyen) where the customer's users' personal data is processed on the SaaS platform; FSEK provisions governing the access rights license to the SaaS software; Turkish Consumer Protection Law (TKHK) disclosure and 14-day withdrawal right requirements for B2C subscribers; and the Turkish Code of Obligations (TBK) mandatory minimum liability floors that cannot be contractually reduced for intentional and gross negligence. A SaaS template designed for the international market may not address these Turkish-specific requirements — and a SaaS provider serving Turkish enterprise customers using an unlocalized template creates compliance risk for itself (KVKK processor obligations) and enforceability risk for its customers (inadequate data processing agreement). We localize SaaS agreements for Turkish market deployment with specific attention to the KVKK processor obligations, the applicable liability floor under TBK, and the FSEK license scope. Practice may vary — verify current KVK Kurumu data processor agreement requirements and the specific TBK liability limitation standards applicable to commercial IT service agreements before finalizing any SaaS agreement for the Turkish market.
A law firm in Istanbul advising on software development agreements must explain that a Turkish software development contract must specifically address the intellectual property ownership questions that will determine whether the commissioning party actually owns the software built for them. Under FSEK Article 18, the work-for-hire provision applies to employees — but a Turkish software development company engaged as an independent contractor does not automatically transfer copyright to the customer. The customer's ownership of the commissioned software requires a specific written assignment clause identifying the works being assigned, the assignment consideration, and the scope of the assignment. Without this specific assignment language, the development company retains copyright in the software and the customer holds only a license, the scope of which is determined by the contract's implied terms. For customers commissioning bespoke software development from Turkish developers, the copyright ownership analysis is the most commercially critical element of the contract — because ownership determines who controls the codebase if the relationship breaks down or the development company is later acquired. Practice may vary — verify current Turkish court standards for software copyright assignment validity and the specific written form requirements under FSEK before finalizing any software development agreement with a Turkish developer.
An English-speaking lawyer in Turkey advising on cloud service agreements must explain that cloud computing agreements involving Turkish data subjects' personal data require attention to three overlapping legal layers: KVKK's cross-border transfer restrictions (which may require KVK Kurumu-approved binding commitments for data stored on servers outside Turkey); BDDK requirements for financial institutions (which impose specific Turkish server localization requirements for certain financial data categories); and BTK requirements for electronic communications service providers (which impose specific data retention and localization requirements for communication data). For a cloud service provider serving Turkish enterprise customers in regulated industries — banking, insurance, healthcare, telecoms — the cloud agreement must specifically address each of these layer-specific requirements. The standard cloud provider's data processing addendum addresses GDPR requirements but may not address the Turkish-specific compliance layers, creating gaps that the Turkish customer's counsel must identify and negotiate. We advise both cloud service providers and their Turkish enterprise customers on the compliance obligations that must be reflected in the cloud service agreement, the data processing addendum, and any supplementary Turkish law exhibits. Practice may vary by authority and year — verify current BTK cloud service requirements and the specific BDDK data localization standards applicable to the customer's industry before finalizing any cloud service agreement for a Turkish regulated industry customer.
Cybersecurity law and incident response
A Turkish Law Firm advising on cybersecurity legal obligations must explain that Turkish cybersecurity law operates through several overlapping frameworks: TCK Articles 243–246 create criminal liability for unauthorized access to computer systems (bilişim sistemlerine izinsiz girme), data interference (verileri bozma, yok etme veya değiştirme), and obstruction of systems (sistemi engelleme) — with imprisonment terms for serious violations; KVKK Article 12 requires data controllers to implement technical and administrative security measures and to notify the KVK Kurumu of security breaches within 72 hours of discovery; BTK regulations impose specific security requirements on electronic communications service providers and platform intermediaries; and the National Cybersecurity Authority (USOM, under BTK) establishes incident reporting obligations for critical infrastructure operators. For technology companies operating across multiple of these frameworks simultaneously, the incident response protocol must be designed to satisfy all applicable notification and documentation obligations in the correct sequence and within the applicable deadlines. Practice may vary — verify current KVK Kurumu breach notification requirements and the specific USOM critical infrastructure incident reporting obligations applicable to the company's operations before designing any cybersecurity incident response protocol.
An Istanbul Law Firm advising on cybersecurity incident legal management must explain that the first 72 hours after a technology company discovers a data breach is the most legally consequential period — because KVKK's 72-hour KVK Kurumu notification deadline begins running from when the data controller's management becomes aware of the breach, and missing this deadline creates additional KVKK administrative liability on top of any liability for the breach itself. The 72-hour notification must contain specific information about the breach that may not be fully known within the first 72 hours — and the KVK Kurumu's guidance permits a preliminary notification supplemented later once additional facts are established. A company simultaneously managing a live security incident (containment, forensic investigation, system recovery) and trying to meet legal notification obligations needs a pre-established incident response protocol that separates the technical and the legal tracks. The legal team must receive timely notification from the technical team to enable legal notification deadlines to be met regardless of the status of technical remediation. We advise technology companies on incident response protocol design and provide in-the-moment legal support when actual incidents occur. Practice may vary — verify current KVK Kurumu breach notification content requirements and the specific preliminary notification format accepted before designing any cybersecurity incident response protocol.
A lawyer in Turkey advising on criminal liability exposure in cybersecurity incidents must explain that a technology company that suffers a data breach is not automatically criminally liable for the breach — the TCK cybercrime provisions create liability for the perpetrators of the attack. However, if the breach occurred because the company failed to implement basic security measures that KVKK Article 12 requires, the company's responsible managers may face criminal referral under KVKK's criminal liability provisions if the KVK Kurumu determines the breach resulted from a culpable failure to implement adequate security measures. Additionally, if a Turkish company's systems are used as a vector for attacks on third parties (for example, a compromised server distributing malware), the company may face civil liability claims from affected third parties under TBK general tort provisions. The practical risk management approach is to build the technical and organizational security measures that KVKK Article 12 requires into the company's operations as ordinary compliance practice — because the same measures that reduce KVKK administrative liability also reduce criminal and civil liability exposure in the event of a breach. The Istanbul Bar Association at istanbulbarosu.org.tr provides resources for identifying qualified practitioners. Practice may vary — verify current KVKK criminal liability provisions and the specific KVK Kurumu referral standards for management criminal liability in data breach cases before assessing any cybersecurity liability exposure.
E-commerce — compliance under Law No. 6563 and consumer protection
An English-speaking lawyer in Turkey advising on e-commerce compliance under Law No. 6563 must explain that the Law on the Regulation of Electronic Commerce and its implementing regulation create specific obligations for all businesses conducting commercial activities through electronic communications — including mandatory pre-contract information disclosure; mandatory consent management for commercial electronic messages through the İYS (İleti Yönetim Sistemi) registry; mandatory 14-day withdrawal right for B2C distance contracts; and mandatory ETBIS (Electronic Commerce Information System) registration for operators above defined annual transaction thresholds. The İYS requirement means that companies sending commercial SMS or email campaigns must register the underlying consents in the centralized registry and provide an İYS-accessible opt-out mechanism — a company that maintains its own consent records without İYS registration is not compliant under current Law No. 6563 requirements. The ETBIS registration is a Ministry of Trade administrative requirement that is not visible to end users but is checked in regulatory audits — an operator above the threshold that is not registered faces administrative fines. Practice may vary by authority and year — verify current Law No. 6563 ETBIS registration thresholds and the specific İYS commercial message consent registration requirements before designing any e-commerce operator's compliance framework for the Turkish market.
A Turkish Law Firm advising on marketplace platform liability under Law No. 6563's 2022 amendment must explain that the amendment created a specific regulatory category of "large-scale electronic commerce intermediary service provider" (büyük ölçekli aracı hizmet sağlayıcı) for marketplace platforms above defined transaction volume thresholds — with enhanced obligations including non-discrimination requirements for sellers, data sharing obligations, algorithmic transparency, and restrictions on the platform's own commercial activities that compete with sellers on its marketplace. These platform-specific obligations are modeled partly on the EU Digital Markets Act framework. For smaller marketplaces below the large-scale threshold, the standard Law No. 6563 intermediary service provider obligations apply — primarily content moderation and notification obligations for illegal content, and seller onboarding compliance requirements. A marketplace platform that grows above the large-scale threshold without updating its compliance program faces retroactive administrative liability for the period during which it was above the threshold without the required compliance measures in place. We advise both large-scale and standard-scale marketplace platforms on the Law No. 6563 compliance obligations applicable to their transaction volume category. Practice may vary — verify current Law No. 6563 large-scale intermediary threshold amounts and the specific compliance obligations triggered by each threshold level before designing any marketplace platform's Turkish legal compliance framework.
A lawyer in Turkey advising on digital advertising compliance must explain that digital advertising in Turkey is subject to multiple overlapping regulatory frameworks: the Advertisement Board (Reklam Kurulu) of the Ministry of Trade regulates deceptive advertising, comparative advertising, and specific product category restrictions (alcohol, tobacco, medicine, financial services); BTK regulates online advertising related to electronic communications services; and KVKK regulates behavioral advertising and the use of cookies and tracking technologies for advertising purposes. For technology companies that monetize through digital advertising, the advertising compliance framework requires addressing all three layers: the Reklam Kurulu rules governing content; the KVKK rules governing consent for behavioral advertising targeting; and the Law No. 6563 rules governing consent for commercial messages. The intersection of these frameworks with programmatic advertising networks, social media platform advertising APIs, and retargeting systems creates a compliance architecture that must be specifically designed for the company's advertising technology stack. Practice may vary — verify current Reklam Kurulu guidelines applicable to the specific product or service category and the current KVK Kurumu guidance on cookie-based behavioral advertising consent before designing any digital advertising compliance framework for a Turkish market operation.
Fintech law — payment services, crypto, and AML compliance
An Istanbul Law Firm advising on payment services licensing in Turkey must explain that any company providing payment services or issuing electronic money in Turkey must obtain a license from the Central Bank of Turkey (TCMB) under Law No. 6493 on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions. The license categories include payment institution (ödeme kuruluşu) licenses for companies providing payment initiation, account information, or money transfer services, and electronic money institution (elektronik para kuruluşu) licenses for companies issuing electronic money or operating digital wallets. The licensing process requires demonstrating minimum capital, submitting a detailed business plan and compliance program, passing TCMB fit-and-proper review of shareholders and management, and establishing the technical infrastructure for payment processing. Providing payment services without a license is a criminal offense under Law No. 6493, and the TCMB actively enforces unlicensed activity. The line between a technology fee processing service and a regulated payment service is not always clear in practice — many technology companies discover they require a license only after launch, at which point retroactive compliance is more complex and more costly. Practice may vary by authority and year — verify current Law No. 6493 minimum capital requirements and the specific licensing application documentation requirements with the TCMB before initiating any payment services business in Turkey.
A law firm in Istanbul advising on cryptocurrency exchange compliance must explain that the 2024 Law on the Markets in Crypto Assets (Kripto Varlık Piyasaları Kanunu) brought crypto asset service providers (kripto varlık hizmet sağlayıcıları) under the supervision of the Capital Markets Board (SPK) and imposed licensing, capital, operational, and AML compliance obligations on Turkish crypto exchanges and wallet providers. The 2024 law requires crypto asset service providers to obtain an SPK license before offering trading, storage, or transfer services to Turkish users. For AML compliance, crypto asset service providers are subject to MASAK (Financial Crimes Investigation Board) regulations requiring KYC (Know Your Customer) procedures, suspicious transaction reporting (STR), and transaction record retention. The TCMB's 2021 regulation prohibiting use of cryptocurrencies as payment instruments remains in force alongside the 2024 licensing regime — meaning that while crypto exchanges are now specifically licensed, the use of crypto as a payment medium for goods and services remains prohibited. We advise crypto asset service providers on the SPK licensing process, MASAK AML compliance program design, and ongoing compliance obligations. Practice may vary — verify current SPK crypto asset service provider licensing requirements and MASAK AML reporting obligations before designing any Turkish crypto exchange compliance program.
An English-speaking lawyer in Turkey advising on embedded finance and fintech-banking partnerships must explain that Turkish technology companies that want to offer financial services (lending, insurance, investment products) through their digital platforms without holding a financial services license typically do so through embedded finance partnerships with licensed Turkish banks or financial institutions — where the regulated institution provides the licensed service and the technology company acts as the distribution or customer interface channel. These embedded finance arrangements require careful structuring under the Banking Law (Bankacılık Kanunu) and Capital Markets Law (Sermaye Piyasası Kanunu) to ensure that the technology company's role does not inadvertently constitute unlicensed financial intermediation. Both laws prohibit unlicensed financial services activity, and the line between technology platform distribution and financial services intermediation is not always clear in practice. We advise technology companies on the legal characterization of their planned embedded finance arrangements and structure the contractual architecture to achieve the commercial objective within the licensed institution's regulatory perimeter. Practice may vary — verify current BDDK and SPK guidance on embedded finance arrangements and the specific activities that constitute regulated financial intermediation requiring licensing before finalizing any embedded finance product architecture. The Turkish crypto taxation framework, including the MASAK obligations for crypto platforms, is analyzed in the resource on crypto taxation in Turkey.
Technology disputes and IT litigation
A Turkish Law Firm advising on IT dispute resolution must explain that technology disputes in Turkey can proceed through commercial court litigation, arbitration (domestic or international under ICC, ISTAC, or UNCITRAL rules), or consumer arbitration boards (where the end user of a digital service is a consumer under TKHK). The choice of forum requires assessing: whether the parties have agreed on a dispute resolution mechanism; whether the dispute involves a consumer party (which may override a commercial dispute resolution clause); and what interim relief is available and effective in the chosen forum. For urgent IP infringement cases where immediate cessation of the infringing activity is required, Turkish commercial courts can grant preliminary injunctions (ihtiyati tedbir) on an expedited ex parte basis — and the ability to obtain a preliminary injunction quickly is often determinative of whether the rights holder can effectively stop the infringement before irreparable commercial damage occurs. For SLA violation and delivery failure disputes, the bilirkişi (court-appointed technical expert) process is typically the determinative evidentiary step — because the technical assessment of whether a deliverable was delivered, or whether an SLA metric was breached, requires expert evaluation. Practice may vary — verify current Turkish commercial court IT dispute procedure and the specific preliminary injunction standards applicable to software copyright and IT contract disputes before selecting any dispute resolution strategy.
An Istanbul Law Firm advising on evidence handling in technology disputes must explain that Turkish commercial court litigation involving technology disputes requires presenting technical facts in a format that the court can assess — which means translating technical evidence (server logs, code repositories, configuration records, system screenshots) into legally accessible form through expert testimony and documented authentication. A technology dispute where the evidence consists primarily of raw technical outputs that have not been properly documented, authenticated, and explained in legally accessible terms is a dispute where the stronger technical position may not produce the better legal result. We advise technology clients on evidence preservation and documentation from the moment a technology dispute is anticipated — ensuring that the technical evidence is preserved in a form that can be presented to a Turkish court and authenticated through the bilirkişi process. For disputes involving software functionality claims, development delivery failures, or system outage liability, the bilirkişi's technical assessment is typically determinative of the court's judgment, and the quality of the technical evidence submitted to the bilirkişi determines the quality of the assessment. Practice may vary — verify current Turkish commercial court bilirkişi appointment standards for technology disputes and the specific technical evidence format accepted before structuring any technology dispute evidence preparation strategy.
A lawyer in Turkey advising on IT contract dispute prevention must explain that the most cost-effective technology dispute management strategy is prevention — specifically, drafting IT contracts with dispute-prevention architecture that minimizes the scope of the most common technology disputes before they arise. The most frequently litigated issues in Turkish IT contracts are: software delivery timelines and scope creep (addressed by specific milestone definitions, change order procedures, and explicit scope-of-work documentation); SLA violation and credit calculation (addressed by specific SLA metrics, credit formulas, and exclusion conditions); software ownership and license scope (addressed by the IP ownership and assignment clauses); and post-contract data handling (addressed by specific data return, deletion, and certification obligations upon termination). A well-drafted IT contract that specifically addresses each of these areas — with concrete definitions, measurable standards, and clear consequences — dramatically reduces the scope of the most common technology disputes. TBK allows courts to reduce disproportionate liquidated damages provisions — so liquidated damages clauses must be calibrated to be enforceable rather than merely punitive. Practice may vary — verify current Turkish court interpretation standards for IT contract provisions and the specific enforceability conditions applicable to limitation of liability and liquidated damages clauses in Turkish IT agreements before finalizing any IT contract for commercial deployment.
How we work in Turkish IT law mandates
A lawyer in Turkey managing an information technology law mandate begins with a legal landscape mapping exercise — identifying which of the overlapping Turkish IT law frameworks applies to the client's specific operations (KVKK, FSEK, Law No. 6563, Law No. 6493, TCK, BTK regulations, MASAK, and any sector-specific regulations), and where there are gaps between what the client's current practices assume and what Turkish law actually requires. For international technology companies entering the Turkish market, this mapping exercise frequently reveals that their standard global compliance programs, designed primarily for GDPR or US law, have specific gaps in the Turkish context — particularly on KVKK cross-border transfer restrictions, ETBIS registration, Law No. 6493 payment service licensing thresholds, and Turkish software copyright specifics. For Turkish technology companies that have grown rapidly and whose legal infrastructure has not kept pace with the company's size, the mapping exercise identifies the compliance obligations that the company's current scale has triggered (VERBİS registration, large-scale marketplace obligations, MASAK AML program requirements) but that have not yet been implemented.
ER&GUN&ER represents technology companies, software developers, digital platforms, fintech operators, e-commerce businesses, and international technology clients in Turkish IT law matters — including KVKK compliance programs, VERBİS registration, cross-border transfer mechanism implementation, breach response management, KVKK enforcement defense, software copyright licensing and enforcement, IT contract drafting and negotiation (SaaS, development, cloud, data processing), e-commerce Law No. 6563 compliance, Law No. 6493 payment services licensing, MASAK AML compliance, SPK crypto asset service provider licensing, cybercrime defense, and IT dispute resolution. We work in English throughout all international mandates. For the comprehensive KVKK compliance framework applicable to all data controllers in Turkey — including the VERBİS registration process, data subject rights management, and the KVK Kurumu enforcement framework — see the resource on information technology lawyer Turkey. For the Turkish crypto tax and MASAK compliance framework — see the resource on crypto taxation Turkey. Practice may vary — check current guidance before acting on any information on this page.
Frequently Asked Questions
- What is KVKK and who does it apply to? KVKK (Law No. 6698) is Turkey's personal data protection law, applicable to any data controller that processes the personal data of individuals in Turkey — including foreign companies that process Turkish users' data. Key obligations include: lawful basis for processing, VERBİS registry registration above defined thresholds, cross-border transfer restrictions, data subject rights management, and 72-hour breach notification to the KVK Kurumu. GDPR compliance does not automatically satisfy KVKK — the two laws have divergent requirements on cross-border transfers and the VERBİS registration obligation. Practice may vary — verify current KVK Kurumu VERBİS thresholds before any compliance program design.
- What is VERBİS and is registration mandatory? VERBİS (Veri Sorumluları Sicil Bilgi Sistemi) is the KVK Kurumu's data controllers registry where qualifying data controllers must register their processing activities, purposes, data categories, retention periods, and transfer destinations. Registration is mandatory for data controllers above defined size thresholds (employee count and annual turnover). Failure to register is an independent KVKK violation regardless of substantive compliance. Practice may vary — verify current VERBİS registration thresholds and deadlines with the KVK Kurumu.
- Can Turkish companies transfer personal data outside Turkey? Only with specific legal basis: explicit data subject consent; a KVK Kurumu determination that the destination country provides adequate protection (the current adequate countries list is limited); or a KVK Kurumu-approved binding commitment mechanism (taahhütname). GDPR Standard Contractual Clauses are not automatically sufficient for Turkish law — a Turkish law equivalent must be specifically approved by the KVK Kurumu through a separate approval process. Practice may vary — verify current KVK Kurumu cross-border transfer mechanism status before any cross-border data transfer architecture decision.
- Who owns software created by a Turkish development company? Under FSEK Article 18, software created by employees in connection with their duties is owned by the employer (work-for-hire). Software created by independent contractors or third-party development companies is owned by the creator unless specifically assigned by written agreement. A commissioning company that does not include a specific copyright assignment clause in its development contract may not own the software built for it. Ensure all development agreements include a specific, written FSEK-compliant copyright assignment clause with identified works and stated consideration.
- What is ETBIS and when must an e-commerce operator register? ETBIS (Electronic Commerce Information System) is the Ministry of Trade's registry for e-commerce operators in Turkey. Registration is mandatory for operators above defined annual transaction volume thresholds under Law No. 6563. The registration requires submitting information about the platform, its operators, and its transaction volumes. Failure to register results in administrative fines. Practice may vary — verify current Law No. 6563 ETBIS registration thresholds before assessing any e-commerce operator's registration obligation.
- Is a payment services license required in Turkey? Yes — providing payment services (payment initiation, account information, money transfer) or issuing electronic money in Turkey requires a TCMB license under Law No. 6493. Operating without a license is a criminal offense. The license requires minimum capital, a detailed compliance program, and TCMB fit-and-proper review. Many technology fee models are close to the regulated payment services boundary — verify the characterization of the specific business model with the TCMB before launch. Practice may vary — verify current Law No. 6493 licensing requirements directly with the TCMB.
- Are cryptocurrency exchanges regulated in Turkey? Yes — as of the 2024 Law on the Markets in Crypto Assets, crypto asset service providers (exchanges, wallet providers) are licensed and supervised by the SPK. They are also subject to MASAK AML requirements including KYC, suspicious transaction reporting, and record retention. Operating without an SPK license is prohibited. The 2021 TCMB prohibition on using crypto as payment for goods and services remains separately in force. Practice may vary — verify current SPK crypto asset service provider licensing requirements before any Turkish crypto exchange business design.
- What is the 72-hour breach notification requirement under KVKK? KVKK Article 12 requires data controllers to notify the KVK Kurumu of personal data breaches within 72 hours of the data controller's management becoming aware of the breach — not from when the IT department first detects the issue. The notification must include specific information about the breach scope, affected data categories, and remediation measures. A preliminary notification supplemented by later details is acceptable. Missing the 72-hour deadline creates additional KVKK administrative liability independent of the breach itself.
- What are the criminal consequences for cybersecurity violations under Turkish law? TCK Articles 243–246 create criminal liability for unauthorized computer access (imprisonment up to 3 years), data interference (imprisonment 6 months to 3 years), and system obstruction (imprisonment 1 to 5 years). These criminal provisions protect against external attackers and internal security failures by company personnel. KVKK also provides for criminal referral of company managers where a breach resulted from culpable failure to implement required security measures under KVKK Article 12.
- What are the specific Turkish requirements for SaaS agreements? Turkish SaaS agreements must address: KVKK data processor obligations (between the SaaS provider as processor and the customer as controller); FSEK software license scope (specific access rights, territorial limits, sublicense restrictions); Turkish Consumer Protection Law 14-day withdrawal right for B2C subscribers; and TBK mandatory liability floors (cannot contractually exclude liability for intentional conduct or gross negligence). Standard international SaaS templates may not address these Turkish requirements. Practice may vary — verify current KVK Kurumu data processing agreement requirements before finalizing any Turkish market SaaS agreement.
- What is the İYS and why is it important for digital marketing? The İleti Yönetim Sistemi (İYS) is Turkey's central registry for commercial electronic message consent under Law No. 6563. Companies that send commercial SMS, email, or automated call campaigns must register consents in the İYS and provide an İYS-accessible opt-out mechanism. Maintaining consent records outside the İYS without İYS registration does not satisfy current Law No. 6563 requirements. Sending commercial messages without valid İYS-registered consent is subject to administrative fines from the Ministry of Trade. Practice may vary — verify current İYS registration and consent management requirements before any commercial messaging program launch in Turkey.
- Can I sue a software developer in Turkey for delayed delivery? Yes — a software development contract is a service agreement under Turkish TBK, and a developer who misses delivery milestones defined in the contract is in breach. Remedies include specific performance, contract termination, and damages (actual damages for provable losses, plus any liquidated damages specified in the contract). TBK allows courts to reduce disproportionate liquidated damages provisions. Expert bilirkişi evidence on the deliverable's status and the delay's commercial impact is typically required in Turkish commercial court proceedings. Practice may vary — verify current Turkish court standards for software delivery breach claims before initiating any developer dispute.
- What is BTK and what does it regulate for technology companies? BTK (Bilgi Teknolojileri ve İletişim Kurumu) regulates electronic communications services, internet access providers, content hosting platforms, and certain digital services including large social media platforms above defined user thresholds. BTK obligations for large social media platforms include local representative appointment, data localization for Turkish users' data, and content moderation requirements. Electronic communications service providers are subject to BTK licensing and operational requirements separate from the KVKK compliance framework. Practice may vary — verify current BTK platform obligations for the relevant platform type and user threshold before assessing any platform's Turkish regulatory compliance requirements.
- What are the specific IP protections for software in Turkey? Software is protected as a literary work under FSEK from the moment of creation, without registration. The author (or employer under the work-for-hire provision) holds both moral rights (which cannot be transferred) and property rights (which can be licensed or assigned). Software patents are not available in Turkey — computer programs are excluded from patentability under Turkish patent law. Trade secret protection is available under TBK for confidential technical information subject to reasonable confidentiality measures. Trademark protection for software product names and logos is available through the Turkish Patent and Trademark Office (TÜRKPATENT). Practice may vary — verify current FSEK software copyright scope and the specific protection mechanisms available for different types of software IP in Turkey.
- Do you handle cross-border technology transactions? Yes — we advise international technology companies entering the Turkish market, Turkish technology companies expanding internationally, and cross-border IT contracts between Turkish and foreign parties. We coordinate with foreign counsel where parallel jurisdictions apply, provide Turkish law opinions for international transactions, and manage the Turkish law elements of multi-jurisdictional technology deals including KVKK-GDPR alignment, Law No. 6493-PSD2 compatibility analysis, and Turkish software copyright interaction with other IP regimes. We work in English throughout all international mandates.
Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.
He advises technology companies, digital platforms, fintech operators, and international technology clients across KVKK Data Protection Law, FSEK Software Copyright, Law No. 6563 E-Commerce Compliance, Law No. 6493 Payment Services, MASAK AML Compliance, IT Contract Drafting, Cybersecurity Law, and Technology Dispute Resolution matters where multi-framework regulatory coordination is decisive.
Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022).


