Technology

Navigating AI Regulation in Turkey for Businesses and Individuals

18 February 202512 min read
Reviewed by Lexin Legal · Updated 14 June 2026

Turkey still has no single, dedicated artificial intelligence statute as of 2026. Instead, AI is governed through existing laws, and the most important of these is the Personal Data Protection Law No. 6698 (KVKK), which reaches almost any AI system that touches personal data. If you sell into the European Union, the EU AI Act can also bind you from Turkey. This guide explains the current framework, the recent 2024 and 2025 changes you may have missed, and the practical steps foreign businesses and individuals should take now.

Is There an AI Law in Turkey in 2026?

As of 2026, Turkey has no single, comprehensive artificial intelligence statute. There is no Turkish equivalent of the EU Artificial Intelligence Act in force. Instead, AI is governed indirectly through laws that already exist on data protection, contracts, tort liability, intellectual property, consumer protection and criminal conduct, each applied to AI case by case.

This does not mean AI is unregulated. A company deploying an AI system in Turkey must comply with every general law the system touches. For a foreign business, the practical point is simple: "no AI law" does not mean "no obligations." The obligations sit inside other statutes, and several of them changed significantly in 2024 and 2025.

The law: The statutes that actually govern AI in Turkey today are the Personal Data Protection Law No. 6698 (KVKK), the Turkish Code of Obligations No. 6098 (TBK), the Law on Intellectual and Artistic Works No. 5846 (FSEK) and the Industrial Property Law No. 6769 (SMK), the Consumer Protection Law No. 6502, and the Turkish Penal Code No. 5237 (TCK).

Because the picture is moving quickly, any AI deployment should be checked against the law in force on the day you launch it. Our technology, AI and cybersecurity team can confirm how these rules apply to your specific use case.

Turkey's AI Policy Direction After 2025

There is no binding AI code yet, but Turkey has set a clear policy direction, and that direction was refreshed once the original strategy period ended.

  • The National Artificial Intelligence Strategy 2021-2025 has now run its course. It was coordinated by the Digital Transformation Office of the Presidency and the Ministry of Industry and Technology, and set human-centric, trustworthy and ethical principles broadly aligned with international AI norms.
  • An updated Action Plan was issued to carry the strategy forward, assigning dozens of priority actions across ministries, including building Turkish large language models, developing national AI legislation, clarifying IP rights in AI-generated content, and investing in data centres and high-performance computing.
  • A newer roadmap now emphasises digital and data sovereignty, keeping critical AI infrastructure and data under national jurisdiction, and preparing for next-generation systems such as agentic AI.

None of this is binding law. But it tells you where Turkey is heading, and that direction tracks the EU model closely enough that designing for EU-style transparency and risk controls is a sensible bet for any product aimed at the Turkish market.

Data Protection: The Operative Rulebook for AI

For most AI systems in Turkey, the single most relevant law is the Personal Data Protection Law No. 6698 (KVKK). It applies whenever an AI system processes personal data, which covers the overwhelming majority of real deployments: chatbots, CRM and HR tools, recommendation engines, facial recognition and more.

Core obligations under Law No. 6698

  • A lawful basis for processing. You need explicit consent or one of the other legal grounds in the law (Article 5 for ordinary data, Article 6 for special categories). Law No. 7499 (in force 1 June 2024) widened the lawful bases for special-category data, so explicit consent is no longer the only practical route for sensitive data.
  • Purpose limitation and data minimisation. Process data only for defined, legitimate purposes.
  • Transparency. Data subjects must be told how their data is used, including in automated decision-making and profiling.
  • Data security. Appropriate technical and organisational measures must protect the data.

Automated decisions and profiling

AI that scores, ranks or filters people, for example to screen job applicants or assess credit, raises a specific KVKK concern around automated decision-making and profiling. Data subjects must be informed, the processing must rest on a lawful basis, and you should be able to explain the logic. The same use cases are also classic "high-risk" triggers under the EU AI Act, so a single recruitment tool can attract scrutiny under both regimes at once.

Tip: Before you let an AI tool make or shape decisions about employees or customers, map it against KVKK and, where relevant, the Labour Law No. 4857 and Consumer Protection Law No. 6502. Our KVKK data protection compliance team can run that assessment for you.

Cross-Border Data Transfers: What Changed in 2024

The biggest recent change for foreign businesses is the cross-border transfer regime. Feeding personal data into an AI tool, cloud model or service hosted abroad is a cross-border transfer under KVKK, and the rules were overhauled by Law No. 7499, which amended Article 9 (published 12 March 2024, in force 1 June 2024). The Transfer Regulation followed on 10 July 2024.

The old consent-default model is gone. There is now a three-tier framework:

  • Adequacy decisions. Transfers to countries or sectors the Personal Data Protection Board has found adequate. These decisions are re-evaluated at least every four years.
  • Appropriate safeguards. Where there is no adequacy decision, you may rely on safeguards such as standard contractual clauses (SCCs) published by the Board, binding corporate rules for intra-group transfers, or written undertakings approved by the Board.
  • Occasional, incidental exceptions. A narrow set of one-off situations, such as explicit consent to the specific transfer or transfers necessary to perform a contract.
Watch the deadline: If you rely on standard contractual clauses, you must use the Board's published text without alteration and notify the Authority within 5 business days of signature. Missing that notification window can expose the controller or processor to administrative fines. Build the notification step into your contracting process so it is never an afterthought.

For cross-border groups using a shared AI platform, this often means choosing between binding corporate rules and SCCs, then documenting and notifying them correctly. We help cross-border groups and corporate structuring get the transfer mechanism right the first time, and you can read more in our guide to GDPR and Turkish data protection compliance.

The KVKK Generative AI Guide (24 November 2025)

On 24 November 2025, the Personal Data Protection Authority published its Generative Artificial Intelligence and Personal Data Protection Guide (in 15 Questions). It builds on the Authority's earlier 2021 recommendations on AI and personal data, and it is now the clearest official signal of how the regulator expects generative AI and large language models to be handled.

The Guide is not a statute, but it sets the regulator's expectations across the whole AI lifecycle, including:

  • A lawful basis at each stage. Collecting training data, training and fine-tuning a model, and deploying it to users are treated as distinct processing activities that each need their own lawful basis under Law No. 6698.
  • Justifiable retention periods. Training datasets should not be kept indefinitely; retention must be limited and justifiable.
  • Transparency and data-subject rights. Individuals retain rights against systems built on their data, and you should be able to respond to them.
  • Accuracy and hallucinations. Inaccurate AI output about a real person is treated as a data-accuracy problem, not just a technical quirk.

For foreign companies, the most common pitfall remains the same: pushing customer or employee data into an overseas AI tool without first addressing the lawful basis and the cross-border transfer rules above.

Is It Legal to Use ChatGPT or Generative AI for Business in Turkey?

Yes, using ChatGPT or another generative AI tool for business in Turkey is not banned. What matters is what data you put into it and where that data goes. Three questions decide whether your use is compliant:

  • Are you entering personal data? If you paste customer, employee or client information into a prompt, KVKK applies in full. You need a lawful basis, transparency, and a defensible retention position.
  • Is the tool hosted abroad? Most major AI services process data outside Turkey, which makes your input a cross-border transfer. You then need an adequacy decision, appropriate safeguards (such as notified SCCs), or a valid exception.
  • Could the output cause harm? Inaccurate, infringing or defamatory output can create liability, addressed in the next section.
Tip: A practical safeguard is an internal AI-use policy that tells staff which tools are approved, what data must never be entered, and when a prompt needs anonymising. Pair it with the right contract terms with your AI vendor.

Liability: Who Is Responsible When AI Causes Harm?

Turkish law does not give AI any legal personality, so an AI system cannot be liable in its own right. Responsibility falls on the people and companies behind it, under ordinary law.

  • Contractual liability. If an AI product or service fails to perform as promised, the provider can be liable under the contract (TBK No. 6098).
  • Fault-based tort. A party whose AI causes damage through fault may owe compensation under the general tort rule in Article 49 of the TBK.
  • Product and consumer liability. Producers can face liability for defective products, and the Consumer Protection Law No. 6502 adds duties where the user is a consumer.
  • Criminal exposure. Misusing AI, for example deepfakes used for fraud, defamation or non-consensual imagery, can engage offences under the Turkish Penal Code No. 5237 (TCK).

Because the default rules will otherwise decide the outcome, contracts with AI vendors and customers should clearly allocate liability, IP and warranties in your contracts. That is the single most effective control most businesses can put in place today.

Intellectual Property and AI Output

IP questions around AI are governed mainly by the Law on Intellectual and Artistic Works No. 5846 (FSEK) and the Industrial Property Law No. 6769 (SMK). Two issues come up again and again:

  • Ownership of AI-generated content. FSEK protects a work that bears the "characteristic of its author" (the hususiyet, or originality, requirement in Article 1/B). Output generated autonomously by AI, without meaningful human creative input, may fall outside copyright protection. That is a real commercial risk if your business plans to own and licence AI-produced material.
  • Training data and infringement. Using copyrighted text, images or code to train a model can raise infringement questions. Document the provenance of your training data and the licences you rely on.

Because this area is still unsettled, contracts should expressly state who owns AI output and who carries the risk of third-party IP claims. Our intellectual property team can structure those terms so your rights are not left to chance.

Why the EU AI Act Matters Even From Turkey

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) is not Turkish law, but it has real extraterritorial reach. A company based in Turkey can fall within its scope if it places AI systems on the EU market, or if the output of its AI is used in the EU. For exporters and SaaS providers, that can mean complying with EU rules regardless of the lighter position in Turkey.

The Act applies in stages. The confirmed, in-force milestones are:

MilestoneStatusDate
Ban on prohibited AI practices and AI-literacy dutiesIn force2 February 2025
Transparency obligations for general-purpose AI (GPAI) modelsIn force2 August 2025
High-risk obligations (Annex III stand-alone systems)See note belowOriginally 2 August 2026
High-risk obligations (Annex I regulated products)See note belowOriginally 2 August 2027
Watch this moving deadline: The original 2 August 2026 high-risk start date is being reworked. Under the EU's "Digital Omnibus on AI", EU institutions reached a provisional political agreement in May 2026 to defer the main high-risk obligations, with Annex III stand-alone systems pushed to 2 December 2027 and Annex I embedded systems to 2 August 2028. As of mid-2026 this deferral is provisional and not yet formally adopted and published in the Official Journal, so the dates are not final. Until adoption is confirmed, do not assume the deadline has moved. Check the current position before relying on any date.

The takeaway for foreign businesses is to assess EU exposure now rather than wait. Given Turkey's stated intention to align with the EU model, building EU-grade documentation early reduces the cost of future compliance. We advise cross-border groups and corporate structuring on exactly this kind of dual-regime exposure.

What Is Coming: Turkey's AI Bills and the Deepfake Law

Two legislative developments tell you where Turkey is heading, and they matter to the "and individuals" half of this topic as much as to business.

  • The risk-based AI bill (submitted 25 June 2024). A short bill of eight articles built on principles of safety, transparency, equality, accountability and privacy, taking a risk-based approach. It remains in committee and is not yet law.
  • The AI-generated content / deepfake bill (submitted 7 November 2025). A separate, more recent draft proposing amendments across several laws, including the Turkish Penal Code, to address AI-generated content. Reported measures include a statutory definition of "AI system," mandatory labelling of AI-generated (deepfake) content, faster takedown timelines, and administrative penalties.
Note: Neither bill is in force. They signal direction, not current obligations. Do not build a compliance programme on a draft, but do watch both, especially if you produce or host AI-generated media.

For individuals worried about deepfake fraud, image misuse or impersonation today, the existing remedies sit in the Penal Code No. 5237 and in civil law (personality rights and tort under the TBK), not in a dedicated AI statute yet.

How AI Security Duties Connect to the Cybersecurity Law

AI systems do not sit in a vacuum. Where they process personal data or run critical services, security duties also flow from Turkey's wider cyber framework. The Cybersecurity Law No. 7545 and KVKK's data-security obligations together expect appropriate technical and organisational measures around your models, training data and deployment pipelines.

For a foreign business, the practical effect is that an AI rollout should be reviewed for data protection, IP and cybersecurity in one exercise, rather than treating them as separate projects. You can also see our overview of cybercrime trends and cybersecurity strategies for how these risks are evolving.

Practical Compliance Steps for Businesses and Individuals

Until a dedicated Turkish AI statute is in force, a sensible compliance baseline includes:

  1. Map your data flows. Identify what personal data your AI processes and where it goes, then align with Law No. 6698 (KVKK), paying particular attention to the post-2024 cross-border transfer rules.
  2. Fix the transfer mechanism. If data leaves Turkey, choose adequacy, SCCs (and notify within 5 business days), binding corporate rules or a valid exception, and document the choice.
  3. Document your AI systems. Keep records of purpose, data sources, retention, model logic where relevant, and human oversight. These are the building blocks of any risk-based framework.
  4. Get the contracts right. Allocate liability, IP ownership and warranties in vendor and customer agreements under the TBK No. 6098.
  5. Check EU exposure. If your AI touches the EU market, assess the EU AI Act now and track the current high-risk timeline.
  6. Watch the draft legislation. Turkey's AI bill and the deepfake bill may impose new duties.

Lexin Legal advises foreign companies and individuals on technology, data protection, intellectual property and commercial law in Turkey. To discuss how these rules apply to your AI project, contact our team or explore our technology, AI and cybersecurity services.

Frequently asked questions

Is artificial intelligence regulated by a specific law in Turkey?

No. As of 2026 Turkey has no single, dedicated AI statute. AI is governed indirectly through existing laws, principally the Personal Data Protection Law No. 6698 (KVKK), the Turkish Code of Obligations No. 6098, intellectual property laws No. 5846 and No. 6769, the Consumer Protection Law No. 6502, and the Turkish Penal Code No. 5237. A risk-based AI bill and a separate deepfake bill are progressing but are not yet law.

Is it legal to use ChatGPT for business in Turkey?

Yes, using ChatGPT or other generative AI for business is not banned in Turkey. The legal issues arise from the data you enter. If you input personal data, KVKK applies, and because most AI tools are hosted abroad, your input is usually a cross-border transfer that needs adequacy, notified standard contractual clauses or a valid exception. An internal AI-use policy and the right vendor contract terms reduce the risk.

Do I need consent to use AI on employee data in Turkey?

Not always. Explicit consent is one lawful basis under KVKK, but it is not the only one, and consent given in an employment relationship can be hard to rely on because it may not be freely given. Often another legal ground fits better. Whatever the basis, you must be transparent, especially where AI screens, scores or profiles staff, and you should be able to explain the logic of automated decisions.

How do Turkey's cross-border data transfer rules affect AI tools hosted abroad?

Sending personal data to an AI tool or cloud model abroad is a cross-border transfer under KVKK Article 9, amended by Law No. 7499 in 2024. You must rely on one of three routes: an adequacy decision, appropriate safeguards (such as the Board's standard contractual clauses, which must be notified to the Authority within 5 business days of signature, or binding corporate rules), or a narrow occasional exception.

When will Turkey's AI law come into force?

There is no confirmed date. A risk-based AI bill was submitted to Parliament on 25 June 2024 and a separate bill on AI-generated content, including deepfakes, was submitted on 7 November 2025. Both remain in the legislative process and are not yet in force. Treat them as a signal of direction rather than current obligations, and check their status before relying on them.

Does the EU AI Act apply to companies in Turkey, and from 2026?

It can. The EU AI Act has extraterritorial reach, so a company in Turkey may fall within scope if it places AI systems on the EU market or its AI output is used in the EU. Prohibited-practice rules have applied since 2 February 2025 and GPAI transparency duties since 2 August 2025. The main high-risk obligations were due from 2 August 2026, but a 2026 reform is set to defer them; because that deferral is not yet final, confirm the current dates before relying on them.

Who is liable if an AI system causes damage in Turkey?

AI has no legal personality in Turkey, so liability falls on the people and companies behind it. Depending on the facts, that can be contractual liability, fault-based tort under Article 49 of the Code of Obligations No. 6098, product or consumer liability under Law No. 6502, and criminal exposure under the Penal Code No. 5237 for misuse such as deepfake fraud. Clear contracts allocating risk are the main practical safeguard.

Is content created by AI protected by copyright in Turkey?

Turkish copyright law (FSEK No. 5846) protects works that bear the characteristic of their human author, known as the hususiyet or originality requirement. Output generated autonomously by AI, without meaningful human creative input, may not enjoy the same protection. Contracts should expressly address who owns AI-generated content and who bears the risk of third-party IP claims.

Related articles

Turkey's Cybersecurity Law No. 7545 ExplainedThe Evolving Animal Rights Framework in TurkeyMilitarization of Outer Space: Legal Gaps
Let's begin

Speak to a Turkish lawyer who speaks your language.

Tell us your commercial, corporate or personal matter and get a clear, fixed-fee answer from a real Turkish lawyer — usually within one business day.

★★★★★ 4.9 from 60 Google reviews · Recognised on Mondaq, Clutch & Trustpilot
Book a consultation WhatsApp us or email info@lexinlegal.com
WhatsApp us
A real lawyer replies — usually within a day
WhatsAppEmailBook a consultation