Fintech Laws and Regulations Turkiye 2023 - Part 2

4. Other Regulatory Regimes / Non-Financial Regulation

4.1. Does your jurisdiction regulate the collection/use/transmission of personal data, and if yes, what is the legal basis for such regulation and how does this apply to fintech businesses operating in your jurisdiction?

Yes, Turkey regulates the collection, use and transmission of personal data through its data protection law, Personal Data Protection Law numbered 6698 (“KVKK”). The KVKK is based on the EU’s General Data Protection Regulation.

The KVKK applies to individuals or legal entities, including fintech businesses, who process personal data of individuals. According to the KVKK, personal data must be processed lawfully, fairly and in a transparent manner, collected for specified, explicit and legitimate purposes. Personal data must be accurate and, where necessary, kept up to date.

In principle, the KVKK requires explicit consent from data subjects before personal data can be processed, with certain exceptions such as compliance with a legal obligation or law, performance of a contract and legitimate interests of the controller. The data controller must inform the data subjects about their personal data, keep a data processing inventory, register with the Data Controllers Registry Information System, and implement the necessary security measures. Also, data subjects may revoke its rights under the KVKK, and data controllers are liable to respond to those requests.

4.2. Do your data privacy laws apply to organisations established outside of your jurisdiction? Do your data privacy laws restrict international transfers of data? Turkish data privacy laws apply to organisations established outside of Turkey if they process personal data of individuals located in Turkey.

Legal entities residing abroad must register with the Data Controllers Registry Information System. They must also appoint a representative authorised to communicate with the Turkish Data Protection Authority and notify necessary information during registration.

Regarding international transfers of data, personal data may only be transferred abroad if the data subject has given their explicit consent. There are two exemptions to this rule, which are transfer to adequate countries and data transfer agreements. The Data Protection Board of Turkey has not announced the adequate countries, consequently this exemption is not in use. Data transfer agreements must be approved by the Data Protection Board to be valid, and as at March 2023, the Data Protection Board has only approved six transfer agreements. Therefore, obtaining the explicit consent of data subjects remains as the only practical basis for transferring personal data abroad.

4.3. Please briefly describe the sanctions that apply for failing to comply with your data privacy laws.

Failing to comply with Turkish data privacy laws may result in administrative fines, criminal sanctions and civil liability.

Administrative fines can be imposed by the Turkish Data Protection Authority for non-compliance with various obligations under the law, such as failing to obtain proper consent for data processing or failing to provide adequate information to data subjects. Administrative fines can range from TRY 29,852 to TRY 5,971,989 (for 2023), depending on the nature and severity of the violation. The fines are updated every year with the revaluation rate.

In the cases of intentional violation of the KVKK, criminal sanctions may also apply. For example, knowingly and illegally recording personal data, or transferring personal data to unauthorised third parties, may result in imprisonment for up to four years.

In addition to administrative fines and criminal sanctions, individuals whose rights have been violated may seek compensation for damages.

4.4. Does your jurisdiction have cyber security laws or regulations that may apply to fintech businesses operating in your jurisdiction?

Fintech businesses operating in Turkey are subject to various cyber security regulations. Under the KVKK, data controllers are required to prevent the unlawful processing of personal data, prevent unauthorised access, use or disclosure, and ensure the protection of personal data through the implementation of necessary technical and administrative measures.

The Turkish Data Protection Authority has published a guide on Personal Data Security that sets out the technical and administrative measures that should be taken to ensure data security. 

Data controllers are required to provide training to their employees and prepare data security policies in line with this guide. Data controllers who are required to register with the Data Controllers Registry are also responsible for preparing a personal data retention and destruction policy in accordance with the Regulation on the Erasure, Destruction or Anonymization of Personal Data, which includes technical and administrative measures businesses must take to ensure the secure storage of personal data. The Turkish Criminal Code also contains provisions relating to cyber security. These provisions criminalise offences such as unauthorised access to computer systems, data interception and disruption of electronic communication systems. The law imposes penalties ranging from imprisonment to fines for these offences.

Finally, the Information and Communication Security Measures Regulation covers the security measures that must be taken by public institutions and critical infrastructure service providers, including electronic communications, energy, water management, transportation, banking and finance, as well as businesses providing “critical public services” in areas such as population, health and security.

4.5. Please describe any AML and other financial crime requirements that may apply to fintech businesses in your jurisdiction.

The Financial Crimes Investigation Board in Turkey has amended its Regulation on Measures to Prevent Money Laundering and Financing of Terrorism to include “crypto asset service providers”. These providers, which include exchange platforms accessible in Turkey and that allow money transfers from Turkey, must comply with AML and counter-terrorism financing regulations. They are required to identify traders through a KYC process, monitor transactions, retain and submit documents, report suspicious transactions, periodically report transactions that exceed a certain threshold, and provide information and documents when requested. Notifications may be submitted electronically, and the Financial Crimes Investigation Board has the authority to require their use and determine procedures and principles relating to electronic notifications and responses.

4.6. Are there any other regulatory regimes that may apply to fintech businesses operating in your jurisdiction (for example, AI)?

Other regulatory regimes that may apply to fintech businesses are as follows:

Consumer Protection Law: This law sets out the rules for protecting consumers in Turkey.  The law stipulates that companies must provide clear and transparent information to consumers about their products and services.

Internet Law: Internet service providers, website owners, content providers, social media networks, news websites, online marketplaces, e-commerce platforms and other online service providers must comply with the Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications. The internet law applies to all fintech businesses that provide their services through a website. The law contains regulations regarding the blocking of websites and content that are deemed inappropriate.

AI Strategies: Although AI is not regulated in Turkey, there are efforts to develop local technology in AI and promote its effective use.  The National AI Strategy 2021-2025 focuses on developing AI specialists and increasing employment opportunities, supporting research, entrepreneurship and innovation, expanding access to quality data and technical infrastructure, accelerating socio-economic compliance regulations, strengthening international collaborations, and accelerating structural and workforce transformation.

5. Accessing Talent

5.1. In broad terms, what is the legal framework around the hiring and dismissal of staff in your jurisdiction? Are there any particularly onerous requirements or restrictions that are frequently encountered by businesses?

The legal framework for hiring and dismissal of staff is primarily governed by the Labour Law numbered 4857. The law sets out the rules and regulations regarding employment contracts, working conditions, wages, termination of employment and termination-related payments. Also, the provisions of the Law numbered 1475 on severance payments, the Labour Health and Safety Law, Social Security Law, and Turkish Code of Obligations will be applicable in certain cases.

Employers are required to comply with the regulations governing working hours, overtime and occupational health and safety. Any working hours exceeding the standard working hours are classified as overtime. Generally, the standard working hours are set at 45 hours.  Overtime hours should not exceed 270 hours or 90 days per year and working for more than 11 hours in a day is prohibited. Also, the salary amount cannot be less than the minimum salary determined by the Minimum Wage Determination Commission.

5.2. What, if any, mandatory employment benefits must be provided to staff?

Employers in Turkey are required to provide several benefits to their employees. These include:

Paid Annual Leave: Employees are entitled to paid annual leave. The length is determined by the duration of the employment. For example, annual paid leave is 14 days if the duration of employment is one to five years.

Social Security Contributions: Employers must contribute to the social security system on behalf of their employees.

Overtime Pay: If an employee works overtime, the employer is required to pay the employee an additional amount.

Notice Periods: Parties must comply with the notice periods to terminate the agreement. The notice periods shall be calculated in accordance with the employment duration.

Termination Rules: The employer must have a valid cause to terminate the employment agreement if the employer meets the eligibility requirements stipulated in the Labour Law. Upon termination, the employer must pay all monetary rights and entitlements that the employee has earned during the term of his/her employment – this may include salary, leave payments, notice payment and severance indemnification. Both the employer and the employee are entitled to terminate an employment agreement for a just cause. The liabilities of the employers may vary depending on the reason for the agreement’s termination and which party initiates the termination.

5.3. What, if any, hurdles must businesses overcome to bring employees from outside your jurisdiction into your jurisdiction? Is there a special route for obtaining permission for individuals who wish to work for fintech businesses?

To employ a foreigner, the employer needs to fulfil specific criteria regarding the company’s minimum paid-up capital, gross sale amounts, exportation amounts and the number of Turkish employees working in the company. As per the International Workforce Law, individuals interested in working in Turkey as foreigners are required to obtain a work permit. There are three types of work permits available: temporary work permit; permanent work permit; and independent work permit. Applications for work permits can be submitted from Turkey or abroad through representative agencies of Turkey.

6. Technology

6.1. Please briefly describe how innovations and inventions are protected in your jurisdiction.

IP rights in Turkey are generally harmonised with European legislation. Innovations and inventions can be protected in Turkey through the following:

Copyrights: Copyrights consist of literary works, works of fine arts, musical works and cinematographic works.

Patents: A patent is an exclusive right granted for an invention. In Turkey, the patent protection period is 20 years from the date of filing the patent application. The invention must be new, inventive and industrially applicable to be eligible for patent protection.

Trademarks: A trademark is a sign used to distinguish goods and services of one company from those of another.  Trademarks must be registered with the Turkish Patent and Trademark Institution and the protection period is 10 years from the date of registration.

Designs: A design is the appearance of a product or a part of a product, including its shape, colors, lines and textures. In Turkey, designs must be registered, and the protection period is five years from the date of registration.

Utility Models: A utility model is a form of IP that protects inventions that are new and industrially applicable.  Utility models must be registered, and the protection period is 10 years from the date of application.

Geographical Indications: They refer to signs that indicate a product specific to a place or region in terms of its quality, reputation or other characteristics.

6.2. Please briefly describe how ownership of IP operates in your jurisdiction.

The owner of the IP right is typically the individual or entity that created or registered the IP. Copyrights are automatically protected upon production of work, whereas other IPs, such as trademarks, patents, utility models, designs and geographical indications, must be registered with the Turkish Patent and Trademark Institution in order to be afforded protection.

6.3. In order to protect or enforce IP rights in your jurisdiction, do you need to own local/national rights or are you able to enforce other rights (for example, do any treaties or multi-jurisdictional rights apply)?

Turkey is a signatory to various international treaties and conventions. The Paris Convention enables applicants to claim priority for their applications in Turkey.  The Berne Convention provides automatic minimum protection for copyrights. The Madrid Protocol is an international trademark registration system that offers trademark protection in multiple countries with a single application. The Hague Agreement is an international registration system for industrial designs, which provides protection in several countries through a single application. The Patent Cooperation Treaty is an international patent system that offers protection for their inventions in multiple countries by a single application. The European Patent Convention establishes a single procedure for granting patents in its member states.

6.4. How do you exploit/monetise IP in your jurisdiction and are there any particular rules or restrictions regarding such exploitation/monetisation?

There are various ways to exploit and monetise IP in Turkey, such as licensing, franchising and selling. There is not a general restriction regarding the exploitation and monetisation of IP in Turkey, provided that this does not infringe any third-party IP rights.

In some cases, compulsory licensing may be required for patents, particularly in the areas of public health and national security.

There are restrictions on the use of geographical indications, which are signs used to identify goods as originating from a particular geographical location.