Internal investigations in Turkey are no longer limited to banks, listed issuers, or multinational groups. In practice, any company operating in Türkiye may need to investigate allegations of fraud, bribery, data misuse, harassment, competition-law violations, AML red flags, accounting irregularities, unauthorized foreign employment, or document tampering. Turkish law does not provide one single, stand-alone “internal investigations act.” Instead, the legal basis for internal investigations is built from several sources: the Turkish Commercial Code’s board duties and information rights, employment-law rules on disciplinary action and termination, the Personal Data Protection Law, competition-law inspection powers, AML compliance rules, and general criminal-law rules on reporting crime and preserving evidence. In other words, internal investigations in Turkey are legally real even though they are not codified in one single statute.
That is also why corporate liability in Turkey must be understood in layers. A company may face civil-law and corporate-law liability through the Turkish Commercial Code, administrative fines through regulators such as the Competition Authority, the Personal Data Protection Board, or the Ministry of Labour, and, in certain cases, security measures applicable to legal entities under criminal law. Meanwhile, directors and managers may face their own exposure if they breach non-delegable duties, ignore obvious red flags, or fail to supervise delegates with reasonable care. Internal investigations matter because they often become the bridge between a first warning sign and those later liabilities.
Why internal investigations matter under Turkish company law
Under Turkish law, the board cannot treat serious misconduct allegations as purely operational noise. Article 375 of the Turkish Commercial Code gives the board non-delegable duties that include top-level management, determining the management organization, establishing the order necessary for accounting and financial planning, appointing key managers and signatories, and supervising whether management acts in accordance with the law, the articles of association, internal directives, and written board instructions. That statutory structure makes internal investigations a governance tool, not merely an HR tool. When a company learns of possible wrongdoing, the question is not only whether the allegation is true. The question is also whether the board has created a system capable of detecting, escalating, and addressing unlawful conduct.
Article 367 strengthens that point. It allows management to be delegated through an internal directive, but it requires that directive to define duties, positions, hierarchy, and who must provide information to whom. Article 392 then gives each board member broad information and inspection rights over the company’s affairs, records, contracts, correspondence, and other documents. In practical terms, Turkish law expects internal investigations to function inside an identifiable reporting structure. A company that has no clear escalation chain, no internal directive, and no reporting discipline will often struggle to show that it investigated misconduct in a lawful and credible way.
The risk-oversight framework points in the same direction. Article 378 of the Turkish Commercial Code requires listed companies to establish, operate, and develop a committee and system for early detection and management of risks threatening the company’s existence, development, and continuity. The Public Oversight Authority’s principles on that system confirm that the board is responsible for establishing and operating it. Internal investigations are not identical to that committee process, but they fit naturally within the same logic: when a company encounters a serious compliance signal, it should not improvise. It should respond through a documented governance mechanism.
Common triggers for an internal investigation in Turkey
In Turkish practice, internal investigations are usually triggered by one of five events. The first is an internal report or complaint from an employee, manager, shareholder, or business partner. The second is a regulator-facing event such as a dawn raid, a data-breach incident, a suspicious transaction concern, or a work-permit irregularity. The third is an audit finding involving accounting, tax, inventory, or document inconsistencies. The fourth is an employment incident such as harassment, misconduct, policy breaches, or retaliation allegations. The fifth is a transactional trigger, especially before financing, M&A, or restructuring, when the company realizes that unresolved compliance issues could affect value or closing. This categorization is a practical synthesis, but it is grounded in the way Turkish law and regulators structure oversight across competition, privacy, AML, labour, and corporate governance.
Competition-law triggers are especially common because the Competition Authority has strong powers to request information and inspect electronic and physical records. Article 14 allows the Board to request information it deems necessary from public bodies, undertakings, and associations of undertakings. Article 15 allows on-site inspections, including examination of books, all kinds of data and documents on physical or electronic media and in information systems, copying materials, and taking statements on specific issues. Article 43 then structures the investigation phase, including notification to parties, a six-month investigation period that may be extended once, and the possibility of commitments and settlement. A company that receives a competition inquiry or raid in Turkey should usually begin an immediate parallel internal investigation rather than wait passively for the authority’s file to develop.
Privacy and cybersecurity triggers are similarly time-sensitive. Article 12 of the Personal Data Protection Law requires the controller to take necessary technical and organizational measures, imposes joint responsibility with processors, and requires internal audits. The Board’s breach-notification materials further state that where notification cannot be made within 72 hours, the reason for delay must accompany the notice, and that the controller should document the facts, effects, and measures taken. A suspected data leak, unauthorized access event, or processor incident therefore requires not only technical containment but also a legally structured internal fact-finding process.
AML triggers often arise from unusual transaction patterns, incomplete onboarding, source-of-funds issues, or red flags raised by finance or operations teams. MASAK’s official materials show that the AML framework is risk-based, that Law No. 5549 is designed to prevent laundering of crime proceeds, and that the compliance-program framework includes risk management, monitoring and control, training, and internal audit. Turkish AML law also treats suspicious transactions as a formal compliance matter rather than as an informal commercial concern. In practice, when a Turkish entity or obliged party notices a suspicious structure, it should launch an internal review quickly and through a tightly controlled chain rather than discuss the issue casually across commercial teams.
How to structure an internal investigation in Turkey
A defensible Turkish internal investigation usually begins with a written scoping decision. The company should define what is being investigated, why the investigation is being opened, who will lead it, what the initial facts are, which legal areas may be implicated, and which immediate protective actions are needed. That sounds obvious, but it matters because Turkish law repeatedly emphasizes documented organization and information flow. If the company later has to explain its conduct to the board, an auditor, a court, or a regulator, the existence of a structured opening record will often be the first sign that the matter was handled seriously.
The next step is evidence preservation. In Turkey, evidence preservation is not just good practice; it may also have criminal-law significance. Article 281 of the Turkish Penal Code punishes destroying, erasing, hiding, altering, or corrupting evidence in order to prevent the truth from emerging. Competition law adds a second layer: the Competition Authority may inspect electronic systems and can impose sanctions if an on-site inspection is hindered or likely to be hindered. That means the company should issue preservation instructions immediately, suspend ordinary deletion where necessary, protect devices and accounts relevant to the allegations, and document who was told what and when.
After preservation comes controlled fact collection. In Turkish internal investigations, fact collection usually includes document review, limited custodian collection, interviews, and chronology building. But the company should not confuse speed with disorder. Article 392 gives board members strong inspection rights, and internal investigations should usually be designed so that management or the board can later understand the factual basis of the result. A defensible investigation file therefore separates raw facts from legal analysis and should preserve source integrity rather than summarize everything into unsupported conclusions.
Data protection limits during internal investigations
A Turkish internal investigation is itself a personal-data processing activity, which means the KVKK applies to the process. Article 4 requires lawfulness, fairness, purpose limitation, proportionality, and limited retention. Article 5 requires a valid legal basis for processing ordinary personal data, and Article 6 treats health data, criminal-conviction data, biometric data, union membership, and several other categories as special categories of personal data subject to stricter rules and adequate measures. If the company is reviewing emails, HR records, access logs, disciplinary files, or hotline reports, it should therefore ask not only what is useful for the investigation, but also what is lawful and proportionate to collect and review.
Transparency and data-subject rights also matter. Article 10 requires the controller to inform data subjects about identity, purpose, transfer recipients, collection method, legal basis, and rights; Article 11 gives rights of access, correction, deletion, and other claims. That does not mean every ongoing internal investigation must be explained in full to every person affected while evidence is still being gathered. It does mean that the company should ensure that its employee notices, internal policies, and case-handling practices create a lawful framework for investigation-related processing and that it can later explain the legal basis and purpose of the processing if challenged.
Cross-border investigations require special attention. Article 9 now allows transfers abroad only if Article 5 or 6 conditions exist and either an adequacy decision or another recognized safeguard is present. The law also requires notification to the Authority within five business days when the standard contract route is used. This matters in Turkish investigations because multinational groups often want foreign parent companies, foreign counsel, or global forensic vendors to review evidence. If investigation files containing personal data are exported abroad without checking Article 9, the company may solve one problem while creating another.
Employee interviews, disciplinary findings, and labour-law consequences
Internal investigations in Turkey often lead to employment decisions. When that happens, labour-law procedure becomes critical. The Ministry of Labour’s official English guidance states that an employer who wishes to terminate an employment contract based on the worker’s performance, behavior, the requirements of the job, the business, or the workplace must notify the employee in writing and observe the applicable notice periods. The same guidance also states that when termination is made without a valid reason being stated, or the stated reason is claimed to be invalid, the employee may seek invalidity of termination and reemployment, and mediation must be initiated within one month. That means a Turkish company should treat disciplinary outcomes as legally document-heavy decisions, not as informal managerial acts.
The same official guidance also notes that immediate-termination cases falling within Article 25 of the Labour Law are outside the notice-compensation regime. In practice, if an internal investigation reveals theft, serious dishonesty, grave misconduct, or another just-cause scenario, the employer may have a stronger termination position. But that does not eliminate the need for a properly documented investigation. Quite the opposite: because the company may later need to defend the dismissal in mediation or litigation, the evidentiary quality of interviews, records, and written findings becomes even more important.
Internal investigations also intersect with foreign-worker compliance. The Ministry’s official 2026 fines page states that employers employing foreigners without a work permit face an administrative fine of TRY 102,503 for each foreigner. If an internal review uncovers unauthorized work, the company is not merely dealing with an HR defect. It is dealing with a regulatory exposure that may require immediate remediation, payroll and social-security review, and sometimes a broader governance inquiry into how the hiring and approval process failed.
When an internal investigation may require external reporting
Turkish law sometimes makes non-reporting itself risky. Article 278 of the Penal Code punishes failure to report an ongoing crime, or a completed crime whose consequences can still be limited, to the competent authorities. Articles 279 and 280 go further for public officials and health professionals, imposing specific reporting duties where crimes are learned in connection with duty or indicated during professional practice. This does not mean every internal investigation in a private company automatically requires an external criminal report. It does mean that internal investigators should assess early whether the allegation involves conduct that may trigger a legal reporting obligation rather than assuming the matter can remain entirely internal.
Competition law also creates structured external-resolution paths. Article 43 allows undertakings to offer commitments in Article 4 or 6 matters and permits settlement after investigation has been initiated. The Board may apply up to a 25 percent discount in administrative fines through settlement, but settled parties cannot later take the fine or settlement text to court. For companies in Turkey, that means an internal investigation following a dawn raid or competition complaint should not stop at fact gathering. It should also assess early whether the case is a defense case, a commitment case, a settlement case, or some combination of these.
Privacy incidents create another external-reporting path. The Board’s breach-notification materials require notice to the Board without undue delay and at the latest within 72 hours, allow phased submissions where necessary, and require the controller to keep documentation ready for Board review. If an internal investigation confirms a breach, the company should shift quickly from exploratory fact gathering to notification, containment, and remediation. Waiting until every technical uncertainty has been resolved may create a separate compliance failure.
Corporate liability in Turkey: what can actually happen
Corporate liability in Turkey is not a single concept. Under criminal law, Article 20(2) of the Turkish Penal Code states that criminal punishments cannot be imposed on legal entities. But the same article preserves security measures prescribed by law, and Article 60 expressly provides that where certain intentional crimes are committed for the benefit of a private-law legal entity through abuse of an activity permit, the court may order cancellation of the permit, while confiscation rules may also apply. So a Turkish company does not face “criminal punishment” in the same way an individual does, but that does not mean the company is legally safe if crimes are committed for its benefit.
The second layer is corporate-law and civil liability. Article 553 of the Turkish Commercial Code states that founders, board members, managers, and liquidators are liable to the company, shareholders, and creditors for losses caused by culpable breach of duties arising from the law or the articles of association. It also says that where duties are lawfully delegated, the delegating organ is not liable for the acts and decisions of delegates unless it failed to exercise reasonable care in selecting them. This is one of the most important reasons internal investigations matter in Turkish practice: they are often how a board later shows that it did not ignore red flags and that it supervised, documented, and reacted with reasonable care.
The third layer is administrative and regulatory liability. Under competition law, companies can face fines of up to 10 percent of annual gross revenue for infringements of Articles 4, 6, and 7, and managers or employees with decisive influence may face additional fines of up to 5 percent of the penalty imposed on the undertaking. Under the KVKK, Article 18 establishes administrative fines for failures concerning the duty to inform, data security, compliance with Board decisions, registry obligations, and Article 9(5) notification obligations. The Ministry of Labour separately publishes work-permit fines. In practice, this means the most immediate liability following a failed internal investigation in Turkey is often administrative rather than criminal.
What a defensible Turkish investigation process looks like
A defensible internal investigation in Turkey usually has six features. It starts with a written opening and scope. It moves immediately to evidence preservation. It uses a lawful and proportionate data-processing model under the KVKK. It documents interviews and findings carefully enough to support employment, regulatory, or board-level decisions. It evaluates whether external reporting is required under competition, privacy, AML, or criminal-law rules. And it ends with remediation, not just fact collection. These features are not copied from one Turkish statute, but they reflect the combined demands of the Turkish Commercial Code, the KVKK, competition law, labour guidance, and criminal-law evidence rules.
The remediation phase is often where Turkish companies gain or lose credibility. If the investigation finds weak controls, management should update the internal directive, authority matrix, approval process, processor contract, hiring workflow, or dawn-raid protocol that failed. If the issue involved misconduct by individuals, the company should separate personnel action from system repair. If the issue involved a regulator-facing event, the company should align its internal report with its external position. The key principle is consistency: Turkish regulators and courts are more likely to trust a company that can show a clean line from allegation, to investigation, to decision, to remediation.
Conclusion
Internal investigations and corporate liability in Turkey should be understood as part of one governance continuum. There is no single general Turkish law on internal corporate investigations, but the board’s non-delegable duties, the board’s information rights, the risk-oversight framework, labour-law termination rules, the KVKK, competition-law enforcement powers, MASAK’s compliance architecture, and the Penal Code’s evidence and reporting rules together create a very real legal framework for how internal investigations should be conducted.
The practical takeaway is simple. In Turkey, the question is rarely whether a company is allowed to investigate internally. The real question is whether it can do so lawfully, proportionately, quickly, and in a way that will withstand scrutiny if the matter later becomes a dismissal, a regulator inquiry, a board-liability dispute, or a criminal file. Companies that treat internal investigations as structured legal processes are in a much stronger position than companies that treat them as informal management reactions.
Yanıt yok