This country-specific Q&A provides an overview to technology laws and regulations relevant in Turkey.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the technology market.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
The Electronic Communications Law No. 5809, (“ECL”) and the Regulation on the Authorization in the Electronic Communication Sector (“Authorization Regulation”) are two main laws which govern the authorisation regime in Turkish telecommunications sector.
The ECL defines:
electronic communication as "the transmission, exchange and receiving of all kinds of signals, symbols, sounds, images and data which could be converted into electrical signals, by means of cable, radio, optic, electric, magnetic, electromagnetic, electrochemical, electromechanical and other types of transmission systems".
electronic communication infrastructure as “all kinds of network components, relevant facilities and the supplementary elements including switching equipment, hardware and software, terminals and lines; over or by which the electronic communications is provided”
As explained below under the relevant sections, providing electronic communication service and/or operating an electronic communication infrastructure is subject to authorization requirements. Also, we may state that there is no specific legislation or definition on the regulation of OTT services under the ECL.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The main three regulatory institutions for telecommunications in Turkey are:
- Ministry of Transport and Infrastructure (“Ministry”): The Ministry is responsible for policy making for telecommunications.
- Information and Communications Technologies Authority (“ICTA”): ICTA is responsible for the regulation of the telecommunications sector. The ICTA is an independent institution and is not under the authority of any other body. It has the authority to enact regulations, by-laws, communications and other secondary regulations pertaining to the authorisations granted by the Electronic Communications Law. The ICTA is also authorised to carry out activities for the protection of competition in the telecommunications sector. ICTA's functions further include:
- conducting operations for determining, listening and recording communications made via telecommunications;
- evaluating and recording signal information within the scope of the related legislation;
- transmitting the data and the information obtained from the above activities to the National Intelligence Organisation, the General Directorate of National Police, and the General Command of Gendarmerie (depending on the relevance of the subject), or the courts and the republic prosecutor offices upon request.
- conducting activities to prevent internet activities and broadcasting which contains content considered criminal under the Internet Law. The ICTA can also take the necessary measures provided under the Internet Law regarding blocking access to internet.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
Yes, there are restrictions on foreign ownership of telecom operators. The principles and procedures regarding the authorisation of electronic communication services, networks and infrastructure are set out in both the ECL and the Authorisation Regulation.
Under the Electronic Communications Law, the applicant company must be founded under the legal status of either a joint stock company or limited company under the laws of the Republic of Turkey. This condition may be considered a restriction on foreign companies entering the telecommunications. Foreign companies can therefore only be founders or shareholders of companies incorporated subject to Turkish laws.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
Yes. Whether an operator is required to give access to its network or infrastructure depends on the level of market competition in the relevant market. Telecommunication operators that are identified as entities with significant market power in a determined market can be subject to certain pre-determined obligations under ECL and the Regulation on Access and Interconnection. Therefore, after conducting some market analysis, the ICTA can impose any of the following obligations on telecommunications operators with significant market power:
- The provision of access and/or interconnection.
- The publication of reference access and/or interconnection offers.
- Facility sharing.
The ICTA can impose an obligation on the operator to meet the other operators' requests for access if it considers that an operator with significant market power in the relevant market would hinder the emergence of a competitive market by either:
- Denying another operator's access request.
- Imposing unreasonable terms and conditions.
Operators obliged to provide access to other operators must unbundle the network in a way that enables access to transmission, switching and interfaces, requested from them. The ICTA determines the scope of obligation of providing unbundled access to all network elements, including the local loop.
What are the principal consumer protection regulations that apply specifically to telecoms services?
Operators must take all necessary measures concerning the establishment and enforcement of contracts signed in electronic environments and provides that the ICTA is authorised to determine the principles and procedures concerning such contracts. Additionally, operators are obliged to provide an original copy of the telecommunication subscription contract to the subscriber either in physical or electronic environments, in accordance with the establishment of the relevant contract. Operators are obliged to provide some information such as their trade name, address, service details, general terms and conditions for the service provision, on their website. Also, subscription contracts need to have minimum content as provided under the customer regulation.
On 28 October 2017, ICTA published the Regulation on Consumer Rights in the Electronic Communications Sector, specifying consumers' rights and principles and procedures to be followed by operators. Articles 7(1) and 7(9) of the regulation, allowing subscription contracts to be made in electronic environments, entered into force as of the publication date.
What legal protections are offered in relation to the creators of computer software?
Under the Law on Intellectual and Artistic Works numbered 5846, the following rights are granted to the creators of computer software (Computer software cannot be patented in Turkey):
- economic rights:
- right of adaptation, i.e. preparing derivative works, reproduction, distribution, performance
- communication to the public i.e. public performance and public display
- the moral rights
- disclose the Work to the public,
- designate the name of the Work, prohibition of modification and the rights against the possessors and proprietors.
- economic rights:
Do you recognise specific intellectual property rights in respect of data/databases?
Yes. Databases are considered as collections and are afforded similar protections to intellectual and artistic works under Article 6 of Law on Intellectual and Artistic Works numbered 5846. The protection afforded with regards to databases are the same as those afforded to any intellectual and artistic works under the same law. However, the protection cannot be extended to the data and materials contained within the database.
Additionally, makers of the databases (i.e. those who has made qualitatively and/or quantitatively substantial investment in either creation, verification or presentation of the contents) shall have the right of permitting or prohibiting;
a) Permanent or temporary transfer to another medium by any means and in any form,
b) Distribution or sale, rental or communication to the public in any way,
of all or a substantial part of the content of the database contents with the exceptions specified in the Law on Intellectual and Artistic Works and required by purposes of public security and administrative and judicial procedures.
The term of protection granted to the maker of a database is 15 years from the date of publication the database.
What key protections exist for personal data?
The protection of personal data is recognized as a fundamental right under Article 20(3) of the Constitution of the Republic of Turkey as of its amendment in 2010. Law on Protection of Personal Data numbered 6698 (“DP Law”) which constitutes the main legislative instrument which specifying the principles and procedures concerning the processing and protection of personal data, has been published in the Official Gazette on 7 April 2016 and is in effect as of this date.
Additionally, data protection authority established by the DP Law, Personal Data Protection Board (Board) is currently active and has been regularly publishing secondary legislation of the DP Law as well as principle decisions and guidance documents concerning the application of the DP Law. Additionally, certain sector specific data protection rules are scattered under sector-specific laws.
The DP Law applies to all natural persons whose personal data are processed. All natural or legal persons processing personal data shall also be considered within the scope of the DP Law.
Article 5 of the DP Law lays down the conditions for conditions for processing of personal data: as a general principle, processing of personal data without obtaining the explicit consent of the data subject is prohibited. However, there are certain conditions provided by the DP Law under which the consent of the data subject shall not be required for the relevant data processing operation.
Accordingly, consent of the data subject is not necessary for lawful personal data processing where the data processing;
a) is expressly envisaged under law;
b) is necessary in order to protect the life or physical integrity of the data subject or another person in cases where the data subject is physically or legally incapable of giving consent;
c) is necessary for the conclusion or performance of a contract, provided that the processing is directly related to the parties of the contract;
d) is necessary for compliance with a legal obligation to which the data controller is subject;
e) shall be conducted on information that has already been revealed to the public by the data subject;
f) is necessary for the establishment, exercise, or protection of a right;
g) is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject shall not be overridden.
Lastly, according to Article 11 of the DP Law, data subjects are entitled to the following rights;
- learn whether personal data relating to him/her are being processed,
- request further information if personal data relating to him/her are being processed,
- learn the purpose of the processing of personal data and whether data are being processed in compliance with such purpose
- learn the third-party recipients to whom the data are disclosed within the country or abroad,
- request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data is transferred,
- request deletion or destruction of data in the event that the data is no longer necessary in
- relation to the purpose for which the personal data was collected, despite being processed in accordance with the Law and other applicable laws and request such process to be notified to third persons to whom personal data is transferred,
- object to negative consequences resulting to from an analysis conducted exclusively by automated systems,
- demand compensation for the damages suffered as a result of an unlawful personal data processing operation.
Are there restrictions on the transfer of personal data overseas?
The article 9 of Law on Protection of Personal Data numbered 6698 about the transfer of personal data abroad prohibits transfer of personal data without obtaining the explicit consent of the data subject. Nevertheless, second paragraph of the article 9 of the DP Law permits the transfer of personal data abroad without the data subject’s explicit consent where the following cumulative conditions are met:
- If one of the conditions set forth in the second paragraph of article 5 or third paragraph of article 6 is present and
- (i) The foreign country to which the personal data will be transferred has an adequate level of protection, or;
(ii) in case there is not an adequate level of protection, if the data controllers in Turkey and abroad undertake to provide an adequate level of protection in writing and the permission of the Data Protection Board exists.
On 17 May 2018 the Board have announced the minimum undertakings that must be given by the data controller residing in Turkey and the data processor to which the personal data will be transferred residing abroad.
What is the maximum fine that can be applied for breach of data protection laws?
The maximum monetary fine that can be sanctioned for a data breach is 1.000.000 Turkish Liras. Article 18 of the Law on Protection of Personal Data numbered 6698 lists several misdemeanors and the range of the administrative fines tied to them. Please see the table below:
BREACH OF DATA CONTROLLER’S OBLIGATIONS
(a) Breach of Obligation to Inform
– Data controllers are under the obligation to inform data subjects about the data processing activities.
(b) Breach of Data Security Obligations
– Data controllers are under the obligation to take all necessary technical and organizational measures to (i) prevent unlawful processing of personal data, (ii) prevent unlawful access to personal data and (iii) safeguard personal data.
(c) Failure to Comply with Decisions Given by the Board Under Article 15 of the Law
(ç) Failure to Register with or Notify the Data Controller Registry
In addition to the administrative fines, Turkish Criminal Code numbered 5237 lists certain crimes with regards to unlawful acts directly related to personal data between Article 135 and 140. Please see the table below for the list crimes and the range of imprisonment sanctions tied to them:
Unlawful Recording of Personal Data (Art. 135)
Unlawful delivery or acquisition of personal data (Art. 136)
Failure to destroy personal data even though the legal retention period has expired (Art. 138)
Are there any restrictions applicable to cloud-based services?
Although there is no omnibus legislation on cloud-based services several sector specific legislations include data localization requirements (i.e. certain data of the entities must be kept within the borders of the Turkey) which might hinder the use of cloud services by the actors in their corresponding sectors. The following examples can be given for such requirements:
- Financial Sector:
- Article 11/4 of the Regulation on Internal Systems of Banks and Evaluation Process for Efficiency of Internal Capital
- Article 5/2 of the Communiqué on the Principles to be Considered by Information Exchange, Clearing and Settlement Institutions for the Management of the Information Systems and Audit of the Work Flows and the Information Systems
- Article 16 of the Communiqué on the Management and Supervision of the Information Systems of Payment Institutions and Electronic Money Institutions.
- Article 23 of the Law on Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions.
- Fiscal Records:
- Article 6 of the Tax Procedural Law General Communique numbered 397
- Article 9(h) of the Tax Procedural Law General Communique numbered 433.
- General Communique on the E-Ledger numbered 1.
- Capital Markets:
- Article 26/1 of the Communiqué on Information System Management
- Article 50/7 of the Communiqué on the Principles of Establishment and Activities of the Investment Firms No. III-39.1
In addition to above, processing (including storing) of personal data is subjected to requirements under Law on Protection of Personal Data. Please refer to our answer under the question regarding “transfer of personal data overseas”.
- Financial Sector:
Are there specific requirements for the validity of an electronic signature?
Electronic signatures in Turkey are regulated by Law on Electronic Signatures Numbered 5070. For an electronic signature to be considered as a legal substitute for wet signature it must be considered as a “Secure Electronic Signature”. Secure Electronic Signatures are defined under the Law on Electronic Signatures as the electronic signature that
- is related only to the signor;
- is created by using secure electronic signature tool that is only at the possession and of the signor;
- can be used to verify the identity of the signor by relying on a “qualified electronic certificate” and
- can be used for detecting whether any subsequent alteration on a signed electronic data have been done.
“Qualified electronic certificates” can only be issued by Electronic Certificate Service Providers who are public or private institutions that are authorized and accredited by Information Technologies and Communications Authority to provides services in relation to the relevant certificates and electronic signatures.
On an additional note on foreign electronic signatures, Article 14 states that the legal consequences of electronic certificates issued by a foreign electronic certificate service provider established in a foreign country shall be determined by international agreements.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No. employees, assets or third-party contracts do not transfer automatically. Such outsourcing companies are considered as an ordinary third party contractor.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Currently there is no specific legislation regulating such issues. Therefore, general rules on liability under Turkish Law will be applicable. Causal link with the action (or the lack thereof), malfunction, and the loss/damage/injury will be the determining factor when attributing the criminal or legal liability.
What key laws exist in terms of obligations as to the maintenance of cyber security?
There is no catch-all cybersecurity legislation in Turkey, however there are sector specific legislations that regulates cybersecurity obligations for entities that are active in their respective sectors. These legislations include:
- Capital Markets: Communiqué on Information System Management (VII-128.9) and Communiqué on Independent Auditing of Information Systems
- Electronic Communications Sector: Regulation on Network and Information Security in Electronic Communications Sector
- Insurance Sector: The Regulation on Internal Systems of Insurance, Reinsurance and Pension Companies
- Energy Sector : The Regulation on Information Security in Industrial Control System Used in Energy Sector
- Banking Sector: The Regulation on Internal Systems and Internal Capital Adequacy Assessment Process
- Payment and Settlement Systems: The Communiqué on Information Systems of Payment and Settlement Systems
What key laws exist in terms of the criminality of hacking/DDOS attacks?
Section 10 of Turkish Criminal Code numbered 5237 lists certain crimes and penalties sanctioned to them that are directly related to information systems. Please see the table below:
Imprisonment Sanctions and Punitive Fines
Article 243: Unlawful access to information systems
Up to one-year imprisonment and punitive fine
Article 244: Hindrance or destruction of the system, deletion or alteration of data
From one to five years of imprisonment
It is highly likely that act of hacking or “DDOSing” information systems will fall under one of the articles stated in the table above, in particular Article 243 and 244.
What technology development will create the most legal change in your jurisdiction?
We believe AI will create the most legal challenge for the Turkish jurisdiction as the current liability is bound to create in unjust situations when applied to situations where AI is involved. Widespread use of AI and other similar autonomous devices (e.g. autonomous cars) will require a reconstruction of liability principles under Turkish Law.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
In terms of IT Law provisions under Turkish Law, provisions regarding data localization requirements are found to be the most limiting and hard to comply by the general practice.
Do you believe your legal system specifically encourages or hinders digital services?
Although the Turkish legislation might have difficulties or shortcomings for the recently adopted technologies; legislator and the administration keep closely the developments on the technology market with the intention of creating a productive environment for the digital market.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
As stated in our above, current legal provisions under Turkish law is not fully ready to deal with legal issues arising from use of AI and other autonomous technologies. Although general provisions of law can be applied to come up with makeshift legal solutions, a legislative overhaul will be necessary to properly deal with legal problems arising from such disruptive technologies.