Artificial intelligence is now embedded in Turkish business, from finance and health to retail, defence and agriculture. Türkiye has no dedicated AI statute in force. Instead, AI-related legal questions are answered under existing law, and increasingly under the extraterritorial reach of the EU AI Act. Understanding how these rules combine is essential for any company building or deploying AI in or from Türkiye, because the absence of a single “AI law” does not mean the absence of AI regulation. It means several regimes apply at once, and the burden of joining them up falls on your business.
The Legal Framework Governing AI in Türkiye
Because there is no standalone AI act, existing frameworks apply by analogy. In practice, four bodies of law do most of the work:
- Data protection — the Personal Data Protection Law (KVKK No. 6698) governs any AI system that processes personal data, including training data, profiling and automated decision-making.
- Intellectual property — copyright, patent and trade-secret rules determine ownership of models, datasets and AI-generated output.
- Consumer and product law — the Consumer Protection Law (No. 6502) and product-liability principles apply where an AI-enabled product is defective or misleads consumers.
- Liability — the Turkish Code of Obligations (No. 6098) supplies the contractual, tort and strict-liability rules used to allocate damage.
| Framework | What it governs for AI |
|---|---|
| KVKK (No. 6698) | Training data, profiling, automated decisions, cross-border transfers |
| IP law | Ownership of models, datasets and AI-generated output |
| Consumer Protection Law (No. 6502) | Defective or misleading AI-enabled products |
| Code of Obligations (No. 6098) | Contractual, tort and strict-liability claims for AI harm |
| EU AI Act | Turkish systems whose output is used in the EU |
Turkish policy supports AI adoption, and sector-specific regulation is expected to develop over time. For now, no dedicated AI regime exists in banking, health, autonomous vehicles or other sectors, so general rules and regulator guidance govern. What this means for you: you cannot point to one checklist and declare yourself compliant. A single AI deployment can simultaneously raise a data question, an IP question and a liability question, and each must be answered under its own body of law.
KVKK and AI Data Compliance
Most AI risk in Türkiye is data risk. Under KVKK, any processing of personal data by an AI system needs a lawful basis, whether explicit consent or another statutory ground. Key obligations include:
- Transparency — informing data subjects how their data feeds AI systems, in clear and accessible language.
- Data minimisation and purpose limitation — training and inference only on what is necessary for a defined purpose.
- Cross-border transfer safeguards — critical where models, vendors or cloud infrastructure sit abroad.
- Automated-decision caution — decisions producing legal or similarly significant effects require particular scrutiny.
In concrete terms, a lender using an AI model to score loan applicants, a retailer profiling customers, or an HR team screening CVs with an algorithm are all processing personal data and all need to satisfy these duties. The safest posture is to run a documented data-protection impact assessment before deployment, keep a record of your lawful basis for each processing activity, and be able to explain to a regulator or a data subject, in plain terms, how the system reaches its outputs.
If your AI system touches personal data, treat compliance as a data-protection project first and an “AI project” second. In Türkiye, the fastest route to a fine is not a novel AI theory of harm; it is an ordinary KVKK breach hidden inside a clever model.
The EU AI Act’s Extraterritorial Reach
Even without a Turkish AI law, the EU AI Act matters. It applies to providers and deployers located outside the EU where the output of an AI system is used within the EU. A Turkish company that sells an AI product into the EU, or serves EU customers, can fall within its risk-based obligations, which range from prohibited practices to strict duties for high-risk systems and transparency rules for general-purpose and generative AI.
The Act sorts systems into tiers. Some practices are banned outright. High-risk systems, such as those used in employment, credit, or essential services, face the heaviest duties: risk management, data governance, human oversight, logging and conformity assessment. General-purpose and generative systems carry transparency obligations, including disclosure that content is AI-generated. Mapping your products against these tiers early avoids costly retrofitting, and the analysis should happen at the design stage, not after a customer in the EU asks for evidence of conformity.
For a Turkish business, the practical first step is simple: list every product or service in which an AI system’s output could reach an EU user, then classify each against the Act’s tiers. Most systems will land in the minimal-risk category and need little more than good documentation, but discovering late that a flagship product is high-risk under EU rules can force an expensive redesign that early classification would have avoided.
Allocating Liability for AI
When an AI system causes harm, responsibility is shared among the developer, operator and user, and sometimes a distributor. Claims typically rest on:
- Contract — the relationships between developer, operator and users are usually contractual; well-drafted clauses are the first line of defence.
- Product liability — where an AI-enabled product is treated as defective.
- Tort — fault-based claims, though attributing fault to an autonomous system is difficult.
- Regulatory breach — most often data-protection or IP violations.
Open questions remain around burden of proof, attribution of fault in autonomous systems, and the applicable standard of care. A claimant may struggle to prove exactly how an opaque model produced a harmful output, and courts have limited precedent to draw on. Until these questions are settled by legislation or case law, the contract is where liability is really decided.
Do not assume a court will untangle AI liability for you. If your agreements are silent on who owns the risk when the model is wrong, you have not avoided the question; you have simply left it to be answered against you.
Managing AI Legal Risk
Businesses can reduce exposure well before any dispute:
- Documentation — record how the system was built, tested and validated, so you can evidence the correctness and integrity of inputs and outputs if challenged.
- Supervision and guardrails — monitor outputs and constrain user misuse, with a human able to intervene in high-stakes decisions.
- Governance — adopt internal policies on ethical, transparent and accountable AI use, and assign clear ownership of AI risk within the organisation.
- Contracts — allocate responsibility, IP and indemnities expressly across every vendor and customer relationship.
- Insurance — consider specialised liability cover for errors, bias or discrimination.
Taken together, these measures do more than reduce liability. They give you the paper trail that turns a defensible decision into a provable one, which is often the difference between resolving a dispute quickly and litigating it for years.
How Lex Lata Can Help
Our team advises Turkish and international clients across the AI lifecycle:
- AI governance and KVKK compliance — policies, data-protection impact assessments and privacy safeguards.
- Intellectual property — protecting models, datasets and AI output, and settling ownership before disputes arise.
- EU AI Act readiness — classifying systems and closing compliance gaps for EU-facing products.
- Contracts and licensing — drafting development, data-sharing and service agreements that allocate risk.
- Liability and dispute resolution — assessing exposure and representing clients in AI-related disputes.
AI regulation in Türkiye will keep evolving, and businesses that build compliance in from the start will adapt far more cheaply than those forced to react. We help clients stay compliant, control liability and deploy AI with confidence. Contact Lex Lata to discuss your AI project.
How an AI compliance project works
- 01. Map your AI systems: We inventory every AI use case, the data it touches, and where its outputs are used.
- 02. KVKK compliance check: We confirm a lawful basis for each processing activity and document impact assessments where needed.
- 03. EU AI Act classification: EU-facing systems are mapped against the Act's risk tiers before design decisions become expensive to reverse.
- 04. Contract and governance layer: We draft or revise agreements and internal policies so liability, IP and oversight are allocated expressly.
- 05. Monitor and adapt: As Turkish and EU rules evolve, we keep documentation, guardrails and contracts aligned with them.
Frequently asked questions
Does Türkiye have a specific AI law?
No. There is no dedicated AI act in force. AI-related disputes are resolved under existing frameworks, chiefly the Personal Data Protection Law (KVKK No. 6698), the Code of Obligations (No. 6098), the Consumer Protection Law (No. 6502) and intellectual property law. Sector regulators may also issue guidance that shapes how AI is used in banking, health and other regulated fields.
Does the EU AI Act apply to Turkish companies?
It can. The EU AI Act reaches providers and deployers outside the EU where an AI system's output is used in the EU. Turkish firms selling AI products or services into the EU, or serving EU customers, may fall within its risk-based obligations even without an EU establishment. Non-compliance can carry substantial fines, so EU-facing products should be mapped against the Act's tiers early.
Who is liable when an AI system causes damage in Türkiye?
Liability is allocated among the developer, operator and user under contract, product-liability and tort principles in the Code of Obligations and Consumer Protection Law. The relevant party is usually the one who failed to exercise reasonable care or placed a defective product on the market. Because the law is unsettled on autonomous systems, contracts that pre-allocate responsibility are decisive in practice.
Can we train AI on personal data under Turkish law?
Only with a lawful basis under KVKK. You need valid consent or another statutory ground, transparency to data subjects, data minimisation, and safeguards for cross-border transfers where models or infrastructure sit abroad. Automated decisions producing legal or similarly significant effects require particular care and, often, a documented impact assessment.
How should a contract for AI services be drafted?
Allocate responsibility clearly: define acceptable use, data ownership and processing roles, accuracy and performance standards, indemnities, liability caps, and audit and documentation duties. Include provisions on model updates, IP in outputs, and confidentiality of training data. Sound clauses are the primary tool for controlling AI risk today.
Who owns the output an AI system generates?
Ownership is not automatic and depends on your contracts and on general IP principles. Turkish copyright law is built around human authorship, so purely machine-generated output may not attract standard protection. In practice, ownership and licensing of models, datasets and outputs should be settled expressly in the relevant development, data-sharing or service agreement.