Introduction
Data theft by former employees in Turkey is one of the most common and legally complex forms of corporate cybercrime. Former employees may retain passwords, continue accessing company systems, export customer lists, copy trade secrets, download source code, transfer confidential files to personal e-mail accounts, delete business records, take employee data, misuse client information or share company databases with competitors.
In modern business life, company data is often more valuable than physical assets. Customer portfolios, pricing models, supplier contracts, technical designs, software codes, marketing strategies, CRM records, patient files, employee records, accounting documents and e-mail archives may determine a company’s competitive advantage. When a former employee unlawfully copies, transfers or uses such information, the company may suffer financial loss, reputational harm, regulatory exposure and serious operational damage.
Under Turkish law, data theft by former employees may trigger several legal routes at the same time. Depending on the facts, the conduct may constitute unauthorized access to an information system, system interference, unlawful acquisition or transfer of personal data, disclosure of trade secrets, unfair competition, breach of confidentiality, employment-related misconduct, civil tort liability and compensation claims. Turkish Penal Code Article 243 punishes unlawful access to an information system, while Article 244 covers deletion, alteration, transfer or making data inaccessible. Article 243 does not require the offender to alter data; unlawful entry or remaining may be sufficient where the statutory conditions are met.
This article explains the criminal and civil legal remedies available in Turkey when a former employee steals, copies, transfers, deletes or misuses company data.
1. What Is Data Theft by a Former Employee?
Data theft by a former employee generally means the unauthorized taking, copying, transferring, storing, deleting, disclosing or using of company data after or in connection with the end of employment. The conduct may occur before resignation, during the notice period, immediately after dismissal or long after the employment relationship ends.
Common examples include:
A former sales employee exporting a customer list from the company CRM.
A dismissed IT employee continuing to access company e-mail accounts.
A former manager copying pricing strategies and supplier contracts.
A software developer downloading source code before joining a competitor.
A former HR employee taking payroll or employee identity files.
A healthcare worker copying patient records.
A departing employee forwarding business e-mails to a personal account.
A former employee changing passwords and blocking company access.
A former employee deleting logs, documents or project files.
A salesperson sending customer data to a new employer.
The legal analysis depends on the nature of the data, the method of acquisition, whether the employee still had authorization, whether personal data was involved, whether the information was confidential, whether competitors benefited, and whether the company suffered measurable damage.
2. Unauthorized Access After Employment Ends
The starting point in many former employee cases is unauthorized access. During employment, an employee may have lawful access to company systems. However, that access is normally limited by employment duties, internal policies, confidentiality obligations and the duration of the employment relationship.
After resignation, dismissal or termination, continued access to company systems may become unlawful unless the company expressly authorizes it. A former employee who logs into the company’s CRM, e-mail account, cloud archive, accounting software, internal server, social media account or database after termination may face liability under Turkish Penal Code Article 243.
Article 243 punishes a person who unlawfully enters or remains in all or part of an information system. The provision covers both initial unlawful access and continued presence in a system without legal authorization. Turkish legal commentary and case-law summaries also emphasize that access may occur physically or remotely, and that the method or distance does not change the legal characterization.
The critical question is this: Did the former employee have legal authority to access that specific system at that specific time and for that specific purpose?
If the answer is no, Article 243 may be relevant even if the former employee did not delete or alter any data.
3. Data Transfer, Deletion and System Interference
If the former employee does more than merely access the system, Turkish Penal Code Article 244 may become relevant. Article 244 concerns preventing or disrupting the operation of an information system, deleting, altering, making inaccessible, inserting or transferring data.
Former employee data theft may fall under Article 244 where the person:
Downloads customer lists from a company system.
Transfers confidential files to a personal e-mail account.
Copies source code to an external drive.
Exports personal data from company databases.
Deletes e-mails, logs or accounting records.
Changes administrator passwords.
Moves files to a private cloud account.
Makes company data inaccessible.
Creates hidden forwarding rules in company e-mail systems.
Alters invoice, payment or customer records.
The difference between Article 243 and Article 244 is important. Article 243 is about unlawful access or remaining. Article 244 is about interference with data or system functioning. In a company complaint, it is not enough to say “the former employee entered the system.” The petition should explain whether data was copied, transferred, deleted, changed, blocked or misused.
4. Personal Data Crimes Under Turkish Penal Code Articles 135 and 136
Former employee data theft frequently involves personal data. Customer lists, identity numbers, phone numbers, addresses, e-mail addresses, bank account details, employee files, payroll information, patient records, student information and user account data may all constitute personal data if they relate to identified or identifiable individuals.
Turkish Penal Code Article 135 punishes unlawful recording of personal data. Article 136 punishes unlawfully delivering personal data to another person, publishing it or acquiring it through illegal means. WIPO’s Turkish Criminal Code materials identify Articles 135 and related provisions as part of the criminal law framework concerning personal data and undisclosed information.
For example, if a former employee copies a customer database and sends it to a competitor, Article 136 may be considered. If a former HR employee stores employee identity documents for personal use after termination, Article 135 or Article 136 may arise depending on the facts. If a clinic employee copies patient information, the matter may involve both personal data crimes and heightened confidentiality concerns.
A company should carefully classify the stolen data. Was it personal data, trade secret, commercial information, financial data, source code, or publicly available information? The classification affects both the criminal complaint and civil remedies.
5. KVKK Data Breach Obligations
If a former employee unlawfully obtains company-held personal data, the company may need to assess whether a personal data breach occurred under the Turkish Personal Data Protection Law No. 6698, known as the KVKK.
Under Article 12(5) of the KVKK, where processed personal data is obtained by others through unlawful means, the data controller must notify the data subject and the Personal Data Protection Board within the shortest time. The Personal Data Protection Board’s Decision No. 2019/10 interprets this period as without delay and no later than 72 hours after the data controller becomes aware of the breach. The same decision requires controllers to document all personal data breaches, including facts, effects and measures taken.
This is highly important in former employee cases. A company may view the incident as an internal employment dispute, but if personal data left the company’s control or was accessed without authorization, KVKK breach notification duties may arise.
The company should ask:
What categories of personal data were taken?
How many data subjects are affected?
Was special category personal data involved?
Was the data sent to a competitor or third party?
Was the data merely accessed or actually copied?
When did the company become aware of the breach?
What measures were taken to contain the incident?
Should the Board and affected persons be notified?
Was the incident documented internally?
The company should document its assessment even if it concludes that notification is not required.
6. Trade Secrets and Confidential Business Information
Former employee data theft often involves trade secrets. Under Turkish law, trade secrets are primarily protected through unfair competition rules under the Turkish Commercial Code and through criminal law provisions concerning disclosure of trade, customer and banking secrets. Comparative legal guidance notes that Turkey protects trade secrets mainly under the Turkish Commercial Code’s unfair competition framework and under the Turkish Criminal Code in relation to disclosure of trade, customer and banking secrets.
Trade secrets may include:
Customer portfolios.
Supplier lists.
Pricing strategies.
Technical drawings.
Manufacturing methods.
Software source code.
Business plans.
Marketing strategies.
Financial projections.
Tender documents.
Internal procedures.
Product formulas.
Strategic correspondence.
Commercial agreements.
A trade secret generally must not be publicly available and must not be generally known in the relevant sector. Guidance discussing Turkish trade secret protection refers to Court of Cassation criteria requiring that the information not be publicly available and not be known by competitors in the relevant sector.
If a former employee takes such information and uses it in a competing business, the company may pursue criminal, civil and unfair competition remedies.
7. Unfair Competition Claims
Data theft by a former employee may constitute unfair competition if the employee or the new employer uses confidential business information in a manner contrary to honest commercial practice. Under Turkish Commercial Code principles, dishonest conduct affecting competition may create civil liability, injunctive remedies and damages claims.
Unfair competition may arise where:
A former employee uses stolen customer lists to solicit clients.
Confidential pricing data is used by a competitor.
Technical know-how is transferred to a rival company.
Supplier terms are copied to undercut the former employer.
Internal business strategies are used in a new competing venture.
A new employer knowingly benefits from stolen data.
Civil unfair competition claims may seek cessation of unlawful conduct, prevention of use, removal of consequences, correction of misleading conduct, compensation for damages and, where applicable, publication of the judgment. The company may also seek interim injunctions where continued use of stolen data would cause serious harm.
8. Breach of Employment Contract and Confidentiality Duties
Former employees may also be liable under employment contracts and confidentiality undertakings. Many employment agreements include provisions requiring employees to protect company secrets, return company property, avoid unauthorized use of data and refrain from disclosing confidential information after termination.
Even if the conduct does not reach the level of a criminal offence, it may still constitute breach of contract. For example, a former employee who keeps copies of non-public business documents may be civilly liable if the contract clearly prohibits retention. A former employee who contacts customers using confidential data may breach post-employment confidentiality duties.
Companies should review:
Employment contract.
Confidentiality agreement.
Non-disclosure undertaking.
IT use policy.
Data protection policy.
Remote work policy.
Device return form.
Exit interview documents.
Non-compete agreement, if any.
Customer non-solicitation clauses, if any.
Clear written policies strengthen the company’s position. If the company never defined what was confidential or never restricted data exports, the dispute may become harder to prove.
9. Non-Compete and Non-Solicitation Issues
Some former employee data theft cases also involve non-compete or customer non-solicitation disputes. A former employee may join a competitor and use stolen customer lists to contact clients. Whether a non-compete clause is enforceable depends on Turkish law requirements such as scope, duration, territory, employee position and protection of legitimate employer interests.
Even where a non-compete clause is invalid or overly broad, the former employee does not have a right to steal data. Unlawful copying of customer lists, confidential pricing files or trade secrets may still create liability independently of a non-compete clause.
Therefore, employers should not rely only on non-compete provisions. They should also establish strong confidentiality, data access and cybersecurity policies.
10. Digital Evidence in Former Employee Data Theft Cases
Digital evidence is the foundation of these cases. The company must prove not only that data was taken, but also when, how, by whom and what damage resulted.
Important evidence includes:
Access logs.
VPN records.
Cloud activity logs.
CRM export logs.
Download records.
USB connection records.
E-mail forwarding records.
Mailbox audit logs.
File metadata.
Deleted file recovery reports.
Endpoint security alerts.
Device assignment records.
Employee login history.
Screenshots of external use.
Customer complaints.
Competitor communications.
Witness statements.
Server logs.
Backup records.
CCTV records, if device removal is involved.
Companies should preserve evidence immediately. If IT staff deletes accounts, formats devices, changes logs or overwrites data without documentation, the criminal and civil case may be weakened.
11. CMK Article 134 and Forensic Examination
If a criminal complaint is filed, digital devices may need to be examined under the Turkish Criminal Procedure Code. Article 134 regulates search, copying and seizure of computers, computer programs and computer records. UNODC’s material on Article 134 states that data in the system shall be copied during seizure, and that a copy may be provided to the suspect or counsel upon request, with the process recorded and signed.
This matters for both sides. A company should request lawful forensic examination through the prosecutor where necessary. A suspect should examine whether the search and copying of digital records complied with procedural safeguards.
Evidence gathered informally by a company may still be useful, but its reliability may be challenged if collection was undocumented, excessive or technically flawed. In serious cases, forensic imaging, hash verification and chain-of-custody documentation are critical.
12. Internal Investigation by the Company
Before filing a criminal complaint, companies often conduct internal investigations. This is practical, but it must be lawful, proportionate and well documented.
A proper internal investigation should:
Identify affected systems.
Preserve logs.
Limit review to relevant data.
Avoid unnecessary review of private employee communications.
Document who accessed evidence.
Secure company devices.
Review downloads and exports.
Check e-mail forwarding rules.
Identify personal data impact.
Review contractual duties.
Assess whether urgent injunction is necessary.
Prepare evidence for criminal complaint.
Coordinate with legal counsel and forensic experts.
Companies should not conduct an unlimited search through an employee’s private accounts or personal devices without legal basis. Employer rights do not eliminate privacy and data protection principles.
13. Criminal Complaint Strategy
A criminal complaint should be detailed and evidence-based. A vague complaint saying “our former employee stole data” may not be sufficient.
A strong complaint should include:
The former employee’s role and duties.
Employment start and termination dates.
Systems the employee was authorized to access.
Date when access authority ended.
Description of the stolen data.
Evidence of access, download, transfer or deletion.
Whether personal data was involved.
Whether trade secrets were involved.
Whether data was used by a competitor.
Evidence of damage or risk.
Relevant contracts and policies.
Logs and forensic findings.
Requests for device examination.
Requests for bank, platform or provider records where relevant.
Legal qualification under Articles 243, 244, 135, 136 and other relevant provisions.
If a competitor is suspected of receiving or using the data, the complaint should explain the connection and request investigation of all persons who participated in the conduct.
14. Civil Legal Remedies
Civil remedies may be as important as criminal proceedings. A company may seek:
Compensation for material damages.
Return or deletion of stolen data.
Interim injunction preventing use of data.
Prohibition of contacting customers using stolen data.
Unfair competition claims.
Contractual penalty, if agreed.
Damages for breach of confidentiality.
Evidence preservation measures.
Claims against the new employer if it knowingly benefited from stolen data.
Material damages may include lost customers, lost profit, reduced competitive advantage, forensic costs, legal expenses, data breach response costs and reputational repair expenses.
Civil claims require proof of unlawful conduct, damage and causation. Criminal proceedings may support the civil case, but the company should still document its losses carefully.
15. Interim Injunctions and Evidence Preservation
In urgent cases, the company may need interim relief. For example, if a former employee is actively soliciting customers using stolen data, or if a competitor is about to use confidential source code, waiting for the final judgment may cause irreversible harm.
Trade secret guidance in Turkey notes that the trade secret owner may apply to the competent court for interim injunctions or evidence preservation where delay may cause substantial damage or make securing the claim difficult or impossible.
Possible measures may include:
Evidence preservation from devices or systems.
Order to stop using confidential data.
Order to return or destroy copied files.
Prohibition of disclosure to third parties.
Prevention of customer solicitation based on stolen data.
Inspection through expert examination.
The requested measure must be proportionate and supported by prima facie evidence.
16. Liability of the New Employer or Competitor
A competitor may be liable if it knowingly receives, uses or encourages theft of confidential data. If the new employer instructs the former employee to bring customer lists, pricing files or source code, the matter may become more serious.
Evidence may include:
Messages between the former employee and new employer.
Sudden contact with former employer’s customers.
Use of identical pricing or contract templates.
Access to source code or technical files.
Customer complaints.
Statements from employees.
Marketing materials based on confidential data.
Timing of resignation and customer solicitation.
Claims against a new employer require careful evidence. Mere employment of a former worker is not unlawful. The company must show misuse of confidential information or dishonest competitive conduct.
17. Defence Strategies for Former Employees
A former employee accused of data theft may raise several defences depending on the facts.
Possible defence arguments include:
The employee had authorization at the relevant time.
The files were not confidential.
The data was publicly available.
The data was not personal data.
The employee did not copy or transfer data.
The account was shared with other employees.
The company failed to revoke access.
The download was for legitimate work purposes.
The data was retained accidentally.
The evidence does not prove personal use.
Logs are incomplete or unreliable.
The device was used by others.
The case is an employment dispute, not a crime.
The company collected evidence unlawfully.
The legal classification is excessive.
A strong defence should focus on authorization, intent, data classification, technical attribution and lawfulness of evidence.
18. Defence: Authorization and Scope of Access
Authorization is often the central issue. A former employee may have been authorized to access certain data during employment. If the alleged download occurred before termination and within work duties, the criminal allegation may be weaker.
However, authorization is not unlimited. An employee authorized to view customer records for sales purposes may not be authorized to export the full database to a personal account. An IT employee authorized to maintain servers may not be authorized to copy confidential business documents.
Both sides should examine the exact scope of permission. Job descriptions, policies, access logs, internal e-mails and supervisor instructions may become decisive.
19. Defence: Civil Dispute vs. Criminal Offence
Not every data-related employment dispute is a crime. A former employee may keep copies of employment documents, payslips, performance records or correspondence relevant to labour claims. A company may exaggerate ordinary document retention as “data theft” during a contentious dismissal.
Criminal law should not be used as pressure in ordinary employment disputes. However, copying customer databases, personal data, trade secrets or source code for competitive use is different.
The line between civil dispute and crime depends on the type of data, purpose of retention, method of acquisition, confidentiality level, authorization and later use.
20. Company Prevention Measures
Companies can reduce former employee data theft through preventive controls:
Role-based access control.
Multi-factor authentication.
Data loss prevention tools.
Restricted USB use.
Monitoring of unusual downloads.
Strong offboarding procedures.
Immediate access revocation.
E-mail forwarding rule audits.
Confidentiality agreements.
IT and data protection policies.
Employee training.
Customer data access limits.
Logging and audit trails.
Source code repository controls.
Cloud access monitoring.
Exit interviews and device return forms.
Vendor and contractor access management.
Periodic permission reviews.
Prevention is legally valuable. A company that can show clear policies and reasonable controls is in a stronger position before prosecutors, courts and regulators.
21. Offboarding Checklist
When an employee leaves, the company should:
Disable e-mail access.
Revoke VPN credentials.
Terminate CRM and ERP access.
Remove cloud permissions.
Change shared passwords.
Recover laptops and phones.
Disable mobile device synchronization.
Check recent downloads.
Review external forwarding rules.
Remove social media administrator rights.
Preserve logs.
Remind the employee of confidentiality duties.
Collect signed return forms.
Secure source code and repository access.
Notify relevant departments.
Poor offboarding is one of the main reasons former employees continue to access company data.
22. Practical Checklist After Discovering Data Theft
If a company discovers possible former employee data theft, it should:
Preserve all logs immediately.
Do not delete the former employee’s account before exporting evidence.
Identify affected systems.
Determine what data was accessed or copied.
Assess whether personal data was involved.
Assess whether trade secrets were involved.
Review employment contract and policies.
Secure remaining systems.
Check whether data was sent to a competitor.
Conduct a lawful internal investigation.
Assess KVKK notification duties.
Prepare a criminal complaint.
Consider civil injunctions.
Document all damages.
Engage forensic experts if necessary.
Fast action is important, but uncontrolled action can damage evidence. The company must act quickly and carefully.
Conclusion
Data theft by former employees in Turkey may create serious criminal, civil, employment and data protection consequences. If a former employee continues to access company systems after termination, Turkish Penal Code Article 243 on unauthorized access may apply. If the employee deletes, alters, transfers, copies or makes data inaccessible, Article 244 may become relevant. If personal data is copied, shared or unlawfully acquired, Articles 135 and 136 may also be considered. If trade secrets or confidential business information are used competitively, unfair competition and civil remedies may arise.
For companies, the most important steps are prevention, evidence preservation and correct legal classification. Access rights should be limited, logs should be retained, offboarding should be strict and confidentiality obligations should be clearly documented. When theft is discovered, the company should preserve digital evidence, assess KVKK breach obligations, prepare a detailed criminal complaint and consider civil injunctions or compensation claims.
For former employees and defendants, the key issues are authorization, intent, data classification, evidentiary reliability and whether the matter is truly criminal or primarily an employment dispute. A username, IP address or download record may be important, but it does not automatically prove unlawful intent or personal guilt.
In Turkey’s digital economy, employee access to data is necessary for business operations, but it also creates risk. The strongest legal protection combines cybersecurity controls, employment documentation, data protection compliance, digital forensic discipline and a carefully structured legal strategy.
Yanıt yok