Category: Turkiye

Paksoy, working with Eversheds Sutherland as global counsel, has advised Siniora Food Industries Company PLC, a Jordan-originating multinational food company, on its acquisition of a 77% stake of Polonez – Trakya Et ve Sut Urunleri San. ve Tic. A.S., a Turkish processed meat products company. Caliskan Okkan Toker advised the selling Akkas Family members.

Paksoy’s team included Partners Elvan Aziz and Nihan Bacanak and Associate Meric Sacak.

Caliskan Okkan Toker’s team included Partners Sezer Caliskan and Mustafa Toker, Senior Associate Yaprak Kucukoglu, and Associate Kardelen Atay.

Kinstellar has advised Turkish technology start-up Dream Games on its generation of a USD 50 million Series A Round investment from Index Ventures as the lead investor, as well as Balderton Capital and Makers Fund.

Dream Games is an Istanbul-based developer of mobile games, such as Royal Match.

Kinstellar’s team included Istanbul-based Partner Emre Edmund Ozer, and Associates Mert Elcin and Beliz Zorlu, who were assisted by Of Counsel Can Sevener of the Sevener Law Firm. Kinstellar did not reply to an inquiry about the deal.

Paksoy has advised the Ageas insurance company on its acquisition of a 40% stake in Turkey’s AvivaSA life insurance company, from British insurance group Aviva, for approximately GBP 122 million. The transaction, which is expected to close this year, remains subject to regulatory approval.

According to Paksoy, “Sabanci will retain its 40% stake in the company, which will allow the two long-time partners in the general insurance business to extend their collaboration to the life and pension business.”

Paksoy’s team included Partners Stephanie Beghe Sonmez, Omer Collak, Nazli Bezirci, and Sansal Erbacioglu and Counsel Okkes Sahan.

Editor’s note: After this article was published, CEE Legal Matters learned that Gedik & Eraksoy had advised AvivaSA on the deal. The firm’s team included Partner Hakki Gedik, Senior Associate Cinar Sipahioglu, and Associate Berkan Tomay.

Turunc has advised Bogazici Ventures on its USD 500,000 investment in Barakatech.

Bogazici Ventures is an Istanbul-based venture capital and private equity fund which primarily invests in blockchain, machine learning, artificial intelligence, digital games, and the Internet of Things in the fields ranging from health to security. 

Barakatech is an Ankara-based firm specializing in mobile and web application development and engineering focusing on blockchain and big data technologies. 

The Turunc team included Partner Kerem Turunc, Attorney Yasemin Kerestecioglu, and Associate Beste Yildizili Ergul.

The Turkish Data Protection Board (“Board”) has recently published summaries of several important decisions on certain matters, which may constitute precedents for future cases. All of the decisions below are published on the Data Protection Authority’s website on February 12, 2021.

The Board’s Decision of December 8, 2020 regarding Right to be Forgotten

The Board conducted an investigation upon a complaint wherein the complainant stated that there had been an academic staff job opening at the public university they are working at, to which their relatives applied and were successful, however social media published false news about the recruitment process, the university conducted an investigation upon the allegations and concluded that there were no irregularities. The complainant claimed that they requested removal of the relevant news from the relevant search engine, and search engine decided not to take any action and that the news articles were affecting their lives and profession, requesting the relevant contents to be de-indexed.

The Board decided through the evaluation it made that, (i) the information provided by the complainant regarding the foregoing incidents were accurate and that the complainant is still working at the same public university, (ii) the contents did not include special categories of personal data, (iii) the incidents dated back to 2020 therefore are considered current, (iv) the contents did not cause any risk for the complainant and could be considered within the scope of journalism activities, (v) contents could cause prejudice against the complainant, but that this is not provable, (vi) there is no legal obligation in publishing of the contents, (vii) the complainant did not publish the contents, (viii) the contents do not relate to a criminal offence. In light of the foregoing, the Board concluded that the search engine’s decision of not removing the contents was in accordance with the relevant criteria published by the Board’s decision with number 2020/481 and that there were no processes to be undertaken  regarding the issue in terms of Law No. 6698 on Protection of Personal Data (“DPL”).

The Board’s Decision of September 3, 2020 regarding Making Explicit Consent a Precondition for Providing Services

Regarding a data subject’s complaint about the data subject applying to a data controller insurance company to renew the health insurance policy issued on behalf of his family and the insurance company requesting explicit consent to renew, Board decided that, since the health insurance policy includes health data, which is a special category of personal data, the health data included in the policy cannot be processed within the scope of Article 6/3 of the DPL and that it can only be processed with the explicit consent of the data subject. Therefore, insurance company requesting explicit consent is in compliance with the law.

This is an important decision in general. Although the Board has not provided further details, asking for explicit consent for renewal might be considered as making explicit consent a precondition for providing services, which may be the grounds for the complaint. However, this decision may also be interpreted as if health data (or any special categories of data) is mandatory to provide the relevant service, explicit consent may be requested as a precondition.

The Board’s Decision of June 30, 2020 regarding the Personal Data of the Lawyers Published on Websites

This decision is related to notifications made to the Board from lawyers, of which, their full name, registered bar associations, registry numbers, e-mail addresses and photographs are published on various websites without their consents.

The Board has detected only one website regarding only one of the complainants. The profile in the website only included the e-mail address of that complainant. Board decided that the e-mail address is also accessible from Turkish Bar Association’s (TBA) website and the relevant websites could have pulled the information from official TBA website and there is no indication that the websites broadcast such information for a purpose other than the purpose for publication of that information in TBA website and the data subjects are granted the means to delete or rectify the personal data.  Therefore, this matter is not against the processing conditions under Article 5 and general principles under Article 4 of the DPL since the personal data were made public by the data subject to be published on TBA website. 

This is also an important decision since third party websites using the public information for the same purpose is considered in compliance with the DPL even data subject has not consented.

The Board’s Decision of January 30, 2020 regarding the Determination of the Data Controller and Data Processor

The Board published a decision summary regarding the matters that should be taken into account in the determination of the data controller and data processor and which will be fulfilling the obligation to inform. The Board decided that the obligation to inform which is regulated in Article 10 of the Law No. 6698 can also be performed by the data controller itself or by a person authorized by the data controller as well as the data processor. In this decision, the Board also underlines the criteria of data controller and processor.

Those who fulfill most of the following criteria are considered as data controllers: 

– Collection and collection method of personal data,

– The types of personal data to be collected,

– Which individuals’ personal data will be collected,

– Deciding on the processing of personal data and who will process it,

– Deciding on the basic elements of the processing (which personal data will be collected, for what purposes the collected data will be used and how it will be processed, how long the data will be retained, what the data retention policy will be, who will be authorized to access the data, who will be the recipients, etc. can be shown as examples)

– Whether the collected data will be shared, and if so, with whom,

– Being able to make decisions at a high level in the processing of personal data without taking any orders or instructions,

– Dealing directly with the data subjects,

– Appointment of a data processor to carry out data processing on their behalf,

– Taking advantage of the processing activity.

Data controller may appoint a data processor who is authorized with the following through a data processing agreement:

-Which IT systems or other methods will be used for collection of personal data

-Through which method the personal data will be retained

-Details of the security measures that can be taken for protection of personal data

-Using which method the data will be transferred

-Method for correctly operating personal data retention periods

-Methods for deletion, destruction or anonymization of personal data.

Those who fulfill most of the following criteria are considered as data processors:

-Taking instructions from another

-Not having the authority to make decisions in collection of personal data from persons

-Not having the authority to decide on how the data can be exposed, who can access such data

-Not having the authority to decide on data retention process

-Not having responsibility for the consequences of data processing

-Whether there are any decision-making mechanisms regarding data processing within the scope of authorities granted by the data controller under legally binding agreements such as with a data controller.

The Board’s Decision of January 30, 2020 regarding Processing Personal Data without Relying on Any Processing Conditions

The Board conducted an investigation upon the complaint of a person who claimed they received multiple informative messages regarding several electricity service membership numbers regarding various issues and who requested his/her contact information to be deleted from the records related to the relevant membership agreements. The company has not provided to response and kept sending the messages. The company claimed in its defense that, contact information of the relevant data subject was updated but no documents were sent to the Board confirm it. The Board indicated that the request should be considered a request of “correction” of personal data instead of deletion. The Board found that the data controller made it difficult for data subject to exercise its rights. Consequently, the Board instructed the data controller to respond timely and completely to such requests, while also imposing a monetary fine of TL 100,000 (approximately EUR 11,760) on the data controller on the grounds that the data controller did not take the necessary administrative and technical measures.

This decision is important as it demonstrates that the Board is not bound with the legal basis of the complaint and can even change the nature of it during investigation. 

The Board’s Decision of December 1, 2020 regarding Biometric Data

Upon a civil servant’s complaint, Board conducted an investigation regarding a governmental institution’s implementation of fingerprint method for supervising employee shifts. The Board found the relevant methods used by the institution to be in violation of the DPL on the grounds that biometric scanning should only be used when extreme security measures are needed and since as a result of COVID-19, the current method of supervision of employees are made through wet signature, it is understood that at the moment, extreme security measures are not necessary for the institution, and that the institution is able to supervise its employees through alternative methods without processing its employees’ biometric data. Therefore the Board found that taking fingerprints of employees for the purposes of surveilling employee shifts violates the proportionality principle governed under paragraph (ç) of Article 4 of the Law No. 6698.

Although it is related to a public institution and a civil servant’s complaint, it is important in general as biometric scanning for surveilling shifts is a commonly used practice. The data controller claimed that the fingerprints cannot be extracted as the fingerprint data is encrypted, becomes a template and then matched with the relevant person. This methodology is often used in fingerprint scanning systems. However, the Board has not found this defense applicable and emphasized that explicit consent was needed for processing. The Board also emphasized, in line with its previous decisions, that if extreme security measures are not needed and alternative methods are applicable, biometric data should not be taken.

The Board’s Decision of January 27, 2020 regarding Unauthorized Access to E-Mail Account 

The Board investigated the matter upon the complaint of the data subject claiming that his/her corporate e-mail account was accessed without permission and against the law, his/her access settings were changed and he/she requested deletion of all data in his/her e-mail account from the data controller. Data controller indicated in its defense that the data subject was a manager in the company subject to an investigation for misuse of duty for transferring money from corporate accounts to various bank accounts, the data was obtained from the backups, which were created upon the data subject’s own request, the e-mail messages were taken to investigate the issue, which is subject to a commercial lawsuit and data subject’s criminal complaint was rejected.

The Board decided that the processing is in compliance with the law since processing was “necessary for compliance with a legal obligation to which the data controller is subject”.

This is an important decision as it is an example for application of the relevant processing condition.

The Board’s Decision of September 17, 2020 on Sending Lien Notification to the Relatives of a Debtor

According to the decision, the execution office investigated the name and addresses of the debtors’ relatives and sent lien notifications to them. The data controller indicated in its defense that the lien notification was sent in accordance with the Article 89/1 of the Law No. 2004 Enforcement and Bankruptcy Law (“Law No. 2004”) which authorizes execution office to send notices to any third party who possibly holds debtor’s receivables, therefore, the said process was in accordance with the law. Following the data controller’s response, the Board investigated the matter and concluded that the notices sent by the execution office, were in accordance with the Article 89/1 of the Law No. 2004. Therefore Board decided that this personal data processing activity is lawful due the fact that this activity is based on the processing condition of “it is expressly provided for by the laws”.

The Board’s Decision of October 30, 2019 regarding Destruction of Special Categories of Personal Data

The Board received a complaint from a doctor regarding the collection and recording of blood, serum and tissue samples for scientific research projects by a hospital and deterioration of said samples as a result of negligence and error of the said hospital which constitutes a violation of obligations regarding data security in accordance with the Article 12 of the Law No. 6698. The Board requested defense from the data controller on the matter and data controller indicated in its defense that deterioration of said samples caused by a fault which kept under records and said samples are not usable for scientific purposes. Within the information shared by the data controller and complainant, Board stated that, collection of blood, serum and tissue samples with barcodes make it possible to match these samples with the patients which constitutes a personal data processing activity. However Board further stated that, this processing activity falls outside of the scope of the Law No. 6698 as this processing activity is pursued on a scientific purpose which is regulated under the Article 28 of the Law No. 6698 as one of the exceptions.

The Board’s Decision of February 6, 2020 regarding the Rectification  and Erasure of Personal Health Data

The decision states that the DPA received several complaints from data subjects stating that their recorded health data (especially psychiatric health records) constitutes problem in their daily life and requesting rectification and erasure of these personal health data from the records. Board started an investigation and requested the data controller Ministry’s defense on the matter. Data controller indicated in its defense that the said personal data was processed as per the Article 6/3 of the DPL, which does not require the data subjects explicit consent, the legal condition on which the data processing activity is based has not yet disappeared and the erasure of the health records in question may constitute a threat to public health and safety. Data controller also indicated that for diagnoses that are not proven to be inadvertently recorded; data subject should apply to provincial health directorate.

The Board evaluated the matter and stated that; regarding the rectification of the personal health data, Article 13 of the Regulation on Personal Health Data should govern, which directs the relevant persons to provincial health directorates for inadvertent records, legal condition which the data processing activity is based on is still valid and the personal data is processed as per Article 6 of the DPL, therefore decided that no action should be taken regarding the request for erasure.

The Board’s Decision of January 27, 2020 regarding the Personal Data which is Processed within the Scope of White Code Procedure

The Board conducted an investigation upon a complaint wherein the complainant stated that his/her personal data which was accessed from hospital records was processed following an argument between hospital personnel and the complainant, after the complainant left the hospital. The complainant applied data controller hospital and data controller stated in its response that they followed the procedure on the 2016/3 Circular of the Legal Counsel of the Ministry of Health on Legal Aid and White Code Procedure (“Circular No. 2016/3”) and said personal data only shared by the persons/entities that are under confidentiality.  

The Board evaluated the defense of the data controller, and stated that, the processing activity in question was in accordance with the Circular No. 2016/3 which falls under the scope of Article 5/2/ç of the DPL (It is necessary for compliance with a legal obligation to which the data controller is subject). Consequently, Board decided that the processing activity in question was in accordance with the DPL.  

The Board’s Decision of December 26, 2019 regarding the Necessity of Signing Confidentiality Agreement with Public Officer

According the decision; duties, rights, obligations and responsibilities of the public officers are governed under Law No. 657.  Pursing to Law No. 657, the public officers are obliged to comply with the principles specified in the law and other legislation, to carry out their duties with care and attention. Also it is regulated that in the event that individuals are harmed as a result of the fault of a public officer, the relevant person must apply directly to the relevant institution instead of the public officer. Recourse relationship between the public institution and the public officer is regulated in the Law No. 657 and its relevant regulations. In this context, it would not be correct to sign a confidentiality agreement between the public institution and its personnel due to the reason that such agreement will affect the current recourse relationship between the public institution and its personnel.

Board consequently stated that, the issue of signing an employee confidentiality agreement, which is mentioned in both the Personal Data Security Guide and the Board decision numbered 2018/10, is applicable to the employees subject to employment agreement under the orders and instructions of an employer, and to employees working in public institutions and organizations who are not subject to Law No. 657.

By Gonenc Gurkaynak, Partner, Ceren Yildiz, Partner, Noyan Utkan, Associate, and Talha Sen, Associate, ELIG Gürkaynak Attorneys-at-Law

Allocation of liabilities between the parties in merger and acquisition (“M&A”) transactions is of utmost significance, in order to ensure that the buyer will be sufficiently protected, and the seller’s liabilities limited as much as possible. Under Turkish laws, the sellers` liabilities are subject to the provisions of the Turkish Code of Obligations No. 6908 (“TCO”). Having said this, Turkish laws are not designed to save commercial parties from a bad bargain, thus the parties often resort to adding certain clauses to their share purchase agreements (“SPA”) such as representations and warranties, indemnities, amount-based restrictions such as de minimis and baskets clauses, setting forth specific procedures and time limits for claims, and so on. Accordingly, this article aims to provide a general understanding as to the sellers’ liabilities in M&A transactions, the general liability provisions most commonly used in SPAs, and how they are dealt with under the Turkish laws.

Selling with Liabilities

Under the TCO, the seller is liable for defective goods; in this case, defects would be those matters that result in the diminution of the value of the shares subject to the M&A transaction. The extent of this liability however, consists only of those issues that could not be discovered upon inspection, incorporating the principle of caveat emptor i.e., “let the buyer beware.”

The liabilities of the seller arise mainly from the seller’s so called “representations and warranties.” Representations and warranties are usually express guarantees and fundamental statements of the seller in an SPA, whereby they undertake that the target company has certain qualities. Depending on nature of the business, as well as the discussions and negotiations between the parties, warranties may cover various topics such as incorporation, authority, compliance with applicable laws, data protection, material agreements, immovable assets, licenses, litigation, insurances, insolvency and tax.  

According to Article 219 of the TCO, the seller is not only liable for any deficiency in the qualities that it has confirmed existence of to the buyer, but also for the physical, legal or economic defects, even if the seller is not aware of them. The liabilities of the seller are limited by Article 222 of the TCO, which mirrors the caveat emptor principle. Under this article, the seller is only liable for those defects that the buyer did not know about at the time it entered into the contract; or could not have discovered with sufficient inspection. The position is further explained in Article 223 of the TCO, putting the onus on the buyer to carry out a due diligence on the target, or conduct other means of inspection suitable for the nature of the transaction, and to notify the seller upon finding out any irregularities or defects that fall under the seller’s liability. This means that failing to carry out such inspections or notifications will be deemed as the buyer accepting the target “as is” with defects/breaches included, and forfeiting any grounds to a claim (except for any hidden defects).  It should be noted that as per Article 23 of the Turkish Commercial Code No. 6102, the time periods for notifying the seller of the defects are specified as 2 (two) days for “apparent” defects and 8 (eight) days for those which could not be easily discovered, starting from the date of delivery (which can be translated as the completion of share transfers in an M&A transaction). Indeed, these notification periods specified under Turkish laws do not really give sufficient time to the buyer; therefore it is of utmost importance for the parties to determine their customized notification period for the liabilities in an SPA.

Protection of the buyer against risks in an M&A transaction is often achieved by adding an “indemnities” clause into the SPA, where the seller undertakes to reimburse the buyer in case of a breach, on a pound-for-pound basis, mostly for known and specific risks. The difference between the (representations and) warranties and the indemnities is that the warranties act as guarantees on certain aspects of the target company and grant the right to a compensation with respect to the consideration, provided that the value of the target company is diminished, whereas the indemnities are designed to indemnify the exact losses that arise in relation to the matters contained in the clause. Under indemnities, the buyer will be able to recover those losses that would not have been recoverable under warranties (due to their awareness of the facts disclosed to them or for what the buyers ought to have known). In practice, the indemnity option is mostly preferred for future tax liabilities and matters willfully concealed by the seller. The parties may extend the scope of indemnities, as the case may be. The warranties and indemnities must be drawn carefully to exclude the adjustments to consideration (purchase price) already made through closing mechanisms.

For liabilities arising out of breaches of warranties and representations under the SPA, Article 227 of the TCO grants discretionary remedies to the non-breaching party to choose from, such as right to rescind the contract or to ask the purchase price to be reduced in proportion to the defect. The non-breaching party will also have a contractual right to be compensated for its losses arising from the breach.

How to Limit Liability?

Surely, the parties are free to determine the precise scope of their liabilities and the limitation period, so long as they are compatible with the laws, e.g., they cannot waive or limit their liabilities for fraud or gross negligence. Consequently, the parties customarily choose to employ contractual provisions regarding the scope of liabilities and disclosures, caps for individual and aggregate claims, specific time period of limitations and obligations for mitigating loss. 

The scope of liability will primarily be based on the results of the due diligence carried out by the buyer. Also, parties usually add a provision stipulating no liability for disclosed matters for avoidance of doubt. In order to clarify the matters revealed to the buyer, parties opt to sign a “disclosure letter” prior to signature of an SPA. This letter lists the matters disclosed or deemed to be disclosed by the seller and expresses that the buyer has been made aware of such matters. The disclosure letter also provides the basis for construing the representations and warranties. As a means of limiting the seller’s liability, the SPA might refer to this disclosure letter, where the buyer waives its rights to claim with respect to the facts and matters included in the letter.

Another key provision for limiting the monetary amounts of potential claims is the de minimis clause, which stipulates a minimum amount for an individual claim to be brought. In addition to the de minimis, the practice is to set a further threshold to establish a minimum amount for the total to be claimed, by what is called a “basket clause.” Accordingly, the buyer will be able to make a claim to the seller, subject to the agreed individual and aggregate thresholds being exceeded. As a result of de minimis and basket clauses, the seller will be relieved from the burden of dealing with multiple claims concerning trivial amounts, saving cost and time. The overall liability of the seller for claims arising from the SPA may be also capped with a clause.

Lastly, it is important to ensure that the parties will not be entitled to multiple compensation or claims for the same loss, by simply adding a clause to the SPA to prohibit double recovery.

Conclusion

Parties should be mindful that in Turkey, the consequences of M&A transactions in terms of liabilities are not addressed under a separate legislation; they are governed by the TCO which allows the buyer and the seller to freely determine the limits of their liabilities. For this reason, albeit resulting in a very lengthy transaction document, it is important that the buyer ensures that the potential risks will be indemnified or compensated, and the provisions regarding the extent of the seller’s liabilities are not ambiguous.

By Gonenc Gurkaynak, Partner, Nazli Nil Yukaruc, Partner, Selen Ernanli Sakar, Associate, and Irmak Yetim, Associate, ELIG Gürkaynak Attorneys-at-Law

Sait Eryilmaz, Head of Banking & Finance at Clifford Chance Turkey, has made Partner.

Eryilmaz began his career at the Ismen Law Firm in 2009. He moved to Clifford Chance’s Istanbul office in 2012. Eryilmaz was promoted to Counsel at Clifford Chance in 2018, after a brief secondment to the firm’s London office, and he took charge of the firm’s Turkish Banking & Finance practice in May, 2020. He obtained his Bachelor of Laws at the Istanbul Bilgi University in 2009. 

Eryilmaz primarily focuses on project finance and structured finance. According to Clifford Chance, “over the past years Sait has held a key position at the forefront of Turkish infrastructure and energy transactions, taking part in many notable projects including PPPs.” In addition, the firm reported that Eryilmaz acted on behalf of “banks, ECAs, Islamic and conventional financial institutions, sponsors and other transaction parties in domestic and international project financings, including PPPs, infrastructure, transportation (roads, railways and airports) energy projects, oil and gas, and privatizations.”

The Balcioglu Selcuk Ardiyok Keki Attorney Partnership has advised Yildiz Holding A.S. and Gozde Girisim Sermayesi Yatirim Ortakligi A.S. on the sale of their 100% stake in Kumas Manyezit Sanayi A.S., a producer and seller of customized refractory products, to Eregli Demir ve Celik Fabrikalari T.A.S. The Esin Attorney Partnership advised the buyers on the deal.

BASEAK’s team included Managing Partner Galip Selcuk, Associate Mert Buberoglu, and Legal Intern Simge Yilmaz.

The Esin Attorney Partnership’s team included Partners Eren Kursun and Ali Selim Demirel, Senior Associate Orcun Solak, and Associate Sila Pinar.

Kinstellar has advised Hungarian medical device manufacturer Medicor on its EUR 2 million investment in the construction of an incubator-production facility in Ankara, Turkey.

Medicor is described by Kinstellar as “one of the largest and oldest medical device manufacturers in Hungary.” The company, which was founded in 1963, produces incubators and warming and resuscitation tables, and exports them to more than 100 countries.

According to Kinstellar, the project is Hungary’s first direct investment in the medical industry in Turkey. The firm reported that the new facility is expected to start production by the first half of 2022 and that the incubators produced in the Turkish plant will be sold in Central Asia, the Middle East, and Africa.

Mustafa Varank, Minister of Technology and Industry in Turkey, said that “this investment is one of the pioneering steps for economic and trade cooperation between Turkey and Hungary, which has a great potential.”

Kinstellar’s team included Partner Ebru Temizer, Associates Irmak Seymen and Ceren Ceyhan, and Legal Intern Ali Kiziltepe.

Former Esin Attorney Partnership Attorney Asli Tezcan has rejoined Acar & Ergonen.

Tezcan, who joins as a Partner specializes in Corporate/M&A. She has a BA in Law from Yeditepe University and an LL.M. from the Queen Mary University. She started her career with three years at Caga & Caga before joining Acar & Ergonen for the first time in September, 2014. In May of 2019 she moved to the Esin Attorney Partnership before returning to Acar & Ergonen.

“Asli’s background in dispute resolution has turned into a lucrative sense of determining the potential disputes and the most practical solutions for clients,” commented Acar & Ergonen Partner Onur Ergonen. 

“Asli is an excellent leader, a solid team player, and a remarkable support not only for the firm but also for the clients,” added Acar & Ergonen Managing Partner Duygu Acar Yucesoy.