Legal Responsibilities of Internet Service Providers in Turkey

Introduction

Internet Service Providers, commonly referred to as ISPs, play a central role in Turkey’s digital economy. They provide internet access to individuals, businesses, public institutions, schools, hospitals, banks, e-commerce platforms, technology companies and digital service providers. Because internet access has become essential for communication, commerce, education, public services, financial transactions and freedom of expression, ISPs in Turkey are subject to a detailed legal and regulatory framework.

The legal responsibilities of Internet Service Providers in Turkey are not limited to providing internet connectivity. ISPs must comply with electronic communications legislation, BTK authorization rules, internet law obligations, consumer protection rules, data protection requirements, cybersecurity standards, network and information security duties, access-blocking procedures, traffic data rules, complaint-handling obligations and administrative audit mechanisms.

The main regulatory authority for ISPs in Turkey is the Information and Communication Technologies Authority, known in Turkish as Bilgi Teknolojileri ve İletişim Kurumu or BTK. BTK supervises the electronic communications sector and imposes obligations on operators under Law No. 5809 on Electronic Communications and related secondary legislation. BTK states that the electronic communications framework includes authorization, supervision, regulation and sanctions concerning electronic communications services, devices and systems.

In addition to Law No. 5809, Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed by Means of Such Publications is highly relevant for ISPs. Law No. 5651 regulates internet actors such as content providers, hosting providers, access providers and public internet use providers.

For this reason, any company planning to provide internet access services in Turkey must understand whether it qualifies as an electronic communications operator, access provider, hosting provider or another regulated internet actor. Correct legal classification is the first and most important step in determining ISP obligations.

What Is an Internet Service Provider under Turkish Law?

An Internet Service Provider is generally a company that enables users to access the internet through electronic communications networks. In practice, ISPs may provide fixed broadband, fiber internet, wireless internet, satellite internet, mobile broadband, corporate internet lines, leased lines, public Wi-Fi connectivity, wholesale internet access or data transmission services.

Under Turkish law, ISP activities are closely connected to the concept of electronic communications. Electronic communications services are regulated under Law No. 5809, and companies that provide electronic communications services or operate electronic communications networks may be required to obtain BTK authorization before starting operations. BTK explains that companies wishing to provide electronic communications services or establish and operate electronic communications networks or infrastructure must notify the Authority before commencing their activities. Where the service requires scarce resources such as numbers, frequencies or satellite positions, usage rights may also be required.

This means that an ISP cannot treat internet access as an ordinary commercial service. Providing internet connectivity to third parties usually falls within the electronic communications regulatory framework. Therefore, before launching services, an ISP must determine the correct authorization category, prepare the necessary corporate documents, comply with BTK procedures and establish internal compliance systems.

BTK Authorization and Licensing Obligations

One of the most important legal responsibilities of ISPs in Turkey is obtaining proper authorization from BTK. In international terminology, this is often called an “ISP license.” Under Turkish law, the more accurate concept is “authorization.”

BTK authorization may be based on notification or usage rights, depending on the nature of the service. If the ISP does not require scarce resources such as frequency, number or satellite position, notification-based authorization may be sufficient. If the service requires such resources, the operator may need usage rights.

ISPs must not start commercial operations before completing the required authorization process. Operating without authorization may result in administrative sanctions, suspension of activities, termination of unauthorized services, consumer disputes, contractual liability and reputational harm.

A company planning to provide ISP services in Turkey should ask the following questions:

Does the company provide internet access to end users?

Does it operate fiber, wireless, satellite or fixed infrastructure?

Does it resell internet access obtained from another operator?

Does it provide corporate connectivity or leased line services?

Does it offer public Wi-Fi access to third parties?

Does it use radio frequencies or satellite connectivity?

Does it operate infrastructure or only provide software?

If the answer indicates electronic communications activity, BTK authorization should be analyzed before launch.

Access Provider Responsibilities under Law No. 5651

ISPs are also important actors under Law No. 5651 because they may qualify as access providers. An access provider is an entity that enables users to access the internet. This status creates specific obligations concerning access-blocking decisions, traffic information, record-keeping, cooperation with competent authorities and compliance with legally issued orders.

Law No. 5651 distinguishes between content providers, hosting providers, access providers and public internet use providers. This distinction is crucial because each actor has different responsibilities. A content provider is generally responsible for content it creates or publishes. A hosting provider provides or operates systems that host services and content. An access provider enables users to access the internet.

ISPs should therefore identify their legal role correctly. A company may be both an ISP and an access provider. If it also hosts websites, cloud systems or customer content, it may additionally have hosting provider obligations. If it operates public internet access in a hotel, café, shopping mall, university or workplace, public internet use provider rules may also become relevant.

The legal classification affects liability. An access provider is generally not the author of content accessed by users. However, it may be required to implement access-blocking decisions and comply with technical and administrative obligations under Law No. 5651.

Access Blocking Obligations

One of the most sensitive responsibilities of ISPs in Turkey is compliance with access-blocking decisions. Access-blocking measures may arise under Law No. 5651 in relation to certain unlawful online content, personal rights violations, privacy violations, catalogue crimes or other legally regulated situations.

ISPs are not usually responsible for creating the unlawful content. However, as access providers, they may be legally required to implement access-blocking decisions issued by competent authorities. This requires both technical capacity and legal review.

An ISP should establish a formal internal process for access-blocking orders. This process should include:

Receiving and registering official decisions.

Verifying the issuing authority.

Identifying whether the decision concerns a URL, domain name, IP address or other technical target.

Assessing technical feasibility.

Implementing the decision within the required timeframe.

Recording the implementation date and method.

Preserving evidence of compliance.

Escalating unclear, excessive or technically impossible decisions to legal counsel.

Access-blocking compliance is not merely a technical ticketing task. It affects freedom of expression, privacy, public order, criminal investigations and user rights. Therefore, ISPs should handle access-blocking orders through coordinated legal and technical teams.

Traffic Data and Log Retention

Traffic data is one of the most important legal responsibilities of ISPs. Internet access naturally creates technical records such as IP address allocation, connection time, session logs, subscriber identifiers, port information, routing data and other connection-related metadata.

Traffic data is legally sensitive because it can connect online activity with an identifiable subscriber. Even if it does not reveal the content of communications, it may show when a person connected, which IP address was assigned, which services were accessed technically and which subscriber account was involved.

Under Turkish internet law, access providers may have duties concerning traffic information, retention, integrity and confidentiality. Unlawful disclosure, inaccurate logging, excessive retention, failure to preserve required logs or insecure storage may expose the ISP to regulatory and legal risks.

ISPs should maintain a clear traffic data policy. This policy should determine:

Which logs are collected.

Why they are collected.

How long they are retained.

Who can access them.

How they are protected.

How official requests are handled.

When and how they are deleted.

How integrity and confidentiality are ensured.

Traffic data should be protected with strong technical and administrative measures. Access should be restricted to authorized personnel, and every access should be logged. Traffic data should not be used for unrelated commercial profiling unless there is a lawful basis.

Personal Data Protection Responsibilities

ISPs process large amounts of personal data. Subscriber names, identity numbers, passport numbers, addresses, e-mail addresses, phone numbers, IP addresses, payment information, invoices, subscription documents, customer service recordings, modem details, complaint records and traffic data may all qualify as personal data.

The main data protection law in Turkey is Law No. 6698 on the Protection of Personal Data. Article 12 of the law requires data controllers to take all necessary technical and organizational measures to ensure an appropriate level of security, prevent unlawful processing, prevent unlawful access and safeguard personal data.

For ISPs, personal data protection is not optional. The ISP should identify whether it acts as a data controller or data processor in each processing activity. In most subscriber relationships, the ISP will be the data controller because it determines the purposes and means of processing subscriber data.

A compliant ISP should prepare:

Privacy notices.

Data processing inventory.

Subscriber consent mechanisms where required.

Data retention and deletion policy.

Data breach response procedure.

Access control rules.

Vendor and processor agreements.

Cross-border data transfer analysis.

Employee training records.

Customer request response procedures.

Data subject rights are also important. Subscribers may request information about whether their data is processed, request correction of inaccurate data, request deletion under legal conditions and object to certain processing activities. ISPs must respond to such requests within the legal framework.

Cybersecurity and Network Security Obligations

Cybersecurity is a core legal responsibility for ISPs in Turkey. ISPs operate critical infrastructure that affects public communication, financial transactions, business continuity and access to public services. A cyberattack against an ISP may cause internet outages, data breaches, DDoS disruptions, DNS manipulation, customer portal compromise, billing system exposure or traffic data leakage.

BTK states that Law No. 5809, authorization regulations and other sectoral instruments include obligations related to network and information security. BTK’s network and information security framework requires operators to comply with procedures and principles designed to ensure network and information security.

For ISPs, cybersecurity obligations should include:

Network monitoring.

DDoS protection.

Incident response planning.

Access control.

Encryption.

Log monitoring.

Vulnerability management.

Penetration testing.

Malware protection.

Secure backup.

Business continuity planning.

Vendor security controls.

Employee training.

ISPs should also be prepared for audits and official information requests. BTK may supervise operators financially, technically, legally and administratively, and may request documents and information.

Consumer Rights and Subscriber Protection

ISPs also have important consumer law responsibilities. Internet subscribers have rights concerning transparent contracts, accurate billing, service quality, cancellation, complaint handling, data privacy and fair treatment.

Common ISP consumer disputes in Turkey include slow internet speed, frequent disconnections, unfair invoices, excessive cancellation fees, modem charges, installation delays, continued billing after cancellation, misleading campaigns, unauthorized additional services and poor customer service.

An ISP must provide clear pre-contractual information. The subscriber should understand:

The service type.

Advertised and expected internet speed.

Infrastructure limitations.

Monthly fee.

Taxes and additional charges.

Commitment period.

Cancellation rules.

Modem or equipment fees.

Installation charges.

Complaint channels.

Data processing terms.

Marketing statements such as “unlimited internet,” “free modem,” “no commitment,” “fiber speed” or “no cancellation fee” must not mislead consumers. If technical limitations, infrastructure conditions or additional fees apply, these must be clearly disclosed.

Billing and Cancellation Responsibilities

Accurate billing is one of the most practical ISP responsibilities. ISPs must not charge consumers for services that were not requested, not activated or not properly disclosed. Billing systems should be auditable and should preserve evidence of subscriber approval, tariff selection and service activation.

Cancellation is another frequent dispute area. If a subscriber lawfully requests termination, the ISP must process the request under the applicable rules. Continued billing after a valid cancellation request may create liability. The ISP should keep records of termination requests, confirmation notices, service closure dates, final invoices and equipment return processes.

Commitment-based contracts are common in Turkey. ISPs may offer discounts in exchange for a fixed-term commitment. However, early termination fees must be lawful, transparent and properly calculated. A consumer may challenge excessive or unclear cancellation fees.

Public Wi-Fi and Shared Internet Access

Some ISPs provide internet access to hotels, cafés, shopping malls, municipalities, universities, airports, co-working spaces and public venues. In these cases, public internet access rules may also become relevant.

Businesses offering public Wi-Fi should understand whether they are merely customers of an authorized ISP or whether their service structure creates additional obligations under Law No. 5651. User authentication, traffic logs, access policies and cooperation duties may become important depending on the model.

ISPs that provide infrastructure or managed services for public Wi-Fi should clearly allocate responsibilities in contracts. The agreement should address user identification, log retention, data protection, access-blocking compliance, technical support, cybersecurity and liability.

Hosting, Cloud and Related Services

Some ISPs also provide hosting, cloud, data center, e-mail, domain, server or content-related services. If so, they may have additional obligations as hosting providers or digital service providers.

A hosting provider is not the same as an access provider. However, a company may act in both capacities depending on the services offered. For example, an ISP may provide internet access to consumers and also host business websites. The access service and hosting service should be legally separated in the compliance framework.

Hosting-related obligations may involve traffic data, content removal, cooperation with official decisions, customer contracts, data security, server location, vendor responsibilities and data protection.

Cooperation with Public Authorities

ISPs may receive requests from courts, prosecutors, administrative authorities, BTK or other competent institutions. These requests may concern traffic data, subscriber identity, access blocking, cybersecurity incidents, fraud investigations, personal rights violations or other legal matters.

ISPs must respond only within the limits of law. They should not disclose subscriber data to unauthorized persons or institutions. Each official request should be checked for authority, scope, legal basis and required format.

A strong internal procedure should determine:

Who receives official requests.

Who verifies legality.

Who approves disclosure.

What data may be shared.

How disclosure is logged.

How confidentiality is maintained.

How subscribers are informed where legally possible.

Improper disclosure of subscriber data may create KVKK liability, civil liability and reputational harm.

Administrative Sanctions and Legal Liability

ISPs may face administrative sanctions if they violate BTK regulations, authorization conditions, Law No. 5651 obligations, consumer rights, data protection rules or network security duties. BTK’s audit function includes monitoring compliance with license conditions, equipment standards, sectoral legislation, spectrum usage and other regulatory requirements, and sanctions may be imposed on operators that fail to comply.

Legal liability may arise in several ways:

Administrative fines by BTK.

Data protection penalties by KVKK.

Consumer arbitration committee decisions.

Consumer court lawsuits.

Commercial lawsuits by corporate customers.

Compensation claims for service interruption.

Claims arising from data breaches.

Criminal complaints in cases involving unlawful access or misuse of data.

Regulatory non-compliance can also affect investment value. Foreign investors acquiring an ISP should review authorization status, BTK audit history, consumer complaints, data protection compliance, traffic data policies, cybersecurity controls and access-blocking procedures.

Practical Compliance Checklist for ISPs in Turkey

An ISP operating in Turkey should maintain a structured compliance program. The following checklist may be used:

Confirm BTK authorization status before launching services.

Identify whether the company is an access provider, hosting provider or both.

Prepare Law No. 5651 compliance procedures.

Create access-blocking order response workflows.

Maintain lawful traffic data retention and deletion policies.

Protect subscriber data under KVKK.

Prepare privacy notices and data subject response procedures.

Implement network and information security measures.

Prepare DDoS and cybersecurity incident response plans.

Maintain accurate billing systems.

Prepare transparent subscription agreements.

Disclose internet speed, fees and commitment terms clearly.

Process cancellation requests lawfully.

Maintain complaint response records.

Train customer service, sales, dealer and technical teams.

Review public Wi-Fi service contracts.

Review hosting and cloud service obligations.

Prepare audit-ready documentation.

Monitor BTK decisions and legislative changes.

Seek legal advice before launching new services.

Conclusion

The legal responsibilities of Internet Service Providers in Turkey are broad, technical and compliance-sensitive. ISPs are not merely commercial internet sellers. They are regulated actors within the electronic communications and internet law framework.

Their responsibilities arise mainly from Law No. 5809, BTK regulations, Law No. 5651, personal data protection law, cybersecurity rules, consumer protection legislation and administrative supervision. ISPs must obtain proper BTK authorization, comply with access provider obligations, handle traffic data securely, implement access-blocking decisions, protect personal data, maintain network security, treat consumers fairly and respond to official requests lawfully.

For consumers and businesses, ISP compliance directly affects internet access, privacy, billing, service quality and digital security. For ISPs, compliance is essential to avoid administrative sanctions, data protection penalties, customer disputes, service interruptions and reputational damage.

As Turkey’s digital economy continues to expand, the role of ISPs will become even more important. Companies that establish strong legal compliance systems will reduce regulatory risk, protect subscribers, strengthen trust and operate more sustainably in the Turkish internet market.

Frequently Asked Questions

Do Internet Service Providers need BTK authorization in Turkey?

Yes. Companies providing electronic communications services or operating electronic communications networks generally need BTK authorization before starting activities.

What is the main law regulating ISPs in Turkey?

The main legal framework includes Law No. 5809 on Electronic Communications and Law No. 5651 on internet publications and crimes committed through internet broadcasts.

Are ISPs considered access providers under Turkish law?

In many cases, yes. ISPs that enable users to access the internet may qualify as access providers under Law No. 5651.

Are ISPs responsible for user content?

ISPs are generally not the creators of user content. However, they may have obligations to implement lawful access-blocking decisions and comply with access provider duties.

Must ISPs retain traffic data?

Access providers may have obligations concerning traffic information and log retention. Such data must be protected, accurate, confidential and processed only within the legal framework.

Are IP addresses personal data in Turkey?

IP addresses may qualify as personal data where they relate to an identified or identifiable person. ISPs should treat IP allocation records and subscriber logs as sensitive personal data.

What are the main consumer disputes against ISPs?

Common disputes include slow internet speed, unfair invoices, cancellation fees, installation delays, continued billing after cancellation, misleading campaigns and service interruptions.

Can ISPs face administrative sanctions?

Yes. ISPs may face BTK sanctions, KVKK penalties, consumer claims and other legal consequences if they fail to comply with authorization, internet law, data protection, cybersecurity or consumer protection obligations.

Categories:

Yanıt yok

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

Our Client

We provide a wide range of Turkish legal services to businesses and individuals throughout the world. Our services include comprehensive, updated legal information, professional legal consultation and representation

Our Team

.Our team includes business and trial lawyers experienced in a wide range of legal services across a broad spectrum of industries.

Why Choose Us

We will hold your hand. We will make every effort to ensure that you understand and are comfortable with each step of the legal process.

Open chat
1
Hello Can İ Help you?
Hello
Can i help you?
Call Now Button