Artificial Intelligence and Corporate Law in Turkey
An AI system cannot be a company director in Türkiye, and the human directors stay personally liable for AI-assisted decisions under the Turkish Commercial Code. There is no standalone AI liability law yet, though two bills are now before parliament. This 2026 guide explains what artificial intelligence means for corporate governance, director duties, liability and data-protection compliance under Turkish law, and how foreign-owned companies in Türkiye can prepare.
What AI Means for Corporate Law in Türkiye
Artificial intelligence (AI) refers to systems that analyse data, recognise patterns and produce outputs that once required human judgement. In a corporate setting, companies use AI to review datasets for board decisions, draft and check contracts, screen counterparties, monitor regulatory changes and sift hiring or compliance data.
This shift is powerful, but it sits uneasily with company-law frameworks built around human decision-makers. Turkish company law is set out mainly in the Turkish Commercial Code (Türk Ticaret Kanunu, Law No. 6102, the TTK), which assumes that the people managing a company are accountable individuals. AI raises three recurring questions: who decides, who is responsible, and who pays when something goes wrong.
Can AI Replace Human Directors?
No. One of the most debated questions is whether an AI system can sit on, or replace, a company's board. The debate was sparked years ago when a Hong Kong venture-capital firm gave an algorithm observer status on its board. AI is excellent at processing data, but it lacks the legal personhood and accountability a director must have.
The Turkish Legal Position
Under the TTK, the board of a joint-stock company (anonim şirket) and the managers (müdür) of a limited company (limited şirket) must be persons who can hold rights and obligations and answer for them. A legal entity may sit on the board of a joint-stock company under TTK art. 359, but only if a single real person is registered to represent it. There is no provision anywhere in Turkish law that lets software hold a board seat.
Most other jurisdictions take the same view. The UK Companies Act 2006 requires at least one director to be a natural person, and German stock-corporation law (AktG) limits management-board and supervisory-board membership to individuals of full legal capacity.
The reason is that directors owe a duty of care and a duty of loyalty that are inherently personal. An algorithm cannot, in any current legal system, personally answer for a breach of those duties. In practice, AI in the boardroom stays an advisory and analytical tool, not a director. If you are weighing how to structure the board of a new entity, our team can advise on corporate governance and director duties.
AI and the Duties of Directors
Using AI does not dilute a director's duties. It changes how those duties are discharged, and it raises the bar for documented human oversight.
Duty of Care
Directors must make informed decisions in the company's interest with the diligence of a prudent manager. AI can strengthen this by giving the board fuller, faster analysis. But over-reliance creates risk: if the tool malfunctions, is fed poor data, or produces a biased output, a board that simply rubber-stamps the result may itself fall short of the standard of care. The duty is to understand and test the output, not to defer to it.
Duty of Loyalty
Directors must act in good faith and put the company ahead of personal gain. AI has no personal interests, so it is not itself prone to conflicts. The risk shifts to the programmers, vendors and owners whose choices and commercial incentives can be embedded in the system. Boards should know who built and controls the tools they rely on, and what data those tools were trained on.
Who Is Liable for an AI-Driven Decision?
When an AI-influenced decision causes financial loss or breaks the law, responsibility can be hard to pinpoint. Türkiye has no special AI-liability statute, so liability is allocated under existing rules: directors' liability under the TTK, and the general tort and contract provisions of the Turkish Code of Obligations (Türk Borçlar Kanunu, Law No. 6098, the TBK).
The decisive question is usually whether AI was an advisory tool the board reviewed, or a decision-maker the board deferred to. The table below sets out the difference.
| Role of the AI | What it does | Where liability tends to fall |
|---|---|---|
| Advisory tool | Produces analysis the board reads, tests and decides on | Directors, for their own decision; easier to defend if human review is documented |
| De facto decision-maker | Output is adopted with little or no human scrutiny | Directors face a sharper duty-of-care exposure under TTK arts. 553 ff.; vendor may share fault for a defective tool |
In practice, liability can attach to several parties at once:
- Directors and managers may be liable under TTK arts. 553 ff. if they rely on AI but fail to supervise, question or verify its outputs. The exposure can also be criminal in some scenarios, so it is worth understanding the criminal liability of company directors alongside the civil rules.
- Developers and vendors may bear responsibility under the TBK, and under their contract, warranty and indemnity terms, if loss stems from flawed design, defective programming or a misrepresentation about the tool. These terms need to be settled properly in your AI vendor and software contracts.
- The company itself may answer to third parties where the AI is an organisational tool used in its business, with internal recourse against those at fault.
AI, Data Protection and Cybersecurity Compliance
AI can be a genuine compliance asset. Companies use it to track legal changes, screen for anti-money-laundering red flags, and automate reporting. But AI tools also create their own obligations, above all in data protection.
KVKK and the 2024 Cross-Border Transfer Overhaul
Türkiye's Law on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu, Law No. 6698, the KVKK) governs how companies process personal data and broadly follows the EU GDPR. Any AI system that ingests customer, employee or counterparty data must do so on a lawful basis, with proper notices, security measures and a VERBIS registration where required. Automated profiling and decisions about individuals raise extra fairness and transparency concerns, and sensitive data generally needs explicit consent.
The framing that the KVKK simply mirrors the GDPR is now out of date. Law No. 7499 (Official Gazette, 12 March 2024) rewrote the cross-border transfer rules in KVKK art. 9, and the new regime has applied since 1 June 2024. This matters directly for AI tools hosted or trained offshore.
AML Screening and Sector Rules
Where AI does counterparty or sanctions screening, the underlying anti-money-laundering obligations sit in the Law on Prevention of Laundering Proceeds of Crime (Law No. 5549) and MASAK regulations. Regulated sectors face an extra layer: banks answer to the BDDK and capital-markets firms to the SPK, both of which expect sound model and algorithmic governance. The AI does not replace these duties; the obligated party still owns them.
Cybersecurity
Cybersecurity is now a parallel concern. The Cybersecurity Law No. 7545 (in force March 2025) created a consolidated framework and a cyber-security authority with sanction powers over public and private bodies that run critical or strategic systems. That is relevant wherever AI tools sit on top of sensitive infrastructure. For the detail, see our guide to the Cybersecurity Law No. 7545.
AI in Hiring and Employee Monitoring
A common worry for foreign employers is using AI to screen candidates, score performance or monitor staff. Two regimes overlap here. Employment decisions are governed by the Labour Law (İş Kanunu, Law No. 4857), which prohibits discrimination and requires valid grounds for dismissal, so a biased algorithm can expose the employer to reinstatement and compensation claims. At the same time, employee data fed into an AI tool is personal data under the KVKK, and monitoring must be proportionate, notified and lawful.
An automated rejection or disciplinary decision that the employee cannot understand or contest is a weak position to defend before a Turkish labour court. Keep a human in the loop, document the reasoning, and treat AI scoring as input, not verdict.
Who Owns AI-Generated Work Product?
When AI drafts a contract, writes code or produces a report for your business, who owns the result, and can it be protected? Turkish intellectual-property law, like most systems, ties authorship and protection to human creativity, which leaves purely machine-generated output in an uncertain space. For companies, the practical issues are ownership as between you and the AI vendor, whether confidential inputs leak into a shared model, and whether the output infringes third-party rights.
These questions overlap with the wider topic of who owns AI-generated work within a company, and they are best addressed in your vendor contract and internal IP policy before, not after, deployment.
AI Regulation in Turkey: What Is Coming
As of 2026, Türkiye has no dedicated AI statute in force. But it is no longer merely "weighing" regulation: two bills are before the Turkish Grand National Assembly (TBMM), and the EU AI Act already reaches some Turkish companies. You can read our companion overview of AI regulation in Turkey alongside this section.
The Two Pending Turkish Bills (Not Yet Law)
- Yapay Zeka Kanunu Teklifi (Esas No. 2/2234), submitted in June 2024, proposes a standalone, risk-based framework: obligations for AI operators, oversight of high-risk systems and administrative penalties. It remains in committee and is not in force.
- The AI-systems amendment package (Esas No. 2/3358), brought forward in late 2025, would add a statutory definition of an "AI system," deepfake labelling, content takedown and access-blocking powers, and rules on responsibility. It too is pending, not enacted.
Does the EU AI Act Reach Turkish Companies?
It can. The EU AI Act entered into force on 1 August 2024. Bans on prohibited practices and AI-literacy duties applied from 2 February 2025; rules for general-purpose AI and governance from 2 August 2025. The headline high-risk obligations were due from 2 August 2026, but under the EU's Digital Omnibus (provisional political agreement reached in May 2026, subject to formal adoption) the start date for stand-alone high-risk systems is set to be deferred to 2 December 2027.
The Act has extraterritorial reach. A Turkish company that places an AI system on the EU market, or whose AI output is used in the EU, can be caught as a provider or deployer, regardless of where it sits. Foreign-owned Turkish subsidiaries of EU groups are frequently in scope. So even before a Turkish AI law passes, EU rules may already shape your obligations.
Where Turkish Practice Is Heading
Expect a sharper focus on human oversight, transparency and explainability, so AI-driven outcomes can be traced and challenged, and a continuing rule that AI is a tool, not a legal person. Directors will increasingly need to show they understood the tool, checked its outputs and did not abdicate judgement to the machine.
DAOs: Decentralized Autonomous Organizations
Decentralized Autonomous Organizations (DAOs) push these questions to their limit. A DAO runs on blockchain technology and smart contracts, often with no central management or human board. That model collides with traditional company law in several ways.
- Unclear legal status — in many jurisdictions, including Türkiye, a DAO is not recognised as a legal entity, which complicates taxation, ownership and liability. Without a recognised entity, participants risk being treated as a partnership with personal exposure.
- Accountability — with no human directors, it is genuinely hard to say who is responsible for a DAO's actions.
- Regulatory compliance — DAOs must still navigate financial, securities and AML rules even though they do not fit neatly within them.
The Turkish backdrop tightened in 2024. Amendments to the Capital Markets Law (Sermaye Piyasası Kanunu, Law No. 6362) brought crypto-asset service providers under a licensing and supervision regime led by the SPK. While those rules target crypto-asset platforms rather than DAOs as such, they show the direction of travel: a token or governance structure with a Turkish nexus can attract regulatory and tax consequences even where the entity itself is unrecognised. Anyone structuring or joining a DAO with a Turkish connection should take advice early, because wrong assumptions about legal status can create personal exposure.
How Companies in Türkiye Can Prepare
Foreign investors and Turkish companies can take practical steps now to use AI responsibly and reduce legal risk.
- Run a legal risk assessment — evaluate the corporate-law, liability, employment and data-protection risks of an AI use case before you deploy it.
- Write an AI governance policy — set clear internal rules on how AI is used, who signs off, and how outputs are checked, aligned with the TTK and KVKK.
- Map your data flows — confirm any cross-border transfer rests on a lawful KVKK basis and that standard contractual clauses are notified within 5 business days.
- Keep a decision log — for any AI-assisted board decision, record what the tool produced, who reviewed it and why the board agreed.
- Fix vendor contracts — pin down ownership, warranties, indemnities, data handling and audit rights before signing.
Our firm advises foreign founders, investors and companies operating in Türkiye, from setting up a company in Türkiye through to AI governance and director duties. Get in touch to discuss your specific situation.
Frequently asked questions
Can an AI legally serve as a company director in Türkiye?
No. Under the Turkish Commercial Code (Law No. 6102), board members and company managers must be persons who can be held accountable, not software. A legal entity may hold a board seat in a joint-stock company under TTK art. 359, but only if a real person is registered to represent it. AI can support and inform the board, but it cannot replace a director or take on a director's legal duties.
Who is liable when an AI-driven business decision causes loss?
There is no special AI-liability law in Türkiye, so liability follows existing rules. Directors and managers may be liable under TTK arts. 553 and following for failing to supervise AI; developers or vendors may be liable under the Turkish Code of Obligations (Law No. 6098) for defective tools or misrepresentation; and the company itself may answer to third parties. Documenting human review of each decision is often decisive.
Is there an AI law in Turkey yet?
Not yet. As of 2026 there is no standalone AI statute in force. Two bills are before parliament: the Yapay Zeka Kanunu Teklifi (Esas No. 2/2234, submitted June 2024) proposing a risk-based framework, and an AI-systems amendment package (Esas No. 2/3358, late 2025) covering AI definitions, deepfake labelling and content rules. Both are drafts, not law, and could change before either is enacted.
Does the EU AI Act apply to Turkish companies?
It can. The EU AI Act has extraterritorial reach, so a Turkish company that places an AI system on the EU market, or whose AI output is used in the EU, can be caught as a provider or deployer. Foreign-owned Turkish subsidiaries of EU groups are often in scope. The Act entered into force on 1 August 2024 and is being phased in, so EU rules may shape your obligations even before a Turkish AI law passes.
How can a company stay compliant when using AI in Türkiye?
Put robust human oversight in place, keep AI decision-making transparent and well documented, and comply with the Personal Data Protection Law (KVKK, Law No. 6698), including its 2024 cross-border transfer rules, plus the Cybersecurity Law No. 7545 and any AML or sector rules where relevant. A pre-deployment legal risk assessment is the safest starting point.
What is a DAO and is it recognised under Turkish law?
A DAO (Decentralized Autonomous Organization) is a blockchain-based structure governed by smart contracts, usually with no central management. Turkish law does not currently recognise DAOs as legal entities, which creates uncertainty over liability, taxation and compliance, and can leave participants personally exposed. Turkey's 2024 crypto-asset rules under the Capital Markets Law also signal closer regulatory scrutiny, so take advice before participating in or structuring one.