The new Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector (the "Regulation"), published in the Official Gazette on December 4, 2020, will come into force as of June 4, 2021.
The Regulation sets forth procedures and principles applicable to operators in the electronic communication sector with respect to data (including personal data and data related to legal person subscriptions) which they collect within the scope of providing their electronic communication services. The Regulation introduces specific provisions applicable to operators in addition to the Personal Data Protection Law (the "DPL") and resolutions of the Personal Data Protection Board. The important issues stipulated under the Regulation can be summarized as follows:
- It is essential that traffic and location data not be transferred outside Turkey for national security reasons. We understand that this means the relevant data will be required to be stored in Turkey. In addition, transfer of such data to third parties is further restricted even if there is no cross-border transfer, and is subject to explicit consent in any case. In order to obtain explicit consent, in addition to the information to be provided within the scope of the DPL, information on the scope of the data to be transferred, as well as the name and full address of the third parties to which the relevant data is transferred, must be provided to the subscribers/users in detail. Furthermore, if the recipient is located outside of Turkey, data subjects will also be explicitly informed about which country the data will be transferred to. In case of any change in the information that needs to be provided to subscribers/users, explicit consent must be obtained again.
- It is necessary to take security-related measures and establish policies to ensure data security. The Information Technologies and Communication Authority ("ICTA") may request information and documents from the operators regarding the security measures taken by them when it deems necessary. Without prejudice to ICTA's authority to impose administrative sanctions on the operator, ICTA may request changes in the said security measures taken by the operator.
- Operators are obliged to keep transaction records regarding access to personal data and other related systems for two years.
- In case of a data breach, operators are required to notify ICTA in addition to the required notification to the Personal Data Protection Authority and the relevant data subjects (the respective subscribers and users).
- Additional conditions have been introduced for processing activities based on explicit consent. It has been emphasized that explicit consent shall be specific to the process and shall not be requested as a prerequisite or condition for providing any service. On the other hand, although it is controversial in terms of the DPL, it is explicitly regulated that explicit consent can be requested from the subscriber/user in return for additional benefits such as bonus minutes, SMS and data. Thus, a new mechanism for consent is introduced to the electronic communication sector.
- In addition to the information obligation arising from the DPL, the operators are obliged to provide information about the retention period of all types of personal data and the traffic and location data types to be processed based on explicit consent. It is regulated that if the information is provided in writing, the font size in the relevant texts shall be at least twelve.
- It has been regulated that explicit consent of the subscribers/users must be obtained in written or electronic form, and the relevant records must be kept for at least the subscription period. In addition, the operators will be obliged to remind the relevant subscribers/users in Q3 of each year within the scope of their processing purposes based on explicit consent. Otherwise, data processing activity based on explicit consent should be suspended until the reminder is made in this context. In case of the termination of the subscription, as of the expiry, all explicit consents given before are deemed to be withdrawn unless the subscriber requests otherwise.
- In accordance with the Information Technologies and Communication Authority Administrative Sanctions Regulation, operators may be subject to an administrative fine amounting up to 3% of their net sales in the previous calendar year in case of non-compliance with the Regulation. Furthermore, where the violation is related to the provisions regarding national security, the authorization of the operator may also be terminated/cancelled.
First published by in 11.12.2020