Category: Turkiye

Litigator Erdem Atilla has been promoted to Partner at Pekin & Pekin in Istanbul.

He specializes in commercial, administrative, and employment disputes, criminal proceedings, execution and bankruptcy proceedings, debt collection proceedings, compensation lawsuits, consumer disputes, and disputes arising from contracts having an international aspect as well as contracts subject to Turkish Law.

After graduating from Galatasaray University Faculty of Law, Erdem joined the firm’s Dispute Resolution Department in 2009.

Under the Turkish data protection law (“DPL”), data subjects have the right to learn who processes their personal data, the purposes and legal bases of these processing activities, and to whom and for what purposes such personal data are transferred. These rights arise from the data controllers’ obligation to inform data subjects about their processing activities. During the collection of personal data, the data controller or any other person authorized by the data controller is obliged to provide data subjects with certain information, such as the identity of the data controller and of his representative (if any), the purposes of the processing, to whom and with what purpose the processed personal data can be transferred, and the method and legal reason/basis of collection. The same article of the DPL further requires data controllers to provide information to data subjects about certain other rights, as discussed below.

Data subjects have the right to know the third parties within or outside the country to whom personal data are transferred, and to ask for the rectification of any incomplete or inaccurate personal data processing as well. They may also request the erasure or destruction of their personal data (within the framework of the conditions set forth under Article 7) and request the notification of these operations to third parties to whom personal data have been transferred. According to this law, data subjects have the right to object to any consequence or situation that is to his/her detriment that results from an analysis of the processed data exclusively by means of automated systems, and to request compensation for the damages incurred due to the unlawful processing of personal data.

Interpretation of These Provisions

The Turkish Data Protection Authority has published the Communiqué on the Procedures and Principles for Compliance with the Obligation to Provide Information (“Communiqué”)  in order to provide guidance for the interpretation of these articles.

The Communiqué sheds light on the methods to be used for providing information and specifies that data controllers may provide information to data subjects either physically or by using electronic means (e.g., verbally, in written format, by voice recordings, or through call centers), and also clarifies when data subjects must be informed. According to the Communiqué, data controllers are obliged to inform data subjects of their rights in all cases or circumstances in which their personal data is processed. Furthermore, they must also inform data subjects whenever the purpose of processing changes, prior to starting the data processing activity. For instance, if a data controller processes a data subject’s address information for the purpose of delivering the goods/services that the subject has ordered and will further process the same address information for marketing purposes in the future, then it needs to inform the data subject since the purpose of the data processing activity will change. 

If different divisions/units of a data controller process personal data for different purposes, then the data controller must inform data subjects separately for each purpose. For instance, if the name, last name and phone number of a data subject is processed by the marketing department of a company for marketing purposes, and the same personal data is also processed by the human resources department to evaluate the job application of that data subject, then the data subject must be informed of both processing purposes. 

The information that the data controllers provide to the Data Controllers’ Registry must be in line with the information they provide to the data subjects. It is also extremely critical for data controllers to realize and keep in mind that compliance with the obligation to provide information does not require the data subject’s prior request, and that the burden of proof is on the data controller to show that it has complied with all its obligations under the law. 

The Communiqué also states that the explicit consent of data subjects must be obtained separately from the information provided to data subjects. In other words, data controllers are not allowed to obtain explicit consent from data subjects by using the same text or document with which they inform them.

Personal data must be processed for specific, explicit and legitimate purposes. Similarly, data controllers must also be clear and specific when providing information to data subjects, and they should avoid deficient, misleading or inaccurate statements. Moreover, they must steer clear of ambiguous or broad terms in the information provided to data subjects. For example, data controllers should not state that the personal data of data subjects might be processed for marketing purposes in the future. Rather, data subjects should be informed of the purpose for which their personal data is processed, not the possible purposes that might arise in the future. It should be noted that ambiguousness/vagueness is a crucial red line when it comes to providing information to data subjects, and data controllers must avoid such ambiguity whenever possible. 

In addition, the information that will be communicated to data subjects must include: (i) the legal purpose of the personal data processing (in other words, the basis of the data processing activity), (ii) the recipients of the personal data, and (iii) the purpose of the data transfer. 

While data controllers are required to provide data subjects with information about the processing of their personal data prior to data collection, this may not always be possible in practical terms. If personal data is obtained from an indirect source, such as the news media or public records, then data controllers must fulfill their obligation to provide information to data subjects (i) within a reasonable period of time after the personal data is obtained, (ii) in the first communication, if the personal data is obtained for the purpose of communicating with the data subject, and (iii) if the personal data is to be transferred, then at the first moment that the personal data is being transferred, at the latest.

Comparison of the DPL and the General Data Protection Regulation (“GDPR”)

The GDPR, which has entered into force on May 25, 2018, also brings similar requirements for data controllers. Some of the information stipulated under the GDPR which data controllers are required to provide to data subjects are not included in the DPL, such as (i) the right of data subjects to withdraw their consent at any time, (ii) the right of data subjects to lodge a complaint with a supervisory authority, and (iii) storage periods and the criteria used to determine the duration of such data storage, even though data subjects do, in fact, have those rights under the Turkish data protection legislation. 

Another difference between the GDPR and the Turkish data protection legislation concerns indirect data collection practices. According to the GDPR, when personal data is collected indirectly, data controllers are not obliged to inform data subjects of such activity if (i) it is impossible, or (ii) it requires disproportionate effort, or (iii) it would render impossible or seriously impair the purpose of the data processing. Neither the DPL nor the secondary legislation in Turkey sets out similar exceptions or follows the GDPR on this issue. However, in practice, if a data controller is unable to inform data subjects about indirect personal data collection despite its best efforts and can demonstrate its efforts (i.e., show that it has genuinely attempted to inform data subjects), such activities should not raise any legal concerns under the DPL either. Nevertheless, keeping in mind that there is no clear definition of “sufficient effort” or provisions regulating this matter in the DPL, one cannot exclude the possibility of a data controller facing sanctions in this context. 

Despite these differences, the GDPR requires data controllers to use clear and plain language in communicating with data subjects, similar to the DPL, and to provide data subjects with the information regulated under the DPL.

Conclusion

Interpreting the obligation to inform data subjects correctly is of paramount importance to data controllers, since failing to fulfill the obligation to provide information may result in an administrative fine ranging from 5,000 Turkish Liras up to 100,000 Turkish Liras. Therefore, data controllers should implement the Communiqué with the utmost care and be able and ready to demonstrate that they provide data subjects with the necessary information in order to fulfill their legal obligations and avoid such administrative penalties.

(First published by Monday on May 28, 2018)

By Gonenc Gurkaynak, Partner, Ilay Yılmaz, Partner, Noyan Utkan, Associate, ELIG Gürkaynak Attorneys-at-Law

Paksoy has advised Japan’s Nippon Yusen on the formation of a joint venture with Oyak, the Turkish military’s pension fund, to build a port in northwest Turkey with an investment of USD 110 million to serve the automotive sector.

The joint venture will be 55% owned by Oyak and 45% owned by Nippon Yusen. Construction will begin this year and the port is scheduled to enter service in 2019.

The Paksoy team consisted of Partner Togan Turan and Senior Associate Serdar Ildirar.

Today, more than 90% of cyber-attacks start with a phishing e-mail and every 40 seconds a company gets hit by a ransomware. Therefore, it is crucial to be well-educated regarding suspicious e-mails. Following warnings and tips of course indicate only an introduction to the safety measures that could be taken to avoid suspicious emails or spotting them at once.

What is a “suspicious email”?

Suspicious emails are the mostly used and unfortunately the most efficient instrument of cyber criminals which usually contain viruses, worms or ransomwares for the purpose of accessing to a specific computer or a network.

What should we do?

Although there is not a certain formula to avoid suspicious emails, simply checking (i) the sender and the recipient’s titles and addresses, then (ii) the subject of the email, and (iii) examining the email content in the light of the warnings and the tips stated herein below is advisable.

1. To check the sender and the recipient of the email, move your cursor to the Sender and the recipient section to check the name or the title and the email extension without clicking.
2. The “Subject” section of emails  usually helps us to spot suspicious emails in many different ways. (Blank subject, irrelevant matters, artificial importance etc.)
3. Finally, the content of the email may also give you many clues to be suspicious of. (empty , attachments, IBAN numbers etc.)

In addition to above, taking following steps is also crucial to mitigate cyber risks;

• Write a cyber security policy including all relevant other policies such as corporate password policy for all users and modems etc.
• Create and implement a proper but realistic Incident Response Plan.
• Educate personnel for awareness and daily routine security measures such as logging off from accounts, not using personal e-mails or same passwords for each account.
• Cyber criminals are good at spotting your weakest link who could be a new employee recently started and not yet took the cyber security education. 90% of cyber attacks originate from human factor and negligence.
• Always be suspicious and vigilant. Think before you click anything and do not open zip file or .exe file attachments unless you are expecting it. 
• Don’t share sensitive corporate data with third parties and even a personnel or department of your company and keep data flow limited as much as possible.
• Back up regularly all data at all times in alternative storages.
• Utilise defences including anti-virus, anti-malware, anti-spyware, and install software and hardware firewalls.
• Use external devices cautiously since most of the time a cyber-attack starts with an innocent looking but infected USB flash disk of a co-worker.

Cyber risks evolve and develop even each hour and cyber criminals progress faster than we can imagine in order to succeed in their scams. Therefore, regularly updating company policies, awareness and education together with necessary software and hardware defences is vital for maintaining cyber hygiene.

By Efe Kınıkoglu, Partner, Moral & Partners

Paksoy has advised CS Wind, a wind tower manufacturer headquartered in South Korea, on its purchase of 100% shareholding in Ege Tower, based in Izmir. The deal is expected to close by the end of May 2018, and is subject to fulfillment of corporate and regulatory requirements.

EGE Tower operates as a steel tower manufacturing company, offering towers for wind turbines. 

According to Paksoy, the acquisition of Ege Tower is a strategic first step for CS Wind to expanding its business in Turkey, “before penetrating into neighboring countries.” The firm reports that “the deal showcases the strengthening of economic relations between South Korea and Turkey especially before the introduction of the Turkish government’s incentivizing plans in the renewable energy sector.” 

The Paksoy team consisted of Partner Togan Turan, Senior Associate Serdar Ildirar, and Associate Ece Sarıca.  

Paksoy has advised Doktas Metal on the sale of 93.57% shares of Turkish automotive manufacturer Doktas Dokumculuk to Celik Holding, which is a member of the Guris Group.

---

The share purchase agreement was signed on May 11, 2018. The completion of the transaction is subject to clearance from the Turkish Competition Board as well as the creditor banks of Doktas Dokumculuk.

The Paksoy team consisted of Partner Togan Turan, Counsel Okkes Sahan, and Senior Associate Serdar Ildirar.

Each day, cyber security becomes more and more important than physical security and it is the hottest topic all over the world nowadays. Despite the developing awareness, cyber-attacks increased significantly and more importantly most of them succeed to give colossal damages. So, what shall we do legally or is there anything we could do once we are under attack?

Months ago, a US based client’s corporate server was hacked upon a professional penetration of hackers and a considerable amount of money was transferred to an unknown account in Istanbul. Such kind of penetrations and illegal money transfers are frequently seen and apart from legal actions to be taken, reacting rapidly but also accurately upon becoming aware of a cyber-attack is crucial. 

Let alone days, losing even hours may lead to catastrophic results since it is almost impossible to track or locate money once it is out circulating between unidentified persons and accounts. Therefore, quick involvement of legal counsels is essential but it may not be possible due to lack of a power of attorney including requisite authorizations related to bank transactions since banks are under strict regulations and it may not be possible to intervene despite the account receiving the money may be known to the client. 

If victim company already granted such a power of attorney, as legal counsels we may be able to involve immediately and prevent release of the concerning money temporarily until an injunction decision is rendered by a court freezing the relevant bank account. In case an international money transfer was made from a foreign client, issuance of a power of attorney unfortunately takes time more than expected and, in that duration, suspects usually draw the money in cash and it becomes almost impossible to track them or the money due to lack of concrete evidence.

In our case, we succeeded to prevent the release of the money to suspects who tried to draw it from the related branch of the bank and immediately obtained an injunction order from the Court ordering the bank to freeze the related bank account due to suspicious transfer. Simultaneously we have filed a criminal complaint and both civil lawsuit and criminal lawsuit is finalized only in months by imprisonment of the suspects and we have returned entire money to the client.

In this recent experience, evading that cyber-attack by means of immediate legal actions was compelling but possible in a short span of time. Therefore, it is essential to empower trusted legal counsels beforehand in order to enable them to take necessary legal actions on behalf of victim companies targeted by cyber criminals.

By Efe Kınıkoglu, Partner, Moral & Partners

TCiting “family-related reasons,” former Akol Law lawyer Jonathan Clarke has left his position with the Istanbul-based firm to move back to the UK, where he re-joins DLA Piper as a Legal Director.

Clarke minimized the significance of the change in a comment with CEE Legal Matters. “This is very much business as usual, I remain passionately committed to supporting my Turkish clients (while also supporting DLA Piper’s clients in the Turkish and other international markets).  It is a good time to be able to have access to a global network to support Turkish cross-border deals (both inbound and increasingly outbound as Turkish multi-nationals look to geographically diversify); and I am also looking forward to being able to support multi-national clients in multiple geographies (including in the CEE region where I have already done a number of deals).”

Clarke is a specialized Corporate Commercial and Mergers & Acquisitions lawyer who has been based in Turkey for more than 12 years. He focuses his practice on company and commercial transactions including corporate finance, share sales, business sales, joint ventures, take-overs, mergers & acquisitions, commercial agreements, and reorganizations. In addition, Clarke has experience in advising corporate and M&A matters in highly-regulated areas such as capital markets, energy, life sciences, media and mining- with a particular focus on insurance matters.

Clarke worked with Dentons (in its various incarnations) in Istanbul from 2000 to 2011. From 2011 until joining Akol Law in 2016 he was with DLA Piper. 

In recent years, the USA has been pursuing a very protectionist approach against imports and accordingly, it has initiated safeguard investigations and imposed very high measures (e.g. steel product).

Such approach has led other countries to implement a protectionist approach as well. In other words, the increasing number of trade defence measures taken by third countries has triggered new investigations of the EU to protect its domestic industries from the potential serious injury on the basis of the most recent developments, such as any trade diversion resulting from the US measures or potential tendencies after such developments.

Such an approach has particularly become crucial for the exporting firms active in a market which is characterized by extensive trade flows and where the customers as well as the suppliers operate on a global level. Thus, any restriction concerning exports/imports of the products which are largely commoditized (no significant differences) and whose price levels are relatively comparable across jurisdictions and dependent on the conditions of competition at a global level would definitely raise concerns and trigger, at least, counter-investigations to protect the interest of the country’s main producers.

In this regard, the aforesaid ongoing world-wide protectionist approach in the international trade regime has finally found its response from Turkey as well. Right after the EU’s newly initiated safeguard investigation concerning iron & steel products (on 26 March 2018), the Turkish Ministry of Economy (“Ministry”) has launched a safeguard measure investigation concerning the imports of certain iron & steel products and announced this in the Official Gazette dated 27 April 2018 and numbered 30404. The result of the investigation which covers a wide range of product and all countries will absolutely have an effect on export, import and domestic markets for the subject products.

In the light of above, we will provide a brief of recent events in this regard from the USA and the EU. Then, Turkish Ministry of Economy’s recent investigation will be discussed.

Background

As widely discussed, US President Donald Trump last year issued a controversial executive order calling the Department of Commerce to open an investigation whether the steel imports harmed the US national security. The executive order aimed to protect the national security by imports in accordance with a decades-old, rarely used law, namely Section 232 of the Trade Expansion Act. Following this executive order, the Department of Commerce has opened an investigation and analyzed the effects of the imported steel to the US. As a result of the investigation, “The Effect of Imports of Steel on the National Security” was issued on 11 January 2018. The report indicates that the imports of the steel have “weakened US internal economy and threatened to impair the national security as defined in Section 232”.

Protectionist approaches by the President Trump are not limited with this case. Within his administration, the USA has withdrawn from Trans-Pacific Partnership and is considering to withdraw from NAFTA. Further, new measures on steel and aluminum, solar panels are also in the agenda. In the news, this whole process is called “trade wars”.

The EU officials have previously stated that if the USA is to impose measures, then the EU would take these three steps to protect itself:

• taking the case to the WTO,
• imposing further safeguard measures and
• impose tariffs on a series of American-made goods.

Within this scope, the EU Commission has launched a safeguard investigation concerning steel products to prevent trade diversion into the EU. According to the EU, the surveillance system for steel imports, which has been in place since March 2016, has granted evidence that imports of certain steel product have increased. The investigation is on-going.

Turkish Investigation

An action from the Turkish government against the actions taken by US and EU had been expected to prevent trade diversion into Turkey. As expected, the Ministry on 27 April 2018 ex officio initiated a safeguard investigation concerning the imports of steel products by the Communiqué on the Safeguard Measures in Imports No: 2018/3 (“Communiqué”) to find out whether the steel imports were caused serious injury the domestic industry and/or threatens to cause serious injury. The investigation covers 21 different steel products and scope can be widened pursuant to the information collected throughout the investigation. Currently, the following product categories are being investigated by the Ministry to find whether the imports were caused serious injury the domestic industry and/or threatens to cause serious injury: (i) flat rolled products, (ii) bars, rods and angles, (iii) railway or tramway truck construction materials, (iv) tubes, pipes, hollow profiles and (v) stainless steel.

As an important note, the Board of Evaluation of Safeguard Measures decided to consider the issue whether the products originating from EU may be exempted from the measures, if imposed.

Within this scope, exporters may cooperate with the Ministry in this investigation to enjoy no measure or lesser measures than those who do not cooperate. As such, exporters wishing to cooperate with the Turkish government are required to fill-in a questionnaire published in the Turkish Ministry of Economy’s website and submit it to the Directorate General of Imports within 30 days. By doing so, exporters are considered as interested parties and are given the chance to defend themselves in the process. Additionally, any interested party may attend the public and private hearing where they have the opportunity to orally present their position. Any oral or written communication regarding the investigation is carried out in Turkish.

Within the said questionnaire, the exporters should present the following matters to the Turkish Ministry’s attention: (i) information on the concerned products (types, production technology, usage, competitiveness, substitutability etc.), (ii) market structure of the concerned product and (iii) economic indicators (profitability, domestic sales, export sales, employment etc.) of the exporting company.

Importing companies may also fill-in a questionnaire to be considered as an interested party. In this questionnaire, the following information should be provided by the importers: (i) status of the importer (industrial user, exporter, only importer, distributor or etc.) and (ii) purposes for the imports (raw material, exporting by processing, reselling to the domestic market or etc.).

On the other hand, the domestic industry may also participate in the investigation and defend their interest by filling-in a questionnaire, which includes the following information: (i) the distribution channels, (ii) raw materials of the concerned product, (iii) technology of the concerned product, (iv) worldwide demand amount and (v) the domestic capacity.

As the above information suggests, the Ministry aims to collect information regarding the concerned product in terms of export, import and production. The information provided to the Ministry is crucial for the findings as to whether the iron-steel imports cause serious injury to the domestic industry.

Conclusion

Following the international trade measures imposed by the USA, mainly the import tariffs on the steel and aluminum, the EU has also started a safeguard investigation regarding to steel imports, as a response to the actions taken by the USA. Shortly after, Turkey announced that it initiated a safeguard investigation concerning the steel imports. It is not yet clear that the imports originating in European Union will be exempted from the possible safeguards measures. While the reflections of the Turkish investigation are yet to be seen, many exporters around the world are expected to participate in this investigation to protect their interest and to enjoy a potential no measure or lesser measures than their competitors. Therefore, it is undoubted that this investigation will shape the relevant markets in Turkey.

By Ertugrul Can Canbolat, Senior Associate, Baran Can Yıldırım, Associate, Sinan Lahur, Associate, ACTECON