The Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector (“Regulation”) was published in the Official Gazette on December 4, 2020. The Regulation will enter into force on June 4, 2021. The Regulation is available online here (in Turkish).
The rules on data processing in the electronic communications sector were previously set out in the Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector published on July 27, 2012. However, the Constitutional Court canceled the basis of this regulation, Article 51 of the Electronic Communications Law. As a result, the regulation was considered null and void as of January 26, 2015. The Information Technologies and Communication Authority (“ITCA”) published a draft regulation and requested public opinion on it in 2017, but this draft regulation was not enacted.
• The Regulation sets forth the liabilities of operators in the electronic communications sector with respect to the processing of data owned by both real and legal persons to whom they provide communication services.
• The Regulation adopts certain definitions found in the Law No. 6698 on the Protection of Personal Data (“Data Protection Law”) such as “personal data,” “processing” and “explicit consent”. Under the Regulation, a “user” is defined as “a real or legal person benefiting from the electronic communication services regardless of being a subscriber or not,” whereas “subscriber” is described as “a real or legal person who is a party to a contract for the provision of electronic communication services by an operator.” In this respect, the Regulation covers processing activities conducted on both real and legal person users/subscribers’ data.
• The Regulation underlines the data processing principles listed under Article 4(2) of the Data Protection Law and obliges operators to conform to general processing principles when processing personal data. In particular, the Regulation prohibits the cross-border transfer of traffic and location data due to national security reasons.
• Further, operators are responsible for taking administrative and technical measures to ensure data safety and are required to keep records of access to personal data and other relevant systems for two years.
• The Regulation also introduces the obligation to report security risks and personal data breaches. Accordingly, operators are obliged to notify the subscribers/users as soon as possible in case of a personal data breach risk. Further, if the risk falls outside the scope of the measures applied, operators are obliged to inform their subscribers and users about the scope of the risk and the methods to mitigate it. In addition, if a data breach occurs, operators are required to inform the ITCA, the Data Protection Authority and subscribers/users as soon as possible, in accordance with the rules under the Data Protection Law.
• The Regulation specifically regulates the conditions to be applied when obtaining explicit consent for the processing of personal data. In line with the Data Protection Authority’s decision of August 2, 2018, the Regulation prohibits setting consent as a precondition for the provision of a service. The Regulation allows operators to request the consent of subscribers or users in exchange for gifting minutes, text messages or data. In addition, as per the Regulation, explicit consent cannot be merged with other consents such as consent for the execution of an agreement, acceptance of services or receiving electronic commercial messages.
• Operators must inform subscribers and users of the personal data type that will be processed, types of traffic and location data, scope, processing purpose and the term of the processing in a clear and understandable manner before obtaining explicit consent. If this information is provided in written form, the font size cannot be less than twelve point.
• In addition, operators are required to keep records of the collection of explicit consents throughout the period of subscription, notwithstanding the periods stipulated in the relevant legislation.
• The Regulation imposes more comprehensive obligations on operators when transferring traffic and location data. Accordingly, operators are obliged to inform their subscribers and users of the scope of the data to be transferred, the identity and full address of the person to whom the data will be transferred, the purpose and duration of the transfer and, if the data is being transferred abroad, the country to which the data will be transferred, and must obtain their explicit consent. If any of the foregoing information changes, explicit consent must be collected again.
• As per the Regulation, in cases where traffic and location data is being processed, operators must inform subscribers and users of the types of traffic and location data, the processing purpose and term of the processing.
• Additionally, operators must inform all subscribers and users in the first quarter of each year about the processing of personal data. Operators can inform subscribers and users whose mobile phone numbers they hold through text messages; other subscribers and users can be notified by e-mail or by phone call. Otherwise, the data processing activities must cease until operators can convey the notification. The Regulation further states that, if the subscription is terminated, all explicit consents are deemed revoked unless the subscriber requests otherwise.
• The Regulation also regulates the hiding of numbers, automatic redirects and telephone bills.
• As per provisional Article 1 of the Regulation, consents legitimately obtained before the enforcement date will be deemed valid and if the processing activity continues, even if the subscription is over, such processing activity will be ceased within one month after enforcement of the Regulation.
The Regulation sets forth sector-specific regulations related to various matters, such as security measures for personal data processing, data breach and data breach risks, obtaining explicit consent, cross-border data transfers, traffic and location data, hiding numbers and automatic redirects. While the Regulation overall conforms with the principles of the Data Protection Law and decisions of the Data Protection Authority, it contains certain provisions that are more restrictive in relation to the processing of traffic and location data. The Regulation also specifically prohibits the cross-border transfer of traffic and location data due to national security reasons.