Global Legal Group – International Comparative Legal Guide – Technology Sourcing 2024 -Turkiye

Procurement Processes

1.1 Is the private sector procurement of technology
products and services regulated? If so, what are the basic features
of the applicable regulatory regime? No specific rules govern the procurement of technology
products and services in the private sector. Thus, the general
rules enshrined in the Turkish Code of Obligations
(TCO) apply. Additionally, laws such as the
Turkish Code of Commerce (TCC), the Law on
Protection of Competition, and other relevant laws come into play
when applicable. Furthermore, sector-specific regulations,
including those in telecommunications, banking, electronic money
and payment systems, e-commerce, and healthcare, must also be
observed.

One of the key principles accepted by the TCO is freedom of
contract. This empowers private sector parties to decide on nearly
every provision that governs their relationship, as long as both
parties are private, or the relationship is deemed private as per
the TCO.

While the Law on Protection of Consumers could potentially apply to
the procurement of technology-related products and services, we
have excluded it from consideration, presuming that the context of
this chapter primarily involves legal entities.

1.2 Is the procurement of technology products and services
by government or public sector bodies regulated? If so, what are
the basic features of the applicable regulatory regime?

Procuring technology products and services by government
or public sector bodies is regulated by a complex legal framework,
primarily consisting of the Public Procurement Law
(PPL) and the Public Procurement Contracts Law,
among others. These laws establish the foundational principles and
procedures for tender processes conducted by public
institutions.

The Public Procurement Authority oversees compliance with these
laws, issues guidance, and monitors transparency and fairness in
procurement processes.

The basic features of the applicable regulatory regime are as
follows:

• Procurement Methods: The PPL outlines
  procurement methods based on specific service requirements,
  technical needs, and fees. These methods include open tender,
  tender among specific bidders, negotiated tender, direct
  procurement, and design competitions.




• Electronic Tendering: Electronic bid
  submissions are facilitated through the Electronic Public
  Procurement Platform, which has expanded notably during the
  COVID-19 pandemic, reducing physical contact and streamlining the
  procurement process.




• Performance of Contract: Contracts for
  procuring goods and services are executed using standard contracts
  published in the Official Gazette. These contracts include standard
  provisions, including the scope of the procurement, nature and
  definition of the goods and services, pricing, taxes, delivery
  conditions, technical specifications, as well as penalty and
  termination clauses.




• Objective Criteria: The PPL sets objective
  criteria (e.g., technical specifications, quality standards, price
  competitiveness) for selecting suppliers to ensure that they are
  treated equally and without discrimination.




• Transparency and Competition: The regulatory
  framework promotes transparency, competition, reliability,
  confidentiality, and efficient use of resources to ensure fair and
  accountable procurement practices.




• Ethical Standards: The PPL prohibits
  corruption and favouritism in procurement activities, with
  penalties for ethical breaches.

General Contracting Issues Applicable to the Procurement of
Technology-Related Solutions and Services

2.1 Does national law impose any minimum or maximum term
for a contract for the supply of technology-related solutions and
services?

No, typically, national law does not specify a minimum or maximum
contract term for supplying technology-related solutions and
services. Contract terms are usually negotiated between parties,
unless other laws apply.

2.2 Does national law regulate the length of the notice
period that is required to terminate a contract for the supply of
technology-related services?

No specific regulation mandates a notice period for
terminating such contracts, but parties can determine a reasonable
notice period with good faith principles. Specific regulations or
industry practices may also influence the notice period. Similarly,
certain regulations may impose requirements for specific
contracts.

According to the TCO, the parties may also terminate the contract
without a notice period if (i) granting time to the debtor would be
ineffective, (ii) the obligation becomes useless due to the
debtor’s fault, or (iii) it is understood from the contract
that the performance of the obligation will no longer be accepted
due to non-performance at a specified time or within a specified
period.

2.3 Is there any overriding legal requirement under
national law for a customer and/or supplier of technology-related
solutions or services to act fairly according to some general test
of fairness or good faith?

Yes, the Turkish Civil Code (TCiC) explicitly
states that everyone must act in good faith when exercising their
rights and performing their obligations. However, there is no
established test for fairness or reasonableness, as courts assess
the good faith and honesty principle on a case-by-case basis.

This principle extends not only to the performance of contractual
obligations but also to pre-contractual negotiations and the
termination of contracts.

2.4 What remedies are available to a customer under general
law if the supplier breaches the contract?

The customer has several remedies available under the
general law, specifically per the TCO. The customer may demand one
or more of the following:

• Compensation for damages.




• Performance of the contract.




• Compensation instead of performance.




• Rescission of the contract.




• Termination of the contract.

The nature of the contract should be considered, as the TCO
outlines specific conditions for certain contract types.

2.5 What additional remedies or protections for a customer
are typically included in a contract for the provision of
technology-related solutions or services?

Contracts typically include the following remedies and
protections for customers:

• Service level agreements (SLAs).




• Warranty clauses.




• Indemnifications.




• Data protection and privacy clauses.




• Intellectual property (IP) rights protection clauses.




• Audit rights.




• Penalty clauses.




• Dispute resolution mechanisms.




• Termination clauses.

2.6 How can a party terminate a contract without giving
rise to a claim for damages from the other party to the
contract?

A party can terminate the contract without raising damage claims
under specific circumstances defined within the contract or
governed by the TCO. Primary methods include:

• Mutual agreement.




• Fulfilment of contract terms.




• Termination clauses.




• Force majeure.




• Impossibility of performance.




• Special termination conditions are regulated under specific
  legislation.

2.7 Can the parties exclude or agree additional termination
rights?

Yes, parties can agree to include or exclude specific termination
rights, as long as these do not contravene mandatory legal
provisions.

2.8 To what extent can a contracting party limit or exclude
its liability under national law?

Under the TCO, parties can limit liabilities for slight
negligence through a prior agreement but cannot limit or exclude
liabilities for gross negligence or wilful misconduct. Liabilities
for their assistants’ actions can also be limited or excluded.
However, if the service requires special knowledge, profession, or
licence, the supplier cannot limit or exclude its liability, even
for slight negligence or their assistants’ actions.

2.9 Are the parties free to agree a financial cap on their
respective liabilities under the contract?

Yes, parties can set a financial cap on their
liabilities, subject to limitations on liability (please see the
answer to question 2.8).

2.10 Do any of the general principles identified in your
responses to questions 2.1–2.9 above vary or not apply to any
of the following types of technology procurement contract: (a)
software licensing contracts; (b) cloud computing contracts; (c)
outsourcing contracts; (d) contracts for the procurement of
AI-based or machine learning solutions; or (e) contracts for the
procurement of blockchain-based solutions?

The general principles apply to all technology
procurement contracts, except where specific laws provide
otherwise.

For instance, these contracts may be subject to specific
regulations, particularly regarding IP rights (please see the
answer to question 4.1).

Dispute Resolution Procedures

3.1 What are the main methods of dispute resolution used
in contracts for the procurement of technology solutions and
services?

Several methods are commonly used for dispute resolution in these
contracts, including:

• Negotiation.




• Mediation.




• Arbitration.




• Litigation.

Some of these methods may be mandatory as per the applicable
legislation. For instance, in commercial cases involving monetary
claims, it is a prerequisite to engage in mediation before
initiating legal proceedings.

Intellectual Property Rights

4.1 How are the intellectual property rights of each party
typically protected in a technology sourcing transaction? From an IP perspective, two laws are relevant: the Law on
Intellectual and Artistic Works (LIAW); and the
Industrial Property Law (IPL). Meeting their
conditions enables protection through either copyrights or
industrial property rights. For the LIAW copyright protection,
assets subject to technology sourcing transactions must be
considered intellectual products reflecting author characteristics
(e.g., computer programs). These assets may also be protected by
industrial rights related to patents, trademarks, designs, and
utility models under the IPL, providing a comprehensive framework
for their protection. In practice, the most effective way to
protect IP rights is to clearly define ownership and assignment
terms within the contract and include provisions for
confidentiality, non-disclosure, non-compete agreements, and
indemnifications.

4.2 Are there any formalities which must be complied with
in order to assign the ownership of Intellectual Property
Rights?

Yes. According to the LIAW, the assignment of material
rights or their use must be formalised through a written agreement.
The agreement must detail the rights transferred, their scope,
limitations, and duration. Failure to meet these formalities could
render the assignment invalid or unenforceable. While registration
of copyright assignments is not mandatory, it is advisable to
register them with the Ministry of Culture and Tourism for public
notice and additional legal substantiation.

Under the IPL, industrial rights can be assigned through a written
agreement to be notarised by a public notary. Although notary
certification is sufficient for the agreement’s establishment
between the parties, registration with the Turkish Patent and
Trademark Office (TurkPatent) is necessary for
effectiveness against third parties.

4.3 Are know-how, trade secrets and other business critical
confidential information protected by national law?

Know-how and trade secrets are not explicitly defined by statutes
but are recognised by their confidentiality, economic value, and
protective measures. While sector-specific regulations exist to
safeguard critical confidential information, there’s no single
law governing them. Protection relies on a combination of
commercial, contractual, and criminal laws.

The Turkish Criminal Code (TCrC) imposes
imprisonment and judicial fines for disclosing commercial secrets
obtained through one’s title, duty, occupation, or profession,
though this provision is rarely applied.

Unauthorised use of know-how, trade secrets, or confidential
information may also constitute unfair competition under the TCC,
allowing the aggrieved party to seek compensation and prevent
unfair actions. The TCC also penalises unfair competition with
imprisonment or judicial fines; these penalties, however, are
rarely applied.

Furthermore, the TCO mandates employee loyalty, prohibiting them
from disclosing or using their employer’s trade secrets during
and after employment.

Typically, companies reinforce these protections with robust
contractual agreements like non-disclosure agreements, non-compete
agreements, and confidentiality clauses.

Data Protection and Information Security

5.1 Is the manner in which personal data can be processed
in the context of a technology services contract regulated by
national law? The Turkish Data Protection Law (DPL) is
the primary legal framework regulating the procedures and
principles of processing personal data. While no specific law
exclusively governs personal data processing within technology
services contracts, the DPL’s general principles and
obligations, along with relevant sector-specific regulations,
provide a robust framework for such activities.

Additionally, sector-specific regulations and guidelines issued by
the Personal Data Protection Authority (DPA) may
impact how personal data is handled in technology services. For
instance, Guidelines on Cookie Practices, Guidelines on Personal
Data Security, and Recommendations for Protecting Privacy in Mobile
Applications would be relevant to technology services involving
online activities.

5.2 Can personal data be transferred outside the
jurisdiction? If so, what legal formalities need to be
followed?

Yes,¹ the provisions governing personal data
transfer abroad were recently amended to align with the General
Data Protection Regulation. The new system categorises transfers
into three levels:

1. adequacy decisions;




2. appropriate safeguards; and




3. occasional causes.

The DPA can now issue these decisions for international
organisations, specific sectors, and countries. If no adequacy
decision exists, appropriate safeguards must be implemented,
ensuring data subjects can exercise their rights and access legal
remedies. Appropriate safeguards include:

• agreements between public institutions, subject to DPA
  approval;




• binding corporate rules, subject to the DPA approval;




• standard contractual clauses, with notification to the DPA;
  and




• written undertakings providing adequate protection, subject to
  the DPA approval.

If there is no adequacy decision or appropriate safeguard, data
transfers can only occur if the transfer is occasional and specific
conditions are met. These include, for example, explicit consent
from the data subject, the necessity for contract performance, or
an overriding public interest.

These regulations also apply to onward transfers by controllers or
processors.

5.3 Are there any legal and/or regulatory requirements
concerning information security?

Yes, several legal and regulatory requirements under
Turkish law address information security. The primary regulation is
the DPL, which focuses on safeguarding personal data and outlines
principles and regulations governing its processing and protection,
including provisions dedicated to information security.

Criminalisation of activities like unlawful recording, disclosure,
or obtention of personal data, as well as failure to destroy data
within specified deadlines set by the laws, falls under the TCrC,
alongside cybercrimes like hacking, data theft, and cyber
extortion.

Various additional regulations, directives, and industry-specific
guidelines complement the DPL in addressing specific information
security concerns. These legislative measures collectively aim to
strengthen information security, protect privacy rights, and foster
trust in data handling practices.

The Law on Electronic Communication emphasised information
security, providing a framework for network security, communication
confidentiality, and personal data protection. Secondary
legislation further elaborates on these matters, such as the Decree
on Information and Communication Security Measures No. 2019/12
(Presidential Decree), which mandates specific
security measures for public institutions and operators providing
critical infrastructure services.

Additionally, the Law on Regulation of Publications via the
Internet and Combating Crimes Committed by Means of Such
Publications outlines obligations and responsibilities for various
entities, including content providers, hosting providers, and
internet service providers, to combat internet-based crimes.

Banking and payment regulations outline specific requirements as
well.

Türkiye’s 12th Development Plan outlines the framework for
enhancing cybersecurity across all sectors in Türkiye, aiming
to protect critical infrastructure and national security interests
from cyber threats.

Though not legally mandated, obtaining ISO/IEC 27001 certification
is also widely recognised as a standard for information security
management systems.

Employment Law

6.1 Can employees be transferred by operation of law in
connection with an outsourcing transaction or other contract for
the provision of technology-related services and, if so, on what
terms would the transfer take place? The transfer of employees in outsourcing or technology
service contracts is primarily governed by the Turkish Labor Law
(TLL) and the TCO.

The TLL doesn’t directly regulate the transfer of employment
contracts, but rather the transfer of a workplace or part thereof
(e.g., sale or rent of a workplace). In such cases, all rights and
obligations from the employment contract are automatically
transferred to the new owner. The transfer itself does not justify
termination; valid reasons (e.g., economic, technological, or
organisational changes) or justified causes are required per the
TLL. The transferor and transferee are jointly liable for employee
obligations for two years post-transfer.

The TCO contains a provision specific to employment contract
transfers. Accordingly, employment contracts can be transferred
with the employee’s written consent, making the transferee the
new employer with all associated rights and obligations.

Even without a transfer, outsourcing relationships where
subcontractors employ workers for another employer’s auxiliary
tasks may result in joint responsibility for compliance with the
TLL and employment contracts.

6.2 What employee information should the parties provide to
each other?

Turkish law doesn’t mandate specific information sharing during
business transfers. In practice, the transferor provides the
transferee with information kept in accordance with the TLL, which
typically includes employees’ personal files. This is crucial
because the transaction involves transferring all associated rights
and obligations of the employee.

Since main employers are also accountable in subcontracting
relationships, they usually request guarantees and details
regarding wages and social security contributions made by
subcontractors for employees.

6.3 Is a customer or service provider allowed to dismiss an
employee for a reason connected with the outsourcing or other
services contract?

Neither the customer nor the supplier is entitled to
terminate an employment contract solely on the grounds of the
transfer of a contract. However, their right to terminate the
contract based on valid or justified grounds as per the TLL (please
see question 6.1) remains unaffected.

Furthermore, contractual clauses may allow the customer to request
changes in the employee(s) assigned by the supplier. Such a request
doesn’t automatically lead to the termination of the
employee’s contract, provided that the supplier retains the
right to termination on the grounds provided by the TLL.

6.4 Is a service provider allowed to harmonise the
employment terms of a transferring employee with those of its
existing workforce?

No specific regulations prohibit the new employer from proposing
changes to employment terms. However, material changes that
diminish the rights or benefits of transferred employees require
their consent.

The TLL emphasises equal treatment, ensuring no discrimination or
unfair treatment of transferred employees compared to the existing
workforce. Therefore, it is possible to harmonise non-material
general working conditions with the existing workforce.

If an employer, party to a collective bargaining agreement
(CBA), acquires a workplace that does not have its
own CBA, the rights and obligations under the CBA apply to the
transferred workplace. This implies that the CBA of the acquiring
employer extends to include the new employees.

6.5 Are there any pensions considerations?

The new employer is responsible for registering
transferred employees on its payroll and paying social security
premiums to the Turkish Social Security Institution. Additionally,
if the former employer provides a pension scheme for transferred
employees, the new employer is required to maintain this
scheme.

6.6 Are there any employee transfer considerations in
connection with an offshore outsourcing?

The TLL does not specifically regulate offshore
outsourcing, but the Turkish International Private and Civil
Procedure Law applies. Parties can choose the applicable law for
cross-border employment contracts, but this choice must not deprive
employees of the TLL protections.

Additionally, parties can agree on a forum selection clause, though
Turkish courts may still assert jurisdiction if the employee
habitually works in Türkiye or to protect the employee’s
rights.

Outsourcing of Technology Services

7.1 Are there any national laws or regulations that
specifically regulate outsourcing transactions, either generally or
in relation to particular industry sectors (such as, for example,
the financial services sector)? There is no specific law regulating outsourcing
transactions, but general provisions from the TCO, TCC, and TCiC
apply, depending on the transaction type (please see question 1.1
and Section 2). Sector-specific regulations also cover outsourcing
transactions:

• Banking: Banks can outsource support services
  under certain conditions, such as risk management plans and
  specific contract provisions, as per the Regulation on the
  Procurement of Support Services by Banks. Services like catering,
  transportation, and consulting are exempt.




• Insurance: Insurance and pension companies can
  outsource support services under the Regulation on Insurance
  Support Services, provided they meet supplier qualifications and
  submit a risk report to the Insurance Information and Monitoring
  Center. Services like consulting and advertising are exempt.




• Capital Markets: Institutions and public
  companies under the Capital Market Law can outsource information
  systems services if they establish a monitoring structure, prepare
  a technical qualification report, and execute a written contract as
  per the Communiqué on Management of Information
  Systems.




• Payment and Electronic Money Services: Payment
  and electronic money institutions can outsource services as per the
  Regulation on Payment Services, Electronic Money Issuance and
  Payment Services Providers, provided they specify the service scope
  in a written contract and comply with regulatory obligations.
  Services like consulting and advertising are exempt.




• Payment and Securities Settlement Systems:
  System operators can outsource information system services after
  informing the Central Bank of the Republic of Türkiye and
  taking the necessary measures as per the Regulation on Activities
  of Payment and Securities Settlement Systems.

7.2 What are the most common types of legal or contractual
structure used for an outsourcing transaction?

Although Turkish law does not prescribe specific structures, in
practice, several common legal or contractual frameworks are
utilised:

• Direct Outsourcing: The supplier works
  post-contract with the customer.




• Indirect Outsourcing: The supplier
  subcontracts post-customer contracts.




• Multi Outsourcing: The customer contracts
  several suppliers for different work parts.




• Joint Venture: The customer and supplier form
  a joint venture for outsourcing.

Additionally, technology services-related agreements often involve
various arrangements such as IP licences, SLAs, master services
agreements, software-as-a-service agreements, and outsourcing
framework agreements.

7.3 What is the usual approach with regard to service
levels and service credits in a technology outsourcing
agreement?

Technology outsourcing agreements typically include detailed SLAs
to ensure service quality. SLAs specify performance metrics like
uptime, response times, resolution times, and targets or
benchmarks. Penalty clauses and termination provisions are often
incorporated to address SLA breaches.

While service credit mechanisms are less common, they can sometimes
be found in agreements influenced by US contracts.

7.4 What are the most common charging methods used in a
technology outsourcing transaction?

The most common charging methods are as follows:

• Interim payment or per piece: Payment upon
  completion of stages or delivery of goods and services.




• Hourly/daily fee: Payment based on man/hours
  or man/ days.




• Retainer fee: Fixed periodic payments.




• Lump-sum payment: One-time fixed payment.

The choice of method depends on factors like the nature of
services, complexity, and the parties’ preferences.

7.5 What formalities are required to transfer third-party
contracts to a service provider as part of an outsourcing
transaction?

According to the TCO, transferring a contract requires the
agreement of the transferor, transferee, and the remaining party,
making the remaining party’s approval essential. In practice,
terms regarding contract transfers are often outlined in the main
contract.

Additionally, specific registration and announcement requirements
must be fulfilled for business transfers to limit the
transferor’s responsibility.

7.6 What are the key tax issues that can arise in the
context of an outsourcing transaction?

Several key tax issues may impact both the service provider and the
customer. These include:

• Stamp
  Duty: Applies to written contracts, with certain
  exemptions. For a standard service contract, the rate is 0.948% of
  the contract amount levied for each counterpart. The maximum stamp
  duty for 2024 is TRY 17,006,516.30.




• Value-Added Tax
  (VAT): Applies to service fees paid by the customer to the
  supplier, unless exempted. VAT rates range between 1% and 20%,
  depending on the type of service provided.




• Corporate
  Income Tax: Companies headquartered in Türkiye (full
  liability taxpayers) pay tax on global income, while those
  headquartered outside Türkiye (limited liability taxpayers)
  pay tax only on Türkiye-sourced income. The general corporate
  tax rate was increased to 25% for 2024.




• Withholding
  Tax: Professional service and royalty payments to
  non-residents are subject to a 20% withholding tax, potentially
  reduced by double taxation treaties.

Software Licensing (On-Premise)

8.1 What are the key issues for a customer to consider when
licensing software for installation and use on its own systems
(on-premise solutions)?

Key issues to be considered are as follows:

• Licensing Model and Pricing: Ensure the
  licensing model aligns with the customer’s budget and usage
  requirements.




• Licence Scope and Terms & Conditions:
  Determine whether the licence covers the customer’s needs
  without over or under licensing. Reviewing the licence to
  understand rights, obligations, usage restrictions, renewal terms,
  and termination clauses is crucial.




• Data Security and Privacy: Ensure the software
  meets the necessary administrative and technical measures as per
  the DPL and relevant legislation.




• IP Rights: Verify that the software adheres to
  IP rights and licensing agreements.




• Maintenance and Support: Assess the
  availability, cost, and quality of maintenance and support
  services, including response times and SLAs.




• Training and Documentation: Ensure adequate
  training and documentation are provided for users and
  administrators to use and manage the software effectively.




• Backup and Disaster Recovery: Verify that the
  service provider has robust backup and disaster recovery procedures
  in place to minimise downtime and data loss.




• Migration of Data: Develop a plan for data
  migration, software removal, and transitioning to alternative
  solutions.

8.2 What are the key issues to consider when procuring
support and maintenance services for software installed on customer
systems?

Key issues to be considered are as follows:

• Compatibility and Integration: Ensure that the
  service provider’s services align with the customer’s
  existing systems, infrastructure, and software environment.




• Service Agreement Scope and Terms &
  Conditions: Ensure a clear description of the services,
  including software updates, bug fixes, troubleshooting,
  configuration assistance, and technical guidance. Ensuring that the
  agreement addresses the rights and obligations of both parties,
  including SLAs, uptime requirements, and mechanisms for enforcing
  obligations (e.g., penalties or termination rights in cases of
  breaches), is crucial.




• Data Security and Privacy: Implement measures
  to ensure compliance with the DPL and relevant legislation,
  including defining data access, handling, and confidentiality
  protocols.




• IP Rights: Clarify the ownership of data and
  IP rights.




• Maintenance and Support: Ensure that the
  support and maintenance services are provided for an adequate
  duration with reasonable renewal options.




• Backup and Disaster Recovery: Verify that the
  service provider has robust backup and disaster recovery procedures
  in place to minimise downtime and data loss.




• Training and Documentation: Ensure adequate
  training and documentation are provided for users and
  administrators to use and manage the software effectively and
  determine the extent of customer support to be provided. Migration
  of Data: Develop a plan for data migration, software removal, and
  transitioning to alternative solutions.

8.3 Are software escrow arrangements commonly used in your
jurisdiction? Are they enforceable in the case of the insolvency of the
licensor/vendor of the software? While software escrow arrangements
are not yet widespread in Türkiye, they are gaining traction
as a risk mitigation strategy for software licensees. These
arrangements are generally enforceable, provided they are
well-drafted and comply with the TCO.

Cloud Computing Services

9.1 Are there any national laws or regulations that
specifically regulate the procurement of cloud computing
services?

Türkiye lacks a single national law for cloud computing
services, but various regulations apply, including those on
banking, payment services, data protection, and cybersecurity,
which may impose specific conditions or restrictions on cloud
service procurement and use.

For instance, the Presidential Decree prohibits public institutions
from using cloud services unless within their private systems or by
local providers under their supervision.

Additionally, the DPA addresses cloud services in its guidelines
(e.g., Guidelines on Personal Data Security), emphasising the
measures to be taken when using cloud storage, such as the use of
cryptographic methods for transfers.

9.2 How widely are cloud computing solutions being adopted
in your jurisdiction?

Cloud computing adoption is on the rise, driven by the
need for digital transformation, cost efficiency, and scalability.
Various sectors, including financial services, telecommunications,
healthcare, retail, and the public sector, are leveraging cloud
technologies to enhance their operations.

9.3 What are the key legal issues to consider when
procuring cloud computing services?

When procuring cloud computing services, it’s
important to consider the general key issues outlined for procuring
support and maintenance services and the data transfer abroad rules
since most cloud computing services host their servers outside of
Türkiye (please see questions 8.1, 8.2, and 5.2).
Additionally, sector-specific regulations may impose specific
restrictions and requirements.

10 AI and Machine Learning

10.1 Are there any national laws or regulations that
specifically regulate the procurement or use of AI-based solutions
or technologies? Türkiye lacks specific laws for the procurement or
use of AI-based solutions. However, on 25 June 2024 a Draft Bill on
Artificial Intelligence (AI Draft Bill) was
submitted to the Turkish Grand National Assembly. This AI Draft
Bill aims to ensure secure, ethical, and fair use of AI
technologies.

Even though it is unlikely to be approved, the AI Draft Bill is
significant as it represents the first effort to regulate this
field. On the other hand, existing laws, including the LIAW, IPL,
DPL and other sector-specific regulations may apply for the
procurement or use of AI-based solutions or technologies. While not
legally binding, ethical guidelines and standards for AI
development and deployment also offer valuable guidance.

10.2 How is the data used to train machine learning-based
systems dealt with legally? Is it possible to legally own such
data? Can it be licensed contractually?

Given Türkiye’s absence of specific AI regulations,
various laws may be applied to address ownership and licensing
issues related to training data for machine learning systems. The
DPL, LIAW, IPL, and TCC are particularly relevant.

• DPL: The DPL governs the use of data in
  training machine learning-based systems, focusing on personal data
  protection. However, challenges arise regarding data subject
  rights, data minimisation, purpose limitation, and automated
  decision-making (ADM) processes. Under the DPL,
  data subjects have the right to object to decisions against them
  based solely on automated processing. However, the scope of this
  provision is unclear, and the lack of obligations to inform data
  subjects about ADM processes leads to transparency issues.
  Complying with principles like data minimisation and purpose
  limitation in AI usage is also complex due to the widespread use of
  personal data in training sets, often collected from sources like
  web scraping and data brokers. The methods used to collect data,
  especially in generative AI, make it difficult to trace data back
  to its subject, complicating compliance with data subject
  rights.




• LIAW: AI models based on computer programs are
  considered intellectual products under the LIAW and enjoy copyright
  protection. For training data to be protected by copyright, it must
  be deemed an intellectual product that bears the characteristics of
  the author.




• IPL: Inventions can be patented as per the IPL
  if they meet the criteria of (i) novelty in all fields of
  technology, (ii) reaching an inventive level, and (iii) industrial
  applicability. Alternatively, they can be protected as utility
  models if they meet these criteria but have not reached an
  inventive level. If a product enjoys patent or utility model
  protection (please see questions 4.1 and 4.2), in order to use such
  a product’s technology and/or components as training data,
  proper licences should be obtained to avoid infringement as per the
  IPL. Furthermore, training data meeting criteria of novelty and
  distinctive characteristics may be protected as designs, while
  input or training data registered as trademarks may be protected as
  trademarks under the IPL. Trademarks and designs can be licensed as
  well.




• TCC: If components, including training data,
  do not meet the criteria for copyright or other IP protection, they
  may still enjoy protection against unfair competition under the
  TCC.

10.3 Who owns the intellectual property rights to
algorithms that are improved or developed by machine learning
techniques without the involvement of a human programmer? Since no specific legislation directly addresses
AI-generated works, other applicable laws can be implemented.

Typically, algorithms are protected under the LIAW as
“copyrighted material”. However, like most jurisdictions,
the LIAW traditionally requires human authorship for copyrightable
works. Algorithms can be patented as well if they meet the required
criteria as per the IPL (please see question 10.2). However, the
patent’s owner must be a natural or legal person. Hence, the
ownership of algorithms developed by machine-learning techniques
without human involvement is a complex issue.

11.1 Are there any national laws or regulations that
specifically regulate the procurement of blockchain-based
solutions?

There are no specific national laws or regulations that
exclusively govern the procurement or use of blockchain-based
solutions. However, several existing laws and regulations
indirectly affect blockchain technology and its applications by
giving references to crypto assets, particularly in areas such as
finance.

The Turkish Central Bank issued the Directive on Crypto-Assets Not
to Be Used in Payments, which for the first time defined
“crypto-assets” in Turkish law. The use of crypto-assets
as an instrument of payment and the provision of services using
crypto-assets in payments in a direct or indirect manner were
prohibited by this directive.

The Law on Amendments to the Capital Markets Law (CM Law
Amendments) was published in the official gazette on 2
July 2024 and entered into force immediately. The CM Law Amendments
introduce new definitions and concepts including cryptocurrency,
trading platforms, custody services, and service providers. They
also establish certain obligations for supervising platforms and
service providers, along with sanctions for non-compliance.

11.2 In which industry sectors in your jurisdiction are
blockchain-based technologies being most widely adopted?

In recent years, blockchain-based technologies have
gained traction in various sectors, especially finance, banking,
entertainment, and gaming. Despite regulatory restrictions on using
cryptocurrencies for payments, blockchain technology is being used
for financial applications such as trading platforms, digital asset
management, and tokenization of assets.

11.3 What are the key legal issues to consider when
procuring blockchain-based technology?

Despite the developments regarding the introduction of
regulations regarding crypto assets (e.g., CM Law Amendments), the
procurement of blockchain-based technology remains unregulated
under Turkish Law. Consequently, it is crucial to carefully observe
existing laws and regulations that indirectly impact
blockchain-based technology (please see question 11.1).