Digital business in Turkey: overview

A Q&A guide to digital business in Turkey.

The Q&A gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.

To compare answers across multiple jurisdictions, visit the Digital Business Country Q&A tool.

This Q&A is part of the global guide to digital business law. For a full list of jurisdictional Q&As visit www.practicallaw.com/digital-business-guide.

E Kagan Dora, Gamze Cigdemtekin Ozer and Tugce Korkmaz, Cigdemtekin Dora Aranci (CDA) Law Office
Contents

Regulatory overview

1. What are the relevant regulations for doing business online (for business-to-business and business-to-customer)?

There are four main laws that have a significant influence on the operation of online business.

Turkish Internet Law No. 5651

This law entered into force in 2007. It regulates online businesses in Turkey and governs the regulation of broadcasting on the internet, and criminal activities committed through broadcasts. It defines the roles, responsibilities and licensing requirements for the parties operating on the internet, such as internet service providers, public internet usage providers, internet access providers, content providers and hosting services providers. The Law also includes regulations concerning cyber crimes. In 2014, Parliament passed an amendment to Law No. 5651.

E-commerce Law No. 6563

This law entered into force on 1 May 2015. It mainly:

  • Regulates e-commerce transactions and the obligations imposed on individuals and legal entities engaged in e-commerce transactions.

  • Sets out the obligations to inform consumers of certain aspects of the terms and conditions.

  • Imposes sanctions for non-compliance.

The Regulation on Service Providers and Intermediary Service Providers on Electronic Commerce has recently been published in the Official Gazette of 26 August 2015 No. 29457. This regulation governs the obligations of the service providers and the intermediary service providers in connection with e-commerce transactions and online contracts.

Consumer Protection Law No. 6502

This law regulates sales to consumers over the internet and other digital platforms and defines the rules of advertisement to protect consumers. The Regulation for Distance Contracts also aims to protect consumer rights in e-commerce transactions.

Payment and Security Settlement Systems, Payment Services and Electronic Money Institutions Law No. 6493

This Law concerns the collection of funds on behalf of third parties or issuance of electronic money. It provides that payment service providers for e-commerce platforms and electronic money institutions must obtain licences from the Banking Regulatory and Supervisory Board.

In addition to these laws, Decree Law No 556 on Protection of Trade Marks and Law on Intellectual Property Rights and the Turkish Code of Obligations are also relevant to doing business online.

 
2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?

Under the Turkish Constitution, Grand National Assembly of Turkey (TGNA) is the legislative organ in Turkey which passes the laws. However, in some cases, TGNA grants authorisation to enact decree law to the Council of Ministers. Additionally, presidency, ministries and public corporate entities can make secondary regulations to the laws related to their own area if such authorisation has been granted within the relevant code.

The main regulatory body responsible for amending and monitoring the internet is the Information and Communications Technologies Authority (ICTA) under the Ministry of Transport, Maritime Affairs and Communications.

The Ministry of Customs and Trade is the main regulatory body for passing legislation regarding conventional commerce, e-commerce and consumer protection.

The Banking Regulation and Supervision Agency (BRSA) supervises parties dealing with online payment systems and overall money flow.

 

Setting up a business online

3. What are the common steps a company must take to set up an existing/new business online?

The very first step would be to acquire a domain name to establish the website of the online business. If a domain name with ".tr" extension is preferred, it can be acquired from www.nic.tr in Turkey.

Turkish Internet Law No. 5651 requires content providers and hosting providers to acquire a certificate from the Presidency of Telecommunication (TPC), which is affiliated with the Information and Communications Technologies Authority (ICTA). Electronic payment service providers and electronic money institutions must obtain a licence from the Banking Regulation and Supervision Agency (BRSA).

Depending on the nature of the online business, the following information must be made available on the website for users:

  • Information regarding:

    • the commercial title, commercial address, tax or trade registry number, e-mail address, telephone number, and names of administrator(s) of the website (and, where operating an online marketplace, the official communication information of the sellers/providers);

    • whether the website is operating under the licence or permission of a governmental agency, and the relevant agency.

  • Terms and conditions of visiting and using the website.

  • Privacy policy.

  • User agreement (if membership is required).

  • Distance contract to be prepared according to the Regulation for Distance Contracts (if the website will sell any goods or services to consumers) under Consumer Protection Law No. 6502.

To co-ordinate the money flow between the consumers and the online business enterprise, the online business must collaborate with a bank or a payment service provider (Payment Services Law No. 6493).

 
4. What are the relevant types of parties that an online business can expect to contract with?

There are two main types of parties that online businesses contract with:

  • Governmental entities.

  • Private entities.

Governmental entities

If an online business wants to be a hosting service provider or content provider, it must obtain a certificate from the Information and Communications Technologies Authority (ICTA) for such services. If the business wants to be a payment service provider, it must make an application to the Banking Regulation and Supervision Agency (BRSA) and obtain a payment service certificate.

Private entities

A typical online business can expect to contract with web designers and, depending on the business type, software companies, application developers, media planning and buying agencies, advertisement agencies, logistics companies, delivery and cargo companies, and HR companies. If the business wishes to offer an online purchase option, it would be expected to procure payment services from a payment services provider or a bank.

 
5. What are the procedures for developing and distributing an app?

There is no formal procedure for developing and distributing an app under Turkish Law. Software is not patentable, but is protected under Decree Law No 556 on Protection of Trade Marks and Law on Intellectual Property Rights.

Whilst developing the app, the developer must take into account the restrictions on collection and use of personal and sensitive data, such as bank account information (Law on Bank and Credit Cards), as well as publication of commercial and promotional messages (E-commerce Law and its regulations) (see Question 14). In addition, if sale of goods or services are conducted through the app, then the app must be designed and operated according to the rules and prerequisites of the Consumer Protection Law and Regulation on Distance Contracts.

 

Running a business online

Electronic contracts

6. Is it possible to form a contract electronically? If so, what are the requirements for electronic contract formation? Please comment on the enforceability of click-wrap, browse-wrap and shrink-wrap contracts.

It is possible to form a contract electronically. Electronic contracts are mainly regulated under the Turkish Code of Obligations, E-commerce Law No. 6563, Regulation on Distance Contracts and the Regulation on Service Providers and Intermediary Service Providers (see Question 1). The Regulation on Distance Contracts provides certain rules which are specifically relevant to electronic contracts concluded with consumers, and not to business-to-business contracts (see Question 7).

Under Consumer Protection Law No. 6502 and the Regulation on Distance Contracts, contracts that are formed electronically are defined as "distance contracts". Before forming a distance contract between a seller/provider and a consumer, the consumer must be informed of his or her duty to make a payment (Consumer Protection Law). In addition, the above laws require online business enterprises, when entering into electronic contracts with consumers, to provide certain information to consumers, and include certain terms and conditions in the contract:

  • An updated overview of the electronic business enterprise, name or trade name of the seller/provider and Turkish Central Registry Agency registration number.

  • Essential information about goods or services and either:

    • the total price of the goods and services inclusive of taxes and all expenses; or

    • if the price and expenses cannot be calculated in advance, the manner in which the price is to be calculated and information about other additional expenses.

  • The contact information of the seller/provider or, if applicable, the person/entity acting on behalf of the seller/provider. The contact information for consumer complaints is also required.

  • Specific information regarding payment, payment tools, delivery, delivery restrictions (for example, geographical areas where the goods or services are not provided), and performance of the service.

  • Information regarding the applicable conditions, time period and procedure for the right of withdrawal, as well as the information regarding the carrier designated by the seller for return of the goods.

  • Necessary contact information to be used for service of the withdrawal notice.

  • The circumstances in which the consumer cannot use the right of withdrawal and the conditions under which the consumer would lose the right of withdrawal.

  • Where applicable, any deposits or other financial guarantees provided by the consumer on request of the seller/provider, as well as conditions in respect to these.

  • Where applicable, technical protection measures which may affect the functionality of the digital contents.

  • Information about interoperability of digital content with hardware or software.

  • Information proving that the consumers may apply to the consumer courts, consumer arbitral committees or alternative dispute resolution methods, if any, in respect to any disputes.

  • The technical steps to form the contract.

  • Information on whether the:

    • contract will be kept in the provider's records;

    • user will be able to access the contract afterwards and, if so, for how long the user will be able to do so.

  • Information about the technical tools that are to be used to provide necessary data and to correct any mistakes made while entering the data.

  • The applicable privacy policy.

  • If the online business is a member of a professional association, information about the rules and principles of the profession and instructions on how the user can obtain further information about the association, must be provided.

These terms do not apply to contracts issued via e-mail or other personal communication devices.

The terms must be transmitted in writing or with permanent data storage devices (such as CD, DVD, memory card, e-mail, SMS) by the seller/provider in a clear, simple and legible manner, with at least 12-point font size and in accordance with the distance communication tool used (Regulation on Distance Contracts). The seller/provider must obtain the consumer's confirmation that the prior information was duly made. Otherwise, the distance contract would be deemed null and void.

The Consumer Protection Law provides that the consumers, as a rule, have a right of withdrawal without requiring a reason or paying a penalty, within:

  • 14 days following the execution of the distance contract for the sales of services.

  • 14 days following the delivery of the goods to the consumer or to its representative for the sale of goods.

Provisions in distance contracts to the contrary cannot restrict the use of the right of withdrawal.

Under the Turkish law, there is no legislation specifically governing the click-wrap, browse-wrap or shrink-wrap agreements. Under the Code of Obligations, general contract terms are imposed. General contract terms are the provisions of a contract drafted and submitted by one of the parties unilaterally to be used in a variety of similar contracts in the future. The drafting party must expressly inform the other party of the existence of such terms and provide an opportunity to become aware of the content, failing which the general contract terms would be deemed "invalid" and would have no legal effect. General contract terms which are unusual for a contract type or transaction shall also be deemed invalid. In case law, click-wrap and browse-wrap agreements are deemed valid, since the supplier expressly informs the users of the terms and conditions and the users must act to accept the agreement (usually click on the "I accept" button). However, the validity of the shrink-wrap agreements is questioned in doctrine, since the users must open a package before reading the terms and conditions.

On the other hand, the acceptance of the agreement is not enough for the choice of law provision in the agreement to be valid. For the choice of law provision to be valid, it must be expressly and separately offered for the users' acceptance.

 
7. What laws govern contracting on the internet?

E-commerce Law No. 6563, Consumer Protection Law No. 6502, the Regulation on the Distance Contracts and the Regulation on Service Providers and Intermediary Service Providers cover supply of services and goods of any format, including digital products to consumers. In addition, all contracts are generally governed by the Turkish Code of Obligations, where there is no specific rule applicable in a specific law or regulation.

The E-commerce Law explicitly differentiates between business-to-consumer and business-to-business contracts (see Question 6). If all parties are businesses, they can freely determine the terms and conditions of an electronic contract.

 
8. Are there any limitations in relation to electronic contracts?

In principle, there is no limitation in relation to electronic contracts specifically. The Turkish Code of Obligations states that any contract which is contrary to the mandatory provisions of the laws, moral principles, public order, personal rights or any contract with the infeasible subject is invalid. In this context, electronic contracts that fall under these restrictions would be deemed invalid. For example, in Turkey, online sale of alcohol, cigarettes, prescription drugs and so on. is prohibited. Additionally, certain types of contracts must be in a specific format to be legally binding under Turkish law, for example:

  • The sale and transfer of immovable property requires the sale agreement to be signed in an official format before the Title Deed Registry Office. Donations and agent agreements regarding immovable property can be executed in written form with signature or electronic signature.

  • The sale and transfer of registered motor vehicles must be signed in an official format before the notary public to be valid.

  • Any surety or personal guarantee must not be undertaken with an e-signature.

In relation to e-signatures, see Question 12.

 
9. Are there any data retention requirements in relation to personal data collected and processed via electronic contracting?

A new Data Protection Law has been enacted recently, and come into force following its publication in the Official Gazette of Turkey on 7 April, 2016. Under the Data Protection Law, processing the personal data is subject to some requirements. Accordingly, processing of personal data includes operations such as collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data.

The following principles apply to processing of personal data:

  • Personal data can be legitimately processed if the data subject's explicit consent is obtained or such data is publicised by the data subject (see Question 16).

  • Personal data must be accurate, and, if necessary, up to date.

  • Personal data must be kept no longer than is necessary for the purposes it has been collected.

  • Processing must be for legitimate and specified purposes in accordance with law and good faith.

  • Personal data can be transferred abroad with the data subject's explicit consent. When the processing is based on other legitimate grounds, the country to where personal data is transferred must be regarded as safe in protecting personal data, by Personal Data Protection Authority, or the transferee must provide adequate safeguards.

  • Measures to prevent unlawful access to and processing of personal data must be taken.

  • Data subject must be informed on the identity of data controller, purposes and means of processing and conditions under which the personal data can be transferred to third parties.

  • Data subject's requests for information on and erasure or rectification of their personal data must be met.

  • Data processors and controllers must be registered with the Personal Data Protection Authority before they start processing.

  • Processing must be compliant with other regulations such as the Banking Law and the Law on Electronic Communications.

Additionally, sellers/providers and electronic business enterprises that intermediate sales between consumers, and sellers/providers which enter into (or intermediate entering into) electronic contracts with consumers, must retain the electronic contracts and the data relating to the relevant transaction for at least three years (Consumer Protection Law No. 6502 and the Regulation on Distance Contracts). The electronic contracts and other relevant data must be submitted and made available to consumers and authorised governmental entities when requested.

Also, Payment Services Law No. 6493 provides that the payment service providers must retain the documentation and information including the personal data of the service users (electronically or not) relating to the relevant transaction for at least ten years in Turkey.

 
10. Are there any trusted site accreditations available?

In Turkey, there is not a web site accreditation establishment. There is only a web service of ICTA which is called "Safer Internet Service". However, this service is not an accreditation service. Safer Internet Service provides internet users a protected web network by arranging certain restrictions.

 
11. What remedies are available for breach of an electronic contract?

Breach of electronic contracts is governed by the general provisions under the Turkish Code of Obligations and Consumer Protection Law No. 6502. The same general remedies (damages, termination, and so on) apply to business-to-business contracts that apply to other forms of contract. For business-to-consumer contracts, the following remedies are available:

  • To rescind the contract with a refund, if the seller/provider does not perform its obligations within 30 days of receipt of the customer's order.

  • To demand a reduction of the sale price in proportion to the defect.

  • To demand the replacement of the good/service, if possible.

  • To demand repair free of charge.

E-signatures

12. Does the law recognise e-signatures? To what extent and when are e-signatures used in electronic contracting? Are they required in most transactions, or very few?

E-signatures are recognised under Turkish law. E-signatures can be used in electronic contracts in the context of the limitations that the laws impose (see Question 13). E-signatures can be used in the electronic contracts which allow the parties to sign the contract with their secure e-signatures or mobile e-signatures. There is no limitation for using the e-signatures other than the legal transactions that are required by law to be concluded in a mandatory or official form or other special proceeding, such as purchase and sale of real estate or bail contracts.

E-signatures are usually required for the electronic contracts or documents where one of its parties is a governmental agency (e-state documents).

Applicable legislation

The applicable legislation regarding e-signatures is Law No. 5070 on Electronic Signatures (E-Signature Law).

Definition of e-signatures

Secure e-signatures (see below, Format of e-signatures) are defined as signatures that (E-Signature Law):

  • Are exclusively connected to the owner of the signature.

  • Are exclusively formed by the electronic signature forming device that is solely used by the signature owner.

  • Enable identification of the signature's owner via qualified electronic certificates.

  • Enable determination of whether the electronically signed data is later altered or not.

Format of e-signatures

In Turkey, e-signatures and the electronic certificates that verify the authenticity of the e-signatures are provided by electronic certificate service providers (ECSPs), which are approved by the Information and Communications Technologies Authority. A list of these providers in Turkey can be found at www.btk.gov.tr/bilgi_teknolojileri/elektronik_imza/eshs.php.

These listed ECSPs must obtain one of the certificates that are determined in the Communiqué on Processes and the Technical Criteria regarding the Electronic Signature. It is stated on this Communiqué that the ECSPs must also follow ETSITS 101 456 and CWA 14167-1 standards on all their activities regarding the e-signature.

E-signatures under Turkish Law fall into the following two categories:

  • Secure e-signatures. These are e-signatures which protect data integrity, and enable the identification of the signature owner based on a qualified electronic certificate, and whether signed electronic data has subsequently been changed or not (see above, Definition of e-signatures).

  • Mobile e-signatures. These are signatures that are formed by mobile devices and used on the mobile communication.

Secure e-signatures have the same legal effect as handwritten signatures (E-Signature Law).

 
13. Are there any limitations on the use of e-signatures?

An e-signature can be used without any limitation, except for guarantee contracts and legal transactions that are required by law to be concluded in a mandatory official form or other special proceeding (Law No. 5070 on Electronic Signatures) (see Question 16).

 

Implications of running a business online

 

Cyber security/privacy protection/data protection

14. Are there any laws that regulate the collection or use of personal data? To whom do the data protection laws apply?

Data Protection Law

The Data Protection Law has come into force following its publication in the Official Gazette of Turkey on 7 April 2016. The Law sets out important rules applicable to real persons and legal entities handling personal information. In general, any natural or legal person processing personal data falls within scope of the Data Protection Law (see Question 9).

Other regulations

Turkish Constitution and other laws, such as Turkish Criminal Code, include certain general rules about personal data and its process before the adoption of the Data Protection Law. Certain sector-specific regulations such as Law on Electronic Communications, Banking Law and E-Commerce Law also include rules on protection of personal data.

In addition to the Data Protection Law and within the scope of other relevant regulations (see above), the following rules apply:

  • Individuals have the right to request their personal data to be protected (Article 20, Turkish Constitution). This right includes rights:

    • of access to personal data;

    • to be informed about personal data;

    • to request correction or erasure of personal data;

    • to enquire whether the individual's personal data is used for its purposes.

  • Personal data can only be processed with explicit consent of the owner of the personal data, or in cases provided by law.

  • Any person who unlawfully records personal data is sentenced to imprisonment of six months to three years (Article 135, Turkish Criminal Code). In addition, any person who unlawfully delivers personal data to another person, or publishes or acquires personal data through illegal means, is sentenced to imprisonment of one to four years.

 
15. What data is regulated?

Personal data

Personal data is protected under the Data Protection Law as well as the Turkish Constitution and Turkish Criminal Code (see Question 14, Current laws). In addition, the telecoms industry has specific regulations for protecting user's personal data. There is no explicit definition of personal data.

The Draft Data Protection Law defines personal data as any information related to any real person (see Question 14, Draft Data Protection Law).

Under the Data Protection Law, any information relating to an identified or identifiable real person is considered personal data. Information relating to legal persons is not included in this definition provided that such information does not relate to a real person. Personal data relating to religion, ethnicity, association, foundation and union membership, health and dressing preferences are considered special categories of personal data and the processing of the these data will be subject to requirements that will be set by Data Protection Commission.

Commercial data

The following commercial data is protected:

  • Commercial secrets, banking secrets or customer secrets. Anyone who possesses those secrets due to their title, duty, profession or trade and shares that information or documents with unauthorised persons or discloses them, is subject to (Article 239, Turkish Criminal Code):

    • imprisonment of one to three years;

    • a judicial fine amounting up to 5000 days (which would be between TRY100,000 and TRY500,000).

  • Banking secrets. Banking Law No. 5411 imposes strict obligations on banks, bank personnel, and auditors.

  • Production and business secrets. Disclosing production and business secrets could result in unfair competition and is subject to unfair competition penalties and proceedings (Turkish Commercial Code).

  • Employee secrets. Employees are under the obligation not to disclose their employees' secrets, which could result in rightful termination of their employment agreements as well as compensation claims (Labour Law).

There is also a draft law on the agenda of the Parliament: Concerning the Protection of Commercial Secrets, Banking Secrets and Customer Secrets which will consolidate these rules, which is expected to be ratified in 2016.

 
16. Are there any limitations on collecting or using personal data? Are there any specific limitations on storage of personal data in the cloud?

Under the Data Protection Law, collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data is described as processing of personal data. Under such law personal data can be legitimately processed if:

  • Explicit consent of the data subject is obtained. Explicit consent requires the data subject to be informed beforehand and the consent must be:

    • based on the data subject's free will;

    • unambiguously clear;

    • limited to the purposes for which it is obtained.

  • The personal data is publicised by the data subject.

  • Processing is necessary for compliance with a legal obligation, or is obligatory for performance of a right.

  • Processing is necessary for the conclusion or performance of a contract, to which the data subject is a party, personal data can be processed only for the purposes relating to such performance.

  • Processing is necessary for the legitimate interests pursued by the controller unless such interests are overridden by the interests of the data subject with respect to fundamental rights and freedoms.

  • The data subject is unable to express his consent. In such cases, personal data can only be processed for protecting vital interests of such data subject.

Also see Question 9 for the processing rules imposed under the Data Protection Law.

Personal data can only be collected when required by law or with the explicit consent of the personal data owner (Article 20, Turkish Constitution).

Personal data must be (Regulation on Processing and Protecting Personal Data in Electronic Communication Sector):

  • Processed fairly and lawfully.

  • Processed on the consent of the data subject.

  • Adequate, relevant and not excessive in relation to the purpose for which it is collected.

  • Accurate and, where necessary, kept up-to-date.

  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

 
17. Is the use of cookies allowed? If so, what conditions apply to their use that impact system design?

Cookies are not specifically regulated or prohibited in Turkey. If cookies are used to collect anonymous data that cannot be linked with a real person, this data is not considered to be personal data and is not subject to personal data protection. It is recommended, therefore, the system not collect IP addresses of the users, which may be considered to be a link to real persons. In addition, it would be prudent to design systems in such a way as to obtain user's consent for the use of cookies, to prevent the risk of the system needing to be redesigned if future laws force online businesses to obtain consent.

 
18. What measures must be taken by companies or the internet providers to guarantee the security of internet transactions?

Since the responsibility to guarantee the security of internet transactions rests heavily with the business, the online companies and internet providers must take necessary technical precautions. Under the Turkish Law, the technical precautions are not specifically indicated. Companies may follow the global security precautions such as implementing 3DSecure or obtaining certificate from the standardisation organizations, such as Payment Card Industry Security Standards Counsel or Secure Socket Layer. They may also have a protection service from certificated payment service provider companies.

Pursuant to the Regulation on Service Providers and Intermediary Service Providers, the marketplace owners must indicate the sellers and their registered electronic mail addresses.

In addition, it would be advisable for a company to include legally binding non-disclosure/confidentiality agreements with their employees, suppliers, hosting services provider and business partners.

 
19. Is the use of encryption required or prohibited in any circumstances?

Sensitive payment data should be stored and saved in an encrypted form (Communiqué on the Management and Audit of the Payment and the Electronic Money Institutions' Information Systems). Sensitive data is defined as information that the payment service users give during and/or before the payment transaction to the payment institutions that could lead to fraud when obtained by third parties, such as the password, security question, PIN, card number, expiration date, and CVV2 - CVC2 codes.

In addition, legal entities that are operating in the payment services area must use encryption system to protect sensitive card data of the payment service user (Communiqué on the Management of Information Systems Used on Bank and Credit Card Transactions).

 
20. Can government bodies access or compel disclosure of personal data in certain circumstances?

Government bodies can access or compel disclosure of personal data in case of matters of (Article 20, Turkish Constitution):

  • National security.

  • Public order.

  • Prevention of crime.

  • Protection of public health and public morality.

  • Protection of other people's rights and freedoms.

Also, the Financial Crimes Investigation Board may process personal data to avoid financial crimes and funding of terrorist activities.

The Draft Data Protection Law will introduce a rule that obtaining consent of the personal data owner is not required when processing personal data for purposes of public interest, fulfilment of an official permission or by court order (see Question 14, Draft Data Protection Law).

 
21. Are there any regulations in relation to electronic payments?

For the requirements of electronic contracts and the information that must be provided to consumers before electronic payment is completed, see Question 6.

E-payment

An e-payment system provider (Payment Services Law and bye-law):

  • Can only process personal data for security purposes. The e-payment system provider must obtain the customer's consent if the provider wants to process personal data for another purpose.

  • Must take all measures to protect sensitive data (such as credit card numbers, passwords, and so on).

  • Must ensure that its system is ready for the audit of the Banking Regulation and Supervision Agency (BRSA) and keep transactions records for at least ten years in case of disputes.

Although e-payment institutions are not mentioned in the list of institutions which have to submit information frequently to the Financial Crimes Investigation Board of Turkey (MASAK), it is anticipated that e-payment institutions will be required to submit information to MASAK in the near future.

The Regulation on Service Providers and Intermediary Service Providers on E-commerce

Pursuant to the Regulation on Service Providers and Intermediary Service Providers on E-commerce, the service provider and the intermediary service provider cannot establish an electronic contract without a customer's consent to use his or her personal data (see Question 40). Although consent can be attached to the electronic contract, the approval of the contract and the personal data processing must be separate and independent. The consent form must contain the purpose of processing this data.

The service provider and intermediary service provider will also need to keep records about e-commerce transactions, and consents of the customers' related personal data processing for three years beginning from the transaction date pursuant to the Regulation on Service Providers and Intermediary Service Providers. These records must be submitted to the Ministry of Customs and Trade when demanded.

 
22. If the site is aimed at children, are there any specific rules or guidance that apply?

Even though there are no regulations expressly referring to the sites aimed at children, according to general principle adopted in Article 4 of the Regulation on Procedures and Principles of Publications on the Internet, publications on the internet cannot include contents that can harm physical, mental and moral development of the children.

 

Linking

23. Are there any limitations on linking to a third party website and other practices such as framing, caching, spidering and the use of metatags?

In principle, content providers are not responsible for third party content; however, if a content provider endorses third party content then it is just as responsible as the actual provider of that content (Turkish Internet Law No. 5651).

The trade mark owner can request that its trade mark not be used as a domain name, routing code, and keyword or in a similar manner by unauthorised persons (Decree Law on Trade Mark).

Otherwise, there is no legislation specifically governing practices such as framing, caching, spidering and the use of metatags.

 

Domain names

24. What regulations are there in relation to licensing of domain names?

According to www.nic.tr, it is possible for a foreign company to register a domain name in Turkey with ".tr" extension if it:

  • Proves that it has, or has initiated, commercial activities in Turkey, or is affiliated with a company already operating in Turkey.

  • Provides supporting official documents, such as a franchising agreement, distribution agreement, invoice, custom papers, and so on.

For domestic companies, the procedure to register a domain name is slightly difference. If the domain name which the company desires to register does not contain ".tr" extension, the domain name can be registered without any official document by applying to the various domain name provider companies. The company pays a registration fee determined by that domain name provider.

www.nic.tr is the sole organisation that assigns a domain names with ".tr" extension. A domestic company may register a domain name with ".tr" extension, by providing the following:

  • A unique domain name that is not already registered (however, this domain name must not include any extra word other than the trade name or registered trade mark of the applicant company).

  • Official documents, such as the trade registry certificate, certificate of activity, copy of the chamber of commerce registration or trade mark registry certificate after 15 days from the application date.

  • A registration fee for the following terms after approval of the application: TRY25 for one year, TRY45 for two years, TRY65 for three years, TRY84 for four years and TRY100 for five years.

 
25. Do domain names confer any additional rights (in relation to trade marks or passing off) beyond the rights that are vested in domain names?

Domain names do not automatically confer any additional rights beyond the rights vested in domain names. If the domain name also meets the requirements to be registered as a trade mark, however, it can be registered as a trade mark with the Turkish Patent Institute.

 
26. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?

The business name of limited partnerships and unlimited liability companies must contain all or at least one of the partners' first name and surname, and the type of company.

Joint stock companies, limited liability companies and co-operative companies are free to choose their business name, as long as they define the type of the company in the business name.

If the merchant is a real person, the business name must include his or her first name and surname, together with a possible extension (Turkish Commercial Code). Extensions must not:

  • Mislead third parties about the identity of the merchant, or the volume or importance of its operation and financial status.

  • Be contrary to truth and public order.

Individual merchants cannot adopt a business name that may mislead third parties to believe the individual merchant is a company instead. The terms "Türk", "Türkiye", "Republic of Türkiye" and "National/Milli" can only be used in a business name by a decision of the Council of Ministers.

Before applying for a commercial title, the first three words of the desired business name must be checked with the website of the Turkish Trade Registry Gazette: (www.ticaretsicilgazetesi.gov.tr/sorgu_acik.php), to see whether the same commercial title has been registered before. In addition, the business name must be searched with the Turkish Patent Institute, to check whether it has been registered with the same service classes.

 

Jurisdiction and governing law

27. What rules do the courts apply to determine the jurisdiction for internet transactions (or disputes)?

The parties to electronic transactions or contracts can agree on jurisdiction. If there is no choice of jurisdiction by the parties, general procedural rules will apply in determining the jurisdiction. The court of competent jurisdiction is the court located in the defendant's place of residence (Code of Civil Procedure). If the dispute arises from a contract and a jurisdiction has not been determined in the contract, the claimant can also apply to the court in the place of performance of the contract. These rules apply to both business-to-consumer and business-to-business disputes.

Consumer Protection Law No. 6502 defines the monetary limits for applying to the consumer arbitration committees or consumer courts. For disputes that are higher than TRY3,480 (for the year 2016; this value changes annually) the consumer must apply to the Consumer Courts located in the consumer's place of residence. For disputes that are below TRY3,480, the consumer must apply either to the district consumer arbitration committee or to the provincial consumer arbitration committees at the consumer's place of residence, or the place where the consumer transaction happened.

 
28. What rules do the courts apply to determine the governing law for internet transactions (or disputes)?

The main laws for internet transactions or disputes do not contain specific provisions concerning the determination of the governing law for internet transactions. Therefore, designation of the governing law on internet transactions continue to be regulated under general provisions of Turkish law.

If there is a foreign element (for example, foreign place of performance, different nationalities of the parties, and so on) in an internet transaction the parties can decide to choose a foreign law as the governing law. However, if the parties have not designated the governing law, Turkish courts will determine which governing law should apply. To determine the governing law, the court must find out characteristic elements of the transaction which have the closest connection to the relevant country's law.

 
29. Are there any alternative dispute resolution/ online dispute resolution (ADR/ODR) options available to online traders and their customers? What remedies are available from the ADR/ODR methods? Are there any requirements to notify customers of the availability of these methods?

Consumer disputes

The Arbitration Committee for Consumer Problems is authorised to resolve consumer disputes of up to TRY3,480. They can order refunds, free repair and product replacement, and these decisions are legally binding in the same way as other court decisions. An objection to these decisions can be submitted to the Consumer Courts within 15 days after the date of notification. There is no appeal from the decisions of the Consumer Court.

The Consumer Courts have jurisdiction over disputes the value of which exceeds TRY3,480.

Article 5 of Regulation on Distance Contracts regulates seller's or provider's obligation to notify customer regarding various matters. These notifications also include seller's or provider's obligation to notify customer regarding their right to apply to the Arbitration Committee for Consumer Problems or Consumer Courts in case of a conflict (see Question 6).

Business-to-business disputes

The contracting parties to business-to-business contracts can freely agree on ADR mechanisms. Currently, there is no ODR under Turkish Law.

 

Advertising/marketing

30. What are the relevant rules on advertising goods/services online/via social media?

Consumer Protection Law No. 6502 defines the rules of advertisements to protect the consumers. The Board of Advertisement is authorised to define principles of commercial advertisements and protect consumers against unfair commercial applications.

In addition, the Regulation on Commercial Advertisements and Unfair Commercial Applications based on Consumer Protection Law regulates commercial advertisements, and has a very wide scope that includes television, printed media, internet, telephone, radio, cinema and open air advertisement.

Under the Law and Regulation, commercial advertisements must comply with the principles of the Board of Advertisement, public morality and order, and personal rights.

The Regulation on Procedures and Principles of Broadcasting Services regulates the principles that the media service providers must obey. Under the Regulation, the Radio and Television Supreme Council is authorised to audit the broadcasts of radio, television and optional broadcast services.

 
31. Are there any types of services or products that are specifically regulated when advertised/sold online (for example, financial services or medications)? 

Advertisements of pharmaceuticals, medicine, human medicinal products, medical equipment, healthcare services, food, supplementary foods, cosmetics and hygiene are subject to specific regulations.

The following forms of advertisement are prohibited (Regulation on Procedures and Principles of Broadcasting Services):

  • Advertisement of prescription medicine and treatments, medicinal food supplements and herbal products.

  • Advertisements of fortune tellers, astrologists and dating services.

  • Advertisement and promotion of alcoholic beverages to consumers, including a prohibition on any domain or subdomain name that includes the name of or trade in alcoholic beverages.

 
32. Are there any rules or limitations in relation to text messages/spam emails?

Commercial electronic communications can only be sent to consumers with their prior consent (E-commerce Law No. 6563). This consent can be obtained from the consumer in writing or via electronic communication device such as SMS, e-mail, phone, internet, and so on. However, this limitation does not apply to business-to-business transactions.

The recipient has the right to refuse receiving commercial electronic communications. On receipt of the refusal request, the sender has three days to stop sending the messages.

The Regulation on Commercial Communication and Commercial Messages under the E-Commerce Law aims to regulate provisions and limitations regarding the commercial electronic communications in detail. Under the regulation, these commercial electronic messages must contain the procedures to unsubscribe from receiving such messages, free of charge, without the need to provide any reason at any time.

 
33. Are there any language requirements in your jurisdiction for a website that targets your particular jurisdiction or whose target market includes your jurisdiction?

There are no language requirements for a website that targets Turkey or whose target market includes Turkey.

 

Tax

34. Are sales concluded online subject to taxation?

Online sales conducted in 2015 in Turkey were worth TRY55.39 billion(Turkish Interbank Card Centre (BKM)). In the last ten years, e-commerce has reached a significant volume in Turkey. Control of taxation has increased and now applies to online sales as well.

Sales concluded online attract VAT and, depending on the goods and services, it may also attract Special Consuming Tax. In addition, the real person or the legal entity that sells goods and services online will be subject to either corporate income tax or personal income tax (Turkish Tax Code). Corporate profits are subject to corporate income tax, which imposes a fixed rate of 20% on the annual profit. A real person's annual income is subject to personal income tax which has graduated tax rates.

 
35. Where and when must online companies register for VAT and other taxes? Which country's VAT rate will apply?

Companies which have a tax presence in Turkey must apply applicable VAT on goods and services sold online. Companies which make sales in Turkey from abroad, will not be required to register for VAT or impose VAT on goods. Turkish-resident purchasers that buy goods online from companies that are not resident in Turkey must pay the applicable VAT at customs, while the goods pass through customs in Turkey.

 

Protecting an online business

Liability for content online

36. What laws govern liability for website content?

Turkish Internet Law No. 5651 governs liability for website content. Depending on the content, it may also be subject to:

  • E-commerce Law No. 6563.

  • Turkish Criminal Code (for example, through defamation).

  • Turkish Commercial Code (for example, through unfair competition).

  • Trademark Law (for example, through violation of trade mark rights).

  • Consumer Protection Law No. 6502 and Regulation on Commercial Advertisement and Unfair Commercial Applications (for example, through false advertising).

 
37. What legal information must a website operator provide?

The commercial content, hosting and access providers must include the following information on the homepage of their website:

  • If the provider is a real person, his or her name and surname, if the provider is a legal entity, its business name, representative's name, and tax ID or Trade Registry number.

  • Residency, in the case of legal entities, the company HQ.

  • Electronic communication numbers and telephone number.

  • If the service provided in the website is subject to a permit or supervision of a competent authority, information regarding this authority.

  • The commercial content provider must also provide information regarding its hosting provider.

 
38. Who is liable for the content a website displays (including mistakes)?

The content provider is responsible for all content he or she provides. If the subject is a hosting provider or a user generated content platform provider or marketplace, he or she will not be responsible for checking whether the content uploaded is against the law or not, but must remove this content when informed by competent authorities or any removal request is made by a third party whose personal rights, copyright or other IP rights are violated. The hosting provider must also keep the traffic information of its users for at least one year up to a maximum of two years, and present the information when requested by the competent authorities.

 
39. Can an internet service provider (ISP) shut down a website, remove content, or disable linking due to the website's content and without permission?

An ISP must cease access to content only where there is a cease access decision from courts (Turkish Internet Law No. 5651). After a court makes a "cease access" decision for a website, such decision is sent to the Presidency of Telecommunication which then notifies the relevant ISP that it must cease access to the content within four hours. The ISPs who do not cease the access to the content within four hours are liable to administrative fine between TRY18,974 and TRY189,783. The cease access decisions are not publicly accessible; however, the information whether there was a cease access decision taken for a particular website can be found by searching the website's URL on the ICTA's online search panel.

 

Liability for products / services supplied online

40. Are there any rules that might apply to products or services supplied online?

The Internet Law No. 5651 separates the liability of content provider and hosting service provider for the goods and services sold via websites. Under this law, hosting service or a user generated content platform provider or marketplace will not be responsible for checking whether the goods are counterfeit or compliant with the law. Therefore, the content provider is responsible for any content he or she provides. In Turkey, content providers are the sellers or product/service provider on the online marketplaces. If a hosting service provider is also the product/service provider on its website, the hosting service provider is deemed to be the content provider and is responsible for the quality of the products/services supplied online.

These rules also apply to the products or services for the auction sites. However, since there are different tax implementations for the auction sites in Turkey, tax consultants should be consulted first.

There is no legislation specifically governing practices such as using spiders, bots and crawlers.

 

Insurance

41. How should an online business be insured?

Turkish Law does not impose any obligation on online businesses to be insured. An online business can be insured through using suitable conventional insurance schemes depending on the type of the business.

 

Reform

42. Are there any proposals to reform digital business law in your jurisdiction?

There are two regulations that were recently ratified that regulate provisions relating to digital business in Turkey:

  • Regulation on Commercial Communication and Commercial Messages.

  • Regulation on Service Providers and Intermediary Service Providers on E-commerce.

The Regulation on Commercial Communication and Commercial Messages has been published in the Official Gazette of 15 July 2015 No. 29417. This regulation aims to prevent undesirable commercial messages and provides rules for sending commercial messages to consumers.

The Regulation on Service Providers and Intermediary Service Providers on E-commerce has been published in the Official Gazette of 26 August 2015 No. 29457. This regulation provides that the service providers and the intermediary service providers must publish their introductory information as registered electronic mail address and inform the consumers about all the steps of an e-commerce transaction in a detailed form (see Question 21, Regulation on Service Providers and Intermediary Service Providers).

Finally, the Draft Data Protection Law will affect the processing of personal data by digital business owners. This is expected to be ratified in 2016.

 

Online resources

Grand National Assembly of Turkey

W www.tbmm.gov.tr

Description. This website is the official website of the Grand National Assembly of Turkey, the legislative body. The information on the website is up-to-date, and includes all laws, draft laws, bills of law and decrees with power of law. However, the laws are published in Turkey only, with the exception of the Constitution of Republic of Turkey, which has an English translation: https://global.tbmm.gov.tr/docs/constitution_en.pdf ( www.practicallaw.com/resource.do?item=https://global.tbmm.gov.tr/docs/constitution_en.pdf)

Banking Regulation and Supervision Agency (BRSA)

W www.bddk.org.tr

Description. This website is the official website of the BRSA and provides laws and regulations that the Agency has published, together with announcements, reports and statistics. The information on the website is up-to-date. The website provides English-language versions of legislation: www.bddk.org.tr/WebSitesi/english/Legislation/Legislation.aspx

Information and Communications Technologies Authority

W www.btk.gov.tr

Description. This is the Authority's official website and contains laws and regulations, announcements, reports and statistics online. The information on the website is up-to-date. The website provides English-language versions of the Electronic Signature Law and the Electronic Communication Law: http://eng.btk.gov.tr/mevzuat/kanunlar/index.php ( www.practicallaw.com/resource.do?item=http://eng.btk.gov.tr/mevzuat/kanunlar/index.php)


Contributor profiles

Emin Kagan Dora, Co-Managing Partner

Cigdemtekin Dora Aranci (CDA) Law Office

T +90 212 227 0061
F +90 212 227 0063
E kdora@cdahukuk.com
W www.cdahukuk.com

Professional qualifications. Member of Istanbul Bar

Areas of practice. IT; technology; media; entertainment; energy; defence

Recent transactions. Provides legal advice on intellectual property law, commercial law, contracts law, insurance law and public procurement law to clients such as eBay, Fujitsu, Noktacom and WPP group companies including Mindshare, Mediacom and MEC and also to project groups.

Languages. Turkish, English

Gamze Cigdemtekin Ozer, Co-Managing Partner

Cigdemtekin Dora Aranci (CDA) Law Office

T +90 212 227 0061
F +90 212 227 0063
E gcigdemtekin@cdahukuk.com
W www.cdahukuk.com

Professional qualifications. Member of Istanbul Bar

Areas of practice. M&A; corporate; private equity; energy; infrastructure

Recent transactions

  • Advised clients such as Templeton Asset Management, Veolia Water Solutions, Socar Turkey, ADM Capital, Christian Dior in various mergers, acquisitions and restructurings.

  • Provides regular corporate commercial, contracts and competition law advice to clients in sectors such as Retail, IT, Technology, Energy and Financial Services.

Languages. Turkish, English

Tugce Funda Korkmaz, Associate

CDA Law Office

T +90 212 227 0061
F +90 212 227 0063
E tkorkmaz@cdahukuk.com
W www.cdahukuk.com

Professional qualifications. Member of Istanbul Bar

Areas of practice. Corporate; M&A; IT; commercial law

Recent transactions. Advises multinational and local corporates on IT, M&A, corporate and commercial law.

Languages. Turkish, English


{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1248216936720", "objName" : "Digital business in Turkey Overview", "userID" : "2", "objUrl" : "http://us.practicallaw.com/cs/Satellite/us/resource/5-618-1186?null", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-3b01f5d1:15b15deebd9:1ded", "analyticsSessionCookie" : "2-3b01f5d1:15b15deebd9:1dee", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }