Av. Serhat Koç

 

Understanding Legal Risks and Compliance for SaaS in Turkey

1. SUMMARY

This study provides an overview of the legal framework applicable to cloud-based services (Software as a Service – SaaS) in Turkey, with particular emphasis on software licensing and data protection issues. It is prepared with reference to the Law on Intellectual and Artistic Works (FSEK), the Turkish Constitution, the Turkish Criminal Code, the Turkish Commercial Code, the Turkish Civil Code, as well as draft and sector-specific regulations on personal data protection.

The analysis considers the situation of large corporate users – such as banks, insurance companies and other financial institutions – when entering into contractual relationships with SaaS providers. It addresses the enforceability of license agreements, the handling and transfer of personal data, and the broader implications of cloud computing in Turkish law.

2. MAIN ISSUES

2.1. Subject Matters

This brief note examines the legal validity and implications of various agreements typically concluded between cloud-based service providers and corporate clients. These include license agreements, data processing agreements, compliance documents, and ancillary contractual frameworks.

2.2. Key Terms

Cloud Computing: A model of computing in which applications, storage, and services are delivered over a network rather than through locally installed hardware or software. This allows users to access services flexibly without substantial infrastructure investment.

SaaS (Software as a Service): A licensing and delivery model whereby software is centrally hosted and made available to users over the internet on a subscription basis. Corporate clients use the software without owning it, and access is usually governed by license agreements.

3. LEGAL ASSESSMENT

3.1. Software Licenses under Turkish Law (FSEK)

Under FSEK, software is classified as a “literary and scientific work.” The economic rights of the author or right holder may only be transferred through written and duly signed agreements. Both autographic signatures and secure electronic signatures are recognized as legally binding.

Licenses are, as a rule, considered non-exclusive unless expressly stated otherwise. Exclusive licenses must be explicitly agreed in writing. Any ambiguity in the scope of rights may result in invalidity or disputes.

Importantly, FSEK does not recognize “good faith” as a defense in cases of copyright infringement. Therefore, a corporate user relying on a license chain remains potentially liable if one link in that chain proves invalid. For this reason, it is crucial for clients to ensure that SaaS providers hold the proper rights to license software in Turkey.

Unlicensed use of software falls under both civil and criminal provisions of FSEK. Remedies include injunctions, compensation up to three times the license fee, and, in some cases, criminal sanctions.

3.2. Data Protection and Privacy Law

Turkey has not yet adopted a fully comprehensive data protection law comparable to the EU’s GDPR. However, several fragmented provisions exist:

  • The Constitution (Art. 20) guarantees the confidentiality of private life and personal data.

  • The Turkish Criminal Code criminalizes unlawful collection and misuse of personal data.

  • Sector-specific regulations (e.g., telecommunications, banking) impose particular obligations.

  • The Draft Law on Personal Data Protection (prepared in line with EU Directive 95/46/EC) foresees the establishment of an independent authority to monitor compliance.

For cloud-based services, personal data transfer abroad is particularly sensitive. Under current principles, such transfers require explicit and informed consent of the data subject. Written consent (including opt-in/opt-out mechanisms) is essential, especially for sensitive data such as health records, financial data, or political and religious information.

Banks and financial institutions are subject to stricter data protection obligations under sectoral laws (e.g., the Debit and Credit Cards Law). Unauthorized disclosure of financial data may result in both civil and criminal liability.

3.3. General Observations on Cloud-based Service Agreements

Cloud service agreements raise specific legal challenges:

  • Data Security and Encryption: Agreements should specify encryption standards, access control, and breach notification obligations.

  • Data Location: Corporate clients often require assurance that certain categories of data (e.g., financial or health data) are stored within Turkey or the EU.

  • Subcontractors: The use of subcontractors must be transparently disclosed, with liability retained by the primary provider.

  • Termination and Portability: Agreements should address data retrieval and portability upon termination of services.

  • Liability Allocation: Providers often attempt to limit their liability; however, under Turkish law, contractual limitations of liability cannot eliminate responsibility for gross negligence or willful misconduct.

4. CONCLUSION

  • Licensing Requirements: FSEK requires all software licenses and transfers of economic rights to be in writing and duly signed. Corporate users must ensure that SaaS providers have legitimate rights to license software in Turkey.

  • Data Protection: Although Turkey lacks a fully harmonized GDPR-like framework, constitutional and sectoral rules impose significant obligations. Explicit written consent is crucial for international data transfers.

  • Cloud Contracts: Corporate users should carefully review SaaS contracts with respect to data protection, subcontracting, encryption, and liability clauses.

  • Future Developments: Turkey is expected to enact a comprehensive Personal Data Protection Law aligned with EU standards. This will have a major impact on cloud-based services and international data flows.

In light of these considerations, large corporate users engaging with SaaS providers should conduct thorough legal due diligence, ensure compliance with FSEK and existing data protection provisions, and negotiate strong contractual safeguards to mitigate legal and operational risks.