Moroglu Arseven > Istanbul, Turkey > Firm Profile

Moroglu Arseven > Firm Profile

The firm: For over twenty years, Moroğlu Arseven has provided sophisticated business clients with a full range of legal support. We offer the kind of integrated counselling and representation which is only available from a full-service firm. Our proactive ethos of anticipation rather than reaction is the foundation upon which we stand our four pillars, the areas of legal practice in which our practical and academic expertise is unrivalled in Turkey; they are business and finance, compliance, dispute resolution, and intellectual property.

Our expert attorneys advise publicly traded multinationals and large, closely held domestic companies. Clients seeking counselling within one of our pillar practice areas quickly realize the depth of sub-specialization and take advantage of the full breadth of our expertise. Indeed, when advising clients on matters of novel complexity within a particular practice area our attorneys often take a team approach, recruiting from our other practice groups, specialist practitioners, and academics to provide highly specialized analysis and advice.

The firm represents and serves a diverse clientele, in a wide range of industries. In-depth sector knowledge ensures seamless service across practice areas, enabling Moroğlu Arseven to meet all of a client’s legal needs in Turkey. Key areas include industrial and manufacturing, retail and consumer, TMT, energy, healthcare and life sciences, entertainment and sports, pharmaceuticals, real estate and construction, banking, insurance and financial services.

Our attorneys publish frequently and widely both in local and international legal journals on topics practical and academic. Our website contains current and archived in-house articles on new legislation and important court decisions, and our yearly practice areas law reviews.

Practice groups
Business and finance: Moroğlu Arseven approaches business and finance clients holistically. Our counselling is rooted both in a profound understanding of the businesses and goals of our clients, and the nuances of the sectors within which they operate. This approach allows us to effectively evaluate and provide sophisticated, informed guidance to our clients on mergers and acquisitions, capital sourcing, shareholder derivative matters, restructuring, and myriad complex transactions and commercial contracts.  In addition, we service as local corporate counsel for several multinationals with operations in Turkey.

Compliance: Moroğlu Arseven maintains a broad practice covering anticorruption, antitrust, investigations, medical and pharmaceutical regulatory compliance, as well as data privacy and security. Our compliance group is a pioneer in these areas, where we have developed an expertise that can be found in no other full-service Turkish law firm.

Dispute resolution: Thanks to the expertise of our attorneys, we represent clients in high profile and complex arbitration and litigation cases. Our alternative dispute resolution practice continues to expand negotiating fair settlements of commercial, corporate, shareholders’ and large portfolio of employment disputes.

Intellectual property: We maintain a robust intellectual property practice with clients from a variety of industries. We assist clients to cost-effectively establish, define, maintain, protect, grow and leverage their Turkish intellectual property portfolios of trademarks, patent, industrial design, domain names. We have broad experience advising clients on copyrighting and protecting their creative works. We represent clients of all sizes to defend, enforce and exploit all their intellectual property rights before the Turkish courts, often in complex or high-stakes contexts. In addition, customised anti-counterfeiting and market clean-up projects are also a speciality for Moroğlu Arseven.

Lawyer Profiles

Photo	Name	Position	Profile
	Gökçe İzgi	Gökçe advises clients on a full range of intellectual property issues and…	View Profile
	Işık Özdoğan	Işık leads Moroglu Arseven’s intellectual property team. She has wide experience in…	View Profile
	Benan Arseven	Benan has wide experience in corporate and commercial law, along with related…	View Profile
	Nejla Aydın Özer	Nejla primarily concentrates on lawsuits, contracts, debt collection and other dispute resolution…	View Profile
	Ezgi Baklacı Gülkokar	Ezgi advises clients on a full range of intellectual property issues and…	View Profile
	E. Seyfi Moroglu	Seyfi advises closed and public corporations, funds, financial services companies, and banks…	View Profile
	Burcu Tuzcu Ersin	Burcu’s work includes all aspects of business law, specializing particularly in mergers…	View Profile

Doing Business In

TRENDS AND DEVELOPMENTS IN IT LAW

PAYMENT SYSTEMS, DIGITAL BANKING AND CRYPTO ASSETS

General

Banking and payment systems are heavily regulated in Turkish Law. Banking Law No. 5411 (“Banking Law”) is the main legal document that regulates banking sector; and, the payment systems are regulated by Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Payment Law”), with their secondary legislation.

Under the Payment Law, payment system and securities settlement system can only be operated with a license acquired from the Central Bank of the Republic of Turkey (“Central Bank”). Payment system is defined under the Payment Law as “the structure that has common rules and provides the infrastructure required for clearing and settlement transactions carried out in order to realize fund transfers arising from transfer orders among three or more participants” and securities settlement system is defined as “the structure that has common rules and provides the infrastructure required for the clearing and settlement transactions carried out in order to realize securities transfers arising from transfer orders among three or more participants”.

Moreover, the following activities are defined as payment services under Article 12 of the Payment Law:

• All the transactions required for operating a payment account including the services enabling cash to be placed on and withdrawn from a payment account,
• Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider, direct debits, including one-off direct debits, payment transactions through a payment card or a similar device, credit transfers including standing orders,
• Issuing or acquiring payment instruments,
• Money remittance,
• Execution of payment transaction, where the consent of the payer to execute a payment transaction is given by means of any telecommunication, digital or IT device and the payment is made to the telecommunication,
• Corresponding services enabling bill payments.
• At the request of the payment service user, the payment initiation service related to the payment account at another payment service provider.
• Upon approval of the payment service user, the online provision of consolidated information of one or more payment accounts held at payment service providers by payment service users.
• Other transactions and services reaching the level to be determined by the Bank in terms of total size or impact in payments.

According to the Payment Law, payment institutions are legal persons authorized pursuant to the Payment Law to provide and execute payment services.

As an important step the Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers (“PSR”) and the Communiqué on Information Systems of Payment and Electronic Money Institutions, and Data Sharing Services of Payment Service Providers in the Field of Payment Services (“DS Communiqué”) drafted by the Central Bank was published in Official Gazette numbered 31676 on 1 December 2021 and entered into force. With the PSR and Communiqué drafted based on the following amendments made in Payment Law, which was published in Official Gazette on 22 November 2019, Turkish legislation has been aligned with Directive (EU) 2015/2366 of European Commission, Payment Services Directive 2 (“PSD2”).

Moreover, digital banks are regulated under the Turkish law for the first time.

Crypto assets are, on the other hand, mainly unregulated under Turkish law, and until 2021 there was no provision directly addressing crypto assets. The very first legal document, specifically regulating crypto assets, is the Regulation on the Use of Crypto-Assets in Payment promulgated in 2021, which prohibits the use of crypto assets in payments. Non-Fungible Token (“NFT”) usage and fan token issuance has rapidly grown in Turkey. Fan tokens especially became very popular among sport teams including major league football clubs such as Fenerbahçe and Altay providing additional income.

On a further note, blockchain on its own is not regulated, but rather, governed by the rules applicable to the area where it is used.

Recent Key Developments in Payment Systems, Digital Banking and Crypto Assets

The Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers

The regulation aims to draw the procedures and principles regarding the authorization and activities of payment institutions and electronic money institutions (“Institutions”), the provision of payment services to payment service providers, and the issuance of electronic money.

The PSR regulates licensing conditions and proceedings of the Institutions One of the most critical regulations is that intangible assets that are only issued in exchange for a one-to-one fiat currency, created virtually and distributed over digital networks are considered as electronic money in case they are issued against funds accepted by the issuing institution, stored electronically, used to perform the payment transactions defined in Payment and accepted as a payment instrument by real and legal persons other than the issuing institution. The Central Bank will determine how the secondary regulations enacted pursuant to Payment Law will be applied to intangible assets that will be considered as electronic money within the scope of this paragraph, and other procedures and principles needed for such electronic money.

According to the PSR payment order refers to the instruction given by the customer to the payment service provider for the purpose of realizing the payment transaction, and in accordance with Law No. 6493, the institutions have the right to issue a payment order initiation service (“PIS”). In case of initiations of payment through the PIS provider, the institution holding the sender’s payment account will promptly return the unfulfilled or incorrectly executed part of the payment transaction to the sender and restore the payment account if the amount has been deducted from the payment account. In such transactions, the obligation to prove that the payment order has been received by the institution where the payment account is held, the transaction has been approved by the customer, is recorded correctly, processed into the accounts and is not affected by a technical failure or problem in the services under its responsibility will belong to the PIS provider.

The procedures and principles regarding the execution of transactions related to the PIS and the account information service (“AIS”) and the technical and operational requirements to be complied with by the parties are determined by the Central Bank. Compliance with the technical and operational requirements of the Central Bank is audited through technical control and evaluation process to be carried out by Interbank Card Center (“BKM”). Parties who complete this technical control and evaluation process without any problems are registered by BKM and publicly announced on the website and are accepted as authorized PIS and AIS providers after the necessary permissions are given by the Central Bank by Institutions operating as of the date of entry into force of the PSR are obliged to harmonize with the PSR within one year from the date of publication of the PSR.

Digital Banking Regulation

As a result of the amendments made in article 76 of the Banking Law, and with entry into force the Regulation on the Establishment of a Contractual Relationship in the Electronic Environment and the Remote Identity Detection Methods to be Used by Banks; establishing contractual relations between banks and their customers in electronic environment became possible. With these developments, Banking Regulation and Supervision Agency (“BRSA”) has aimed to construct the foundations of the digital banking model, which operates only in the digital environment. Therefore, BRSA published the Regulation on the Operating Principles of Digital Banks and Service Model Banking (“DBR”)

The DBR aims to determine the operating principles of branchless banks that serve exclusively through digital channels and the conditions for the provision of banking as a service model (banking as a service, “BaaS”) to businesses and innovative enterprises – in other words, start-ups.

The DBR defines digital banks as “credit institutions that provide banking services mainly through electronic banking services distribution channels instead of physical branches”. Unlike the branchless banking application in Europe, the DBR allows neo banks to obtain a license to operate directly over the BaaS infrastructure, without the requirement to have a licensed sponsor bank.

Unless otherwise stated in the DBR or the relevant legislation, digital banks can perform all the activities that credit institutions can perform, depending on whether they are deposit or participation banks. Digital banks are obliged to comply with the provisions of the DBR in addition to all the legislative provisions that credit institutions are obliged to comply with within the framework of the Banking Law and related legislation.

The DBR sets forth certain restrictions for the activities of digital banks. According to the DBR, customers of digital banks can only be financial consumers and small and medium enterprises (“SMEs”). In this respect, digital banks were prevented from carrying out commercial banking activities exceeding the SME size. The total of unsecured cash loans that digital banks can make available to a certain financial consumer cannot exceed four times the average monthly net income of the relevant customer, and if the customer’s average monthly net income cannot be determined, the total of unsecured cash loans that can be extended for such customer cannot exceed ten thousand Turkish Liras.

The DBR defines the BaaS as “a service model in which customers can perform banking transactions through the service bank by connecting directly with the systems of service banks via open banking services by the interface offered by the interface providers.” The service bank can only provide service model banking services to domestically resident interface providers and only within the framework of their own operating permits.

Regulation on the Use of Crypto-Assets in Payment

Regulation on the Use of Crypto Assets in Payments has been published on 16 April 2021 to be effective as of 30 April 2021 and became the first legal document specifically regulating crypto assets under Turkish Law.

Crypto asset is defined under Article 3 as “intangible assets that are created virtually using distributed ledger technology or a similar technology and distributed over digital networks but are not qualified as fiat money, dematerialized money, electronic money, payment instrument, security or another capital market instrument”. As per Article 3, crypto assets may not be used directly or indirectly in payments. Article 4 prohibits payment service providers to develop business models or provide services regarding those business models where crypto assets are used in the provision of payments services and issuance of electronic money. Article 4 also prohibits payment and electronic money institutions to mediate platforms and fund transfers from the platforms offering trading custody, transfer, or issuance services for crypto assets.

Regulations Allowing IBAN Issuance by Payment Service Providers

Communiqué numbered 2021/5 (“Amendment Communiqué”), published in Official Gazette dated 5 August 2021, numbered 31559, amends Communiqué number 2008/6 on International Bank Account Numbers to allow payment service providers to issue international bank account numbers (“IBAN”).

Amendment Communiqué provides that (i) payment service provider codes for use in issuing IBAN will be determined by the Central Bank, and (ii) non-bank payment service providers can issue IBAN for customer accounts subject to money transfers but are obligated to do so only where applicable payment system rules established pursuant to Payment Law so require.

Regulation on Remote Identity Verification and Remote Contract Execution

The Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in Electronic Environment was published in the Official Gazette No. 31441, dated April 1, 2021. With the regulation, it became possible to perform identity verification proceedings by video calls online without the need for the customer representative and the customer to be physically present at the same environment. In addition, after identity verification was made remotely or through branches, it became possible to establish remote banking contracts

General Communiqué of Financial Crimes Investigation Board No. 19 on Remote Identity Verification

General Communiqué of Financial Crimes Investigation Board No. 19, effective as of 1 May 2021, on remote identity verification (“Communiqué 19”), was published in Official Gazette No. 31470 of 30 April 2021.

The Communiqué 19 allows, in accordance with extant applicable law, remote consumer identity verification to facilitate establishment of a commercial relationship. The method designed and utilized by the parties must minimize the risk of unauthorized publication of protected data. Notably, a signature sample need not be obtained in the process.

Crypto Asset Service Providers’ Obligations Regarding Anti Money Laundering and Terrorist Financing

The Regulation on Amendment of Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing, effective as of 1 May 2021 (“Crypto AML Regulation”), was published in Official Gazette numbered 31471 of even date.

The Crypto AML Regulation expands the definition of obligated entities under article 4 of the Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing (“AML Regulation”), – published in Official Gazette numbered 26751 of 9 January 2008 – with the following subparagraphs:

• (ü) crypto asset service providers,
• (v) savings financing companies.

Accordingly, as of 1 May 2021, crypto-asset service providers, savings financing companies, their branches, agents, representatives, commercial agents, and affiliated entities are required to comply with the AML Regulation.

E-COMMERCE

General

E-commerce is regulated under Turkish law especially regarding e-commerce platforms and electronic commercial messages. Law on Regulation of Electronic Commerce No. 6563 is the main legislative document that governs e-commerce  along with the Law on Protection of Consumer No. 6502 (“Consumer Law”) for the B2C side. In accordance with the E- Commerce Law; with certain exceptions, commercial electronic messages can be sent to recipients by service providers, only with recipient’s prior consent. Service providers, wishing sending commercial electronic messages, must register with and transfer their consent records to the commercial electronic communication management system before carrying out any commercial communication. A draft has been brought to Turkish parliament for the amendment of Consumer Law. The proposed amendments, if passed, will bring certain aggravated obligations to the intermediary service providers and stricter regulations regarding remote contracts.

Recent Key Developments in E-Commerce

Competition Authority’s Preliminary Findings on E-Marketplace Sector

On 7 May 2021, the Turkish Competition Board made public certain preliminary findings (“Report“) from its e-marketplace sector inquiry, commenced 11 June 2020 (“Inquiry”), by publishing same on the Turkish Competition Authority’s (“TCA”) website.

The Inquiry was intended to, in the interest of general consumer and merchant protection, identify anti-competitive practices within the e-marketplace sector. In light of the Inquiry findings, the Report, inter alia, recommends implementing certain ameliorative measures. To that end, the Report contains the following recommendations:

• strengthen applicable secondary legislation,
• implement a code of conduct applicable to e-marketplace platforms in order to eliminate current imbalances in bargaining power between merchant and e-marketplace platform operator,
• promulgate standards for e-marketplace conduct of gatekeeper enterprises.

INTERNET/SOCIAL MEDIA

General

All internet contents including online media services are regulated under the Law no.5651 (aka Internet Law) by Information and Communication Technologies Authority (“ICTA”) The Internet Law regulates obligations of content providers, hosting providers, internet providers and social network providers.

As per the Internet Law;

• The content provider is responsible for any kind of content it makes available on the internet. Yet, hosting providers are not responsible for checking the hosted content or researching whether such content constitutes an unlawful activity.
• Access providers are required to block alternative access methods and provide information to the ICTA if requested;
• Social network providers are under the obligation to respond individual requests within forty-eight hours, complying with content removal and access prevention measures, and providing regular reports including statistical and categorical information containing the foregoing.
• The social network providers abroad that has more than 1 million daily access from Turkey are required to appoint local representatives. The local representatives are responsible from accepting notices, notifications, and requests from administrative and judicial authorities in Turkey, responding to individual applications and fulfilling other obligations under the Internet Law.

Recent Key Developments in Internet/Social Media

Bans Advertising on Twitter, Periscope, and Pinterest

Turkey has brought a set of amendments on the Internet Law and the amendment law was published in the Official Gazette on 31 July 2020. With the amendments, series of obligations were set forth for the local and foreign domiciled social network providers operating in Turkey including appointing a local representative.

ICTA banned advertising on Twitter, Periscope, and Pinterest for failure to appoint a local representative. The advertisement bans have been withdrawn later after appointment of such representatives.

Guidelines applicable to Social Media Influencer Advertising

To clarify the current state of the law on social media advertising governed by Consumer Law and the Regulation on Commercial Advertisement and Unfair Commercial Practices (“Advertising Regulation”), Turkey’s Advertisement Board published its Guideline on Commercial Advertisement and Unfair Commercial Practices of Social Media Influencers, effective 4 May 2021 (“Guideline”).

Social media posts by influencers deriving financial or other material benefit are commercial in nature under the Law and the Advertising Regulation; and with it such ads must fully comply. Accordingly, the Guideline, on top of certain other requirements, obliges social media influencer posts to be disclosed as commercial advertising.

Amendments to the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts

The Regulation Amending the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts (“Amendment Regulation”) was published in Official Gazette dated 10 April 2021 and numbered 31450. Amendment Regulation introduced certain amendments affecting the financial obligations of licensed broadcasters which are as follows:

• Broadcasters wishing to pay their licensing fees in installments were obliged to pay the first installment to the Radio and Television Supreme Council (“RTÜK”) up-front and in cash, and guaranty payment by providing to the RTÜK a guarantor letter(s) operative for a period of at least 10 years and amounting to 6 installments. The Amendment Regulation revised the amount as 9 installments and allowed broadcasters to obtain guarantor letters from more than one bank.
• A broadcaster wishing to renew its license must apply online to the RTÜK at least 2 months before expiration of its then current license.
• Guarantor letter covering a broadcaster’s internet broadcast transmission authorization fee must be in an amount equal to such fee and operative for a period of 1 year.

CLOUD COMPUTING

General

In Turkey; although there is no specific regulation regarding cloud computing, certain rules prescribed in several laws and secondary legislation concerning cloud computing apply in most cases. These rules are mainly concentrated on the notification requirement and data localization.

As stated above, hosting providers should notify ICTA before providing hosting services.

Hosting provider is defined under the Internet Law as “natural or legal persons who operate or provide systems which stores the services and contents”. As such, cloud providers are regarded as hosting providers with respect to the Internet Law.

As per the Internet Law, hosting providers are required to retain traffic data for 1 year and ensure the integrity, accuracy and privacy of this data. However, as per Electronic Communication Law No. 5809 (“ECL”), traffic data cannot be transferred abroad without the data subject’s explicit consent. This is an important challenge for cloud computing providers servers of which are located in foreign countries. The Personal Data Protection Board (“DP Board”) has previously concluded with the “Gmail Decision” numbered 2019/157 dated 31 May 2019 that in case of the usage of Gmail services provided by Google, mails are being held at the data centers all around the world, therefore, it constitutes transferring personal data abroad.

Recent Key Developments in Cloud Computing

DP Board’s Decision Regarding Cloud Use

In the DP Board’s decision numbered 2021/359 dated 13 April 2021, the data controller employer has been sanctioned for the use of cloud services to store employees’ personal data without obtaining first the employees’ explicit consent. The employee data was stored in a cloud database with servers abroad, which could only be accessed by relevant authorized persons. As the servers of the cloud database were abroad, the DP Board ruled that the data was transferred abroad.

BRSA’s Regulation Regarding Cloud Use in Banking

Regulation on Information Systems and Electronic Banking Services of Banks (“BRSA Regulation”) has entered into force which governs cloud computing usage of banks. The use of cloud systems is not prohibited under the BRSA Regulation. However, certain conditions should be fulfilled for the use of cloud systems. According to BRSA Regulation, the primary and secondary systems of the Institutions should be kept in Turkey. If cloud computing services are used, the information systems of cloud computing service providers and their back-ups are also regarded as primary and secondary systems of the Institutions. In such cases, these data, hardware and software and their back-ups should also be kept in Turkey. Moreover, in case cloud computing services are used for primary and secondary systems, the hardware and software used should be dedicated to a single institution. However, the use of community clouds is permitted for banks and financial institutions in certain conditions. In the presence of BRSA approval, community cloud can be used by the banks and financial institutions, on condition that the software and hardware are dedicated to BRSA regulated institutions and logical separation is provided for each company. In addition, for the financial institutions, in the presence of BRSA’s approval, financial institutions may use the same dedicated software and hardware on condition that logical separation is provided for each company.

Artificial Intelligence (“AI”)

General

AI is not specifically regulated under Turkish law; however, use of it may trigger certain control mechanism under various laws and regulations. For instance, use of AI for automatic decision making can be challenged by data subject if the use of it results in negative impact on the data subjects and they can request human intervention for decision making. Product liability and tort provisions of Turkish law also apply to damages incurred due to use of AI.

Recent Key Developments in AI

Artificial Intelligence Strategy

The Circular numbered 2021/18 on the National Artificial Intelligence Strategy was published in the Official Gazette dated 20 August 2021 and numbered 31574, and the National Artificial Intelligence Strategy Document (“Strategy”) on Digital Transformation Office of the Presidency’s website on 24 August 2021.

The high-level targets foreseen for 2025, which is the end of the implementation period of the Strategy, are as follows:

• The contribution of AI to GDP will be increased to 5%.
• Employment in the field of AI will be increased to 50,000 people.
• Employment in the field of AI in central and local government public institutions and organizations will be increased to 1,000 people.
• The number of graduate level graduates in the field of AI will be increased to 10,000.
• AI applications developed by the local ecosystem will be prioritized in public procurement and commercialization will be supported.
• An active contribution will be made to the regulatory studies and standardization processes of international organizations in the field of cross-border data sharing with reliable and responsible AI.

TELCO

General

Telecommunication (telco) is a highly regulated sector under Turkish Law. The ECL, which is prepared based on Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 Establishing European Electronic Communications Code (“EECC”), is the main legislative document that governs the telecommunication sector. ICTA is the national regulatory agency for the supervision of the sector and execution of the ECL. The telco sector is regulated by licensing, authorization, notification and other control mechanisms regarding establishment, conduct and structure of the telco companies. Electronic communication services can only be provided by obtaining a license from ICTA. On the other hand, electronic communication services and/or networks or infrastructure established within the immovables of a real or legal person and not exceeding the borders of each immovable, used exclusively for personal or corporate needs, not used to provide any electronic communication service to third parties, not intended for any commercial purpose in its provision and not made available to the public and those established by public institutions and organizations in accordance with their special laws regarding the services they provide exclusively are not subject to authorization. Unlike EECC, the ECL does not contain a provision to expressly scope the communication medium between individuals which are provided for a price.

Recent Key Developments in Telco

Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector

Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector (“RIR”) introduced in the Official Gazette dated 26 June 2021 and numbered 31523.

According to the RIR, only following channels can be used for identification verification:

• e-Government gateway,
• Visual verification by artificial intelligence or authorized person, together with the document with near field communication feature in accordance with the ICAO 9303 standard,
• Creating PAdES with Republic of Turkey ID Card,
• Taking video footage to be specific to the process with the applicant’s identity document in face-to-face channels.

The Regulation allows artificial intelligence to make the comparison of the face in the live image and the photograph in the identity document.

Regulation on Protection of Personal Data in Electronic Communication Sector

ICTA’s long-awaited Regulation on Process of Personal Data and Protection of Privacy in Electronic Communication Sector (“DPR”) has been published on the Official Gazette number 31324 dated 4 December 2020.

In the DPR, contrary to its predecessor, explicit consent requirement for the cross-border data transfer is not regulated for all personal data categories. The communication and location data are regarded as important for national security so that cross-border transfer of these data is prohibited unless user’s explicit consent is obtained.

The DPR obliges the operators to implement all necessary technical and administrative measures to ensure the security of the services provided with the user’s personal data. The minimum requirements are also provided in the DPR, such as determining policies, protection of personal data against all breaches including disruption, loss, alteration, recording to another environment; and implementing necessary measures to prevent unauthorized access to these data. The operators are also obliged to save the log records to the systems containing personal data for two years.

In article 8 of the Regulation, specific provisions were brought regarding explicit consent. The provisions are generally in line with the Law on Protection of Personal Data number 6698 (“DP Law”). As with the DP Law, the explicit consent must be specific to a certain data processing activity and must be given in a free will, thus cannot be a condition for the service. It is, however, stated in the Regulation that explicit consent may be requested by providing additional benefits such as extra minutes or SMS rights. An obligation to inform is also implemented with the regulation as to the processed personal data, traffic, and location data. This information must be in 12 font size if made in writing. Operators are also obliged to inform the users that their data is processed based on their explicit consent in the third quarter of the year. Otherwise, the data processing activity of the Operators within the scope of the express consent given before is suspended until the privacy notice is submitted.

Increase in Direct Carrier Billing Usage

Direct Carrier Billing (“DCB”) has been used in Turkish market already widely for especially payment of electric, gas and water subscription bills. The pandemic, however, emerged the need for alternative payment methods to the card and cash. DCB use in Turkey during the Covid-19 pandemic has increased

PERSONAL DATA PROTECTION

General

Privacy and protection of personal data is primarily regulated by the Law on Protection of Personal Data No. 6698 (“DP Law”). The DP Law set forth certain obligations of data controllers including comply with general principles of data processing, base data processing activities on a valid and legal ground, inform data subjects as to determined aspects of the data processing, respond to data subjects for their applications with regards to their rights under the DP Law, comply with prohibitions of domestic/cross border transfer, comply with erasure, destruction, and anonymization of personal data requirements, take adequate security measures for the protection of personal data, notify data breaches and register with data controllers registry.

Recent Key Developments in Personal Data Protection Law

Personnel Certification

The Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Certification Communique”) was published. With the Certification Communique, in accordance with the standard numbered EN ISO/IEC 17024 (ISO17024), the procedures and principles have been determined regarding the certification of persons with regards to DP Officer Program.

According to the Certification Communique, those who acquired a certificate by participation in the program, principles and procedures of which is determined by the Authority and has been successful in the respective exam will be entitled to use the title of “data protection officer”. Organizations accredited by the Turkish Accreditation Agency within the scope of ISO17024 standard will be authorized to certify those who are successful in the relevant exams related to certification.

In accordance with the Certification Communique, a data protection officer is assumed to have sufficient knowledge in terms of personal data protection legislation within the scope of the program for which they are certified. It is also regulated that the data protection officer can only use this title during the validity period of their certificates.

Finally, it is emphasized in the Certification Communique that employing a data protection officer will not remove the responsibility of the data controller and data processor to comply with the DP Law.

Personal Data Categories in Privacy Notices

Regarding the obligation to inform, the most important decisions in 2021 were the DP Board’s decisions regarding the need to include the personal data categories processed in the privacy notice. In Article 4 of the Communique on Principles and Procedures to be Followed In Fulfillment Of The Obligation To Inform, the information required to be included in the privacy notice is determined as the identity of the data controller and, if any, its representative, the purpose for which personal data will be processed, to whom and for what purpose personal data can be transferred. In the Board’s decision dated 8 October 2020 and numbered 2020/765, however, stated that the categories of personal data processed in the privacy notice should also be included.

CORRUPTION & INTERNAL INVESTIGATIONS

CORRUPTION AND RELEVANT FRAMEWORK UNDER TURKISH LAW

Definition of Corruption

Corruption has no specific definition under Turkish law. Corruption comprises specific crimes such as embezzlement, malversation, bribery, misconduct, bid-rigging and manipulation of tender contracts, money laundering, fraud, fraudulent bankruptcy, insider trading, terrorism financing and forgery.

International Legal Framework

Turkey is a party to the following conventions:

• the United Nations Convention against Corruption, ratified in 2006;
• the United Nations Convention against Transnational Organized Crime ratified in 2003;
• the European Convention on Mutual Assistance in Criminal Matters ratified in 1969;
• the Convention on the Transfer of Sentenced Persons ratified in 1987;
• the Council of Europe Civil and Criminal Law Conventions on Corruption, ratified in 2001;
• the European Convention on the International Validity of Criminal Judgments ratified in 1978;
• the Council of Europe’s Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime, ratified in 2004;
• the European Convention on the Suppression of Terrorism ratified in 1981;
• the European Convention on the Transfer of Proceedings in Criminal Matters ratified in 1978;
• the European Agreement on the Transmission of Applications for Legal Aid ratified in 1983; and
• the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, ratified in 2000.

Turkey is a member of the following groups:

• the Group of States against Corruption, member since 2004; and
• the Financial Action Task Force, member since 1991.
• Egmont Group, as a financial Intelligence Unit, member since 1998.

In addition to the above list, Turkey signed bilateral agreements on cooperation regarding criminal matters with countries such as: Albania; Algeria; Belarus; Bosnia Herzegovina; Brazil; China; Egypt; Georgia; India; Iran; Iraq; Italy; Jordan; Kazakhstan; Kosovo; Kuwait; Kyrgyzstan; Macedonia; Moldova; Mongolia; Morocco; Oman; Pakistan; Poland; Turkish Republic of Northern Cyprus; Romania; Serbia; Syria; Tajikistan; Tunisia; Turkmenistan; USA; and Uzbekistan.

National Legal Framework

Relevant national legislation includes:

• Turkish Penal Code numbered 5237 (the “TPC”)
• Criminal Procedure Code numbered 5271 (the “CPC”)
• Misdemeanors Law numbered 5326
• Banking Law numbered 5411 (“Banking Law”)
• Code on Asset Declaration and Fighting Against Bribery and Corruption numbered 3628
• Regulation on Asset Declaration numbered 90/748
• Code on Public Officials numbered 657
• Code on Public Tenders numbered 4734
• Code on the Prevention of Laundering of Crime Revenues numbered 5549 (the “CPL”)
• Code on Establishment of the Public Officials Ethics Board and Amendments to Some Laws numbered 5176
• Regulation on Ethical Behavior Principles of Public Officials
• Code on Prevention of Terrorism Financing numbered 6415
• Regulation on Program of Compliance with Obligations Regarding Prevention of Laundering of Crime Revenues and Terrorism Financing
• Capital Markets Law numbered 6362 (the “CML”)
• Anti-Smuggling Law numbered 5607 (“Anti-Smuggling Law”)
• Code on Independent Accountant Financial Advisers and Certified Public Accountants numbered 3568
• Turkish Commercial Code numbered 6102 (the “TCC”)
• Turkish Code of Obligations numbered 6098 (the “TCO”)
• General Communiqué for Reporting Suspicious Transactions Regarding Terrorist Financing
• General Communiqués numbered 5, 7, 8 and 13 of the Financial Crimes Investigation Board (MASAK); and
• Communiqué on Tax Procedure Law numbered 529

Bribery & Foreign Bribery

Bribery is defined as granting, directly or through intermediaries, an undue advantage to a public official or to another person addressed by the public official in order to prompt him to perform or not to perform a task with regards to his duty (Article 252 of the TPC). The person receiving a bribe and also the person giving a bribe are held responsible. The offence is committed when the parties agree upon a bribe.

Although bribery in the extent of private-to-private relations is not regulated under Turkish law, engaging in bribery of persons who are representatives of below listed legal entities is also criminalized:

• Companies with a public entity status
• Companies established with the partnership of public entities or the professional organizations which have public entity status
• Foundations operating within public entities or the professional organizations having a public entity status
• Public benefit associations
• Cooperatives

Bribery attracts sanctions of between four- and 12-years’ imprisonment, subject to aggravating and mitigating circumstances.

Article 252/9 of the TPC criminalizes the bribery of foreign public officials as regards to Turkey’s commitments to illegalize foreign bribery in international treaties. Those persons listed below would be considered as foreign public officials and would be charged with the same penalties as provided for bribery under Turkish law:

• Public officials elected or appointed in a foreign country
• Judges, jury members or other officials acting in international or transnational or foreign state courts
• Members of international or transnational parliament
• Persons performing public activities for a foreign country, including public institutions or public corporations
• Citizens or foreign arbitrators appointed within the framework of arbitration procedure applied for solution of a legal dispute
• Officials or representatives of international or supranational organizations established based on an international agreement

INTERNAL INVESTIGATIONS  

Legal Requirements to Initiate Internal Investigations

 Under Turkish law, there is no specific legal requirement to conduct an internal investigation or submit the findings thereof to the relevant authorities that is imposed on legal entities. Nevertheless, there are certain requirements and obligations stipulated under various laws and regulations which have to be regarded to assess the legal entities’ obligations to identify misconduct.

The right and obligation to manage and the authority to represent are granted to the board of directors (“BoD”) in joint stock companies under article 365 of the TCC. As a general rule, the BoD is authorized to take decisions regarding all actions and transactions in order to conduct business of the company except for matters reserved to the General Assembly in accordance with the relevant provisions of the TCC and articles of association of company.

Management of the company both constitute a right and an obligation for the BoD members and failure to fulfill such obligations give rise to the liability of the BoD members.

Pursuant to article 375 (1)(e) of the TCC, supervision obligation is one of the non-transferable duties and authorities of BoD members. The BoD members are obliged to oversee the conduct of business, compliance with law, agreements, articles of association provisions, internal directives, General Assembly and BoD resolutions and orders and company’s interests. Such supervision obligation is not transferable by delegation of authorities and no member shall be kept exempt from such obligation. Furthermore, article 369 (1) of the TCC states that BoD members must conduct their duties with diligence and care of a prudent manager and must pursue the company interests in accordance with the good faith principle.

Within this context, primary suspects of a crime committed on behalf of a company are generally BoD members in the eyes of public prosecutors.

With respect to crimes which can be committed deliberately (=willingly and knowingly), only BoD members who are aware of, but; tolerate this crime or who are directly involved into commissioning of this crime can be held criminally liable due to individual criminal personal liability set forth under the Constitution of the Republic of Turkey (“Constitution”) and TPC, as mentioned above. Corruption offences can only be committed deliberately, but not negligence. That also means that the said offences can be committed by dolus eventualis (olası kast) or legal intention. Intent in the form of dolus eventualis or legal intention, is deemed present when the perpetrator objectively foresees the possibility of his action’s consequences and persists regardless of the consequences as per article 21(2) of the TPC.

BoD members can avoid criminal liability for corruption offences by proving that that they have no knowledge or intention regarding commitment of such kind of crime and that company executives or employees who are reporting them committed this criminal offence by not obeying and/or acting contrary to their instructions. That being said, there are still certain criminal offences which might be committed by negligence. In other words, BoD members might also be held criminally liable for this kind of crimes due to breaching the supervision obligation and/or duty of diligence and care.

In particular, article 366 of the TCC sets out regulatory authority of the BoD to establish committees and commissions to detect any forthcoming risks in order to secure the improvement and continuity of the operations of the company. These committees and commissions may include the members of the BoD or third parties. Accordingly, an internal audit committee which is a direct obligation for companies whose shares are listed on the stock exchange, can be established in other companies. In practice, such regulatory obligations may motivate the BoD to conduct internal investigations to detect any misconduct, since they may be held liable for breach of their obligations otherwise.

Additionally, there are provisions stipulated under Employment Law numbered 4857 (“Employment Law”) concerning the conditions of the conduct of internal investigations. For instance, as per article 5 of the Employment Law, the employer must treat all employees equally and should not discriminate the employees based on their gender, race, color, language etc. Subsequently, if an internal investigation resulted in a termination violates the obligations set out in article 5, the terminated employee has the right to initiate a lawsuit for re-employment.

Please also refer to our explanations under the self-reporting requirements under Turkish law for further details.

Criminal Liability of Legal Persons

Under Turkish law, only real persons can be author of crimes and subject to criminal sanctions (Article 20 of the TPC). Hence, unlike some other jurisdictions, legal entities in Turkey cannot be held criminally liable. Therefore, if a real person commits a crime on behalf or in favor of a legal entity, the real person will be held personally liable.

However, legal entities are still subject to certain safety measures (Article 60 of the TPC).  Safety measures imposed on legal entities include seizure or cancellation of the proceeds of crime. Besides, in circumstances where any crime is commissioned in a corporate environment, the board members and directors of the company may be laid with charges or even be held criminally liable in cases where the crime is committed within the context of the company’s business or for the benefit of the company.

According to article 43/A of the Misdemeanor Law, in the case that a person who is an organ or representative or acts within the operation of the legal entity commits one of the following crimes for the benefit of the legal entity, a fine of up to TRY 74.303.910, which is calculated in accordance with the revaluation rate declared for 2021, will be imposed by the court on the legal entity for each crime listed below:

• Fraud as defined in articles 157 and 158 of the TPC
• Manipulating tenders as defined in article 235 of the TPC
• Manipulating the performance of a deed as defined in article 236 of the TPC
• Bribery as defined in article 252 of the TPC
• Money laundering as defined in article 282 of the TPC
• Embezzlement as defined in article 160 of the Banking Law
• Smuggling as defined in the Anti-Smuggling Law
• Financing terrorism as prescribed in article 3 of the Code on Prevention of Terrorism Financing numbered 6415

Legal Requirements to Self-Report to Judicial or Regulatory/Administrative Authorities

Under Turkish law, failure to report a crime that is still being commissioned or consequences of which continues is considered itself as a separate criminal offence set forth under article 278 of the TPC, which is sanctioned up to one-year imprisonment. The application of this provision is very rare, though, this provision always raises concern of the BoD and management in corporate settings and require legal assessment.

The CPL also sets out several obligations with regards to establishing training, internal audit, control and risk management systems and other measures to obliged parties (such as banks, financial institutions, companies operating in specific industries, etc.), and expects such parties to put into operation internal systems to detect and notify noncompliant transactions in a timely manner. According to article 4, if those who are deemed obliged parties under the CPL suspect that an asset subject to a transaction was obtained by illegal means or used for illegal purposes, they must report the transaction to the Financial Crimes Investigation Board (“MASAK”). According to article 28 of the CPL a Suspicious Transaction Report Form should be filled and submitted to the MASAK by obliged parties such as banks and financial institutions, to detect and report any suspicious transactions to MASAK, within 10 days of the suspicion arising. In addition, responsible institutions must notify MASAK when a transaction exceeds certain amounts prescribed by law. Pursuant to article 13 of the CPL, an administrative fine of 50,000 liras will be imposed on an obligor who violates the obligation to report. MASAK has the power to request and access all relevant information.

Furthermore, as per the Communiqué on Notification Obligation Regarding Insider Trading and Market Fraud, investment institutions subject to the CML has an obligation towards the Capital Markets Board if they come across a suspicion regarding insider trading or capital market fraud. This notification is made independent from the suspicious transaction notification to MASAK. Other than that, there is no specific requirement to force the companies to make any reporting to any judicial or governmental bodies.

Self-reporting can be considered as a possibility, like for instance in the case of any significant concerns around facing a potential criminal or administrative investigation. Nevertheless, it would be necessary to make detailed legal analysis of the circumstances each time such a possibility arises.

Furthermore, certain public disclosure requirements apply for publicly held companies, as provided under the CML. Although it does not bring forward any reporting requirement to any judicial or governmental authority, it is obvious that above a certain materiality threshold, the BoD and management of a publicly held company will be under the obligation to disclose the consequences of any material incident in such respective company.

Benefits that could be derived from self-reporting

Reducing sentence is possible if it is foreseen in related provisions. Additionally, repentance is possible for money laundering, embezzlement and bribery which revoke punishment in case of reporting the crime before investigation process. Article 254 of the TPC provides for the following safe harbors and exemptions:

• No punishment is imposed if a person taking bribe delivers the subject of bribery exactly as it is to the relevant bodies before the commencement of investigation. No punishment is imposed if the public officer who agrees to receive a bribe notifies the relevant bodies about this fact before the commencement of investigation.
• No punishment is imposed if a person offering a bribe to a public officer notifies the relevant authorities about this fact before the commencement of investigation.
• No punishment is imposed on a person complicit in bribery if the person notifies the relevant bodies and shows sincere repentance about this fact before the commencement of investigation.
• These are not applicable with regards to foreign bribery.

Plea bargaining is not covered under Turkish law. However, Turkey has adopted expedited trial procedure which can be applied at the end of the investigation phase. This procedure allows penalty reduction if suspect agrees to settle the dispute with the public prosecutor. (Article 250 of the TPC)

Mediation is available as an alternative resolution method for certain crimes. As per article 253 of the TPC, (i) the crimes investigation and trial of which depends on the complaint, (ii) provided that the victim or the person injured by the crime is a natural or private legal entity, crimes requiring imprisonment or judicial fine with an upper limit not exceeding three years in terms of juvenile delinquents and the crimes listed under the article can be resolved by settlement, including:

• Abuse of trust (Article 155 of the TPC)
• Fraud (Article 157 of the TPC)

Also, the crimes that are explicitly allowed by other laws to be settled through settlement can be subject to resolution by settlement.

Fraud defined in Article 157 of the TPC is within the scope of crimes subject to mediation procedure. However, it is not applicable to other crimes such as bribery and embezzlement.

Although mediation is not available for crimes other than mentioned, in some cases it is possible to make a settlement with to authorities for fine reduction. Settlement for fine reduction before administrative bodies, e.g., Competition Board, Tax and Customs Offices, Consumer Board, Data Protection Authority, is possible.

Retaining External Counsel and Attorney-Client Privilege

Article 149 of the CPC specifically foresees the right to legal advice and privilege throughout all criminal procedures. It is stipulated in the article that the suspect or the defendant may receive legal support in all phases of investigation and trial, and the right of the legal counsel to be present during interrogation and taking testimony cannot be restricted. The suspect or the defendant is free to choose and authorize their legal counsel; however, in the event that the suspect or the defendant state that they are not able to do so, a legal counsel is appointed.  In article 150 of the CPC, conditions in which a counsel is compulsory are regulated. Accordingly, if the suspect or the defendant is a child, or disabled to an extent that would preclude the from defending themselves, a counsel is appointed for them without the need for prior request.

The scope and elements of attorney-client privilege are quite unspecified compared to the common law attorney-client privilege rules. Attorney-client privilege is regulated under the Attorneyship Law numbered 1136 (“Attorneyship Law”). Accordingly, as per article 36 of the Attorneyship Law, attorneys cannot disclose any document or information obtained while practicing their profession. There are also related provisions in the CPC, regulating the issues concerning attorney – client privilege and attorneys’ exemption from ordinary criminal investigation processes within these privileges.

As per the article 130 of the CPC, attorney offices and residences can only be searched by court warrant and with the participation of the registered bar association representative, under the supervision of the public prosecutor, regarding the event specified in the warrant. For a search is to be conducted in a law office, specific rules apply, such that a bar representative has to be present during all times of the search to take place in the attorney’s office. The attorneys working in that office, the president of the bar association, or the attorney representing the president of the bar association may assert that an item to be seized is subject to attorney – client privilege. In this situation, the item is placed inside a separate envelope or package to be stamped. If the courts determine, within 24 hours, that the item is subject to attorney – client privilege, the seized item is returned immediately to the attorney.

As per article 58 of the Attorneyship Law, an attorney cannot be searched except in the case of red handedness for a crime that falls within the jurisdiction of the high criminal court.

Furthermore, investigation against attorneys or those in the organs of the Union of Turkish Bar Associations or bar associations, for crimes arising from their duties or committed during their duty is carried out by the public prosecutor of the place where the crime was committed, upon the permission of the Republic of Turkey Ministry of Justice.

Turkish Competition Authority’s practice, the correspondence between attorneys and their clients is deemed to be a significant part of the right of defense. However, it is important to note that, in order to benefit from the privilege, the correspondence must be made between an independent external attorney and their client. As the above stated provisions does not make any distinctions between in-house and external counsels, it is ambiguous whether such privileges are provided for both. Nevertheless, under the current practice of Turkish Competition Authority, correspondence of the company with its in-house counsel attorney is not deemed to be privileged as per the relevant articles of Attorneyship Law and the CPC.

Whistleblower Protection

During the internal investigations an important place is attributed to whistleblowers due to their effectiveness and importance in detecting risks and irregularities. No specific whistleblower protection legislation exists in Turkey. However, certain provisions in various laws and sub-legislation applies to whistleblowing including those of:

• Constitution
• Turkish Civil Code, Law numbered 4721 (as amended)
• TPC
• TCO
• Employment Law
• Personal Data Protection Law numbered 6698 (“DPL”)
• Witness Protection Law numbered 5726
• Regulation on Deletion, Destruction and Anonymisation of Personal Data
• CPC

In accordance with Article 18/3-c of the Employment Law, if an employee submits a complaint against his/her employer to administrative or legal authorities concerning his/her legal or contractual obligations, the employer cannot terminate the employment agreement of such employee. Even though this provision provides a protection for whistleblowers solely against their employers; employers must also provide protection for the whistleblowers against any kind of retaliation which may come from other employees and/or relevant parties.

Overall, Turkey has a plenty of development room for whistleblower protection and needs a single legal structure for this to ensure effective implementation, rather than a piecemeal approach.

Chapter 23 (Judiciary and Fundamental Rights) for Turkey’s accession to the EU requires Turkey to implement a whistleblower protection. In fact, the European Commission’s 2020 Turkey Progress Report emphasizes that Turkey’s “legal framework on whistleblower protection still needs to be aligned with the new EU acquis on this issue.” Implementation of the Directive would also accelerate Turkey’s implementation process towards its commitments as regards whistleblower protection under the respective UN and OECD Conventions.

Legal Considerations on Evidence Gathering

Designing and conducting a lawful internal investigation is not only important to avoid any further legal risks and undesirable consequences, but it is also important to assert any claims based on the collected information during the internal investigations before judicial and administrative bodies, as the information collected without following certain legal procedures may risk not qualifying as evidence.

Article 38 of the Constitution guarantees the right to exclude unlawfully obtained evidence. Furthermore, a criminal offence can be proven with all kinds of evidence provided that evidence was gathered in accordance with law as per the article 217(2) of CPC. Therefore, evidence collection requires strict compliance with the applicable law. Otherwise, evidence that is collected in an unlawful manner will be dismissed by the Turkish courts.

Contradiction to law is defined by Constitutional Court as contradiction to all legal provision in force in Turkish legal system[1]. In this regard, an investigative finding can be construed as a legally proper evidence, in case;

• the company is legally entitled to gather such finding,
• the company complied with applicable laws while gathering such finding,
• the finding is used/processed in accordance with applicable laws.

The collection method should be legally proper so that the findings can be deemed legally proper evidence. It also important to assess data protection aspects as electronic communications involves personal data.

As per article 419 of the TCO, the employer can use the personal information of the employees only to the extent required for the competency of the employee for the work or for the enforcement of the employment agreement. In this regard, from an employment law perspective it is possible for an employer to audit its employees’ computers and e-mail accounts allocated for performance of business operations, unless there is not an explicit provision set forth under employment agreements executed with employees stipulating otherwise.

Although from the perspective of the employment law and precedents, the electronic correspondences conducted via the work tools of the employees are considered to be the property of the employer, the content of such correspondences constitute personal data of the employees. In this regard, the DPL needs to be considered for processing of the findings derived from any monitoring activities in the course of internal investigation.

Employers’ right to monitor electronic communications of the employee is solely restricted with the corporate tools/devices given to employee by the employer such as; corporate e-mail account, company phones, company computers. However, employer cannot audit/monitor the correspondence made by the employee through his personal accounts. This issue is crucial for the legality and legitimacy of the monitoring. Monitoring of the personal accounts of the employee might cause violation of the privacy of the employee by the employer.

As per the DPL, processing means any activity carried out on personal data such as data collection, recording, use, storage, disclosure, destruction, transfer, profiling, grouping. Under article 5 of the DPL, personal data can be processed and transferred abroad by obtaining an explicit consent from the data subject. Data controller is obliged to process data in line with the principles set out in article 4 of the DPL which requires that data shall be (i) processed fairly and lawfully, (ii) accurate and up to date; (iii) processed for a specific, explicit, and legitimate purpose; (iv) relevant, adequate and not excessive; and (v) kept for a term that is necessary for the purpose.

The DPL stipulates the conditions for processing and cross-border transfer of personal data without obtaining explicit consent of data subject. In this regard, personal data can be transferred abroad without obtaining explicit consent of the data subject if one of the conditions stated under article 5(2) exists and the country that the personal data will be transferred to has an adequate level of protection. If the level of data protection in such country is not deemed to be adequate, then the data controllers in Turkey and abroad can provide an undertaking, warranting the delivery of an adequate level of protection, which can be approved by the Turkish Data Protection Board.

Based on Constitutional Court decision dated 17 September 2020 and numbered 2016/13010 (aligned with the Bărbulescu v. Romania decision which was delivered by the European Court of Human Rights in 2017) on surveillance of employee e-mails:

• The employer must have a legitimate interest in monitoring communication by considering whether this interest can be pursued by only monitoring the flow of the communication or monitoring the content of the communication is compulsory,
• The employees must be informed by the employer beforehand about the surveillance, its purposes, its legal grounds, its scope, its results and employees’ rights.
• The intervention to the privacy of the employee must be eligible to accomplish the purpose of the surveillance,
• The intervention must be compulsory for the purpose of the surveillance and the same results must be able to be accomplished by other means, which requires fewer personal data to be processed or require them to be processed less intensely,
• The data to be collected must be limited by the purpose of the surveillance, no excessive data processing must take place,
• The legitimate interest of the employer must be balanced with the employee’s fundamental rights and freedom.

Based on the Constitutional Court decisions and the DPL, the employer must inform the employee before the communication that their communication may be monitored, the surveillance must be required and proportionate, must comply with general principles under article 4 of the DPL and must be based on one of the legal bases prescribed under article 5/6 of the DPL, an assessment must be made for each individual case. If the same result can be achieved by processing less data, more intense data processing is regarded as unlawful therefore the employer must determine whether the same results can be achieved without monitoring the communication or at least the content of the communication. 

Conducting Interviews

There is no regulation under Turkish law which provides for principles to respected during an internal investigation interviews and protection to the whistleblowers. In the circumstances where the whistleblower is a current employee of the company, an evaluation is made under the employment relationship to determine the responsibilities and commitments of the employer towards the whistleblower. However, no provision regulates the position towards the former employees or third parties. Therefore, it is of essence that employers establish an effective and secured structure for whistleblowing. In particular, the employers must ensure that any kind of whistleblowing will be anonymous, the process will be kept confidential, and the whistleblower will be protected from any kind of retaliation. In this regard, the employers may consider setting up a hotline where the employees can submit their complaints anonymously.

During an internal investigation following a complaint submitted by the whistleblower, it is crucial to firstly interview the whistleblower and obtain detailed information on the complaints. However, the whistleblower should not be the only interviewee within such an investigation process. If there are other parties involved, such as an alleged fraudster, suppliers or witnesses, they should be separately interviewed in order to gather as much information and evidence as possible.

In order to ensure objectivity towards the interviewees and the allegations, the interviewer could be a professional who does not work for the employer. Therefore, external counsel, auditor or an investigator may conduct the interviews. Any external parties should be empowered in a legal manner as for the interviewees may refrain from sharing company information with unauthorized interviewers, aside from its legal implications. The number of interviewers may vary depending on the context of the investigation, the significance of the allegations and the demands of the employer. In general, two or three interviewers may be sufficient for an interview, as the interviewee may feel overwhelmed if there are more than three interviewers.

Even though it is preferred to have face-to-face interviews, some interviews may be required to be conducted remotely due to various reasons such a pandemic etc. In remote interviews, a secured platform is advised to be used to prevent any leak of information. It should be ensured that all participants took the measures to avoid any breach of confidentiality and third-party intervention.

It is also important to note that in case there is time differences between the participants’ locations, a reasonable time should be selected for all parties. Otherwise, very early or late interviews may be considered as excessive from an employment law perspective.  It is also important to note that in case there is time differences between the participants’ locations, a reasonable time should be selected for all parties. Otherwise, very early or late interviews may be considered as excessive from an employment law perspective and may violate the employee’s right to rest.

During the interviews, an accurate note or recording should be kept. At the end of the interviews, an objective report should be prepared.

Once the investigation is complete, a final report summarizing all evidence collected and procedure followed along with any red flags to be reported to the management. The BoD members should take into consideration those findings and take necessary measures or actions vis-à-vis the obligations and liability attributed to them, as provided above under Section 2.1.

Legal Considerations on Corrective Actions towards Employees

It is also essential to underline that assessing possible corrective actions and remediations having concluded the internal investigation. On the basis of the investigation findings, determining the remedial actions and remedies to be implemented should be determined prudently.

Corrective actions may also include disciplinary actions or dismissal of the alleged wrong-doers depending on the investigation findings. Disciplinary actions can be in the form of warning, reprimand, wage cut, change of job and workplace, temporary suspension from work. It should be noted that the acts that will require disciplinary actions and the sanctions to be applied to such acts should be stated clearly within the disciplinary regulations of the workplace. The application of such rules should be carried out in line with the provisions of the Employment Law, and the sanctions must be applied equally to all employees. Furthermore, the employer cannot impose a dismissal penalty for the same action following the disciplinary action applied as a result of the employee’s unlawful behavior, due to the fact that it would mean two separate punishments imposed on the same act (Non bis in idem).

Dismissals by the employers can be separated into two categories, namely (i) termination with a just cause and (ii) termination with a valid reason. If the employer terminates the employment agreement with just cause based on the limited reasons stated under article 25/II of the Employment Law (which are immoral acts and acts against goodwill) the employer will not be under the obligation to make severance or notice payments. It should be noted that breach of the employer’s trust, theft, disclosure of employer’s trade secrets are all among the reasons for termination with just cause. Termination with just cause must be performed within six business days after learning the facts, and in any event after one year following the commission of the act, has elapsed. The “one year” statutory limitation shall not be applicable, if the employee has extracted material gains from the act concerned.

If the employer cannot terminate the employment agreement with a just cause but also cannot keep employing the wrong-doer, the employer may terminate the employment agreement with a valid reason. In such a case, the employer must pay severance payment and abide by the notice periods. The employer is also under the obligation to obtain written defense of the employee prior to the termination.

If during termination no reason is mentioned or if the employee claims that the mentioned reason is not justifiable, the employee may initiate a re-employment lawsuit based on these claims by applying to the mediator within one month following the termination, and the employee must file the re-employment lawsuit with two weeks following the mediation meetings. In the event that the court accepts the employees claims for re-employment, the termination will be deemed invalid. In such case, the employee shall request from the employee his/her re-employment. Upon such request, the employer must re-employ the employee, and if not, the employer must pay compensation to the employee, ranging from four to eight months of the employee’s salary as employment security indemnification and an additional four months of the employee’s salary as the salary for the time passed during the trial. Such lawsuit may be initiated by the employees who have worked for more than six months, and if there are more than thirty employees in the workplace. In practice, if the same employer has several workplaces, the court may take the whole number of employees in all workplaces into consideration, even if they are working in a workplace in a separate location. Regarding employees who has other workplaces in foreign countries, the court may have a tendency to take number of employees in foreign countries into consideration.

Employer’s representatives who manage the complete enterprise and his/her assistants and the employer’s representatives who manage the complete enterprise and who are authorized to recruit and dismiss employees, may not initiate such re-employment lawsuit.

[1] Constitutional Court Decision numbered 1999/2 E. and 2001/2 E. and dated 21 June 2001.

Legal Developments

Capital Markets Board of Turkey Amends the Communiqué on Principles of Venture Capital Investment Funds

Turkish Constitutional Court: Imposing a Preliminary Injuction for an Unreasonable Time Violates the right to property.

TITCK Updates the Guideline regarding the Regulation on the Sale, Advertising and Promotion of Medical Devices

Turkish Constitutional Court: In Correction Requests Regarding Declaration-based Taxes Miscalculated

Turkish Constitutional Court: Turkish Counsel of State’s Failure of Unification of Discrepancies Between Precedents in Tax Litigation

• Tax administration requested applicant to submit his legal books and documents for the calendar years 2008, 2009, 2010 for the investigation pertaining to the purchase of certain goods and services. Upon applicant’s failure to submit the aforementioned books and documents without providing any valid excuse, the difference amount arising by means of the refusal of VAT deductions for the purchases made in the relevant years was assessed with a threefold amount of tax loss fine.
• The applicant filed multiple lawsuits against the assessments before Adana 1^st Tax Court (“Court”) and claimed that the refusal of lawsuit without examination regarding whether the documents related to the deducted VAT amount were recorded in the relevant books and documents would be illegitimate. The applicant requested for the examination of electronic accounting records and stated that the applicant can submit legal books and documents if a sufficient time was provided hereof.
• The Court dismissed the case on the grounds that the legal books and documents were not submitted without providing any valid excuse in the term of limitation and it was not proved that the purchase documents, which the deducted VAT amounts were based on, had been recorded in the legal books.
• 3^rd Chamber of Council of State has approved the Court’s decision and dismissed the applicants request regarding the revision of decision.
• Final decisions were notified on 10 February 2015 and the applicant made an individual constitutional application on 9 March 2015.

1. If legal books and documents were not submitted to tax audit officer, court decision will be rendered without examination of legal books and documents submitted to court, and
2. Courts are under obligation to examine legal books and documents in order to allow taxpayers to prove their claims.

• Tax administration requested applicant to submit his legal books and documents for the calendar years 2008, 2009, 2010 for the investigation pertaining to the purchase of certain goods and services. Upon applicant’s failure to submit the aforementioned books and documents without providing any valid excuse, the difference amount arising by means of the refusal of VAT deductions for the purchases made in the relevant years was assessed with a threefold amount of tax loss fine.
• The applicant filed multiple lawsuits against the assessments before Adana 1^st Tax Court (“Court”) and claimed that the refusal of lawsuit without examination regarding whether the documents related to the deducted VAT amount were recorded in the relevant books and documents would be illegitimate. The applicant requested for the examination of electronic accounting records and stated that the applicant can submit legal books and documents if a sufficient time was provided hereof.
• The Court dismissed the case on the grounds that the legal books and documents were not submitted without providing any valid excuse in the term of limitation and it was not proved that the purchase documents, which the deducted VAT amounts were based on, had been recorded in the legal books.
• 3^rd Chamber of Council of State has approved the Court’s decision and dismissed the applicants request regarding the revision of decision.
• Final decisions were notified on 10 February 2015 and the applicant made an individual constitutional application on 9 March 2015.

1. If legal books and documents were not submitted to tax audit officer, court decision will be rendered without examination of legal books and documents submitted to court, and
2. Courts are under obligation to examine legal books and documents in order to allow taxpayers to prove their claims.

The Law on Restructuring of Certain Receivables and Amending Certain Laws Is Published

The Law on Restructuring of Certain Receivables and Amendment of Certain Laws (“Law”) was published in the Official Gazette dated 17 November 2020 and numbered 31307.

The Constitutional Court Decision Evaluating the Expert Report’s Positive Proof Qualification upon

Turkish Constitutional Court: Failure to take the Favorable Law into Account Violates the Principle

Turkish Constitutional Court (“CC”) ruled that it is unconstitutional not to apply the favorable criminal provision within the scope of the law change that occurred during the judgement process.

Personal Data Protection Authority Imposed Administrative Fines Against the Association Sending Adve

Companies and Branches within the scope of the Foreign Direct Investment Law are Required to Obtain a registered electronic mail (“KEP“) account

Amendments to the Shareholders’ Meeting Procedures of Joint Stock Companies

Significant changes to shareholders’ meeting procedures and principles on the attendance of a representative of Ministry of Trade have been introduced.

Amendments to the Financial Reporting of Investment Funds

Capital Markets Board of Turkey (“CMB“) has published the Communiqué Amending the Principles Regarding Principles on Financial Reporting on Investment Funds (“Amendment Communiqué“), in the Official Gazette dated 9 October 2020 and entered into force on the same date. Changes introduced by the Amendment Communiqué can be summarized as follows:

Additional Six Months has been granted to Benefit from the Renewable Energy Resources Support Mechanism

Amendments in Communiqué on Principles Regarding Real Estate Investment Companies

Turkish Constitutional Court Annulled Article 81/13 of Law on Intellectual and Artistic Works

Pursuant to Law numbered 5846 on Intellectual and Artistic Works (“Law“) reproduced copies of musical and cinematographic works and non-periodical publications should bear a special label, called a banderol for commercial exploitation. The breach of banderole liability crimes and related punishments are regulated under article 81 of the Law. Article 81/13 of the Law, on the other hand, sets forth a special joiner of offences rule by making a reference to article 71/1-1 of the Law that infringement of the moral and financial rights crime regarding an artistic work is laid down.

Guideline on Non-clinical Evaluation of Vaccines for Human Use has been Published

WIPO Launches “WIPO Lex-Judgments” Database

Principles and Procedures Applying to Taxpayers Detected with High

The Court of Cassation: Mediation is not Mandatory for Compensation Cases Initiated with Non-Monetar

Guidelines on Employee Inventions and Inventions Made in Higher Education Institutions were published

Regulation on Generation and Use of TR QR Code in Payment Services has been Published

Turkey Amends the Decision on State Aids in Investment

Turkey Announces the Regulation on Sale of Refurbished Products

Turkey Introduced Significant Amendments to the Code of Civil Procedure

WIPO Launched “WIPO PROOF”, A Trusted Digital Evidence Service to Safeguard Digital Assets

The ever-changing digital world, on one hand, creates a great number of digital data pertaining to innovative and creative ideas, but on the other hand raises questions on misuse and infringement of these.

Turkey’s Board of Advertisement Rendered a Decision in which It Classified Certain Personal Social

Turkish Data Protection Board States that the Convention 108 is not sufficient per se for Data Trans

Turkish Data Protection Board: A Single Person may be Appointed as the Contact for more than One Dat

Turkish Data Protection Board (“Board”) decided that a single person may be appointed as the contact person for multiple data controllers abroad at the same time. However, a person can be a contact person for only one data controller in Turkey.

Turkey Introduces Procedures and Principles Regarding Determination of Power Plant Areas of Production

Turkish Court of Cassation: Article 6/A of the Abolished Law number 4077 on the Protection of Consum

Turkey Amended the Communiqué on Signing of the Company Establishment Agreement

Turkish Trade Remedies – July 2020

TURKEY INITIATES SURVEILLANCE ON IMPORT OF BICYCLE PARTS FROM CHINA, INDONESIA, INDIA, MALESIA AND THAILAND

The Law Amending the (“Amendment Law”) Law number 5651 (“Law Number 5651”) on Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts was published in the Official Gazette on 31 July, 2020. With the Amendment Law, important changes were made to the internet law. It is possible to examine the changes brought under two main headings: changes in social media regulations and changes in the general process.

Moroglu Arseven

The Law Regarding the Establishment of Digital Platforms Commission and Amendment of Certain Laws (“Law”) was published in the Official Gazette dated 28 July 2020 and numbered 31199.

Digital Economy Maneuver from the Turkish Competition Authority

Turkey Announces Procedure and Principles Regarding R&D Tenders

Turkish Constitutional Court Determined Constitutional Review Principles for Presidential Decrees

In Presidential Government System, which was adopted on 9 July 2018 in Turkey, the President is entitled to issue Presidential Decrees on the matters related to executive power without the need for an enabling law. Presidential Decree, being a fundamental norm as per regulated directly under the Constitution, is a general and framework regulative transaction.

Turkish Constitutional Court: Decision to Completely Block Access to a News Site Violates Freedom of the Press

Regulation on Activities to be Evaluated under Insurance Services, on Insurance Contracts Concluded

Turkey Issues Regulation on Manipulation and Misleading Transactions in Financial Markets

Legal Briefings

• Asset recovery in Turkey: are criminal proceedings the only way?

  White-collar crimes have not only increased in scale but have also become increasingly sophisticated. Individuals, companies, and financial institutions have been outflanked by criminal attacks. Furthermore, with advancing technology and complex transactional structures, the proceeds of white-collar crime have become easier to dissipate and move. Accordingly, alongside combating the criminals, finding new and effective ways …

  Continue reading ""

• Substantive and procedural issues in asset purchases under Turkish law

  Transactions for the transfer of assets of commercial enterprises, and commercial enterprises in toto, have always been somewhat controversial under Turkish law. A threshold issue is whether, under applicable law, the divested asset(s) comprise the seller’s total enterprise. In this respect, it is important to start with the definition of an asset transfer under Turkish …

  Continue reading ""

Comparative Guides

• Turkey: Intellectual Property

  Published: July 2021

  Authors: Işık Özdoğan, LL.M. Gökçe İzgi, LL.M. Ezgi Baklacı Gülkokar, LL.M. Yonca Çelebi

  This country-specific Q&A provides an overview to Intellectual Property laws and regulations that may occur in Turkey.

• Turkey: Bribery & Corruption

  Published: May 2021

  Authors: Burcu Tuzcu Ersin, LL.M. Benan Arseven Dr. Z. Ertunç Şirin, MA

  This country-specific Q&A provides an overview to Bribery & Corruption laws and regulations that may occur in Turkey.

• Turkey: Patent Litigation

  Published: October 2021

  Authors: Gökçe İzgi, LL.M. Işık Özdoğan, LL.M. Ezgi Baklacı Gülkokar, LL.M. Merve Altınay Öztekin, LL.M.

  This country-specific Q&A provides an overview to Patent Litigation laws and regulations that may occur in Turkey.

• Turkey: Employment & Labour Law

  Published: March 2022

  Authors: İpek Ünlü Tık Burcu Tuzcu Ersin, LL.M. Ergun Benan Arseven A. Kaan Başer, LL.M.

  This country-specific Q&A provides an overview to Employment & Labour Law laws and regulations that may occur in Turkey.

• Turkey: Tax

  Published: October 2021

  Authors: Dr. Z. Ertunç Şirin, MA Metin Abut

  This country-specific Q&A provides an overview to Tax laws and regulations that may occur in Turkey.