Pehlivan & Barlak is an Istanbul-based law firm specializing in providing legal services to international and local businesses in Turkey.
Pehlivan Barlak
We offer clear and timely advice addressing your legal issues, relying on our expert knowledge of Turkish law and our assessment of the commercial context.
Our unique and experienced team of commercially focused lawyers and business people allows us to provide tailored and result-oriented legal guidance for your business needs.
We pride ourselves on maintaining the highest standards of integrity and confidentiality throughout our interactions and engagement.
Practice Areas
We have extensive knowledge and experience in the following areas of information and technology law:
Data Protection and Privacy: We help our clients commercialize data compliantly. Our practical and pragmatic approach assists our clients in establishing clear strategies in this ever-developing area.
E-Commerce: Legal advice and support on the day-to-day business needs for online platforms operating as B to C e-tailers, content providers, e-mail service providers or marketplaces; as well as assisting them in meeting the legal compliance requirements including drafting necessary agreements and texts (including privacy or cookie policies).
Payment Systems: Assisting clients in the drafting and structuring of complex contracts with payment system service providers, necessary legal consultancy and legal compliance of the cards and hardware to be used in the payment systems. In addition, we assist in managing the relations with the regulators and supporting licensing procedures.
IP Rights: Assisting clients on any IP right matters related to their online platforms including dispute resolution, content review and take down and keeping the business compliant with IP right formalities.
Our corporate team caters to the needs of a company and its shareholders at every stage of the business cycle, including incorporation of liaison offices, foreign company branches, limited liability companies and joint stock companies, registration processes to the relevant Trade and Industry Registries. We also provide services to our clients on mergers and acquisitions, securities offerings, corporate governance, shareholder rights, joint ventures, preparation of shareholders’ agreements and by-laws, licensing processes and providing assistance on their exit strategies.
We offer legal services for a full range of commercial contracts to clients from diverse backgrounds including Turkish entrepreneurs to international conglomerates and private equity.
Our intellectual property expertise covers all aspects of intellectual property rights including trademarks, patents, utility models, copyrights, industrial design, trade secrets, geographical indications and domain names.
We assist our clients with strategic decision making to ensure that business goals are reached by correct coordination of intellectual assets as well as providing guidance to secure and guard their intangible assets from any contingent liabilities and/or future threats.
We represent both local and international private equity and strategic investors. Our practice covers business acquisitions, mergers, de-mergers, spin-offs, share exchanges and joint ventures.
Our exposure in M&A transactions includes a wide range of sectors which allows us to provide sector specific advice. We have in-depth experience in conducting due diligence exercises (both for seller and buyer side) in addition to drafting and negotiating asset sale, share purchase and shareholders’ agreements.
We represent national and multinational banks, financial institutions and borrowers. Our experience includes acting as local counsel in international finance transactions and as lead counsel in Turkish law governed deals between Turkish banks and borrowers.
We primarily advise on project, structured, trade and commodity, acquisition and corporate finance. Our team also provides regulatory advice to our clients and has diversified experience in drafting and negotiating a full range of loan and security documents.
Our competition law practice group advises on a day-to-day basis on business dealings including distributorship, licensing, franchising and joint production; as well as merger control.
Our services include advising on merger, acquisition and joint venture transaction documents as well as commercial agreements and submitting exemption filings and merger control filings to the Turkish Competition Authority. We also provide sector specific competition law trainings to our clients at all levels of seniority, from the C Suite to sales teams.
We provide legal support, representation and strategic guidance to local and multinational companies for their dispute resolution matters in Turkey.
Our team has handled litigation cases for both the plaintiff and defendant sides and is experienced in advising clients on commercial, real estate, employment and investment disputes. Our firm also provides legal assistance in obtaining preliminary injunction and attachments, and debt recovery through enforcement proceedings.
We advise on all aspects of real estate transactions including, sale and purchase of real estate, lease agreements, construction agreements, financing, establishment and release of all rights in rem on immovable property, such as mortgages and usufruct rights.
Our clients include national and multinational banks, real estate funds and private individuals.
Our employment law team advises employers on the full range of employment law issues including hiring, compliance with statutory and contractual requirements, disputes, disciplinary schemes and actions, termination, post-termination strategies and employment law effects of restructurings.
We also cover all aspects of employee incentives and pensions work and provide training and regular legal support to human resources teams of our clients.
We help expatriates and foreign nationals in Turkey by offering client focused guidance on all aspects of Turkish law.
Our services include obtaining work and residence permits, either for independent purposes or for employees, inclusive of their immediate family members.
Team
Erdost Pehlivan
Erdost Pehlivan is a corporate lawyer with over 16 years of experience having in-house (C-level) executive and international law firm background. He specializes in the fields of information and technology law, e-commerce, payment system regulation, data protection, intellectual property, employment law and corporate and commercial law.
Throughout his career, Erdost advised a wide range of clients including Turkish and multinational conglomerates, state owned companies and private equities in relation to information technology (mainly e-commerce, payment systems and data protection), mergers and acquisitions and capital markets practices.
Erdost held executive positions in Naspers Limited investments in Turkey (Markafoni, letgo and PayU), where he was closely involved in management and strategic business decisions. Before his career as an executive, he had worked for White & Case and Paksoy, both top tier law firms in Turkey.
Education:
Harvard Business School, Executive MBA in E-Commerce (certificate)
University of Manchester, Law School, LL.M.
Marmara University Faculty of Law, LL.B.
Bar Associations:
Istanbul Bar Association
Selin Barlak Gümrükçü
Selin Barlak Gümrükçü is a corporate lawyer with more than 16 years of experience having in-house legal counsel and international law firm background. She mainly focuses on corporate law, energy law, real estate law, intellectual property, commercial contracts, mergers and acquisitions and data protection and privacy.
Throughout her career, she worked at Paksoy, a top tier law firm in Istanbul, for more than five years and then worked as an in-house legal counsel at Koç Holding A.Ş., where she had the opportunity to represent major companies in Turkey in a variety of sectors including energy, technology, automotive, tourism, retail and food and beverage sectors.
Selin Barlak Gümrükçü is particularly experienced at corporate and commercial matters including mergers and acquisitions, joint ventures, company structuring and drafting and negotiating corporate and commercial documents and agreements including share purchase, asset transfer, shareholders, joint venture, licensing, outsourcing, commercial sales, distribution and supply agreements.
Education:
Yeditepe University Faculty of Law, LL.B.
Istanbul Technical University, Executive MBA
Bar Associations:
Istanbul Bar Association
Naz Yaman
Naz Yaman is a corporate lawyer specializing in the fields of commercial law and contracts, mergers and acquisitions, data protection, employment law, corporate dispute resolution matters and private law associated with commercial litigation.
Education:
Bar Associations:
Istanbul Bar Association, 2014
Işık Kaya
Işık Kaya is a corporate lawyer specializing in the fields of commercial law and contracts, real estate law, consumer law, law of obligations, mergers and acquisitions, employment law and private law associated with commercial litigation.
Education:
Istanbul University Faculty of Law, L.L.B.
Bar Associations:
Istanbul Bar Association, 2021
Nehir İsen
Nehir İsen is a corporate lawyer specializing in the fields of data protection, e-commerce, information and technology law, corporate law and commercial contracts. During her time as a student, she participated as a team member in the 27th Willem C. Vis International Commercial Arbitration Moot Competition.
Education:
MEF University, Faculty of Law, L.L.B.
Bar Associations:
Istanbul Bar Association, 2021
Dilşad Çağlayan
Dilşad Çağlayan is an intern in our firm working in the fields of information and technology law, e-commerce, arbitration and mediation, data protection, intellectual property, employment law and corporate and commercial law. She is also interested in alternative dispute resolution methods, including arbitration and mediation.
Education:
Istanbul Ticaret University Faculty of Law, LL.B.
Bar Associations:
Istanbul Bar Association 2024, pending
Dilek Taşlı
Office Assistant
Publications
14 October 2021
Guideline on Biometric Data
A. Introduction
The Turkish Data Protection Authority (“Authority”) published “The Guideline on the Considerations for the Processing of Biometric Data” (“Guideline”) on its official website on 16 September 2021.
In the Guideline, the Authority defines biometric data and explains the principles to follow relating to the processing of biometric data.
B. Definition of biometric data
The Guideline refers to Article 4 of the General Data Protection Regulation (“GDPR”) for the definition of biometric data: “the physical, physiological or behavioral characteristics data that allows for or confirms the unique identification of a natural person”.
Additionally, the Authority categorizes biometric data as physical and behavioral biometric data, in parallel with the European Commission’s “Working Document on Biometrics”. Examples of physical biometric data include the subject’s fingerprints, retina, palm, face, hand shape, and iris, while behavioral biometric data includes the way the subject walks, types, slides the screen, drives, etc.
Biometric data is defined as sensitive personal data in Article 6 of the Law on the Protection of Personal Data Numbered 6698 (“Law”), and sensitive personal data is subject to specific processing conditions.
C. The principles to follow according to Guideline
1. Biometric data shall be processed in compliance with general principles and conditions outlined in Articles 4 and 6 of the Law and with the following principles:
- The essence of fundamental rights and freedoms shall not be violated.
- The data processing method shall be suitable for the purpose of data processing and appropriate for achieving the aimed purpose.
- The method of data processing shall be necessary for the achievement of the aimed purpose.
- The purpose to be achieved by data processing and the means to it shall be Processing of biometric data shall be avoided if a less intrusive solution is available.
- The processed data shall be kept as long as necessary, and destroyed immediately without delays, after such necessity ends.
- The obligation to inform shall be fulfilled in compliance with Article 10 of the Law.
- Explicit consent of data subjects shall be obtained under the Law if such consent is required.
D. The measures to take for securing biometric data according to Guideline
The Authority states that, for biometric data, the data controller shall take the measures required for sensitive personal data (these are specific and burdensome measures which were published by the Authority previously).
1. Technical measures:
- Biometric data may only be stored in cloud systems by using cryptographic methods.
- Derived biometric data shall be stored in a manner that does not allow the recovery of the original biometric feature.
- Biometric data and its templates shall be encrypted with cryptographic methods to provide adequate security. The encryption and key management policies shall be expressly defined.
- The system shall be tested with synthetic data in test environments, before installing the system and after any updates. Additionally, usage of biometric data during tests shall be limited by necessity. All processed data shall be removed after the completion of tests at the latest.
- Measures that warn the system administrator and/or delete biometric data and report in case of an unauthorized access to the system shall be in place.
- The data controller shall (i) use certified equipment in addition to licensed and up-to-date software systems, (ii) prefer open-source software primarily and (iii) perform the necessary updates.
- Usage period of devices that process biometric data shall be trackable.
- The data controller shall be able to monitor and limit user actions on software that processes biometric data. Hardware and software tests of biometric data systems shall be checked periodically as well.
2. Administrative measures:
- An alternative system shall be provided with no restrictions or costs for data subjects who do not give their explicit consent or for conditions where biometric data solutions may not be used (e.g. a handicap that prevents processing biometric data).
- An action plan shall be started in case of failure or failure to authenticate by biometric methods (failure to verify an identity, lack of authorization to enter a secure area, etc.).
- A mechanism for authorized persons to access biometric data systems shall be created and managed, and those responsible shall be identified and documented.
- Special training shall be provided to the employees that participate in biometric data processing and such training shall be documented.
- A formal reporting procedure shall be created for the employees to report security gaps in systems and services and possible threats the gaps may cause.
- An emergency procedure shall be implemented if there is a data breach and such breaches shall be announced to everyone concerned.
E. Additional practical points for data controllers
- Consent for processing biometric data may be invalid if it is a precondition of a service/good.
- Consent of employees for processing biometric data may be invalid as there is a clear inequality between the parties (i.e. employee and employer). This is especially true in situations where the employee is not provided with an alternative if she does not provide her consent for biometric data processing (e.g. entry to and exit from a workplace).
- The Authority considers processing of biometric data acceptable for controlling entry and exit to a facility or workplace in exceptional circumstances. As an example, controlling entry and exit to a Nuclear Power Plant with biometric systems may be OK while using biometric systems for checking entry and exit of a sports gym is not acceptable.
If you have further questions, do not hesitate to contact us.
Kind regards,
12 May 2021
Crypto Asset Developments in Turkey
I. Prohibition of payments with crypto assets
The Regulation Prohibiting Payments with Crypto Assets (“Regulation”) has entered into force on 30 April 2021 in Turkey.
The Regulation defines crypto assets as intangible assets, (i) created virtually using distributed ledger or similar technologies and distributed over digital networks (ii) which do not qualify as money, registered money, electronic money, payment instrument, security or any other capital market instrument.
As per the Regulation (i) crypto assets shall not be used directly or indirectly for payments, (ii) services shall not be provided for the use of crypto assets directly or indirectly in payments, (iii) payment service providers shall not develop business models which will enable the use of crypto assets directly or indirectly for providing payment services and electronic money issuance and shall not provide services regarding such business models and (iv) payment and electronic money institutions shall not intermediate transfer of funds to/from platforms that offer trading, custody, transfer or issuance services regarding crypto assets.
Its application remains to be seen; however, the Regulation seems to prevent only the payment function of the crypto assets in Turkey as well as restricting payment system providers’ involvement in the crypto asset ecosystem. Use of crypto assets as investment instruments does not seem to be prohibited yet.
II. Money laundering and financing of terrorism related requirements
An amendment to the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism (“Amendment”) has entered into force on 1 May 2021.
With the Amendment, “crypto asset service providers” and “savings financing companies” were included in the scope of Article 4 of the Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism (“Measures Regulation”). Therefore, these entities are now within the scope of the Measures Regulation and the Law on Prevention of Laundering Proceeds of Crime numbered 5549 (“AML Law”).
Some obligations for crypto asset service providers regarding customer transactions under the Measures Regulation and the AML Law include: (i) identification of customers, (ii) monitoring of customer transactions and status, (iii) suspicious transaction notification and (iv) provision of information and documents.
III. The Guideline for Crypto Asset Service Providers
Following the new Amendment, the Financial Crimes Investigation Board (“MASAK”) released a Guideline for Crypto Asset Service Providers (“Guideline”) on 5 May 2021. In this Guideline, obligations for crypto asset service providers are explained in detail.
Among other obligations, crypto asset service providers are required to identify customers if a suspicious transaction takes place (without regard to the amount of the transaction) or if there is/are a total of TL 75.000 worth of transaction(s).
Crypto asset service providers are also required to provide necessary and requested information to MASAK at any time and to keep all electronic or physical documents from the latest registry date and customer identification documents from the latest transaction date, both for 8 years.
Breach of the obligations above may result in administrative fines up to TL 4.000.000 as well as criminal sanctions.
IV. Turkish court decision on seizure of crypto assets
A Turkish court decided on 19 April 2021 that crypto currencies may be considered as a security instrument/commodity and may be seized. Please note that this is a debt collection court decision, its interpretation of crypto assets is limited to its purpose, and the seizure decision was related to an account at a crypto asset exchange.
If you have further queries, do not hesitate to contact us.
Kind regards,
10 May 2021
Guideline on Social Media Influencers
The Guideline on Commercial Advertising and Unfair Commercial Practices by Social Media Influencers (“Guideline”) was announced by the Ministry of Trade of the Republic of Turkey on 5 May 2021. The Guideline aims to guide advertisers, advertising agencies, media organizations and all persons, institutions and organizations involved in advertising with respect to commercial advertising and commercial practices carried out by social media influencers.
The Guideline has been prepared on the basis of Articles 61, 62, 63 and 84 of the Law on Consumer Protection dated 7.11.2013 and numbered 6502 (“Law”), the Regulation on Commercial Advertising and Unfair Commercial Practices published in the Official Gazette dated 10.01.2015 and numbered 29232 (“Regulation”), and the decisions taken at the Advertisement Board meeting dated 04.05.2021 and numbered 309. Within this framework, the rules set out in the Guideline cover all kinds of consumer-directed commercial advertising and commercial practices carried out by social media influencers.
The term “influencer”, which we hear frequently, is defined in the Guideline and has thereby gained legal clarity. Under the Guideline, a social media influencer (“influencer”) means “a person who engages in marketing communication through a social media account in order to ensure the sale or rental of a good or service belonging to themselves or to an advertiser, or to inform or persuade the target audience”.
In order to set the general principles for commercial advertising and commercial practices carried out by influencers, the Guideline introduces important and necessary criteria to be complied with. The statements that an influencer must use in commercial advertising are also regulated separately for each medium in which content is published. This information note explains the points to be considered in practice under the Guideline.
- Advertisements made through an influencer must be expressed clearly and comprehensibly and must be distinguishable.
- As in every communication medium, covert advertising in audio, written or visual form is prohibited on social media.
- An influencer may not post, for commercial advertising purposes, about a good or service that they have not yet experienced in a way that endorses that good or service or creates the impression among consumers that they have experienced it.
- An influencer may not make health claims about a good or service in breach of the relevant legislation.
- An influencer may not make claims about scientific research and test results regarding a good or service that are not based on objective, measurable, numerical data and cannot be proven.
- An influencer may not direct consumers to goods or services offered by doctors, dentists, veterinarians, pharmacists and healthcare institutions, and may not promote such goods or services.
- An influencer may not create the impression that they purchased a good or service that was gifted to them by the advertiser.
- An influencer may not create the impression that they are merely a consumer for as long as they receive benefits such as financial gain and/or free or discounted goods or services from any advertiser in connection with the commercial advertising of a good or service.
- If an influencer uses effects or filtering applications in the commercial advertising of any good, they shall clearly state that the image has been filtered.
- An influencer may not systematically create and/or use fake or non-existent identities in bulk in order to communicate about a good and/or service through social media.
- In posts for which the influencer receives benefits such as financial gain and/or free or discounted goods or services from the advertiser, this must be clearly stated using at least one of the statements in the table below, depending on the platform on which the commercial advertising relationship takes place (media such as YouTube, Instagram TV, Instagram, Twitter, Facebook and podcast platforms are considered within this scope). The labels and disclosures used by influencers in this context must meet the following requirements:
- they must be distinguishable from the colors and background used in the post and of an easily readable size,
- they must be stated in a form and position such that consumers understand that the post is a commercial advertisement the moment they first encounter it, without needing to do anything else,
- where other labels or disclosures are included in the post, they must be stated visibly among those labels and disclosures, and
- they must be presented in a way that consumers can notice at first glance, taking into account the interface and technical features of the medium in which the post appears.
Advertisements on video-sharing platforms | Advertisements on photo- and message-sharing platforms | Advertisements on podcast platforms | Advertisements on platforms where content is visible only for a short time |
In advertisements on video-sharing platforms such as YouTube and Instagram TV and in posts that are live broadcasts, at least one of the statements indicated below is included in writing and verbally, either continuously within the video, in the title or description of the video, or at the beginning of the section in which the advertisement appears, without forcing consumers to click on an area such as “read more”. | On photo- and message-sharing platforms such as Instagram, Facebook and Twitter, at least one of the labels or statements indicated below is included in, below or in the description of the shared photo and/or message, together with any identifying information about the advertiser such as its name, brand or trade name. | In advertisements made through podcasts, at least one of the statements indicated below is included in writing and verbally at the beginning, in the middle and at the end of the broadcast. | In advertisements where content is visible only for a short time, such as Snapchat and Instagram stories, at least one of the labels or statements indicated below is included for the duration of the post, together with any identifying information about the advertiser such as its name, brand or trade name. |
- Under the Guideline, advertisers are responsible for:
- informing influencers about the provisions of the Guideline,
- requiring influencers to comply with the relevant laws and regulations, including Law No. 6502, the Regulation and the Guideline,
- where the advertiser allows influencers to use third parties, drawing the influencers’ attention to the fact that those third parties must also comply with the obligations set out in the relevant laws and regulations, including Law No. 6502, the Regulation and the Guideline, and
- making efforts to ensure that influencers fulfill their obligations and taking measures against violations.
Advertisers, advertising agencies and influencers will each be separately responsible for compliance with the provisions of the Guideline. It should be borne in mind that an advertiser cannot avoid fulfilling its responsibility for the matters listed on the ground that they are the influencer’s own responsibility. In such cases, written contracts that define the limits of responsibility will help in proving that the obligations have been fulfilled.
The Guideline also provides that subsequently correcting or remedying a commercial advertisement or commercial practice that breaches Articles 61 and 62 of the Law, the Regulation or the provisions of the Guideline does not remove the liability of the advertiser or the party engaging in the commercial practice for the breach identified.
The Law and the Regulation on which the Guideline is based aim to protect consumers against unfair commercial advertising and unfair commercial practices and to introduce principles and rules for all persons, institutions and organizations engaged in commercial advertising or commercial practices. These rules determine the elements that advertisements must contain; in particular, advertisements that are contrary to morality and the rules of honesty, harmful to public health, or that may lead to exploitation and similar matters are classified as unfair. As a rule, it must be clearly understood that an advertisement is an advertisement; the Guideline accordingly draws attention to the need for commercial advertising in social media posts to be carried out in light of the principles in the legal rules, and separately to covert advertising in social media/television broadcasts, which is most often encountered in the form of product placement.
Covert advertising is the inclusion and promotional presentation, in content that is not clearly stated to be advertising, of the name, brand, logo or other distinctive shapes or expressions, or the trade name or business name, relating to the promoted good or service for advertising purposes. Covert advertising in audio, written or visual form is prohibited in every communication medium.
In order to avoid sanctions under the legal rules as a result of commercial advertising and commercial practices, it is very important to interpret the provisions of the Guideline together with the provisions of the Law and the provisions of the Regulation on covert advertising. The matters set out in the Guideline may not be interpreted or applied in a manner contrary to these rules.
Kind regards,
1 December 2020
Sanctions on the Social Media Platforms in Turkey
New amendments to the Turkish Internet Legislation (Law No. 5651 on the Regulation of Internet Broadcasts and Prevention of Crimes Committed through Such Broadcasts) brought (among others) an obligation to appoint at least one representative in Turkey for social network providers (“Social Network Providers”) which are based abroad and have more than one million daily accesses to their services from Turkey.
Social Network Providers that did not fulfill this obligation had been notified by the Information Technology and Communication Authority (“ITC Authority”). Also, on 4 November 2020, the ITC Authority imposed an administrative fine of TL 10.000.000 (approx. USD 1,282,000) each on certain social network providers, including Facebook, Twitter, Instagram and TikTok, which had not appointed a representative in Turkey.
In the upcoming days, the following sanctions may be imposed gradually on the Social Network Providers which do not fulfill their obligation to appoint a representative:
- Administrative fine of TL 30.000.000 (USD 3,846,000)
- Advertising ban
- Reduction of the internet traffic bandwidth by 50%
- Reduction of the internet traffic bandwidth up to 90%
The first administrative step on this matter will be the fine of TL 30.000.000 (USD 3,846,000) on Social Network Providers which fail to appoint a representative within 30 days from the notification of the administrative fine imposed on 4 November 2020. Up until now, only VKontakte (VK, a Russian social media platform) has appointed a representative in Turkey. It remains to be seen how much compliance other social media giants will show in light of this new regulatory regime in Turkey.
We will keep you informed of the updates.
Kind regards,
8 September 2020
New Legislation for Social Media in Turkey
On 29 July 2020, the Law on the Regulation of Publications on the Internet and Combating Crimes Committed by means of such Publications was amended; the amendment is widely known as the new social media law in Turkey.
The amendments in question brought major changes regarding social media, some of which are highlighted below:
A. What is new?
- Social Network Provider
The new amendment has introduced a Social Network Provider definition: “Real or legal persons that provide opportunity for users to create, view or share content in text, visual, sound, location and similar forms on the internet environment in terms of social interaction”. This new definition came with numerous obligations on Social Network Providers.
- Obligations and sanctions for Social Network Providers
(a) Obligation to appoint a representative in Turkey and to inform the Information and Communication Technologies AuthorityIf a Social Network Provider located outside of Turkey has more than 1.000.000 access per day from Turkey, it is under an obligation to (i) appoint a representative (a real person or a legal entity) in Turkey and (ii) to inform the Information and Communication Technologies Authority (“ITCA”) about the identity and the contact information of the representative.There is a progressive system of sanctions in case of a breach of such obligations, including administrative fines up to TL 30.000.000 (approx. USD 4.000.000), bandwidth reductions up to 90% and advertising bans to such Social Network Providers.
(b) Short response periods for content removal/access blocking
For Social Network Providers which are located abroad or in Turkey and have more than 1.000.000 access per day from Turkey,
- If a content removal/access blocking request is received (based on personality rights and the right to privacy), it shall reply within 48 hours and provide a reasoning if such request is denied.
- If a court determines certain content to be illegal, the Social Network Provider is under an obligation to remove such content/block access within 24 hours of notification.
(c) Data localization and reporting obligations
Social Network Providers which are located abroad or in Turkey and have more than 1.000.000 access per day from Turkey must (i) keep the Turkish user’s personal data in Turkey and (ii) provide a report to ITCA Foreign on its content removal and access blocking activities.
The provisions of the new amendment have differing application dates and some of the major changes (including the definition of Social Media Provider and appointment of representatives) are to enter into force on 1 October 2020.
Please do not hesitate to contact us for your further questions.
Kind regards,
Turkish DPA Announcement on International Transfer
8 June 2020
A. Background
As per the Law on Protection of Personal Data, personal data may be transferred abroad with the data subject’s explicit consent.
Alternatively, personal data may also be transferred abroad if data processing conditions are present (e.g. legitimate interest, performance of contract etc.) and (i) without explicit consent in case there is sufficient protection in the country where the data is transferred to or (ii) again without explicit consent in case parties located in Turkey and abroad have undertaken the necessary protection for personal data (“Undertaking”) and such Undertaking is approved by the Data Protection Authority (“Turkish DPA”) (even if there is not sufficient protection in the country where the data is being transferred to). There is also a more complicated binding corporate rules method recently introduced by the Board for international transfers.
In relation to the Undertaking method of international transfers, Turkish DPA has announced certain clarifications and requirements on 7 May 2020. Please find below the highlights of this announcement.
B. Content requirements
In relation to the content of the Undertakings,
- A detailed explanation is required for international personal data transfers based on legitimate interest of the data controller (e.g., specific explanation for each data subject and data type regarding what kind of a legitimate interest is pursued, why international transfer is required for this and how fundamental rights of data subjects are protected);
- There shall be no onward transfers (inside or outside of the country to which personal data is transferred) and all transferee parties shall be parties to the Undertaking (one Undertaking for all concerned transferees is possible);
- Maximum data retention periods shall be stated in the Undertaking;
- Parties shall use the correct form published by the Turkish DPA (“Data Controller to Data Controller” or “Data Controller to Data Processor”, depending on the parties), and provide any document that proves this relationship such as contracts; and
- The personal data transferred abroad with explicit consent cannot be subject of an Undertaking.
C. Procedural requirements
In relation to the procedural requirements of the Undertakings:
- Parties shall use the exact wording provided by the Turkish DPA for the Undertakings. If they require additional provisions, these shall be included under a separate heading as “Additional Provisions”;
- Signatory authorization documents (e.g. signature circular) shall be attached to the Undertaking; and
- If there are any foreign-language (i.e. any language other than Turkish) documents attached to the Undertaking, these documents shall be translated into Turkish (and notarized & apostilled as applicable).
For your further inquiries please do not hesitate to contact us.
Kind regards,
Turkish Data Protection Board Decision on Amazon Turkey
27.05.2020
The Turkish Personal Data Protection Board (“Board”) has issued a decision regarding Amazon Turkey Perakende Hizmetleri Limited Şirketi (“Amazon Turkey”), and imposed a TL 1,200,000 (approx. USD 176,000) fine due to its breaches of the Act on Protection of Personal Data.
Most of the points the Board raised in this decision are not novel and are already present under laws, secondary legislation or guidelines published by the Board. However, it is of practical importance for companies operating in Turkey (especially in retail/e-commerce sector) as this decision clearly demonstrates the motivation of the Board to vigorously apply Turkish privacy rules and impose fines.
- Commercial messages and protection of personal data
Although there is a separate set of legislation on electronic commercial messages (i.e. Act on Electronic Commerce and its secondary legislation), the Board reasserted its authority on this area.
The Board restated that sending commercial electronic messages (SMS, e-mail etc.) and storing personal data such as phone number or e-mail address in a data recording system are personal data processing activities. According to the decision, consent of the data subject is required for such activities.
- Consent mechanism (opt-out and opt-in)
The Board (i) rejected the opt-out consent mechanism which assumes the consent of data subject and allows her to remove such consent if she prefers so and (ii) required data subject to actively provide consent (i.e. opt-in), if data processing activity is based on consent.
- Merging privacy notice and consent texts
The Board stated that it is not acceptable to merge the privacy notice and consent text in one document. It also reasserted that if there is a legal basis other than consent for a data processing activity (e.g. legitimate interest), it is against good faith to obtain the data subject’s consent for such data processing activity.
- Consent as a condition of service
The Board stated that requiring consent of a data subject as a condition of providing a service (e.g. not allowing customers to purchase goods from a website if they do not consent to marketing activity) is not acceptable. According to the decision, such consents are not valid.
- Third party transfers with consent
The Board has clarified that if personal data is transferred to third parties with the data subject’s consent, such consent shall be present before or (at the latest) when such personal data is transferred to third parties. In other words, (for such transfers) it is not acceptable to transfer personal data to third parties without consent and provide data subject with an option to restrict such transfers.
- Transfer of personal data outside of Turkey and the effect of Board application
Amazon Turkey had applied for Board approval for personal data transfers outside of Turkey prior to this decision. However, this application was still pending and the Board stated that, in the absence of such an approval, the only remaining legal basis for transfer of personal data outside of Turkey is consent. The Board also criticized the blanket consent (all inclusive, non-specific consent) that Amazon Turkey used in this respect.
- Cookies
The Board explains that the data processing activity starts with cookies when the website is first visited. In this context, the Board found that visitors were not sufficiently notified about their privacy in relation to cookies. The Board also found that a consent mechanism was not in place (for cookies that require consent). We believe there is a clear need for specific regulation regarding cookies, similar to the EU, in order to remove the legal uncertainties faced in practice.
Kind regards,
Memorandum on Binding Corporate Rules
4 May 2020
A. INTRODUCTION
International personal data transfers are regulated under Article 9 of the Code on Protection of Personal Data (“Code”). Accordingly, personal data may be transferred abroad with the data subject’s explicit consent.
Alternatively, personal data may be transferred abroad if data processing conditions are present (e.g. legitimate interest, performance of contract etc.) and (i) without explicit consent in case there is sufficient protection in the country where the data is being transferred to or (ii) again without explicit consent in case parties located in Turkey and abroad have committed to undertake the necessary protection for personal data (“Commitment”) and such Commitment is approved by the Data Protection Board (“Board”), even if there is not sufficient protection in the country where the data is being transferred to.
In addition, the Data Protection Authority (“Authority”) also introduced “Binding Corporate Rules” (“BCR”) as a new personal data transfer method for multi-national corporate groups.
B. WHAT ARE THE BINDING CORPORATE RULES?
BCR allows the transfer of personal data abroad for multi-national corporate groups that operate in countries where sufficient protection does not exist. It aims to be a more practical method than a series of bilateral Commitments between the members of a group.
We would like to emphasize that the BCR method also requires application to the Board and approval of the Board.
C. MAIN POINTS OF BINDING CORPORATE RULES
The Authority has set out the 8 main points to be included in the BCR under the Auxiliary Document Regarding the Main Points to be Included in Binding Corporate Rules for Data Controllers (“Auxiliary Document for BCR”).
We would like to state that the main points in question could be required both for the BCR and for the Binding Corporate Rules Application Form for Data Controllers (“BCR Application Form”) shared in the annex of the Announcement.
Please find below a summary of these 8 main points:
1. Binding Nature
a. Obligation to comply with the BCR
The BCR prepared by the group companies shall be legally binding. Thus, there has to be a clear obligation to comply with the BCR for all related parties including the employees. This point has to be included both in the BCR and in the BCR Application Form.
b. An explanation of how the rules are binding on the BCR members included in the group and their employees
The validity and the legally binding nature of the BCR have to be explained in the BCR Application Form (e.g. via employment agreements for employees of the group companies, collective labor agreements, employee confidentiality agreements, code of ethics or policies and internal regulations).
c. Rights and legal claims of the data subject
The rights of the data subjects shall be clarified under the BCR.
d. Responsibility of the group in Turkey
The Authority requires that the BCR shall contain a duty for the group headquarters located in Turkey or a delegated group member located in Turkey to accept the responsibility for the remedies for breach of BCR and to pay fines/compensation. Also, Turkish courts shall be authorized to resolve disputes.
e. Company having the sufficient assets
The BCR application form must contain a confirmation that the BCR member that has accepted liability for the acts of other BCR members outside of Turkey has sufficient assets to pay compensation for damages resulting from the breach of the BCR.
f. Burden of proof lies with the Company
The BCR member that has accepted the liability shall also accept the burden of proof. If the BCR member that has accepted the liability can prove that the BCR member outside Turkey is not responsible for the act giving rise to the damages, it may discharge itself from liability.
g. Easy access to BCR and transparency for data subjects
Data subjects shall be informed about their rights and such information shall be easily accessible (e.g. publishing BCR online).
2. Effectiveness
a. Training and awareness
BCR shall contain appropriate training programs for personnel with data protection duties.
b. Complaints
There should be a pre-set complaint mechanism for data subjects.
c. Audit
BCR shall contain information on the audits to ensure compliance with the committed rules. In addition, the Authority requires that the BCR shall provide the Authority with the power to access the results of the audit upon request as well as the power to carry out an audit itself.
d. Authorized personnel
All BCR group members shall appoint personnel to ensure compliance with the BCR.
3. Cooperation with the Authority
Duty to cooperate with the Authority
The Authority requires that Binding Corporate Rules shall contain a clear duty for all BCR members to accept audit by the Authority and to comply with the advice of the Authority.
4. Processing and Transfer of Personal Data
a. Explanation regarding the content of the BCR
The BCRs, in general, shall cover issues such as nature of the personal data subject to the transfer (sensitive or non-sensitive), data categories (ID, contact information, location, etc.), purpose of and period for the transfer, group(s) of data subjects (employees, customers, visitors etc.), the method of the data transfer, legal basis of the data transfer, distribution of the data to be transferred within the group (by specifying the name and contact information of the relevant Group members) and onward transfers.
b. A statement of the geographical scope of the BCR
The BCR shall expressly specify the structure and contact details of each of the BCR members.
c. Entities bound by BCR
A contact person designated by the BCR members shall hold a list of all entities bound by the BCR and shall inform the relevant persons of amendments to the BCR (detailed below). This contact person shall be stated in the BCR Application Form.
5. Mechanisms for Reporting and Recording Changes
Reporting, recording changes made to the BCRs and notifying these changes to the Authority.
BCR may be amended/updated. However, these amendments shall be notified to all BCR members and the Authority without any delay (notification requirements are subject to certain exceptions as stated under the Auxiliary Document for BCR).
6. Data Security
a. A description of data protection principles covering the transfers from Turkey or onward transfers
The BCRs shall expressly contain the following principles to be complied with:
1. Lawfulness and fairness
2. Being accurate and kept up to date where necessary
3. Being processed for specified, explicit and legitimate purposes
4. Being relevant, limited and proportionate to the purposes for which they are processed
5. Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed
6. Processing of special categories of personal data
7. Security; technical and organizational measures shall be taken. In terms of personal data transfers within the Group, data processors must comply with the technical and organizational measures laid down in the BCRs.
b. Transparency where national legislation prevents the group from complying with the BCR
If any legislation that a BCR member is obliged to comply with prevents such member from fulfilling its obligations under the BCRs or has a substantial adverse effect on implementing the rules regulated by the BCRs, the headquarters of the company established in Turkey or, if there is no headquarters established in Turkey, a Group member established in Turkey with delegated data protection responsibilities must be promptly notified.
7. Accountability and Other Tools
Each data controller shall comply with the BCR, as previously stated.
8. Supporting Information and Documents
Supporting information and documents may be presented to the Board at the time of application.
D. APPLICATION PROCESS REGARDING BINDING CORPORATE RULES
Data controllers which submit a BCR application have to present (i) the BCR that they have prepared and (ii) additional information and documents they would like to present to support their application.
The Authority has 1 year to analyze BCR applications and this period may be extended by 6-month periods.
Please do not hesitate to contact us for your further questions.
Kind regards,
Careers
Our commitment to provide our clients the best legal solutions requires dedication, passion and hard work. We are aware that this is only possible in a supportive, compassionate, yet competitive environment in which the kind of talent we seek can thrive.
If you are a law student, experienced lawyer or business professional who shares our values and would like to be a part of our team, please send your resume to [email protected]