Introduction
The rapid evolution of connected car technologies has introduced significant legal challenges and regulatory considerations across jurisdictions, including Türkiye. As vehicles become increasingly embedded with sensors, communication modules, and data-driven functionalities, their classification transcends traditional automotive frameworks, which necessitates a multidisciplinary legal analysis to assess compliance and risk management obligations under Türkiye’s legal landscape.
In the Turkish context, connected cars interact with various legislative regimes. From a telecommunications law perspective, their use of embedded SIMs (eSIMs), from a data protection perspective, the collection, processing, and potential transfer of personal data generated by drivers and passengers. Moreover, the increasing integration of consumer-facing digital services within vehicles brings Turkish consumer protection law, cybersecurity law and product liability regulations into scope.
This article provides a structured legal analysis of connected car technologies in Türkiye, examining their implications across key regulatory domains. By identifying overlapping obligations and enforcement trends, it aims to assist connected car providers, operators and software developers in navigating the legal and operational complexities of these emerging mobility solutions.
Legal Analysis Regarding Telecommunications Law
For connected cars, the first issue regarding telecommunications law would be the usage of eSIM technologies. Although there is no direct legal prohibition against the deployment of in-vehicle connectivity solutions, the telecommunications regulatory authority in Türkiye, Information and Communication Technologies Authority (“ICTA”), has introduced significant compliance obligations.
ICTA has issued two key decisions regarding eSIM, one in January 2018 and another in February 2019. The core requirement established by both decisions is strict data localization: connected car services must use SIM profiles provided by local mobile network operators, and traffic data must remain within Türkiye.
Further clarification came with ICTA’s decision dated April 2022, which set forth detailed requirements concerning the network architecture for connected vehicles. This decision introduced two main obligations: (i) a localization requirement for "connection servers" that support communication systems enabling value-added services beyond eCall; and (ii) a mechanism allowing users to opt in or out of such services via the e-Government (e-Devlet) platform. For the e-Government option, currently there is no definitive implementation available and yet the local authorities have requested the development of an interface that would allow users in Türkiye to terminate their connectivity and disconnect their internet connection at any time. This demand arises from summaries of meetings with sector representatives. Industry representatives note that if such an option is made available, the various internet services associated with the vehicle may become inaccessible. However, without any official regulation or draft on the issue, a clear statement cannot be made yet.
ICTA appears to permit the use of international infrastructure for value-added services, provided that regulatory supervision and user control mechanisms are preserved. This illustrates Türkiye’s cautious regulatory approach to connected vehicle data flows. In line with this, it should be mentioned that, according to Regulation Regarding the Registration of Devices with Electronic Identity Information, permanent roaming is restricted and if a registration is not made within 120 days of entering to Türkiye, that device’s communication is restricted by the ICTA.
Beyond eSIM, the centralized eCall system in Türkiye introduces further compliance dimensions. With the Regulation on Emergency Call Services in Electronic Communications Sector and Regulation on Type Approval Requirements for the Deployment of the eCall In-Vehicle System based on the 112 Service, Türkiye has opted for a centralized eCall model, where all eCall signals are routed through a national platform before being dispatched to emergency services. Consequently, any vehicle manufacturer or connectivity provider operating in Türkiye must ensure compatibility with the centralized eCall architecture.
Lastly, for electronic communications, it should be mentioned that Türkiye enforces strict rules on the localization of metadata and location data. Pursuant to Regulation on Protection of Confidentiality and Processing of Personal Data in Electronic Communications Sector, operators should retain metadata and location data, including data generated by connected vehicles, within Türkiye’s borders. These requirements are justified in national security and public order grounds. Metadata such as IP logs, call/SMS activity, and session identifiers are thus subject to local retention.
Due to the above, any stakeholder offering in-vehicle connectivity in Türkiye, such as connected car providers, operators, or service providers must navigate a highly structured regime that prioritizes data localization and centralized regulatory oversight.
Geographical Data
In Türkiye, processing geographical data is specifically regulated under Geographical Information Systems Law (“GIS Law”) numbered 7221. According to GIS Law and its secondary legislation, geographical data subject to permit is defined as “data containing location information, data that can be linked to a digital map base or address data, data collected online or offline from the field using sensors specified in data definition documents” and both natural and private legal persons require a permit from the Ministry of Environment, Urbanization and Climate Change in order to collect, produce, share or sell geographical data in Türkiye. Activities involving the collection, production, sharing and sale of geographical data are sufficient to be subject to the GIS Law. Therefore, as long as the services include geographical data collected from within Türkiye, these services will most likely be considered subject to the permit obligation.
For the permit fee, the fee is calculated according to the procedure stated in article 1(2) of GIS Law, which takes into account the (i) number of geographical data themes, (ii) area of operation, (iii) permit duration and (iv) net sales amount in the income statement attached to the income or corporate tax return for the most recent accounting period as of the application date or the sales revenue amount in the summary of operating account.
For the duration, a permit will be valid for at least one year and at most five years. In addition to permits, the GIS Law mandates that the geographical data produced must be shared with the Ministry of Environment, Urbanization and Climate Change free of charge before and after disasters and emergencies to be used as part of disaster and emergency management efforts.
As per the GIS Law, if it is determined that the activities are being carried out without obtaining geographical data permit, the authorities will grant the operator engaging in geographical data activities a period for which the operator can apply for a permit. If there is no application during this period, administrative fines shall be imposed on operators who engage in geographical data activities without authorization.
As a last note regarding geographical data, it should be noted that the GIS Law was amended in 2024, but the auxiliary regulations were not updated according to this amendment. Due to this, there are certain ambiguities between GIS Law and its secondary regulations, and it is expected for an amendment in these secondary regulations in order to harmonize the GIS Law and the relevant legislation.
Data Protection
This section will analyze the data protection aspects of connected vehicles. Data protection in Türkiye is mainly regulated by Law on Protection of Personal Data, numbered 6698 (“DP Law"), which was modeled after Directive 95/46/EC and therefore bears similarities with its EU counterpart, mainly GDPR.
Firstly, data subjects must be presented with a privacy notice in accordance with Article 10 of the DP Law. This notice must clearly outline the purposes and legal basis for processing, recipient groups, and the data subject’s rights. Controllers must also ensure that data subjects can exercise their rights under Article 11, which, while similar to GDPR Articles 12–22, differs slightly in scope and form (e.g., absence of the right to data portability). For global connected car providers, the privacy notices prepared in accordance with EU generally can be used in Türkiye with minor localizations.
Secondly, different from EU, Turkish data protection legislation requires all foreign controllers who process the personal data of Turkish data subjects to be registered with the Data Controllers' Registry (“VERBİS”). Pursuant to Article 16 of the DP Law and the Regulation on Data Controllers Registry, controllers must keep a detailed Personal Data Processing Inventory, which outlines the types of data collected, processing purposes, legal bases, data categories, recipient groups, retention periods, international transfers, and security measures. This inventory is conceptually similar to the GDPR’s Record of Processing Activities (RoPA). However, in Türkiye, based on this inventory, a registration to VERBİS must be made.
Regarding VERBİS, a specific requirement exists for non-resident controllers, such as foreign connected car providers, which is the appointment of a “data controller representative” in Türkiye. This representative acts as the point of contact for the Turkish Data Protection Authority (“DP Authority”) and for any data subject asserting rights under the DP Law. Therefore, for foreign connected car providers, appointment of a representative and registering to VERBİS is highly advised before launching the products/services in Türkiye.
In addition to above, the cross-border data transfer rules should be assessed regarding the usage of connected car services by Turkish data subjects. In the past, unlike EDPB, the DP Authority accepted direct collections from Turkish data subjects by the foreign controllers as a “transfer”. The view of the DP Authority changed recently and currently, direct collections from Turkish data subjects does not constitute a “transfer” but this processing activity is in the scope of DP Law. Therefore, if the connected car provider directly obtains the data from Turkish data subjects and transfers this data to its processors, all of these activities are also in the scope of DP Law and the transfer to the processor would constitute a cross-border data transfer in terms of DP Law. Additionally, if the connected car provider obtains the data from another controller/processor in Türkiye (e.g. local dealers), then the transfer from the local controller/processor to the foreign connected car provider would be in the scope of cross border data transfer regime.
According to article 9 of the DP Law, which is the main article that regulates the cross-border data transfers in Türkiye, similar to GDPR, personal data may only be transferred abroad if:
To date, the DP Authority has not recognized any country, including EU member states or the U.S., as providing adequate protection so the first option is unusable in Türkiye at this point. The other three safeguards (an agreement between public bodies, binding corporate rules and a written undertaking) require the prior approval of the DP Authority, whereas the standard contractual clauses only require notification of the DP Authority in order to rely on that mechanism. Therefore, in practice, standard contractual clauses are widely used since they only require notification to the DP Authority, rather than approval. For this reason, foreign service providers who obtain personal data from a Turkish controller or processor are advised to use one of the appropriate safeguards for continuous transfers (e.g. standard contractual clauses).
With regard to data security obligations, Article 12 of the DP Law requires data controllers to take “all necessary technical and organizational measures” to prevent unauthorized access to, or processing of, or loss of, personal data. The DP Authority’s Data Security Guide provides further clarification of these obligations and recommends measures aligned with GDPR standards. Therefore, compliance with GDPR security protocols (e.g. encryption, pseudonymization, access control and logging) is generally considered sufficient for Turkish standards, although documentation and localized governance (via the local representative) remain essential.
