Technology Law, Data Privacy (KVKK) and Cryptocurrency Regulation. Serka Law Firm advises international technology companies, SaaS providers, fintechs, AI developers, and cryptocurrency platforms on Turkish data protection, e-commerce, internet, and capital markets law. We build the compliance structures that let a foreign platform serve Turkish users lawfully, and we defend that platform when a regulator moves against it.
Av. Serkan Kara, Istanbul Bar No. 53770
Last updated: June 2026
What is technology and data privacy law for companies operating in Turkey?
Technology and data privacy law in Turkey governs how a company collects, stores, transfers, and monetizes personal data and digital services. The core statute is the Personal Data Protection Law No. 6698 (KVKK), which mirrors the EU GDPR but imposes stricter conditions on transferring data outside Turkey. A technology company serving Turkish users is bound by these rules regardless of where its servers sit. Alongside KVKK, the Law on the Regulation of Electronic Commerce No. 6563, the Internet Law No. 5651, and the Capital Markets Law No. 6362 (for crypto assets) together form the regulatory perimeter that any foreign platform must respect.
What should a technology or data project review first?
A technology project should begin with a data-flow map: who the data subjects are, what personal data is processed, for what purpose, where it is stored, and which third parties or vendors touch it. From that map, counsel can identify the legal obligations that attach to each flow, including consent or other lawful basis, cross-border transfer controls, security duties, consumer-facing contract terms, and any sector licensing. Resolving these questions during product design, rather than after a regulator inquiry, is what keeps a single commercial decision from becoming a compliance failure later.
What is KVKK and how does it differ from GDPR?
KVKK (Personal Data Protection Law No. 6698) is Turkey’s general data protection statute, structurally close to the GDPR in its principles, data subject rights, and accountability duties. The decisive difference is cross-border data transfer. Where the GDPR permits transfers under adequacy decisions and standardized safeguards, KVKK historically required either the explicit consent of the data subject or that the destination country appear on the Personal Data Protection Board’s list of countries with adequate protection. Because that adequacy list has remained limited in practice, most international companies rely on Board-approved written undertakings or standard contractual safeguards rather than treating a destination as automatically safe.
VERBIS registration for data controllers
Companies that meet defined thresholds, or whose core activity is processing sensitive personal data, must register with VERBIS, the public Data Controllers’ Registry maintained by the Personal Data Protection Authority. Registration documents the controller’s data inventory, processing purposes, retention periods, and security measures. A foreign data controller without a Turkish establishment must appoint a Data Controller Representative in Turkey, a role our firm performs for international clients. Failure to register, or registering inaccurate information, exposes the controller to administrative fines.
Cross-border data transfer
Under KVKK, personal data of users in Turkey cannot be transferred to servers abroad on convenience alone. Explicit consent is one route, but it is fragile because a user can withdraw it at any time. The more durable route is a written undertaking or standard contractual mechanism approved by the Personal Data Protection Board, supported by genuine technical and organizational security equivalence. We prepare and submit these instruments so that a global company can keep data on its existing cloud infrastructure while remaining lawful under Turkish law.
How does Turkey regulate cryptocurrency and crypto-asset platforms?
Cryptocurrency and crypto-asset service providers in Turkey are regulated under the Capital Markets Law No. 6362, as amended to bring crypto assets within the supervision of the Capital Markets Board (SPK). Crypto asset service providers, including exchanges and custody platforms, must hold an operating authorization from the SPK and comply with capital, governance, custody, and anti-money-laundering obligations. Operating an exchange that targets users in Turkey without that authorization is treated as an unauthorized capital markets activity and can lead to criminal liability for the responsible executives and to access-blocking of the platform.
Licensing a crypto exchange
A foreign exchange that solicits Turkish users, advertises in Turkish, or offers Turkish Lira trading pairs generally needs to establish a Turkish joint stock company and obtain SPK authorization. Licensing involves meeting minimum capital requirements, implementing anti-money-laundering and customer identification controls aligned with MASAK (the Financial Crimes Investigation Board), and putting compliant custody arrangements in place. We manage the authorization application end to end and structure the corporate vehicle that holds the license.
Token issuance and Web3 structuring
Token issuance carries securities risk. A token that behaves like a profit-sharing or dividend instrument can be treated as a security, which triggers prospectus and disclosure obligations. We provide legal opinions distinguishing utility tokens from security tokens, structure the issuing entity, and geo-fence retail offerings so founders are not exposed to unauthorized public offering claims in Turkey.
What e-commerce rules apply to foreign online platforms?
Foreign online platforms selling to consumers in Turkey must comply with the Law on the Regulation of Electronic Commerce No. 6563 and the Distance Selling Contracts regulation. Two obligations matter most. First, any business-to-consumer sale must give the consumer a fourteen-day right of withdrawal without penalty, together with a detailed preliminary information form before purchase. Second, commercial electronic messages such as marketing SMS, email, or automated calls require prior approval recorded in the central Message Management System (IYS); a consumer’s opt-out must be honored automatically. Sending unsolicited marketing without IYS approval, or denying a lawful refund, draws administrative fines and consumer complaints that can disrupt local payment processing.
Can Turkish authorities block or throttle a foreign platform?
Yes. Under the Internet Law No. 5651, a foreign social network provider with a large daily Turkish user base must appoint a local representative to receive and respond to legal notices. When a court orders content removal on personal-rights or other statutory grounds, the provider must act within the statutory window. Refusal can lead the Information and Communication Technologies Authority (BTK) to impose advertising bans, fines, and progressive bandwidth throttling that degrades the service. We act as the appointed representative, evaluate the validity of each order, file objections where an order is defective, and execute narrowly targeted compliance so that a single dispute does not jeopardize the platform’s overall availability.
What are the main legal risks for technology companies, and the exceptions?
The recurring risks are unlawful cross-border data transfer, missing VERBIS registration, operating a crypto service without SPK authorization, unsolicited marketing without IYS approval, and ignoring content-removal or representative obligations under the Internet Law. Each carries administrative fines, and several carry criminal exposure or access-blocking. The principal exceptions and defenses include lawful bases other than consent under KVKK, genuine anonymization that removes data from the scope of personal data, Board-approved transfer instruments, and structuring crypto or token activity so that it does not target Turkish retail users. Whether an exception applies is fact-specific and should be assessed before, not after, a regulator acts.
Do I need a lawyer for technology and data privacy matters?
A lawyer is necessary whenever a technology product touches Turkish users at scale, processes sensitive or biometric data, transfers data abroad, offers crypto or token services, or has received a regulator notice. These matters combine data protection, capital markets, consumer, and internet law, and a misstep in one area can freeze payment gateways or block the entire service. Engaging counsel during product design is far less costly than defending an enforcement action after launch.
Frequently asked questions
Does KVKK apply to a company with no office in Turkey?
Yes. KVKK applies based on the processing of personal data of individuals in Turkey, not on where the company is incorporated or where its servers are located. A foreign data controller that processes the data of Turkish users is generally required to register with VERBIS and to appoint a Data Controller Representative in Turkey.
Can we keep customer data on AWS or Google Cloud outside Turkey?
Often yes, but not automatically. Storing Turkish users’ personal data on foreign cloud infrastructure is a cross-border transfer under KVKK. It must be supported either by valid explicit consent or, more durably, by a Board-approved written undertaking or standard contractual mechanism plus adequate security measures. We prepare and submit the instruments that authorize the transfer.
Is it legal to run a crypto exchange for Turkish users from abroad?
Targeting Turkish users from an unlicensed offshore exchange is treated as an unauthorized capital markets activity under Law No. 6362 and can lead to criminal liability and access-blocking. A platform that wants Turkish users typically must establish a Turkish company and obtain SPK authorization, including MASAK-compliant anti-money-laundering controls.
What happens if we send marketing messages without IYS approval?
Each unapproved commercial electronic message can trigger an administrative fine, and repeated violations attract regulatory and consumer complaints. Marketing SMS, email, and automated calls to Turkish consumers must be registered in the IYS system, and opt-outs must be applied automatically.
A Turkish court ordered us to remove content. What is the deadline?
Under the Internet Law No. 5651, providers must act on a valid content-removal order within the statutory window applicable to the order type. Missing the deadline can lead the BTK to impose advertising bans, fines, and bandwidth throttling. We assess the order’s validity, comply where required, and challenge defective orders.
How quickly should we involve counsel after a regulator inquiry?
Immediately. Early counsel can pause a non-compliant data pipeline, preserve defenses such as anonymization or alternative lawful basis, and open a structured dialogue with the regulator before fines and destruction orders are finalized. Delay narrows the available defenses.
Related legal services
Technology matters frequently connect to other practice areas. We coordinate technology and data work with establishing companies in Turkey for the corporate vehicle that holds an SPK license, with corporate and commercial law for SaaS and platform agreements, with foreign direct investment structuring for inbound technology capital, with tax law and customs regulations for digital service taxation, and with criminal defense and jurisdiction where capital markets or cybercrime liability arises.
Request a confidential case assessment
If your platform processes Turkish user data, offers crypto or token services to Turkish users, or has received a regulator notice, request a confidential case assessment. Describe the product, the data flows, and any pending order, and we will identify the obligations that apply and the structure that keeps you compliant and operating.
Legal disclaimer
This page provides general information about Turkish technology, data protection, and capital markets law and does not constitute legal advice. Reading it does not create an attorney-client relationship. An attorney-client relationship is formed only by a signed engagement. For advice on a specific situation, consult a qualified attorney.