Artificial Intelligence Law and Governance: Legal Guide for Companies in Türkiye and Cross-Border Markets
Artificial intelligence is no longer only a technology issue. Companies developing, buying or deploying AI systems must consider data protection, contracts, intellectual property, liability, employment, consumer protection, cybersecurity, governance, cross-border compliance and dispute risk before AI becomes embedded in business operations.

Artificial intelligence is becoming part of ordinary business infrastructure.
Companies use AI to write, code, translate, analyse data, screen documents, support customer service, generate images, automate decisions, detect fraud, manage logistics, personalise marketing, review contracts, assess risk and improve productivity. For founders and executives, AI can look like an opportunity for speed, scale and efficiency.
For lawyers, regulators, investors and boards, AI also creates a different question: who is responsible when an AI system uses data unlawfully, produces a harmful output, infringes intellectual property, discriminates, misleads a customer, breaches confidentiality, exposes trade secrets or makes a decision no one can properly explain?
AI law is not only about future legislation. It is already here through existing legal frameworks — data protection, contracts, intellectual property, confidentiality, employment, consumer protection, unfair competition, cybersecurity, sector-specific rules, professional duties, product liability, corporate governance and dispute resolution. For companies in Türkiye, Northern Cyprus and cross-border markets, AI governance should not wait until a regulator, customer, investor or counterparty asks difficult questions.
This guide explains the legal issues companies should consider when developing, procuring, deploying or investing in artificial intelligence systems.
1. AI Is Not Only a Technology Question
A company may describe an AI project as a technical deployment. In legal terms it may also be a data processing operation, a software procurement, a licensing arrangement, a consumer-facing service, an employment monitoring tool, a decision-support system, a regulated-sector risk, an intellectual property issue, a cybersecurity exposure, a confidentiality risk, an outsourced service, a governance responsibility — and a potential dispute.
The legal analysis depends on what the AI system does. A chatbot used for basic customer service is not the same as an AI system used for credit scoring, medical triage, recruitment, legal document review, biometric identification, fraud detection or employee performance monitoring. The first task in AI legal governance is therefore to understand the use case. The question is not simply "are we using AI?" but rather: what function does the AI perform, what data does it use, who relies on the output, what harm could occur, and who is responsible for controlling the risk?
2. AI Developers, Deployers and Users
AI projects involve different actors. A company may be developing its own model, fine-tuning an existing one, integrating a third-party tool, reselling an AI product, using AI internally, offering AI-powered services to clients, processing client data through AI, relying on AI-generated outputs, or investing in an AI startup. Each role creates different legal responsibilities.
A developer may need to consider training data, model documentation, IP rights, testing, safety, bias, security and user instructions. A business user may need to consider procurement, vendor contracts, confidentiality, employee training, output review, data protection, customer disclosures and liability. An investor may need to examine AI governance during due diligence. A company that treats itself as "only a user" may still face responsibility if it deploys AI in a way that affects employees, customers, patients, students, consumers, counterparties or legal rights.
3. AI Governance Starts With an Inventory
A company cannot manage AI risk if it does not know where AI is being used. The first step should be an AI inventory: the tools officially procured by the company, AI features embedded in existing software, tools used informally by employees, systems used by contractors, AI in marketing, HR, sales, finance or legal teams, AI in customer service, analytics or profiling, AI in cybersecurity, recruitment or employee monitoring, AI in product development, and AI used by external vendors on the company's behalf.
Many companies underestimate "shadow AI". Employees may use public generative AI tools to summarise documents, draft emails, translate contracts, analyse spreadsheets or create marketing content without formal approval — exposing confidential information, personal data, trade secrets and client materials. An AI governance framework begins with visibility.
4. Data Protection and Personal Data
Most AI legal risk begins with data. AI systems may process personal data during training, fine-tuning, prompting, retrieval, user interaction, analytics, monitoring, output generation, feedback loops, model improvement and automated decision-making.
Companies should examine what personal data is collected, whose data is processed, whether special categories are involved, the legal basis for processing, whether data minimisation is respected, whether transparency notices are sufficient, whether consent is required, whether data is transferred abroad, whether vendors act as processors or independent controllers, whether the system uses data for further training, whether outputs may reveal personal data, whether data subjects can exercise their rights, and how data is retained, deleted and secured. In Türkiye, AI projects involving personal data must be assessed under the Personal Data Protection Law No. 6698 and secondary legislation. The mere fact that data is processed by an AI system does not remove ordinary data protection obligations: a company should be able to explain why the data is needed, how it is processed, who has access, where it is transferred and how long it is retained.
5. Training Data and Lawful Use
Training data is one of the most difficult legal issues in AI. A model may be trained on large datasets containing personal data, copyrighted works, images, code, audio, video, confidential information, scraped website content, customer or employee data, licensed databases, public records, synthetic data, or anonymised and pseudonymised data.
The legal questions include whether the data was lawfully obtained, whether it was used within the scope of consent or licence, whether the dataset contains personal data, copyrighted material, trade secrets or confidential documents, whether scraping was permitted, whether robots.txt or website terms were considered, whether the data can be used for commercial model training, whether individuals can object or request deletion, and whether the dataset is documented and problematic data can be removed. A company developing or fine-tuning AI should not assume that publicly accessible data is free for all purposes — public availability is not the same as lawful use.
6. Cross-Border Data Transfers
AI tools often involve cross-border data flows. A company in Türkiye or Northern Cyprus may use cloud-based AI tools operated from the United States, the European Union, the United Kingdom or other jurisdictions. Data may move through prompts, uploaded documents, API calls, model training, analytics, customer support, cloud hosting, security logging, vendor access and subprocessors.
This creates legal and operational questions. Companies should consider where the AI vendor is located, where data is hosted, whether subprocessors are used, whether personal data leaves Türkiye or the relevant jurisdiction, whether sensitive data is involved, whether the vendor uses data for model improvement, whether contractual safeguards exist, whether the transfer is permitted under applicable law, and whether data localisation, sector rules or client commitments apply. A cross-border AI system should be reviewed before deployment, not after an incident.
7. Confidentiality and Trade Secrets
Generative AI tools create a serious confidentiality risk. Employees may upload contracts, financial records, client documents, litigation materials, source code, board presentations, acquisition targets, business plans, customer lists, trade secrets, HR files, legal memoranda or strategy documents. If the tool is not properly controlled, the company may lose confidentiality, breach contractual obligations or expose privileged material.
Companies should adopt clear rules on what may not be uploaded to public AI tools, which platforms are approved, when internal approval is required for sensitive use cases, how client data is handled, how prompts and outputs are retained, what confidentiality the vendor owes, and how training, audit, monitoring and incident response work. AI policies should be practical: a policy that simply says "do not use AI" may be ignored, while one that explains approved and prohibited uses is more likely to work.
8. Intellectual Property Ownership
AI-generated content raises difficult intellectual property questions. Companies may use AI to create marketing text, logos, images, software code, product descriptions, design concepts, reports, translations, presentations, music or video, and legal or technical drafts.
The legal questions include who owns the output, whether it can be copyrighted, whether the AI vendor claims rights, whether the output was trained on protected works, whether it could infringe third-party rights, whether it can be used commercially, what licensing restrictions apply, who is liable if an output infringes, whether AI-generated code can be integrated into proprietary software, and whether the tool produces similar outputs for other users. Companies should review the terms of AI tools before using outputs commercially. For valuable brand assets, software, product design or client-facing materials, human review and IP clearance may be necessary — AI can assist creation, but it does not eliminate ownership risk.
9. AI and Software Development
AI-assisted coding is now common. Developers use AI tools to generate code, debug, write tests, document systems, refactor, identify vulnerabilities, suggest architecture and translate code between languages. This can improve productivity but also introduces legal and technical risk.
Companies should consider whether generated code includes open-source elements and triggers licence obligations, whether the code is secure, whether confidential code is uploaded to AI tools, whether developer tools retain prompts, whether output is reviewed by qualified engineers, whether AI-generated code creates hidden vulnerabilities, whether IP ownership is clear, and whether client contracts permit such use. A software company should adopt an AI coding policy — the goal is not to prevent innovation, but to avoid uncontrolled legal and security exposure.
10. Contracts for AI Procurement
Companies buying AI tools should not accept vendor terms blindly. AI procurement contracts should address the description and intended use of the system, performance standards and service levels, data-protection roles and processing terms, cross-border transfers, the use of customer data for training, confidentiality, security, audit rights, explainability and documentation, bias testing where relevant, output ownership, IP indemnities, third-party claims, limitation of liability, regulatory cooperation, subcontractors, incident notification, suspension rights, termination, data return and deletion, and governing law and dispute resolution.
The more important the AI system is to the business, the less acceptable generic click-wrap terms become. AI procurement should be treated like strategic technology contracting.
11. AI SaaS and Customer Terms
Companies that provide AI-powered products or services need strong customer terms. These should address what the system does and does not do, user responsibilities and prohibited uses, input-data responsibilities, output limitations, human-review requirements, a "no professional advice" disclaimer where appropriate, an acceptable use policy, data processing, IP ownership, model improvement, service availability, security, liability limitations, regulatory responsibilities, suspension rights, customer indemnities, termination and dispute resolution.
For AI SaaS providers, customer terms are not only legal protection — they define the product's risk boundary. A company should not allow customers to use its AI system in ways it cannot safely support.
12. AI Outputs and Human Review
AI outputs may be inaccurate, incomplete, biased, outdated or misleading. This matters particularly where outputs affect legal rights, financial decisions, healthcare, recruitment, education, insurance, credit, employment, consumer advice, compliance, safety or regulated services. Companies should decide when human review is mandatory.
A human review process should be meaningful, not symbolic. The reviewer should understand the purpose of the output, the limits of the system, the data used, the risk of error, the consequences of relying on it and when escalation is required. "Human in the loop" is not enough if the human does not have the time, expertise or authority to challenge the AI system.
13. Bias, Discrimination and Fairness
AI systems can produce discriminatory or unfair outcomes. Risk may arise from biased training data, proxy variables, historical discrimination, poor model design, an untested deployment environment, lack of monitoring, feedback loops, overreliance on automated scoring and the absence of appeal mechanisms. This is especially relevant in recruitment, lending, insurance, education, healthcare, housing, public services, employee monitoring, fraud detection and customer segmentation.
Companies should test AI systems for unfair outcomes where the use case affects individuals, combining legal review with technical assessment. A company should be able to explain not only that the AI works, but that it works lawfully and responsibly.
14. Employment and Workplace AI
AI use in the workplace creates specific legal risks. Employers may use AI for recruitment screening, CV ranking, interview analysis, employee monitoring, productivity and performance scoring, scheduling, training, internal investigations, document drafting and HR analytics. These uses may affect employee rights, privacy, equality, transparency and trust.
Employers should consider whether employees are informed, whether personal data is processed lawfully, whether monitoring is proportionate, whether automated decisions affect employment rights, whether bias has been tested, whether HR staff can override AI recommendations, whether records are kept, whether employees can challenge outcomes, whether sensitive data is involved and whether third-party vendors process employee data. AI in employment should be approached carefully because it affects people directly — the reputational damage from unfair AI-based HR decisions may exceed the legal cost.
15. Consumer Protection and Transparency
AI systems used with consumers may require clear communication — where customers interact with chatbots, AI recommends products or personalises pricing, AI generates financial or health-related suggestions, AI creates marketing content or simulates human communication, AI makes eligibility assessments, deepfake or synthetic media is used, or AI-generated images and reviews appear in advertising.
Companies should ask whether the user knows they are interacting with AI, whether the output is presented as professional advice, whether the user could be misled, whether limitations are disclosed, whether disclaimers are clear but not abusive, whether vulnerable users are affected, whether consumer rights are respected and whether a human escalation route exists. Transparency is not only a regulatory requirement — it is part of trust.
16. AI in Regulated Sectors
AI risk increases in regulated sectors — banking and finance, insurance, healthcare, legal services, education, employment, real estate, transportation, cybersecurity, public procurement, energy, telecoms and defence-related industries. In these sectors, AI use should be reviewed against sector rules, and a general AI tool may be unsuitable for a regulated use case unless it has been assessed, documented, tested and controlled.
For example, AI in insurance may affect underwriting, claims handling and discrimination risk; AI in healthcare may affect patient safety, privacy and professional liability; AI in finance may affect credit decisions, AML monitoring and consumer protection; AI in education may affect student data, assessment and fairness; and AI in legal services may affect confidentiality, privilege and professional responsibility. Sector-specific AI review should happen before deployment.
17. EU AI Act Exposure
The European Union Artificial Intelligence Act creates a risk-based framework for AI systems. Even companies outside the EU may need to consider it if their AI systems, outputs or services are placed on the EU market or used in ways connected with the EU.
Companies in Türkiye, Northern Cyprus or the wider region should assess EU AI Act exposure where they sell AI systems to EU customers, provide AI-powered SaaS to EU users, process data for EU-based clients, integrate AI into products used in the EU, provide AI tools to multinational companies, act as distributors or importers of AI systems, or use AI outputs in services delivered to EU markets. The AI Act is not the only framework, but it is becoming an important reference point — a company that plans to scale internationally should not design AI governance only for today's local requirements.
18. AI Policies for Companies
Every company using AI in a meaningful way should consider an internal AI policy. It should address approved AI tools and prohibited uses, confidential information, personal data, client and customer data, employee responsibilities, human review and output verification, IP and copyright, code generation, customer-facing AI, record-keeping, vendor approval, security, incident reporting, disciplinary consequences and escalation procedures.
The policy should be realistic. If employees need AI for productivity, the company should provide safe channels rather than pretending AI is not being used. Good governance enables responsible use.
19. Board and Management Responsibility
AI governance is not only an IT issue. Boards and senior management should understand where AI is used, which use cases are material, which systems affect customers or employees, which vendors are critical, what data is processed, whether AI use is documented, whether risks have been assessed, whether policies exist, whether incidents are reported, whether insurance covers AI-related risk, whether AI creates regulatory exposure, and whether AI affects strategy, reputation or valuation.
AI risk can become corporate governance risk. An executive team that cannot explain its AI systems may face difficulty with investors, regulators, customers, insurers and counterparties.
20. AI Due Diligence in Investments and M&A
AI due diligence is increasingly important in investments and acquisitions. Investors should examine what AI systems the target uses, whether it develops AI products, the training-data sources, data-protection compliance, IP ownership, model documentation, vendor and customer contracts, use of open-source tools, cybersecurity, regulatory exposure, EU AI Act relevance, employee AI use, pending complaints, output liability, dependency on third-party models and the ability to scale lawfully.
An AI startup may have attractive technology but weak legal foundations. A buyer should ask whether the company owns what it claims to own, whether it can lawfully use the data it relies on, and whether its product can be sold into target markets without major regulatory obstacles. AI due diligence is not a technical luxury — it is central to valuation.
21. Liability for AI-Related Harm
When AI causes harm, several parties may be involved — the AI developer, model provider, software vendor, deployer, business user, employee, contractor, customer, data provider, system integrator, professional advisor or platform operator. Liability may arise from breach of contract, negligence, a defective product or service, a data-protection breach, IP infringement, discrimination, misleading statements, consumer harm, a confidentiality breach, a cybersecurity failure, an employment-law breach or regulatory non-compliance.
Contracts should allocate responsibility clearly. A company should not assume that an AI vendor will bear liability for all AI-related harm — many vendor terms limit liability significantly. Risk allocation must be negotiated where the AI system is business-critical.
22. Evidence, Audit Trails and Disputes
AI disputes will often turn on evidence. A company may need to show which model and version were deployed, what data was input, what prompt was used, what output was generated, who reviewed it, whether it was modified, whether warnings were displayed, whether policies were followed, whether the system was tested, whether a vendor was notified and whether logs were preserved.
Without audit trails, a company may struggle to defend its position. AI governance should include documentation — this is not bureaucracy, it is future evidence.
23. AI Incident Response
Companies should prepare for AI-related incidents — personal data exposure, confidential information uploaded to a tool, a harmful automated decision, a discriminatory output, a customer complaint, an IP infringement claim, a hallucinated or misleading statement, a security vulnerability, model misuse, unauthorised employee use, a vendor breach or a regulatory enquiry.
An AI incident response plan should define who must be notified internally, whether external counsel is needed, whether data-breach obligations apply, whether customers or regulators must be informed, whether vendor notification is required, whether logs must be preserved, whether system use should be suspended, who communicates externally and how remediation is documented. A company should not create its incident response plan during the incident.
24. Insurance and AI Risk
Companies should review whether existing insurance covers AI-related risk — cyber, professional indemnity, directors-and-officers, technology errors-and-omissions, product liability, media liability, general liability and employment-practices liability policies. The questions include whether AI-related errors, data breaches, IP-infringement claims, professional-advice outputs, discriminatory decisions and vendor failures are covered, whether contractual liabilities are excluded, whether fines or regulatory costs are covered, whether notification costs are covered, and whether AI tools must be disclosed to insurers.
Insurance should not be assumed. It should be reviewed.
25. AI and Professional Services
Professional service providers using AI should be especially careful — lawyers, accountants, consultants, architects, engineers, doctors, financial advisors, insurance professionals, real estate advisors and compliance consultants. Professional duties may require confidentiality, competence, human judgment, client consent in certain contexts, verification of outputs, record-keeping, avoiding unauthorised disclosure, supervision of junior staff and tools, and compliance with sector rules.
AI can assist professional work, but it cannot replace professional responsibility. If a professional relies on AI without review and the output is wrong, the problem is not only technical — it may become a professional liability issue.
26. Cross-Border AI Strategy: Türkiye, Northern Cyprus and the UK
Many AI businesses and users operate across borders. A company may be incorporated in Türkiye, serve UK clients, store data in the EU, use a US-based AI vendor and hire developers in Northern Cyprus — creating overlapping legal questions.
Cross-border AI strategy should examine the governing law of contracts, data-transfer rules, vendor and customer location, AI Act exposure, UK data-protection and AI guidance, Türkiye KVKK compliance, Northern Cyprus operational considerations, IP ownership across jurisdictions, employment contracts, tax and permanent-establishment issues, dispute resolution and enforcement. AI legal planning should follow the business model, not the country of incorporation alone.
27. A Practical AI Legal Checklist
Companies should be able to answer:
Where is AI used in the business, and who approved each tool?
What data is input, and is personal or confidential information involved?
Does the vendor use data for training, and where is data stored or transferred?
Are employees using unapproved tools?
Are customers interacting with AI?
Are outputs reviewed by humans?
Are AI-generated materials used commercially, and is IP ownership clear?
Are vendor contracts and customer terms sufficient?
Are sector-specific regulations relevant, and is EU AI Act exposure possible?
Are bias and discrimination risks assessed?
Is there an internal AI policy?
Are audit trails preserved?
Is there an incident response plan?
Does insurance cover AI-related risk?
Has AI been reviewed in investment or M&A due diligence?
And can management explain the company's AI governance?
The answers should then drive the governance framework — policy, oversight, contracts, documentation and accountability.
Frequently Asked Questions
Is there a specific AI law in Türkiye?
Türkiye does not currently have a comprehensive AI law equivalent to the EU AI Act. However, AI projects are already affected by existing laws, including data protection, contracts, IP, employment, consumer protection, cybersecurity, sector regulations and liability principles.
Does the EU AI Act matter for Turkish companies?
It may. Turkish, Northern Cyprus or regional companies may need to consider the EU AI Act if they provide AI systems, AI-powered services or outputs into the EU market or work with EU-based customers.
Can companies use personal data in AI systems?
Only where the processing is lawful, necessary and compliant with applicable data protection rules. Companies should review legal basis, transparency, data minimisation, cross-border transfers, vendor terms and retention.
Can employees use ChatGPT or similar tools at work?
They may be able to, but companies should adopt clear AI policies. Confidential information, personal data, client documents and trade secrets should not be uploaded to public tools without proper safeguards.
Who owns AI-generated content?
This depends on the tool's terms, applicable law, the nature of the output and whether third-party rights are involved. Companies should review ownership, licensing and infringement risks before using AI-generated content commercially.
What should AI vendor contracts include?
AI vendor contracts should address data protection, confidentiality, security, training use, IP, output ownership, liability, audit rights, incident notification, subcontractors, termination and regulatory cooperation.
Is AI due diligence necessary in investments?
Yes. Investors should examine training data, model ownership, IP, data protection, vendor dependency, regulatory exposure, customer contracts, security and scalability before investing in AI companies.
Can AI create liability for a business?
Yes. Liability may arise from inaccurate outputs, discrimination, data breaches, IP infringement, misleading consumer communication, confidentiality breaches, employment decisions or regulatory non-compliance.
Conclusion
Artificial intelligence can create speed, scale and competitive advantage. But AI also creates legal responsibility. Companies that adopt AI without governance may expose themselves to data protection violations, confidentiality breaches, intellectual property disputes, misleading outputs, employee claims, customer complaints, regulatory scrutiny and contract liability.
The strongest AI strategy is not simply to use the newest tools — it is to use them with discipline. For companies in Türkiye, Northern Cyprus and cross-border markets, AI legal governance should include data protection review, contract discipline, IP analysis, vendor control, internal policy, human oversight, documentation, incident response and board-level accountability.
AI may be new, but the legal principle is familiar: a company should understand the risk before it scales the system.
How Terziolu & Partners Can Assist
Terziolu & Partners advises businesses, investors, entrepreneurs, families and private clients on Türkiye, Northern Cyprus and cross-border legal matters. Our work may include reviewing AI use cases and legal risk; advising on AI governance frameworks; drafting internal AI policies; reviewing AI vendor contracts; drafting AI SaaS and customer terms; advising on data protection and cross-border transfers; reviewing IP ownership and AI-generated content risks; supporting AI-related due diligence in investments and acquisitions; advising on employment and workplace AI issues; assisting with AI-related disputes, confidentiality breaches or contract claims; and coordinating with technical experts, data protection advisors and foreign counsel where required.
This article is provided for general informational purposes only and does not constitute legal advice. Artificial intelligence law and governance are rapidly developing areas. Legal obligations may vary depending on the jurisdiction, AI system, data used, sector, user group, contractual structure, regulatory exposure, technical design, deployment context and timing of advice. No action should be taken or withheld solely on the basis of this publication. Specific legal, technical, data protection, regulatory and commercial advice should be obtained before developing, deploying, procuring, investing in or relying on AI systems. Submission of an enquiry to Terziolu & Partners does not create a lawyer-client relationship unless and until the engagement is formally accepted in writing.