Focus on…

Corporate and M&A in Turkey

1. Development of M&A trends in technology companies in recent years in Türkiye a)  Overview: Technology start-ups in Türkiye have been around since the 1980s with e-mail and internet provider companies. However, it took several decades for the market to develop to a point where it could attract global-scale investments. The startup ecosystem has played a critical role in driving technological innovation, and its fostering owes much to the combined efforts of both individuals and the public sector. In the early 2000s, Technology Development Zones were introduced, providing incentives for research and development (“R&D”) efforts and granting tax benefits. Technology Transfer Offices were also introduced during this period, which further facilitate the cooperation between the universities and businesses and commercialization of technologies. By 2010s, the startup ecosystem have started to mature with the introduction of acceleration programs, incubation centers, angel networks and venture capitals (“VCs”). From 2012 to date, angel investors have become accredited, local VCs are formed, equity-based crowdfunding has been introduced, along with other governmental grants and funds supporting the start-up ecosystem. In the last quarter of 2022, the Republic of Türkiye Ministry of Industry and Technology announced the "Turcorn 100 Program". It aims to support start-ups and promote the international recognition of the Turkish technology ecosystem, with goals to increase the number of "Turcorns" (i.e. Turkish unicorns). It cannot be disregarded that the Covid-19 pandemic has resulted in a new reality, and technology companies were able to address the current dynamics and help mitigate the negative effects of the pandemic on our lives. Businesses have adopted methods to facilitate remote work, while individuals have increasingly relied on online platforms to work, socialize and access health and educational services. Despite the economic slowdown caused by the pandemic in 2021, the e-commerce sector experienced a surge and accounted for almost one-third of the total deal volume while technology, internet and mobile services were reported to comprise 37% of the total deal numbers in Türkiye[1]. In 2022, the global M&A market has faced numerous significant challenges, including geopolitical tensions, supply chain disruptions, energy crises, economic instability, high inflation and employee salary problems. In parallel with the global trend, the activity in Turkish M&A transactions gradually slowed down each quarter throughout the year. Overall, large transactions in telecommunications, financial services and e-commerce sectors are reported to have represented the bulk of the deal volumes, while technology, internet, and mobile services accounted for approximately one-third of the deals[2]. Despite the challenges in the M&A market, the growth of technology and its influence on the market leads to a positive outlook for the future. The projections for 2023 seem hopeful that tech M&As will continue to play a significant role, with tech companies' assets benefiting from high demand from investors. Given that this trend seems to continue to drive the market, it is essential to evaluate tech M&A deals in such a way to understand the fundamental components of this field, as a good roadmap would be one of the most crucial items in a tech deal. b) Increase in cross border M&As and “flip-ups” The tech sector in Türkiye has recently been experiencing a rise in cross border M&As. This trend can be attributed to several factors, including the fact that Türkiye boasts a growing technology ecosystem with a thriving startup culture which has made it an appealing target for foreign investment; that Türkiye has a significant pool of skilled and talented tech professionals which has attracted foreign companies seeking to expand their operations in the tech sector; and that Türkiye's strategic location provides access to several regional markets, including Europe and the Middle East. In addition, the Turkish government has been implementing policies to support the growth of the tech sector, such as tax incentives to attract foreign investment, including tax breaks and investment subsidies. In addition to incoming investments to Türkiye, there have also been a rise in the number of Turkish borne start-ups seeking options to relocate their holding entities to foreign countries, while keeping their operations in Türkiye, which is referred to as a “flip-up”. While there are various reasons to realize a flip-up in practice, the main drive for companies originated in Türkiye appear to be securing their position in markets with growth potential like Europe or the United States and potentially improve operational processes. Another goal of the flip-ups is to attract foreign investment from international angel investors and VCs at later funding stages. It is not uncommon that US based investors prefer to invest through familiar mechanisms (such as through “SAFE” agreements), so that the local start-ups may explore a flip-to US to potentially benefit from similar investment options. In particular, a flip-up is usually completed through a share-for-share exchange of Turkish company shares with the foreign company shares and the ultimate structure would depend on the laws of the company where company will be relocated to. That said, for each flip-up process, there are many points to be carefully considered, including: Decision on the legal structure of the new company and procedures to complete a flip-up; Making a precise target market planning and business plan; Deciding on intellectual property (“IP”) related matters, which requires evaluation on where the IP of the company will be generated and owned; Deciding on hiring of employees for foreign entity and relocation of local employees; Ensuring compliance with relevant regulations, including a careful tax planning. 2. Key considerations in tech M&As in Türkiye Tech company M&A deals can be complex and involve a number of factors that are unique to the tech industry. Depending on the deal type agreed, following key considerations need to be taken into account while constructing and negotiating a tech company related M&A deal: a) Determining the corporate structure: One of the first items to be considered during an M&A deal would be to determine a transaction structure fit for the needs of the parties to the deal. The rules governing M&As in Türkiye differ depending on the deal structure, which are usually construed through an acquisition, merger, demerger or joint venture: Acquisitions can be realized through share transfers, capital increases, asset transfers or business transfers. Mergers are regulated under the Turkish Commercial Code No. 6102 (“TCC”) in two types (Article 136 onwards, TCC): establishment of a new company after merger of two or more companies; or takeover of one or more companies by another company. It is also possible to split a business-line from one company and merge it with another company by undertaking a demerger (Article 134, TCC). Joint ventures (JV) occur through execution of a joint venture agreement, which may include contractual business operation principles, or include provisions requiring incorporation of a special purpose vehicle company (SPV) to carry out business operations. Another key point during this stage would be to review the regulatory framework of the target company to decide if any changes in the structure would be necessary prior to investment, as many corporate investors seek to invest into a joint stock company (JSC) rather than a limited liability company (LLC) in Türkiye, since JSCs have a more bureaucratic and organic corporate governance structure. Share transfers are also easier and eligible for capital gains exemptions under certain conditions, which overall makes JSCs more compatible with M&A structures. It is imperative to establish and finalize the post-investment corporate structure, particularly for tech firms that secure funding from VCs and PE investors, who may have specific regulatory and corporate actions and compliance requirements. This is especially relevant when it is preferred to relocate the company headquarters by way of a flip up. An exhaustive evaluation at this stage can proactively address potential disputes between the company's founders and investors, which may stem from cultural and business style related disparities. b) Handling cross border issues and tax planning: Given the high frequency of cross-border transactions in the tech M&A sector, parties to such deals must carefully consider a range of critical factors. These include: (i) compliance with local legal and regulatory requirements applicable to both the acquirer and target; (ii) tax implications in both the acquiring and target countries; and (iii) cultural differences and country-specific matters, such as currency exchange rate risks, that may influence the deal structure. This is especially true in cases where the target company will be relocated to another country or the acquisition will be completed through a special purpose vehicle (SPV) located in another country, where restructuring the target and implementing effective tax planning measures becomes essential. Parties must work closely with legal, tax, and financial advisers to evaluate the tax-related risks for all stakeholders, including the shareholders, acquirer, and target company. c) Financing of the Deal: Investors may choose to obtain loans from financial institutions to raise funds for an acquisition. In such case, the financer (usually a bank) may also attend the due diligence phase or ask the buyer for additional securities in exchange for the loan. As granting by a target company any advance, loan, or security to finance the acquisition of its own shares is prohibited (Article 380, TCC), the financial assistance restrictions of TCC which prevents leveraged buyouts should be considered while structuring financing of the transaction. Another issue worth mentioning is whether cryptocurrency can be an alternative for financing tech M&A transactions. In theory, cryptocurrency could be used to pay for the acquisition of a target company, with the payment being made directly to the seller's digital wallet, which could potentially offer advantages over traditional payment methods. In Turkish legislation, there is not any specific regulation on cryptocurrency payments in M&As. By virtue of the principle of freedom of contract which governs the Turkish legal practice, cryptocurrency can be used to finance the transaction in question with the mutual agreement of the parties. However, as the legal and regulatory status of cryptocurrencies is still uncertain, which could present legal and compliance risks for parties involved in M&A deals, it is yet to evolve into a much used practice in Türkiye. d) Merger Control: Merger control rules in Türkiye are akin to the ones stipulated in the European Union under the Council Regulation No. 139/2004 and are regulated within the scope of the Law No. 4054 on the Protection of Competition (the “Competition Law”) as well as the Communiqué No. 2010/4 on Mergers and Acquisitions Requiring the Approval of the Competition Board (“Communiqué”). According to Article 7 of the Competition Law and the Communiqué, merger and acquisition transactions resulting in permanent change in the control structure of the parties which exceed the turnover thresholds are required to be mandatorily notified before and approved by the Competition Board (“Board”) in order for the transactions to become legally valid. With the amendment of the Communiqué by the Communiqué Amending the Communiqué Concerning the Mergers and Acquisitions Requiring the Approval of the Competition Board (the “Communiqué No. 2022/2”) published in the Official Gazette on 4 March 2022 and entered into force as of 4 May 2022, the definition of “technology undertakings” is introduced for the first time into the Turkish competition law. As in other jurisdictions, with the increasing interest in digital platforms and technology related markets, the Board through this amendment has aimed to prevent “killer acquisitions” and catch transactions involving acquisition of start-up companies (as target companies) whose turnover figures do not exceed the applicable thresholds required for the target, leading the transaction being off the Competition Authority’s radar and review. Indeed, pursuant to the amendment, undertakings operating in digital platforms, software and gaming software, financial technologies, biotechnology, pharmacology, agricultural chemicals and health technologies are considered within the scope of “technology undertaking” definition and regardless of the turnover thresholds for the target set forth under the Communiqué, transactions concerning the acquisition of technology undertakings (as target companies) operating in Turkish geographical market or having R&D activities or providing services to users in Türkiye will be subject to the approval of the Board. It should be noted that the obligation to exceed the turnover thresholds provided under the Communiqué is solely removed for the target company qualifying as technology undertaking and the acquirer is still required to meet the turnover thresholds for the transaction to be notifiable under merger control rules in Türkiye. e) Deciding on future of key employees and founders: Status of Key Employees Employees are usually a key aspect of the M&A deals for companies operating in technology sector, as the businesses typically relies on key persons and product development carried out by those persons. Accordingly, it becomes a key matter to review the current status of the target’s employees, including matter as to their financial rights, future covenants, bonus structures, stock options, IP rights, as well as their non-compete and confidentiality obligations. It is also important to evaluate whether the employment agreements executed mainly with the key employees of the target company contains a non-compete provision. Under Turkish law, the non-compete obligation of an employee is regulation under Turkish Code of Obligations No. 6098 (“Law No. 6098”). Since this non-compete clauses restrict employees’ freedom of labor, there are some requirements for the validity of the non-compete clauses and accordingly, the non-compete obligation must not unreasonably endanger employee’s financial future and have certain restrictions in terms of time and geographical scope. Employee Stock Option Plans Tech companies are keen to recruit highly skilled key employees who can add value to their organization, but building a strong workforce remains a significant challenge for them. In the early stages of a startup, revenue streams are typically low, and the salary expectations of talented employees are high. To address this issue, stock option plans have been widely implemented, particularly in the United States since the 1970s, to satisfy the financial concerns of employees by providing them with a share option in the company. In Türkiye, there is currently no specific legislation regulating stock option plans, but the concept is applicable in the light of existing legal regulations in accordance with the Law No. 6098 and the TCC. Historically, stock options have not been widely adopted, as many companies are not publicly traded and the legislation does not clearly define the conditions for benefiting from stock option plans. As a result, Turkish tech companies faced additional challenges in attracting and retaining key employees, particularly those who may be seeking financial incentives in the form of stock options. However, in the recent practice, Turkish start-ups, especially ones operating in tech sector, have widely started to use stock option plans, due to many advantages of the concept. With stock option plans, the employees who meet certain conditions specified in the share option agreement, they either become shareholders in the company or they receive some of the benefits of the share ownership. Thus, stock option plans serve to increase the employees’ loyalty and their performance and enables them to align their own interests with the company’s future gains. In the employers’ perspective, stock options allow the companies to provide an upside to key employees during the early phases of their organization. Typically, there are two types of stock option plans used in Turkish legal practice: Phantom stock options: The employee does not become a shareholder of the company but benefits from certain economical rights and benefits attached to the shares, generally known as “phantom stock option plans”. Direct share options: The employee becomes a direct shareholder of the company by way of a share transfer and the shareholding is recorded to the cap table. Since non-voting shares are not available in Turkish companies, phantom stock option plans are more commonly preferred by investors. It gives the freedom to companies to custom-design their plans based on their organizational and shareholder structure, capital, volume, and other factors. For the same reason, direct share options are usually accompanied with additional mechanisms such as share pledges or usufruct rights, to ensure that the stock option plans do not directly interfere with the governance of the company or exit opportunities. However, tax consequences of each option is a matter for consideration for each type options and it needs to be carefully evaluated on a case-by-case basis. f) Key aspects for due diligence phase: While each M&A process usually involves similar elements, tech M&As have many different dynamics from other M&As as well. The findings revealed during the due diligence phase are crucial to shape the negotiations related with the potential transaction, particularly the seller’s representations and warranties. An appropriate due diligence process for a tech M&A bears considerable importance to determine the decision to invest into or take-over a technology company. Below is a summary of key points to be considered during a tech M&A: Corporate maintenance: The corporate structure refers to the way a company is organized and managed, including its shareholding structure, management hierarchy, and the way it conducts its business operations. It is essential to review the target company’s corporate documents (such as power of attorneys, share certificates of the transferring shareholders, internal directive (if any)), branch offices’ documents (if any), articles of incorporation, signature circulars, commercial registry records, company books, company website, shareholders’ agreements, related party agreements and parent / subsidiary relationship in order to determine and evaluate its management, shareholding and business structures. Key business agreements: During the due diligence process of tech M&As, evaluation of how the business operates to determine whether there are any key customers or persons to the business would be of great significance. Accordingly, the first stage of the due diligence usually requires a keen focus on understanding how the company operates. The buyer typically reviews at the stage, target company’s key agreements including (i) software license agreements including open-source licenses agreements, commercial licenses agreements and custom licenses agreements, (ii) technology agreements including technology transfer agreements, joint development agreements and technology licensing agreements, (iii) IP licensing agreements related to intellectual property, including patents, trademarks and copyrights, (iv) service level agreements executed with customers, suppliers and service providers, (v) data processing agreements and (vi) cloud services agreements executed with cloud service providers are some of the key business agreements that are specific to technology companies. In addition to these agreements, the material agreements and financial agreements that are not specific to technology companies are also evaluated to understand the target company's obligations, liabilities and potential risks. Intellectual Property (“IP”): Another significant distinction between tech M&As and other M&A transactions is the status of the target company’s IP rights. It is vital for the buyer to check whether the target company has the ownership of all the IP rights related with the company’s ordinary course of business. In addition, the target company’s employees may have an extensive know-how of the company in general. These factors undoubtedly affect the financial value of the target company. If the target company is involved in products with are subject to IP rights, such as software, patented products, inventions etc. within the scope of its business, determining how the IP development process works and identity of the persons involved is one of the most crucial points of a due diligence process, to ensure whether the target company duly holds the rights to its products. Accordingly, a qualified due diligence within the scope of the IP and IT used by the target company, is required to (i) determine the main products of the company; (ii) identify those who create such main products (founders, employees registered in payroll, independent employees, key employees or the company); and (iii) determine who will be the owner of such products or the intellectual rights on such products as a result of the transaction during the due diligence phase. Under Turkish copyright laws, upon the presumption of the Code on Intellectual and Artistic Works, the employer may enjoy economic rights arising from copyrighted works created by the employee within the scope of his/her duties, the employees would still hold the moral IP rights unless there is a written assignment to company. Also, as the pre-contractual arrangements before creation of an artistic work are considered only an undertaking to transfer, even where the employment agreements include that the IP rights fully belong to the target company, validity of the agreements signed before the creation of the work shall also be evaluated. Thus, depending on who is involved in the IP development (i.e. founders, employees, third party freelancers etc.), it needs to be ensured that the IP rights over the products are duly held by the target company, by duly reviewing the existing contracts of the company, including any employment agreements and freelance agreements. In addition, it should be identified whether the IP has been developed within the scope of projects that received grants or funding from third-party organizations, such as TÜBİTAK (the Scientific and Technological Research Council of Türkiye) or universities. This concern is particularly relevant for early-stage companies which may need to access such funds and resources. The conditions of such project agreements should be carefully reviewed to ensure there are no third-party claims or conditions that could affect the company’s ownership of the IP rights. Furthermore, if the company uses third parties’ software or other licensed products while creating its own software and other services, it is essential to (i) examine whether the company has the right to use third parties software while creating its own software or other services; (ii) examine the license agreements executed by and between the company and third parties and the intellectual property rights granted within the scope of such license agreements, during the due diligence phase. IT and Cybersecurity: In terms of tech M&A, the inventory list regarding the hardware and other IT related devices of the target company including but not limited to servers, licenses, computers, laptops, tablets, telephones, mobile-phones, terminals, storage, networking and other physical devices, infrastructure must be provided to the purchaser during the due diligence phase. It should be examined whether the target company has the necessary hardware and other IT related devices to run its business, and whether such hardware and IT related devices belong to the target company, as well as cyber security measures taken by the target company. Moreover, the certificates of the target company with regards to sustainability and information security in relation to its field of activity as well as their validity shall also be examined during the due diligence. Since the significant cybersecurity incidents continue to increase day by day, cyber security is an important issue for the tech M&A in order to protect the target company's computers, mobile devices, servers, electronic systems, networks, software, data and know-how and etc. Cyber security risks can be a major threat to the business of the target company and thus, cyber security risks should be evaluated during the due diligence phase. Moreover, the sellers' representations and warranties regarding cyber security should be added to the definitive agreements in order for the buyer to be protected from such cyber security incidents following the completion of the transaction. Data Privacy: It is becoming increasingly critical for technology companies to prioritize the protection of personal data as data privacy awareness grows and local authorities adopt regulations to address raising concerns. Personal data violations can lead to significant legal liability, as well as reputational damage. In Türkiye, the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”), supplemented by its secondary legislation including the decisions of the Personal Data Protection Board, is the main inclusive regulation on personal data. Law No. 6698 sets out various obligations for the processing, transfer and protection of personal data, including privacy notices, registering with the Data Controllers' Registry Information System (VERBIS), obtaining explicit consent when required, and addressing data subject complaints. Moreover, companies, especially those provide online services, should be aware that they may be subject to data privacy laws in other jurisdictions where they collect personal data. Compliance with data privacy obligations is critical, as failure to comply can result in accumulation of unlawfully processed personal data and associated risks. In addition to classic protections included in the definitive agreements, it is important to have an action plan to integrate strong data privacy policies that are compatible with the business model for future growth and success of a technology company. Licenses, Regulatory Compliance and Incentives: Technology companies may be subject to various licensing, registration or notification obligations depending on their scope of activity. It is important to take into account the applicable rules of each sector, particularly as technology investments may involve hybrid operations in regulated sectors. For instance, in case the target’s operations involve payment and e-money services, e-commerce, online broadcasting or hosting services, specific regulatory requirements may be applicable. Additionally, review of incentives applicable to the target would be another key review point.  Incentives are usually granted based on specific conditions. Therefore, it is crucial to identify whether the M&A transaction would trigger any procedural requirements and whether the target company’s intended post-investment structure is fit to meet the conditions of such incentives. Incentives provided to technology companies in Türkiye are provided through various government programs and tax subsidies. Depending on the type of activity, these incentives may include: R&D Incentives: In Türkiye, there are supports covering a portion of the expenses for R&D activities. These supports mean that a portion of the investments is covered by the government. KOSGEB Supports: KOSGEB (Small and Medium Sized Businesses Support and Development Agency) helps the development of micro, small and medium-sized enterprises (“SMEs”) which are classified regarding their number of employees, annual net sales income and annual financial balance sheet under the Regulation on the Definition, Qualifications and Classification of Small and Medium-Sized Enterprises. KOSGEB provides various supports to technology companies being SMEs including certain benefits for obtaining loans, grants, training and support programs related with business development, cooperation, R&D studies, and consulting services. Technopark Incentives: Technoparks located in various cities of Türkiye provide a special environment for technology companies to operate. Law on Technology Development Zones No. 4691 covers the principles related with the establishment, operations, management and supervision of technology development zones (i.e. Technoparks). Companies are allocated a workplace in Technoparks based on R&D or design projects. Various incentives and exemptions are offered to companies operating in Technoparks, including tax reductions and exemptions related with income and corporate tax and VAT, rent support, infrastructure support. TÜBİTAK Supports: TÜBİTAK (the Scientific and Technologic Research Council of Türkiye) offers incentives, such as grants, funding programs and trainings to support R&D activities and commercialization of technologies. Investment Incentives: Technology companies may benefit from incentives which include tax reductions, customs duty exemption, land allocation, and priority in selecting the investment site. According to the Decision on State Aids in Investments, medium-high technology investments may receive additional support depending on the region they are located in. Industrial Zone Incentives: Various incentives are also provided to companies in industrial zones located in different regions of Türkiye. These incentives include investment discounts, tax reductions, tax exemptions related with VAT and custom duty, and allocation of investment location. As technology companies are driven by innovation, their business models may not always fit traditional descriptions. As a result, it is important to carefully evaluate the business model and review applicable regulations to determine which licensing or registration obligations may apply. Given the dynamic nature of the technology industry, it is important to continuously monitor regulatory developments to remain compliant with the applicable regulations. ESG: As a regulatory standpoint, environmental, social and governance (“ESG”) considerations are an important part of the due diligence phase of the M&As. In Türkiye, ESG component is not always regarded as a main concern for tech M&As. This is because, as workplaces of technology companies do not usually involve production, such companies do not usually have environment related material obligations under the Turkish laws. However, ESG involves other aspects and compliance requirements as to various environmental, social and other governance matters, and an ESG related review becomes highly important during the due diligence phase. It should also not be disregarded that ESG policies, while not always legally required, ensures that companies are managed in a responsible and ethical manner. Companies that prioritize strong governance frameworks can better address the stakeholder’s demands for accountability and transparency. Some of the main ESG obligations for Turkish companies include the following, which may vary depending on the company's size, industry, and geographical location: Environmental compliance obligations, especially if the company has production lines or a polluting activity. Companies are required to comply with labor laws and regulations, including providing safe and healthy working conditions, and protecting employees' rights. Workplace safety under the Occupational Health and Safety Law numbered 6331 and the relevant legislation must be reviewed, as there are certain obligations that companies must fulfill according to their hazard class (less dangerous, dangerous, very dangerous) and their number of employees, such as appointment of qualified individuals in occupational health and safety field and employment of a workplace doctor. Governance related review is also of significance, ensuring that the company's leadership and decision-making processes are transparent and accountable, and that the company is compliant with relevant regulations and laws. If the target is a publicly held entity, the Corporate Governance Principles published by the Capital Markets Board govern these obligations. g) Representations and Warranties (“R&Ws”) and Indemnities: Based on the findings at the due diligence stage, various R&Ws and indemnity provisions are generally included in the share purchase agreements under Turkish Law, designed to allocate the risk associated with the transaction between the parties involved, and to provide the acquiring party with protection in the event of any future liabilities arising from the transaction. The specific terms of each indemnity, such as the amount of compensation, the duration of the indemnity and the conditions for triggering the indemnity, will vary depending on the specifics of the transaction agreement. One of the most significant R&Ws in the context of tech M&As are those related with IP and IT issues, as the buyer would seek to be assured by the seller that the target company is the sole and exclusive owner of the IP. During due diligence examination, it may not always be possible to examine every detail and the exact status of IP and IT infrastructure of the target company, and many times, the target is not fully compliant with the legal obligations. Thus, within the scope of tech M&As, the purchasers are likely to request seller’s warranties for a certain period to mitigate such risks. Tax related R&W and indemnities are also a key issue for M&A deals in Türkiye, considering a through due diligence is not carried out for each project. h) Deciding on dispute resolution method: Within the scope of the disputes arising from tech M&As, it is observed in practice that arbitration is predominantly preferred as is the case with other M&A transactions due to its speed, cost efficiency, and ability to utilize professionals among other factors. Although it is rare in practice, state courts can also be preferred by the parties in resolving disputes. The method or methods to resolve disputes arising from M&A agreements should be specifically included in the agreements. If the disputes arising from the M&A agreements are resolved by the state courts, it is necessary to specify which state court has the exclusive jurisdiction to resolve the dispute in the M&A agreements. If the disputes arising from the M&A agreements are to be resolved through arbitration, it is necessary to specify (i) which rules will be applied in the arbitration procedure; (ii) the number of arbitrators to be appointed by the parties in the settlement of the dispute; (iii) the seat of arbitration; and (iv) the language in which the arbitration proceedings will be conducted in the M&A agreements.   Footnotes [1] https://www2.deloitte.com/content/dam/Deloitte/tr/Documents/mergers-acqisitions/Annual-Turkish-MA-Review-2021.pdf [2] https://www2.deloitte.com/content/dam/Deloitte/tr/Documents/mergers-acqisitions/Annual-Turkish-MA-Review-2022.pdf

TRENDS AND DEVELOPMENTS IN IT LAW

I. PAYMENT SYSTEMS, DIGITAL BANKING AND CRYPTO ASSETS 1. General Banking and payment systems are heavily regulated in Turkish Law. Banking Law No. 5411 (“Banking Law”) is the main legal document that regulates banking sector; and, the payment systems are regulated by Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Payment Law”), with their secondary legislation. Under the Payment Law, payment system and securities settlement system can only be operated with a license acquired from the Central Bank of the Republic of Turkey (“Central Bank”). Payment system is defined under the Payment Law as “the structure that has common rules and provides the infrastructure required for clearing and settlement transactions carried out in order to realize fund transfers arising from transfer orders among three or more participants” and securities settlement system is defined as “the structure that has common rules and provides the infrastructure required for the clearing and settlement transactions carried out in order to realize securities transfers arising from transfer orders among three or more participants”. Moreover, the following activities are defined as payment services under Article 12 of the Payment Law: All the transactions required for operating a payment account including the services enabling cash to be placed on and withdrawn from a payment account, Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider, direct debits, including one-off direct debits, payment transactions through a payment card or a similar device, credit transfers including standing orders, Issuing or acquiring payment instruments, Money remittance, Execution of payment transaction, where the consent of the payer to execute a payment transaction is given by means of any telecommunication, digital or IT device and the payment is made to the telecommunication, Corresponding services enabling bill payments. At the request of the payment service user, the payment initiation service related to the payment account at another payment service provider. Upon approval of the payment service user, the online provision of consolidated information of one or more payment accounts held at payment service providers by payment service users. Other transactions and services reaching the level to be determined by the Bank in terms of total size or impact in payments. According to the Payment Law, payment institutions are legal persons authorized pursuant to the Payment Law to provide and execute payment services. As an important step the Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers (“PSR”) and the Communiqué on Information Systems of Payment and Electronic Money Institutions, and Data Sharing Services of Payment Service Providers in the Field of Payment Services (“DS Communiqué”) drafted by the Central Bank was published in Official Gazette numbered 31676 on 1 December 2021 and entered into force. With the PSR and Communiqué drafted based on the following amendments made in Payment Law, which was published in Official Gazette on 22 November 2019, Turkish legislation has been aligned with Directive (EU) 2015/2366 of European Commission, Payment Services Directive 2 (“PSD2”). DS Communiqué first granted a transition period for the compliance of the market players until 28 February 2023. Thereafter this transition period was extended until 30 April 2023 with the Amendment Communiqué on the DS Communiqué published in the Official Gazette numbered 32118 and dated 28 February 2023. Moreover, digital banks are regulated under the Turkish law for the first time. Crypto assets are, on the other hand, mainly unregulated under Turkish law, and until 2021 there was no provision directly addressing crypto assets. The very first legal document, specifically regulating crypto assets, is the Regulation on the Use of Crypto-Assets in Payment promulgated in 2021, which prohibits the use of crypto assets in payments. Non-Fungible Token (“NFT”) usage and fan token issuance has rapidly grown in Turkey. Fan tokens especially became very popular among sport teams including major league football clubs such as Fenerbahçe and Altay providing additional income. On a further note, blockchain on its own is not regulated, but rather, governed by the rules applicable to the area where it is used. 2. Recent Key Developments in Payment Systems, Digital Banking, Digital On-Boarding and Crypto Assets 2.1 The Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers The regulation aims to draw the procedures and principles regarding the authorization and activities of payment institutions and electronic money institutions (“Institutions”), the provision of payment services to payment service providers, and the issuance of electronic money. The PSR regulates licensing conditions and proceedings of the Institutions One of the most critical regulations is that intangible assets that are only issued in exchange for a one-to-one fiat currency, created virtually and distributed over digital networks are considered as electronic money in case they are issued against funds accepted by the issuing institution, stored electronically, used to perform the payment transactions defined in Payment and accepted as a payment instrument by real and legal persons other than the issuing institution. The Central Bank will determine how the secondary regulations enacted pursuant to Payment Law will be applied to intangible assets that will be considered as electronic money within the scope of this paragraph, and other procedures and principles needed for such electronic money. According to the PSR payment order refers to the instruction given by the customer to the payment service provider for the purpose of realizing the payment transaction, and in accordance with Law No. 6493, the institutions have the right to issue a payment order initiation service (“PIS”). In case of initiations of payment through the PIS provider, the institution holding the sender's payment account will promptly return the unfulfilled or incorrectly executed part of the payment transaction to the sender and restore the payment account if the amount has been deducted from the payment account. In such transactions, the obligation to prove that the payment order has been received by the institution where the payment account is held, the transaction has been approved by the customer, is recorded correctly, processed into the accounts and is not affected by a technical failure or problem in the services under its responsibility will belong to the PIS provider. The procedures and principles regarding the execution of transactions related to the PIS and the account information service (“AIS”) and the technical and operational requirements to be complied with by the parties are determined by the Central Bank. Compliance with the technical and operational requirements of the Central Bank is audited through technical control and evaluation process to be carried out by Interbank Card Center (“BKM”). Parties who complete this technical control and evaluation process without any problems are registered by BKM and publicly announced on the website and are accepted as authorized PIS and AIS providers after the necessary permissions are given by the Central Bank by Institutions operating as of the date of entry into force of the PSR are obliged to harmonize with the PSR within one year from the date of publication of the PSR. PSR mainly granted a transition period for the compliance of the payment and electronic money institutions operating as of the date of the entry into force of the PSR until 1 February 2022 to comply with the requirements set forth under the PSR. This transition period was first extended until 28 February 2023 with the Amendment Regulation on the PSR published in the Official Gazette numbered 32024 and dated 25 November 2022. Thereafter, the second extension was made with the Amendment Regulation on the PSR published in the Official Gazette numbered 32118 and dated 28 February 2023 and the transition period was finally extended until 30 April 2023. 2.2 Digital Banking Regulation As a result of the amendments made in article 76 of the Banking Law, and with entry into force the Regulation on the Establishment of a Contractual Relationship in the Electronic Environment and the Remote Identity Detection Methods to be Used by Banks; establishing contractual relations between banks and their customers in electronic environment became possible. With these developments, Banking Regulation and Supervision Agency (“BRSA”) has aimed to construct the foundations of the digital banking model, which operates only in the digital environment. Therefore, BRSA published the Regulation on the Operating Principles of Digital Banks and Service Model Banking (“DBR”) The DBR aims to determine the operating principles of branchless banks that serve exclusively through digital channels and the conditions for the provision of banking as a service model (banking as a service, “BaaS”) to businesses and innovative enterprises – in other words, start-ups. The DBR defines digital banks as “credit institutions that provide banking services mainly through electronic banking services distribution channels instead of physical branches”. Unlike the branchless banking application in Europe, the DBR allows neo banks to obtain a license to operate directly over the BaaS infrastructure, without the requirement to have a licensed sponsor bank. Unless otherwise stated in the DBR or the relevant legislation, digital banks can perform all the activities that credit institutions can perform, depending on whether they are deposit or participation banks. Digital banks are obliged to comply with the provisions of the DBR in addition to all the legislative provisions that credit institutions are obliged to comply with within the framework of the Banking Law and related legislation. The DBR sets forth certain restrictions for the activities of digital banks. According to the DBR, customers of digital banks can only be financial consumers and small and medium enterprises (“SMEs”). In this respect, digital banks were prevented from carrying out commercial banking activities exceeding the SME size. The total of unsecured cash loans that digital banks can make available to a certain financial consumer cannot exceed four times the average monthly net income of the relevant customer, and if the customer's average monthly net income cannot be determined, the total of unsecured cash loans that can be extended for such customer cannot exceed ten thousand Turkish Liras. The DBR defines the BaaS as “a service model in which customers can perform banking transactions through the service bank by connecting directly with the systems of service banks via open banking services by the interface offered by the interface providers.” The service bank can only provide service model banking services to domestically resident interface providers and only within the framework of their own operating permits. 2.3 Regulation on the Use of Crypto-Assets in Payment Regulation on the Use of Crypto Assets in Payments has been published on 16 April 2021 to be effective as of 30 April 2021 and became the first legal document specifically regulating crypto assets under Turkish Law. Crypto asset is defined under Article 3 as “intangible assets that are created virtually using distributed ledger technology or a similar technology and distributed over digital networks but are not qualified as fiat money, dematerialized money, electronic money, payment instrument, security or another capital market instrument”. As per Article 3, crypto assets may not be used directly or indirectly in payments. Article 4 prohibits payment service providers to develop business models or provide services regarding those business models where crypto assets are used in the provision of payments services and issuance of electronic money. Article 4 also prohibits payment and electronic money institutions to mediate platforms and fund transfers from the platforms offering trading custody, transfer, or issuance services for crypto assets. 2.4 Regulations Allowing IBAN Issuance by Payment Service Providers Communiqué numbered 2021/5 (“Amendment Communiqué”), published in Official Gazette dated 5 August 2021, numbered 31559, amends Communiqué number 2008/6 on International Bank Account Numbers to allow payment service providers to issue international bank account numbers (“IBAN”). Amendment Communiqué provides that (i) payment service provider codes for use in issuing IBAN will be determined by the Central Bank, and (ii) non-bank payment service providers can issue IBAN for customer accounts subject to money transfers but are obligated to do so only where applicable payment system rules established pursuant to Payment Law so require. 2.5 Regulation on Remote Identity Verification and Remote Contract Execution The Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in Electronic Environment was published in the Official Gazette No. 31441, dated April 1, 2021. With the regulation, it became possible to perform identity verification proceedings by video calls online without the need for the customer representative and the customer to be physically present at the same environment. In addition, after identity verification was made remotely or through branches, it became possible to establish remote banking contracts 2.6 General Communiqué of Financial Crimes Investigation Board No. 19 on Remote Identity Verification General Communiqué of Financial Crimes Investigation Board No. 19, effective as of 1 May 2021, on remote identity verification (“Communiqué 19”), was published in Official Gazette No. 31470 of 30 April 2021. The Communiqué 19 allows, in accordance with extant applicable law, remote consumer identity verification to facilitate establishment of a commercial relationship. The method designed and utilized by the parties must minimize the risk of unauthorized publication of protected data. Notably, a signature sample need not be obtained in the process. 2.7 Crypto Asset Service Providers’ Obligations Regarding Anti Money Laundering and Terrorist Financing The Regulation on Amendment of Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing, effective as of 1 May 2021 (“Crypto AML Regulation”), was published in Official Gazette numbered 31471 of even date. The Crypto AML Regulation expands the definition of obligated entities under article 4 of the Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing (“AML Regulation”), - published in Official Gazette numbered 26751 of 9 January 2008 - with the following subparagraphs: (ü) crypto asset service providers, (v) savings financing companies. Accordingly, as of 1 May 2021, crypto-asset service providers, savings financing companies, their branches, agents, representatives, commercial agents, and affiliated entities are required to comply with the AML Regulation. 2.8 Digital On-Boarding The BRSA has issued Circular numbered 2022/2 Regarding the Criteria to be Provided for Authentication and Transaction Security in the Establishment of Agreements in Electronic Banking Services and in Electronic Environment. The circular aims to clarify the application of the Regulation on Banks’ Information Systems and Electronic Banking Services, the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Agreements in Electronic Environment and the Regulation on Operating Principles of Digital Banks and Service Model Banking, in a uniform manner without compromising transaction security. 2.9 Recent Developments on Equity Requirement for Payment Institutions The Communiqué Regarding the Redetermination of Minimum Equity Amounts of Payment and Electronic Money Institutions (“Equity Communiqué) has been published by the Central Bank of the Republic of Türkiye, in the Official Gazette dated 28 January 2023 and numbered 32087, in order to update the minimum equity amounts of payment institutions and electronic money institutions regulated in the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers. The Equity Communiqué will enter into force on 30 June 2023. Updated minimum equity amounts with the Equity Communiqué are as follows: In the event of services for mediation of invoice payments being offered, the minimum equity amount, which was TRY 5,500,000 in 2022, will be TRY 7,000,000 as of the second half of 2023. For other payment institutions, except for those that exclusively provide the service of presenting consolidated information regarding one or more payment account of the payment service user held by payment service providers on online platforms, the minimum equity amount, which was TRY 9,000,000 in 2022, will be TRY 15,000,000 as of the second half of 2023. For electronic money institutions, the minimum equity amount, which was TRY 25,000,000 in 2022, will be TRY 41,000,000 as of the second half of 2023. II. E-COMMERCE 1. General E-commerce is regulated under Turkish law especially regarding e-commerce platforms and electronic commercial messages. Law on Regulation of Electronic Commerce No. 6563 is the main legislative document that governs e-commerce along with the Law on Protection of Consumer No. 6502 (“Consumer Law”) for the B2C side. In accordance with the E- Commerce Law; with certain exceptions, commercial electronic messages can be sent to recipients by service providers, only with recipient’s prior consent. Service providers, wishing sending commercial electronic messages, must register with and transfer their consent records to the commercial electronic communication management system before carrying out any commercial communication. A draft has been brought to Turkish parliament for the amendment of Consumer Law. The proposed amendments, if passed, will bring certain aggravated obligations to the intermediary service providers and stricter regulations regarding remote contracts. 2. Recent Key Developments in E-Commerce 2.1 Competition Authority’s Preliminary Findings on E-Marketplace Sector On 7 May 2021, the Turkish Competition Board made public certain preliminary findings ("Report") from its e-marketplace sector inquiry, commenced 11 June 2020 (“Inquiry”), by publishing same on the Turkish Competition Authority’s (“TCA”) website. The Inquiry was intended to, in the interest of general consumer and merchant protection, identify anti-competitive practices within the e-marketplace sector. In light of the Inquiry findings, the Report, inter alia, recommends implementing certain ameliorative measures. To that end, the Report contains the following recommendations: strengthen applicable secondary legislation, implement a code of conduct applicable to e-marketplace platforms in order to eliminate current imbalances in bargaining power between merchant and e-marketplace platform operator, promulgate standards for e-marketplace conduct of gatekeeper enterprises. 2.2 Licence Requirement Electronic commerce intermediary service providers with a net transaction volume over ten billion and number of transactions over 100,000 excluding cancellations and returns in a calendar year shall obtain a license from the Ministry of Commerce and renew such license annually. The provisions regarding the obligation to obtain a license will enter into force on 1 January 2025. 2.3 Content Management Regarding intellectual and industrial property rights, the e-commerce intermediary service provider is obliged to unpublish the product of the e-commerce service provider, which is the subject of the complaint, and notify the e-commerce service provider and the right owner, upon a complaint based on information and documents regarding intellectual and industrial property rights violations. The product subject to the complaint may be republished upon e-commerce service provider’s submission of the information and documents refuting the complaint to the intermediary service provider. With the relevant regulation, the complaint and takedown procedure to be followed in case of violation of intellectual and industrial property rights of the content is regulated. III. INTERNET - SOCIAL MEDIA AND DIGITAL PUBLICATIONS 1. General All internet contents including online media services are regulated under the Law no.5651 on the Regulation of Publications on the Internet and the Suppression of Crimes Committed by Means of Such Publications (aka Internet Law) by Information and Communication Technologies Authority (“ICTA”) The Internet Law regulates obligations of content providers, hosting providers, internet providers and social network providers. As per the Internet Law; The content provider is responsible for any kind of content it makes available on the internet. Yet, hosting providers are not responsible for checking the hosted content or researching whether such content constitutes an unlawful activity. Access providers are required to block alternative access methods and provide information to the ICTA if requested; Social network providers are under the obligation to respond individual requests within forty-eight hours, complying with content removal and access prevention measures, and providing regular reports including statistical and categorical information containing the foregoing. The social network providers abroad that has more than 1 million daily access from Turkey are required to appoint local representatives. The local representatives are responsible from accepting notices, notifications, and requests from administrative and judicial authorities in Turkey, responding to individual applications and fulfilling other obligations under the Internet Law. 2. Recent Key Developments in Internet/Social Media 2.1 Bans Advertising on Twitter, Periscope, and Pinterest Turkey has brought a set of amendments on the Internet Law and the amendment law was published in the Official Gazette on 31 July 2020. With the amendments, series of obligations were set forth for the local and foreign domiciled social network providers operating in Turkey including appointing a local representative. ICTA banned advertising on Twitter, Periscope, and Pinterest for failure to appoint a local representative. The advertisement bans have been withdrawn later after appointment of such representatives. 2.2 Guidelines applicable to Social Media Influencer Advertising To clarify the current state of the law on social media advertising governed by Consumer Law and the Regulation on Commercial Advertisement and Unfair Commercial Practices (“Advertising Regulation”), Turkey’s Advertisement Board published its Guideline on Commercial Advertisement and Unfair Commercial Practices of Social Media Influencers, effective 4 May 2021 (“Guideline”). Social media posts by influencers deriving financial or other material benefit are commercial in nature under the Law and the Advertising Regulation; and with it such ads must fully comply. Accordingly, the Guideline, on top of certain other requirements, obliges social media influencer posts to be disclosed as commercial advertising. 2.3 Amendments to the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts The Regulation Amending the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts (“Amendment Regulation”) was published in Official Gazette dated 10 April 2021 and numbered 31450. Amendment Regulation introduced certain amendments affecting the financial obligations of licensed broadcasters which are as follows: Broadcasters wishing to pay their licensing fees in installments were obliged to pay the first installment to the Radio and Television Supreme Council (“RTÜK”) up-front and in cash, and guaranty payment by providing to the RTÜK a guarantor letter(s) operative for a period of at least 10 years and amounting to 6 installments. The Amendment Regulation revised the amount as 9 installments and allowed broadcasters to obtain guarantor letters from more than one bank. A broadcaster wishing to renew its license must apply online to the RTÜK at least 2 months before expiration of its then current license. Guarantor letter covering a broadcaster’s internet broadcast transmission authorization fee must be in an amount equal to such fee and operative for a period of 1 year. 2.4 Amendments on Social Media Platforms Law Amending the Press Law and Certain Laws numbered 7418 (“Law No. 7418”) was published in the Official Gazette dated 18 October 2022 and numbered 31987. Accordingly, certain amendments introduced to Law No. 5651 (aka Internet Law) with regards to the regulations related to social network providers. Notable amendments brought by the Law No. 7418 within the scope of the Internet Law are as follows: The legal entity or real person appointed as the representative of a foreign based social network provider with more than ten million daily access from Turkey, will be fully competent and liable for all technical, administrative, legal and financial matters of the social network provider, the liabilities of the social network provider are reserved. If the appointed representative is a legal entity, it is mandatory for this legal entity to be a branch incorporated by the social network provider as a stock company. If the representative of the social network provider is a real person, this person must be a resident in Turkey and also a Turkish citizen. The obligations of social network providers have been extended, as listed below: Both domestic and foreign based social network providers with more than one million daily access from Turkey have been put under the duty to submit a Turkish report in every 6 months to the Authority, reflecting their compliance with the Authority’s notified decisions in relation to removing of content and/or blocking access and/or statistical and categorical information regarding such requests addressed to them by the persons claiming the violation of their personal rights. The article further regulates that such reports must include information regarding header labels, algorithms related to the contents highlighted or underemphasized and social network providers’ advertisement and transparency policies. Within the scope of the social network providers duty to treat their users equally and impartially, the report must also include all precautions taken in this sense. It is also an obligation for the social network providers to publish this report on their websites. The obligation to ensure that the viewers clearly and easily access the parameters used when the social network providers are recommending them other contents has been brought. In addition, social network providers must take all necessary precautions to ensure that the users can change their preferences regarding the recommended contents and limit the use of their personal data on their websites and include this in their report. Furthermore, social network providers also need to establish an advertisement library containing information regarding contents, advertisers, durations of advertisements and target audience, publish this library in their websites and include it in their report. Social network providers must take all precautions in their systems and algorithms in order to not publish contents and header titles about the crimes within the scope of the Internet Law, reflect these in their reports and cooperate with the ICTA accordingly. Social network providers are put under the obligation to take necessary precautions regarding services specifically addressed to children. Last but not least, social network providers have become obliged to draw their crisis management plans in relation to unordinary conditions which may affect public safety and health and submit it to the ICTA. 2.5 Digital Publications Law No. 7418 significantly amends a wide range of different legislations and includes amendments to Press Law numbered 5187 (“Press Law”), Law on the Establishment of the Press Advertising Agency numbered 195 (“Law No. 195”) and Turkish Criminal Code numbered 5237 (“Criminal Code”). Notable amendments brought by the Law No. 7418 within the scope of the Press Law are as follows: Online websites have been added within the scope of periodical publications in the article regulating the scope of the Press Law. The scope of the mandatory information required on the homepages of online news websites have been extended and it has become an obligation to include more specific information such as their workplace addresses, commercial titles and e-mail addresses. This information will also need to be available under the websites’ “Contact” section. The unfulfillment of such duty will be subject to fines amounting from TRY 500 to TRY 20,000. In addition, websites are obliged to include all updates and changes made to their contents with their relevant dates available to their viewers, specified on the content. In line with the duty of the responsible manager of periodical publications to publish the correction and reply within the scope of the Press Law, it has become obligatory for the responsible manager of an online news website to publish the correction and reply written by the person harmed by the published content to publish this text on the following day of the publication the latest. This text will be published on the page and column of the original content, providing the URL, in the same font. Failure to fulfill these duties will lead to the judge’s decision for this text to be published in two online news websites and two newspapers with print run over 100,000. All expenses will be paid by the owner of the publication. IV. CLOUD COMPUTING 1. General In Turkey; although there is no specific regulation regarding cloud computing, certain rules prescribed in several laws and secondary legislation concerning cloud computing apply in most cases. These rules are mainly concentrated on the notification requirement and data localization. As stated above, hosting providers should notify ICTA before providing hosting services. Hosting provider is defined under the Internet Law as “natural or legal persons who operate or provide systems which stores the services and contents”. As such, cloud providers are regarded as hosting providers with respect to the Internet Law. As per the Internet Law, hosting providers are required to retain traffic data for 1 year and ensure the integrity, accuracy and privacy of this data. However, as per Electronic Communication Law No. 5809 (“ECL”), traffic data cannot be transferred abroad without the data subject’s explicit consent. This is an important challenge for cloud computing providers servers of which are located in foreign countries. The Personal Data Protection Board (“DP Board”) has previously concluded with the “Gmail Decision” numbered 2019/157 dated 31 May 2019 that in case of the usage of Gmail services provided by Google, mails are being held at the data centers all around the world, therefore, it constitutes transferring personal data abroad. 2. Recent Key Developments in Cloud Computing 2.1 DP Board’s Decision Regarding Cloud Use In the DP Board’s decision numbered 2021/359 dated 13 April 2021, the data controller employer has been sanctioned for the use of cloud services to store employees’ personal data without obtaining first the employees’ explicit consent. The employee data was stored in a cloud database with servers abroad, which could only be accessed by relevant authorized persons. As the servers of the cloud database were abroad, the DP Board ruled that the data was transferred abroad. 2.2 BRSA’s Regulation Regarding Cloud Use in Banking Regulation on Information Systems and Electronic Banking Services of Banks (“BRSA Regulation”) has entered into force which governs cloud computing usage of banks. The use of cloud systems is not prohibited under the BRSA Regulation. However, certain conditions should be fulfilled for the use of cloud systems. According to BRSA Regulation, the primary and secondary systems of the Institutions should be kept in Turkey. If cloud computing services are used, the information systems of cloud computing service providers and their back-ups are also regarded as primary and secondary systems of the Institutions. In such cases, these data, hardware and software and their back-ups should also be kept in Turkey. Moreover, in case cloud computing services are used for primary and secondary systems, the hardware and software used should be dedicated to a single institution. However, the use of community clouds is permitted for banks and financial institutions in certain conditions. In the presence of BRSA approval, community cloud can be used by the banks and financial institutions, on condition that the software and hardware are dedicated to BRSA regulated institutions and logical separation is provided for each company. In addition, for the financial institutions, in the presence of BRSA’s approval, financial institutions may use the same dedicated software and hardware on condition that logical separation is provided for each company. V. Artificial Intelligence (“AI”) 1. General AI is not specifically regulated under Turkish law; however, use of it may trigger certain control mechanism under various laws and regulations. For instance, use of AI for automatic decision making can be challenged by data subject if the use of it results in negative impact on the data subjects and they can request human intervention for decision making. Product liability and tort provisions of Turkish law also apply to damages incurred due to use of AI. 2. Recent Key Developments in AI 2.1 Artificial Intelligence Strategy The Circular numbered 2021/18 on the National Artificial Intelligence Strategy was published in the Official Gazette dated 20 August 2021 and numbered 31574, and the National Artificial Intelligence Strategy Document (“Strategy”) on Digital Transformation Office of the Presidency’s website on 24 August 2021. The high-level targets foreseen for 2025, which is the end of the implementation period of the Strategy, are as follows: The contribution of AI to GDP will be increased to 5%. Employment in the field of AI will be increased to 50,000 people. Employment in the field of AI in central and local government public institutions and organizations will be increased to 1,000 people. The number of graduate level graduates in the field of AI will be increased to 10,000. AI applications developed by the local ecosystem will be prioritized in public procurement and commercialization will be supported. An active contribution will be made to the regulatory studies and standardization processes of international organizations in the field of cross-border data sharing with reliable and responsible AI. VI. TELCO 1. General Telecommunication (telco) is a highly regulated sector under Turkish Law. The ECL, which is prepared based on Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 Establishing European Electronic Communications Code (“EECC”), is the main legislative document that governs the telecommunication sector. ICTA is the national regulatory agency for the supervision of the sector and execution of the ECL. The telco sector is regulated by licensing, authorization, notification and other control mechanisms regarding establishment, conduct and structure of the telco companies. Electronic communication services can only be provided by obtaining a license from ICTA. On the other hand, electronic communication services and/or networks or infrastructure established within the immovables of a real or legal person and not exceeding the borders of each immovable, used exclusively for personal or corporate needs, not used to provide any electronic communication service to third parties, not intended for any commercial purpose in its provision and not made available to the public and those established by public institutions and organizations in accordance with their special laws regarding the services they provide exclusively are not subject to authorization. Unlike EECC, the ECL does not contain a provision to expressly scope the communication medium between individuals which are provided for a price. 2. Recent Key Developments in Telco 2.1 Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector (“RIR”) introduced in the Official Gazette dated 26 June 2021 and numbered 31523. According to the RIR, only following channels can be used for identification verification: e-Government gateway, Visual verification by artificial intelligence or authorized person, together with the document with near field communication feature in accordance with the ICAO 9303 standard, Creating PAdES with Republic of Turkey ID Card, Taking video footage to be specific to the process with the applicant's identity document in face-to-face channels. The Regulation allows artificial intelligence to make the comparison of the face in the live image and the photograph in the identity document. 2.2 Communiqué on the Amendment of the Communiqué on the Processes and Technical Criteria Regarding Electronic Signatures Communiqué on the Amendment of the Communiqué on the Processes and Technical Criteria Regarding Electronic Signatures (“Electronic Signatures Communiqué”) has entered into force on 28 December 2022 upon its publication in the Official Gazette numbered 32057. With the published Electronic Signatures Communiqué, the validity of the algorithms and parameters specified in Article 6/1 of the Communiqué on Processes and Technical Criteria Regarding Electronic Signature that was published in the Official Gazette dated 6 January 2005 and numbered 25692 has been extended from 31 December 2022 to 31 December 2025. 2.3 Regulation on Protection of Personal Data in Electronic Communication Sector ICTA’s long-awaited Regulation on Process of Personal Data and Protection of Privacy in Electronic Communication Sector (“DPR”) has been published on the Official Gazette numbered 31324 and dated 4 December 2020. In the DPR, contrary to its predecessor, explicit consent requirement for the cross-border data transfer is not regulated for all personal data categories. The communication and location data are regarded as important for national security so that cross-border transfer of these data is prohibited unless user’s explicit consent is obtained. The DPR obliges the operators to implement all necessary technical and administrative measures to ensure the security of the services provided with the user’s personal data. The minimum requirements are also provided in the DPR, such as determining policies, protection of personal data against all breaches including disruption, loss, alteration, recording to another environment; and implementing necessary measures to prevent unauthorized access to these data. The operators are also obliged to save the log records to the systems containing personal data for two years. In article 8 of the Regulation, specific provisions were brought regarding explicit consent. The provisions are generally in line with the Law on Protection of Personal Data number 6698 (“DP Law”). As with the DP Law, the explicit consent must be specific to a certain data processing activity and must be given in a free will, thus cannot be a condition for the service. It is, however, stated in the Regulation that explicit consent may be requested by providing additional benefits such as extra minutes or SMS rights. An obligation to inform is also implemented with the regulation as to the processed personal data, traffic, and location data. This information must be in 12 font size if made in writing. Operators are also obliged to inform the users that their data is processed based on their explicit consent in the third quarter of the year. Otherwise, the data processing activity of the Operators within the scope of the express consent given before is suspended until the privacy notice is submitted. 2.4 Increase in Direct Carrier Billing Usage Direct Carrier Billing (“DCB”) has been used in Turkish market already widely for especially payment of electric, gas and water subscription bills. The pandemic, however, emerged the need for alternative payment methods to the card and cash. DCB use in Turkey during the Covid-19 pandemic has increased VII. PERSONAL DATA PROTECTION 1. General Privacy and protection of personal data is primarily regulated by the Law on Protection of Personal Data No. 6698 (“DP Law”). The DP Law set forth certain obligations of data controllers including comply with general principles of data processing, base data processing activities on a valid and legal ground, inform data subjects as to determined aspects of the data processing, respond to data subjects for their applications with regards to their rights under the DP Law, comply with prohibitions of domestic/cross border transfer, comply with erasure, destruction, and anonymization of personal data requirements, take adequate security measures for the protection of personal data, notify data breaches and register with data controllers registry. 2. Recent Key Developments in Personal Data Protection Law 2.1 Personnel Certification The Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Certification Communique”) was published. With the Certification Communique, in accordance with the standard numbered EN ISO/IEC 17024 (ISO17024), the procedures and principles have been determined regarding the certification of persons with regards to DP Officer Program. According to the Certification Communique, those who acquired a certificate by participation in the program, principles and procedures of which is determined by the Authority and has been successful in the respective exam will be entitled to use the title of "data protection officer". Organizations accredited by the Turkish Accreditation Agency within the scope of ISO17024 standard will be authorized to certify those who are successful in the relevant exams related to certification. In accordance with the Certification Communique, a data protection officer is assumed to have sufficient knowledge in terms of personal data protection legislation within the scope of the program for which they are certified. It is also regulated that the data protection officer can only use this title during the validity period of their certificates. Finally, it is emphasized in the Certification Communique that employing a data protection officer will not remove the responsibility of the data controller and data processor to comply with the DP Law. 2.2 Personal Data Categories in Privacy Notices Regarding the obligation to inform, the most important decisions in 2021 were the DP Board's decisions regarding the need to include the personal data categories processed in the privacy notice. In Article 4 of the Communique on Principles and Procedures to be Followed In Fulfillment Of The Obligation To Inform, the information required to be included in the privacy notice is determined as the identity of the data controller and, if any, its representative, the purpose for which personal data will be processed, to whom and for what purpose personal data can be transferred. In the Board's decision dated 8 October 2020 and numbered 2020/765, however, stated that the categories of personal data processed in the privacy notice should also be included. 2.3 Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector (“Good Practices Guideline”) has been published on 5 August 2022 by the Personal Data Protection Authority. The purpose of the Good Practices Guideline is to guide the data controller banks to realize their personal data processing activities in accordance with the DP Law and the secondary legislation issued by the DP Board and to establish good practices examples within this framework. The Good Practices Guideline includes the general explanations on the procedures and principles that the banks must comply with for the protection of the personal data and it underlines that the banks’ compliance obligation to the DP Law and the secondary legislations still continues. The Good Practices Guideline sets out the principles regarding the relationship between the data controller and the data processor and explains which criteria should be considered for their identification. The Good Practices Guideline also establishes the minimum content recommended to be included in a data processing agreement between a data controller and a data processor and recommends that a data processing agreement contains the obligation / indefinite responsibility of the data controller to delete or return the data following the termination of the contract and/or the purpose for which the personal data was obtained.