IT & Technology Law
Advisory and representation are provided on personal data protection (KVKK) compliance, e-commerce activities, requests concerning online content, and cybercrime matters.
Current legal issues brought about by technology are assessed in light of legislative and practical developments.
Services in This Area
- Advice on KVKK compliance programmes, data inventories and privacy notices
- VERBİS registration obligations and challenges against decisions of the Personal Data Protection Board
- Data breach notifications and post-incident legal support
- Content removal and access-blocking requests under Law No. 5651
- Right-to-be-forgotten and search engine de-listing applications
- Advice on e-commerce, distance selling and platform agreements
- Drafting and review of software, licence and SaaS agreements
- Representation in cybercrime investigations and prosecutions
What Does IT and Technology Law Cover?
IT law spans a broad field, from personal data protection and e-commerce to online content and cybercrime. In Turkish law, its core instruments include the Personal Data Protection Law No. 6698 (KVKK), Law No. 5651 on the Regulation of Online Publications, and the cybercrime provisions of the Turkish Criminal Code.
For businesses, the focus lies on lawful data processing, the regulatory compliance of websites and applications, and structuring contracts that reflect how technology is actually used. For individuals, the most common issues are the unauthorised use of personal data, online violations of personality rights, and cyber fraud.
How Does a KVKK Compliance Process Work?
Compliance begins by mapping the personal data a controller processes: a data processing inventory is prepared, and the purposes and legal bases of processing are identified. Privacy notices, explicit consent statements, retention and destruction policies, and, where required, VERBİS registration are then put in place.
Compliance is a continuing obligation rather than a one-off exercise; the steps prescribed by the legislation must be followed when launching new products, transferring data abroad, or responding to a data breach. Board decisions and secondary regulations are monitored so that processes remain up to date.
What Can Be Done About Unlawful Online Content?
For content violating personality rights, an application may be made to the criminal judgeship of peace under Law No. 5651 for the removal of content and the blocking of access. Removal can also be requested through notices addressed to content and hosting providers.
For outdated search results that unfairly affect an individual, applications may be made to search engines and the competent authorities under the right to be forgotten. Depending on the nature of the content, damages claims and criminal complaints are also considered alongside these routes.
Frequently Asked Questions
- What are the sanctions for breaching the KVKK?
- The Personal Data Protection Board may impose administrative fines for breaches of the obligations on information notices, data security, compliance with Board decisions and VERBİS registration; fine amounts are revalued annually. Unlawful processing of personal data may also constitute a criminal offence under the Turkish Criminal Code. The applicable sanction depends on the nature of the breach and the specific case.
- How can online content be removed in Türkiye?
- For content infringing personality rights, removal and access blocking can be requested from the criminal judgeship of peace under Law No. 5651. Takedown notices may also be sent to content and hosting providers. The most effective route depends on the type of content and the platform on which it appears.
- What can I do if my personal data is used without consent?
- An application may first be made to the data controller requesting erasure or correction; if the application is rejected or left unanswered, a complaint can be lodged with the Personal Data Protection Board. Where damage has occurred, a compensation claim and, where the conditions are met, a criminal complaint may also be pursued. The appropriate course depends on the circumstances of each case.
- Where should victims of cybercrime apply?
- In cases such as online fraud, unauthorised access or account takeover, a complaint may be filed with the public prosecutor's office; preserving screenshots, correspondence and transaction records is important so that evidence is not lost. Prompt notification of banks and platforms can help limit the damage. How the process unfolds depends on the nature of the act and the available evidence.
These answers are for general information only and do not constitute legal advice. For an assessment of your specific situation, please consult a lawyer.
Request an appointment to talk
Get in touch to discuss your questions and plan the process together.
Meetings are held by appointment, online or in person.