Single Blog Title

This is a single blog caption

Personal Liability of Company Executives in the Use of Unlicensed Software

Personal Liability of Company Executives in the Use of Unlicensed Software

While the use of unlicensed software is often viewed by many companies as merely an "IT compliance issue," the matter is far broader in Turkish law. It falls within the realm of intellectual property law, contract law, tort liability, criminal law, and corporate law. The approach that "if the company used it, the company is liable" is often insufficient, particularly for board members in joint-stock companies and managers, general managers, IT managers, and senior executives who make decisions in limited liability companies. In some cases, the defendant may not only be the company but also the executive themselves.

In Turkish law, computer programs are explicitly protected as works. According to the Law on Intellectual and Artistic Works (FSEK), computer programs and their preparatory designs that produce the program's result are considered scientific and literary works. The same law also defines "computer program" separately; actions such as loading, displaying, running, transmitting, and storing the program are also included within the scope of the right of reproduction. The practical consequence of this is that not only copying or cracking a program from a CD, but also installing, running, or storing it on a server without a license can give rise to a copyright infringement dispute.

Therefore, the issue of unlicensed software is not limited to simply purchasing pirated copies. Software that has been purchased but whose license has been exceeded, the shared use of a single-user license by a team, the use of a trial version in commercial activities, the use of an educational license for company business, or the active retention of legally obtained copies within the company also pose risks. The exception in the Copyright Law regarding personal use is intended for non-profit reproductions that meet certain conditions; furthermore, in the case of computer programs, the freedom to use the software is tied to the person who legally acquired it. Therefore, in a corporate environment, the defense that "it was only for internal use anyway" does not provide a safe haven in most cases for pirated or illegally acquired software.

Why does the personal responsibility of a company executive come into question?

The answer to this question cannot be given in a single sentence. Because "personal liability" manifests itself on at least three separate levels. First, there is private law liability towards the rights holder, the software producer. Second, there is the liability of the perpetrator in criminal investigations and criminal trials that may arise due to copyright infringement. Third, there is the internal liability that may arise for the manager towards their own company, shareholders, or company creditors. The main risk in Turkish law is that these three lines of liability can converge in the same case.

A company executive is not automatically held personally responsible for every software breach simply because they hold a title. However, the situation changes if they authorized unlicensed use, explicitly instructed it, knowingly disabled procurement and compliance processes, continued use despite warnings or audit alerts, or deliberately left the organization unsupervised. In criminal law, responsibility is personal; no one can be punished for the actions of another. Conversely, the perpetrator, instigator, or accomplice of a crime bears criminal risk. Furthermore, an order that constitutes a crime can never be carried out; otherwise, both the person giving the order and the person carrying it out are held jointly responsible. In this context, the defense of "I only gave instructions on behalf of the company" does not exempt the executive from liability in every case.

Legal risks to the company and its manager under the Law on Intellectual and Artistic Works

The Turkish Copyright Law provides the rights holder with powerful tools to stop the infringement and remedy its consequences. The person whose moral and financial rights have been violated can request the cessation of the infringement. More importantly, if the infringement occurred during the provision of the service by company representatives or employees, the business owner can also be sued, and fault is not required. This provision weakens the company's defense of "personnel did it, the headquarters didn't know." The rights holder can also claim compensation up to three times the hypothetical license fee or market value; if fault is present, material and moral damages can also be claimed according to tort principles.

The crucial point here is that Article 66/2 of the Copyright Law states that a lawsuit can be filed directly against the "business owner." In the case of companies, the business owner is, in most cases, the legal entity itself. However, if the manager is involved in the case not only in their capacity as an organ of the organization but also as the actual architect of the infringement, the matter is no longer solely the company's responsibility. For example, the general manager who gave the instruction for unlicensed installation, the IT manager who kept records against audit, or the manager who approved the use of counterfeit license keys can be considered not merely a representative but a person directly involved in the infringement. In this case, the personal tort liability of the manager in relation to the rights holder's claims is also discussed separately. According to the Turkish Code of Obligations, whoever causes harm to another through a negligent and unlawful act is obliged to compensate for that harm.

Another important issue is the risk of internal recourse. A company that pays a software producer may, in some cases, seek recourse against the manager who caused the damage. This is because in joint-stock companies, board members and managers can be held liable to the company, shareholders, and creditors if they violate their legal and articles of association obligations through their negligence. This liability regime applies by analogy to limited liability companies. Therefore, reaching an external settlement with the software company does not mean the manager is completely removed from the case; the risk of an internal liability lawsuit may continue.

Criminal responsibility: who is the perpetrator of the crime?

Article 71 of the Turkish Copyright Law stipulates imprisonment for one to five years or a judicial fine for individuals who, without the written permission of the copyright holder, process, reproduce, distribute, disseminate, purchase for commercial purposes, import or export, possess or store a work other than for personal use, thereby violating moral, financial or related rights. The use of unlicensed software within a company for commercial purposes may fall within the scope of this provision, depending on the specifics of the case. In this case, the perpetrator is a natural person, not a company. This is because, according to Article 20 of the Turkish Penal Code, criminal liability is personal, and as a rule, no criminal sanctions are applied to legal entities.

In this context, the most frequently debated question in practice is: Who is liable for the use of pirated software on behalf of the company? There is no single answer. The employee who actually installed the program, the IT personnel who applied the crack, the manager who knowingly and willingly instructed this, the decision-maker who systematized the unlicensed use within the company, and in some cases, the senior management who knowingly conducted the software procurement process illegally, can all be included in the case file. In criminal law, it is not the title but the act, intent, form of complicity, and concrete contribution that are decisive. Especially in cases where an unlawful order is carried out, the joint liability of the person giving the order and the person carrying it out is a serious risk for the manager.

Many companies place too much trust in the statement "legal entities are immune from punishment" at this point. While this is true, it is incomplete. The correct approach is for the punishment to be directed at individuals, not the company. What is missing is the assumption that the criminal case will not affect the company. This is because during a criminal investigation, company computers, servers, license records, emails, purchase documents, and user logs can be used as evidence. Article 134 of the Code of Criminal Procedure permits the search, copying, and, if necessary, seizure of computers and computer programs in cases of strong suspicion based on concrete evidence and the impossibility of obtaining evidence by other means. For managers, this means not only a lawsuit but also an operational and reputational crisis.

Internal responsibility in anonymous and limited companies

In joint-stock companies, board members and third parties entrusted with management duties are obligated to perform their duties with the diligence of a prudent manager and to protect the company's interests in accordance with the principles of honesty. Delegation of management is possible; however, for this delegation to be valid and protective, a legally compliant organizational structure and internal regulations are required. Furthermore, those delegating duties or authority cannot be absolved of responsibility if it is proven that they did not exercise reasonable care in selecting the transferee. In other words, the defense of "we outsourced the IT work" or "the IT manager was handling it" is not sufficient on its own unless proper delegation and oversight are established.

The situation is similar in limited liability companies. Article 629 of the Turkish Commercial Code (TTK) applies the provisions relating to joint-stock companies by analogy regarding the scope and limitations of the representation authority of directors. Article 644 of the TTK explicitly states that Articles 553 and subsequent articles, which regulate the liability of directors of joint-stock companies, also apply to limited liability companies. Furthermore, it is stipulated that the company will be liable for torts committed by the person authorized to manage and represent the limited liability company while performing their duties. When these provisions are read together, both the company's liability to external parties and the director's personal liability to internal parties can be discussed in the event that a director of a limited liability company condones or organizes the use of unlicensed software.

The scenarios in which personal responsibility most frequently arises

The first scenario involves explicit instruction. If a manager has instructed employees against purchasing licenses to reduce costs, directed them to use cracks or keygens, refused purchase requests, or knowingly allowed illegal use by saying "just manage like this for now," then the personal risk increases significantly. In this case, the manager is considered not only responsible for organizational misconduct but also as someone directly involved in the violation.

The second scenario is deliberate turning a blind eye. A warning letter may have been received from the software manufacturer, an internal audit may have identified missing licenses, a vendor audit may have been initiated, or employees may have reported the situation to management. If usage continues despite these warnings, the "I didn't know" defense weakens in the face of subsequent violations. The manager is no longer merely passive but accepts the outcome. This situation can lead to discussions of intent in criminal cases and negligence in private law cases.

The third scenario is a lack of organization and control. If a company lacks a software inventory, doesn't track licenses, has scattered purchasing and installation authorizations, transfers outdated equipment without control, employees conduct corporate business using personal accounts, and management hasn't established any internal policies, then serious assessments can be made against the manager, especially within the framework of the duty of care under the Turkish Commercial Code and the employer's liability under the Turkish Code of Obligations. This is because, in a modern commercial enterprise, software license compliance is no longer a secondary detail, but one of the fundamental compliance requirements.

The fourth scenario is improperly established delegation. The manager may have delegated their duties partially or completely. However, if there are no internal guidelines, job descriptions are unclear, a reporting chain is not established, or the delegators were not chosen with reasonable care, the delegation defense does not provide complete protection to the manager. The law explicitly acknowledges that liability persists if the delegators did not exercise reasonable care in their selection.

The fifth scenario arises in mergers, acquisitions, and group company structures. When one company acquires another business, or when centralized IT management is established within a group, if it is unclear who owns the licenses, which legal entity they will be used under, and under which agreement the number of users falls, the breach decision may effectively originate from central management. In this case, even if the formal user is another company, the liability of the de facto decision-making manager may also come into play. This is particularly important for the group CIO, the holding IT manager, or decision-makers managing the joint purchasing structure.

What should a manager do if they receive a warning notice or an inspection report?

The biggest mistake is panicking and deleting data, changing devices, clearing log records, or giving employees unofficial instructions to "say nothing." While such a reflex may seem practical in the short term, it can worsen the case in the long run. The first thing to do is to initiate a privileged internal investigation, identify which programs are on which devices and under what licenses, immediately isolate any illegal copies, and create a controlled compliance plan that will not raise suspicion of tampering with evidence. If there is a possibility of a criminal investigation, Article 134 of the Code of Criminal Procedure already elevates operations on information systems to a high level of sensitivity.

Secondly, the matter should not be viewed as merely a "money negotiation with the software company." Because the case may involve claims for up to three times the amount under Article 68 of the Turkish Copyright Law (FSEK), as well as the risk of penalties under Article 71, internal recourse, and managerial liability. Therefore, the technical inventory, license agreements, invoice chain, number of users, server access records, subscription records, and installation history should be evaluated together. Simply looking at accounting records is often insufficient.

The most effective protection method for company executives: a document-based compliance system

The most effective way to protect against the risk of unlicensed software is not to create defenses when a crisis arises, but to establish management standards before a crisis occurs. For a manager, the strongest protection is not the "I didn't know" defense, but being able to say, "I established a software licensing compliance system in the company, restricted purchasing and installation permissions, conducted regular audits, and took immediate action when warnings were received." The duty of care stipulated in the Turkish Commercial Code demands precisely this.

Therefore, every company should have at least a software inventory, license matrix, authorized installation procedure, employee device policy, trial and training license usage rules, outsourcing team access terms, and a periodic internal audit mechanism. Furthermore, software license due diligence should be conducted in mergers and acquisitions; “grey areas,” such as the use of licenses acquired in the name of another company within the group, should be clarified on a contractual basis. These are not only IT regulations but also legal safeguards that reduce managerial liability.

Conclusion

The personal liability of company executives for using unlicensed software is a much more tangible risk than commonly believed. In Turkish law, computer programs are protected as works; unlicensed installation and use can result in copyright infringement. The rights holder can demand the cessation of the infringement, compensation up to three times the original amount, and, if the conditions are met, material and moral damages. In criminal law, however, it is the individuals involved in the act, not the legal entity, who are held liable. In company law, an executive who violates their duty of care may also be held accountable to their own company, shareholders, and creditors.

Therefore, the issue is not simply a matter of "was pirated software used?" The real question is: Who organized this use, who knew about it, who ignored it, and what management measures were taken within the company to prevent this risk? The answers can either protect the manager or place them directly at the heart of the matter. For this reason, license compliance is not just an IT policy for every company today, but a fundamental legal and corporate governance issue governing managerial responsibility.

Leave a Reply

Call Now Button