Insights

As detailed under part one of this article series, connected cars must be assessed by conducting analyses on multiple legislation such as consumer, data protection and telecommunication. This part will continue to analyze connected cars according to Turkish legislation. 

Consumer Law & E-commerce

According to Turkish legislation, the online purchase and sale of products and services is classified as e-commerce. Therefore, online services provided through connected cars, such as purchases made via the connected car’s app or store, will be subject to this legislation. If connected car functions are provided via electronic commerce channels, the provider will be considered a “service provider” for these channels and will be required to comply with certain transparency and information provision requirements.

These include (i) displaying mandatory information under “contact” section within the stores, (ii) displaying mandatory information under “transaction guide” section within the stores (and if such section is not present on the website, to add one), (iii) designing the checkout process in line with the procedural requirements indicated in the e-commerce regulations, (iv) retaining records relating to e-commerce activities for at least 3 years and present them to the Ministry of Trade, when requested and (v) registering with the Electronic Commerce Information System (“ETBIS”) registry. The “Contact" section on stores should display the following information: e-mail address, telephone number, business name or registered brand name, trade name, head office address, membership to trade association and to sectoral institutions, if any, along with the relevant code of conduct (and how to electronically reach them).

Additionally, service providers are obliged to include the following information under the title of "transaction guide" on the home page, in a way that can be accessed directly through the website: (a) technical steps showing procedures such as choosing the goods, entering the delivery and payment information, and confirming the order for the contract with the customer to be established; (b) information on whether the contract for electronic commerce will be stored electronically, whether it will be possible for the consumer to access this contract later from the same website, and for how long this access will be provided; (c) information on the provision of technical tools, such as a summary order form and a “back” button, to help consumers identify and correct errors in data entry before placing an order, (d) alternative dispute resolution mechanisms, if any, in case of disagreement with the consumer.

Procedural requirements relating to checkout processes include the following obligations: During the confirmation of the order placed over the website and before entering the payment information, the total price to be paid by the consumer, including tax and delivery costs, and other terms of the contract must be clearly shown to the consumer; If the total cost of the good, the method of calculating the price and the delivery costs cannot be determined in advance, the consumer should be informed that additional costs may be paid; before order confirmation, an order summary should be provided so that consumers can identify data entry errors and appropriate, effective and easily accessible technical tools such as undo and change should be provided to correct these errors; contract terms and general transaction conditions should be sent to the consumer physically or electronically so that they can be viewed again; The information that the order has been received must be notified to the consumer without delay via the network where the transaction is made and also by at least one of the tools such as e-mail, short message, telephone call, fax (the order and confirmation of the receipt of the order will be deemed to have been realized as soon as the parties can access the aforementioned statements).

As for the ETBIS registration, requirements are as follows: Service providers conducting e-commerce activities are expected to register with the ETBIS; the registration should be concluded before the e-commerce platform starts to operate; the registration process can be completed online and it generally takes 1 – 2 hours if all information to be uploaded is at the ready; the registration is more of a notification than a permit/licensing by the and it allows the visitors to verify the identity of the service provider’s website through an online registration list: see https://www.eticaret.gov.tr/sirketsorgula.

In addition to above requirements, the service provider must present the consumer facing documentation (e.g. T&Cs, distance sales contracts in Turkish language.) According to the Turkish consumer protection regulations, every distance sales transaction must be concluded via an individual distance sales agreement that contains details of the goods/services purchased for every instance.

Pursuant to the Article 4 of the Consumer Protection Law numbered 6502, contracts and notifications to be provided to the consumers, such as terms and conditions, shall be drafted in a comprehensible language and in a clear, simple, and legible form. Similarly, data protection legislation in Türkiye requires any privacy notifications that are presented to the data subjects to be easily understandable, therefore the privacy policies presented to Turkish citizens in general must be in Turkish. As for the paid services of the service provider, according to the Distant Sales Regulation, a “preliminary information form” must be provided before the distance sales contract[1] is formed (on the purchase screen, before the consumer becomes under the payment obligation). The form may be presented on the checkout screen with an unchecked checkbox and must include the mandatory content[2] specified under Article 5 of the Distant Sales Regulation.

Lastly, the service provider must display the following information separately and in a clear and transparent manner on the checkout screen, right before the checkout: a) The basic characteristics of the goods or services subject to the contract, b) The total price of the goods or services including all taxes, c) information concerning right of withdrawal including information on the conditions, duration, procedure for exercising this right, d) information on the conditions under which the consumer will not benefit from the right of withdrawal.

As a side note, if the structure of the connected car services store allows the connected car service provider to facilitate other service providers in concluding contracts for the provision of such services, (e.g., individual consumption, e-charge services, entertainment services, digital assistants etc.) or to place orders (e.g., displaying information about the order summary, option to add or remove products/services), the connected car service provider will be considered as an electronic commerce intermediary service provider (“ECISP”) within the scope of local e-commerce regulations and be subject to the provisions of the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers (“E-Commerce Regulation”) (such as signing an intermediary agreement with other service providers, allowing the distance contract and preliminary information form to be submitted by other service providers).

It is recommended that connected car service models offered in Türkiye are evaluated in light of the above legislation. Documents should be localized and ETBIS registration completed. If the connected car service provider is classified as an ECISP, the necessary procedural measures should be carried out with other service providers. 

Other

AML/KYC Obligations

According to Article 4/1-o and 4/1-y of Regulation on Measures for the Prevention of Laundering Proceeds of Crime and Financing of Terrorism (“AML Regulation”), “Those engaged in the purchase and sale of all types of marine, air, and land transportation vehicles, including construction machinery, and those acting as intermediaries in such transactions” and “Medium, large, or very large-scale electronic commerce intermediary service providers, limited to transactions carried out with electronic commerce service providers” are obliged with the AML/KYC obligations stated in the relevant legislation. These obligations include but are not limited with (i) carrying out KYC obligations, (ii) notifying suspicious transactions to the Financial Crimes Investigation Board, (iii) carrying out a compliance program and appointing a compliance officer, and (iv) maintaining adequate record keeping procedures.

In terms of “those engaged in the purchase and sale of all types of marine, air, and land transportation vehicles, including construction machinery, and those acting as intermediaries in such transactions”, it is observed that connected car providers typically collaborate with distributors and/or authorized dealers in Türkiye to sell these vehicles to end customers. In that case, the distributor or authorized dealer engaging in the purchase and sale of these connected cars will be directly obliged under the AML Regulation. Although the obligation rests with distributors and/or authorized dealers, it is advisable for connected car providers to ensure that these parties are complying with their local obligations, in order to avoid complaints and/or official investigations.

In terms of “medium, large, or very large-scale electronic commerce intermediary service providers, limited to transactions carried out with electronic commerce service providers”, where the connected car service provider is classified as a ECISP, its activities, limited to the transactions carried out with electronic commerce service providers,  will be directly in the scope of AML Regulation if this electronic commerce intermediary service provider is a medium, large, or very large-scale ECISP.

The scale of an ECISP is determined annually by the Ministry of Trade based on net transaction volume and number of transactions, adjusted each year by the annual re-evaluation rate. For the year 2025, the classification thresholds are as follows:

Therefore, before and during the engagement of connected car services in Türkiye, it is highly advised for the providers to check above thresholds and if the provider is classified as a medium, large or very large ECISP, it should adapt its services so that the obligations arising from AML Regulation are fulfilled.

Cyber Security Law No. 7545

As is known, the Cyber Security Law entered into force upon its publication in the Official Gazette dated Wednesday, March 19, 2025, and numbered 32846. The Cyber Security Law covers public institutions and organizations, professional organizations with public institution status, natural and legal persons, and entities without legal personality that operate, provide services, or maintain a presence in cyberspace.

Within this scope, parties who “provide services, collect or process data, or engage in similar activities through the use of information systems” are subject to the following obligations:

• To submit promptly and as a priority to the Cyber Security Presidency ("Presidency") any data, information, documents, hardware, software, or other contributions requested by the Presidency in the course of its duties and activities,
• To take the measures stipulated by legislation for the purposes of national security, public order, or the proper conduct of public services, and to report without delay to the Presidency any vulnerabilities or cyber incidents identified in the area of service,
• To procure cybersecurity products, systems, and services to be used in public institutions and critical infrastructure only from cybersecurity experts, manufacturers, or companies certified and authorized by the Presidency,
• To obtain the approval of the Presidency, in accordance with existing regulations, prior to commencing operations if operating as a cybersecurity company subject to certification, authorization, or accreditation,
• To implement the necessary measures and fulfill the obligations set out in policies, strategies, action plans, and other regulatory instruments issued by the Presidency aimed at increasing cyber maturity.

To mitigate potential risks and ensure compliance with the upcoming secondary legislation, we recommend taking the following steps:

• Closely monitor whether “connected cars” are classified as “critical” infrastructure and the development of secondary legislation, which will define the practical scope and enforcement of the Cyber Security Law.
• Adopt a cooperative and solution-oriented approach with officials in the event of an inspection.
• Establish a reliable and well-functioning communication channel with the relevant authorities in order to address requests for information and documents. While it may not always be possible to fulfil certain requests due to technical or legal constraints, maintaining open communication is key to avoiding sanctions.
• Any cyber security incident that could potentially impact Türkiye must be evaluated with regard to reporting in the country.
• If cyber security related products or services are provided, ensure that all the necessary certifications and authorizations have been obtained in accordance with the applicable regulations.

The Concepts of FOTA and OTA

FOTA (Firmware Over-The-Air) and OTA (Over-The-Air) refer to the transmission of software or firmware updates to vehicle systems via wireless communication. Technically, FOTA mainly covers firmware updates at the hardware level, while OTA includes software and application-based updates.

In this regard, the Addendum 155 - UN Regulation No. 156 (“Regulation”) issued by the United Nations Economic Commission for Europe (UNECE), which serves as an international point of reference, defines OTA updates under Article 2.9 as “any method that transfers data wirelessly rather than using a cable or other local connection.”

Although the term FOTA is not explicitly used within the Regulation, Articles 7.1.1.8 and 7.1.1.9 indicate that all types of software updates fall within its scope. In particular, it is stated that modifications which may affect type-approved systems should be specifically assessed, and we are of the opinion that updates at the firmware level would also fall within this scope.

Therefore, it can be concluded that the technical distinction between FOTA and OTA updates does not give rise to a difference in legal obligations. Both types of updates should be evaluated under the same legal principles and security standards.

Under Turkish law, the provision of OTA and FOTA services for the purposes of ensuring the systemic functionality of vehicles, implementing safety and cybersecurity measures, and improving or enhancing the functions of digital services does not present any legal non-compliance. When evaluated within the scope of the DP Law, the delivery of such services entails personal data processing activities. Accordingly, the data subjects whose data will be processed must be duly informed, and their explicit consent must be obtained where necessary. Additionally, if cross-border data transfers are conducted, please note that they must comply with the provisions of Article 9 of the DP Law.

According to Article 7.2.2.2 of the Regulation, drivers must be informed about an update before the update is executed. The information made available shall contain:

• The purpose of the update. This could include the criticality of the update and if the update is for recall, safety and/or security purposes,
• Any changes implemented by the update on vehicle functions,
• The expected time to complete execution of the update,
• Any vehicle functionalities which may not be available during the execution of the update,
• Any instructions that may help the vehicle user safely execute the update.

Additionally, under Article 7.2.2.3, in the situation where the execution of an update whilst driving may not be safe, the vehicle manufacturer should demonstrate how they will:

• Ensure the vehicle cannot be driven during the execution of the update,
• Ensure that the driver is not able to use any functionality of the vehicle that would affect the safety of the vehicle or the successful execution of the update.

Following the update, Article 7.2.2.4 requires:

• The driver is able to be informed of the success (or failure) of the update,
• The driver is able to be informed about the changes implemented and any related updates to the user manual (if applicable).

In light of the above provisions, we believe that a single general notice provided at the time of the initial contract phase may not be sufficient for compliance. Therefore, we recommend that, where operationally feasible, separate and specific notifications be provided prior to each update, addressing the above-listed points. These notifications may be delivered via email or through in-vehicle applications. Moreover, in cases where the update is of high importance or involves safety-critical actions, obtaining active consent from the driver before proceeding with the update may be considered a prudent risk mitigation measure.

Although the secondary legislation specifying the measures required under the Cyber Security Law has not yet been published, we are of the opinion that the document titled "Cybersecurity Best Practices for the Safety of Modern Vehicles", issued by the U.S. National Highway Traffic Safety Administration (NHTSA), may serve as an important reference point for the sector. With respect to OTA updates, the said document recommends concrete technical measures such as:

• Maintaining the integrity of update servers and the transmission mechanism,
• Taking into account, when designing security measures, the risks associated with compromised servers, against server attacks, insider threats, and men-in-the-middle attacks,
• Ensuring that firmware modifications are carried out only by authorized parties,
• Taking measures to limit firmware rollback attacks.

As stated above, although no binding list of measures has yet been defined under the Cyber Security Law, we believe that the measures outlined above can be taken as a reference point in terms of compliance with international standards and the adoption of the best sectoral practices.

Activities Subject to License/Permit/Authorizations

In addition to the above, certain activities of connected car providers may be subject to licenses/permits/authorizations from the relevant authorities. For charging stations, if the connected car provider will also provide its own charging stations, according to Regulation on Charging Services, this action is subject to a license by the Energy Market Regulations Authority. For vehicles that will be used in transportation of goods or people, an approval must be obtained from the Ministry of Industry and Technology according to Regulation on Type Approval and Market Surveillance and Audit of Motor Vehicles And Their Trailers, And Of Systems, Components And Separate Technical Units Intended For Such Vehicles. It should be noted that this regulation on type approval is highly parallel with its European counterpart - Regulation (EU) 2018/858.

[1] If the contract is based on a subscription model, the distance sales contract can be prepared to include the subscription terms.

[2] a) The essential characteristics of the goods or services covered by the contract,

1. b) The name or title of the seller or supplier and the intermediary service provider, their MERSIS number or tax identification number,
2. c) The consumer's ability to quickly contact the seller or provider and the intermediary service provider through clear address, phone number, and similar contact information, as well as the identity and address of the person acting on behalf of or for the account of the seller or provider, if applicable,

ç) If the seller or provider and the intermediary service provider have different contact information for the consumer to submit complaints than those specified in paragraph (c), information regarding such contact information,

1. d) The total price of the goods or services, including all taxes, or if the price cannot be calculated in advance due to the nature of the goods or services, the method of calculating the price, and information on any additional costs such as shipping, delivery, or similar expenses, as well as information on the possibility of paying such additional costs if they cannot be calculated in advance,
2. e) If the cost of using the remote communication tool during the contract formation stage cannot be calculated based on the standard tariff, the additional cost imposed on consumers,
3. f) The delivery or performance period consistent with the period promised in commercial advertisements and promotions, other information regarding delivery and performance, and any commitments related thereto, as well as the complaint resolution methods of the seller or supplier and the intermediary service provider,
4. g) In cases where the right of withdrawal applies, the conditions, duration, and procedure for exercising this right, information regarding the carrier designated by the seller for return, and the amount of return costs, which shall not exceed the delivery costs, and which party shall bear such costs, and if the return is made using a carrier other than the one designated, the consumer shall bear the return costs.

ğ) The clear address, fax number, or email address where the withdrawal notice must be sent,

1. h) Information on the circumstances under which the right of withdrawal cannot be exercised, or the conditions under which the consumer loses the right of withdrawal,

ı) If applicable, any deposits or other financial guarantees that the consumer must pay or provide at the seller's or supplier's request, along with the conditions applicable to such deposits or guarantees,

1. i) Technical protection measures that may affect the functionality of digital content,
2. j) Information regarding the hardware or software with which the digital content is compatible, as known to the seller or supplier or as reasonably expected to be known,
3. k) Information regarding the consumer's right to submit complaints regarding disputes to the Consumer Court or the Consumer Arbitration Board.

[3] The EUR equivalents indicated above have been calculated based on the indicative EUR/TRY exchange rate as of 21 May 2025. These figures are approximate and provided for reference purposes only; they do not constitute binding thresholds in foreign currency.