Long-time expected Electronic Commerce Law No.6563 has been enacted by The Grand National Assembly of Turkey on October 23, 2014 in harmonization with 2000/31/ EC ECommerce Directive. The Law published on November 05, 2014 in the Official Gazette and will come to into force on May 1, 2015.

Law provides two new definitions i.e. "Service Provider" and " Intermediary Service Provider." The concept of "service provider" refers to any natural or legal person operating electronic commerce whereas "intermediary service provider" refers to any natural legal person who provides electronic commerce media for others to pursue economical and commercial purposes.

The Law briefly aims to regulate following major issues given below:

  • Liability on the information to be provided for the contracts concluded by electronic Means
  • Unsolicited commercial communication
  • Non-Liability of the "intermediary service providers" on monitoring regarding the content provided by natural or legal persons who uses electronic means in line with their services
  • Protection of personal data collected on the basis of the transactions carried out under the code

- Liability on the information to be provided for the contracts concluded by electronic Means

Article 3 refers that before concluding a contract by electronic means the service provider shall provide;

  • accurate and accessible information regarding the commercial communication
  • different technical steps to follow to conclude the contract
  • the information with respect to whether or not the concluded contract will be kept by the service provider and the accessibility of such document.
  • the information related to the applied privacy policies and alternative dispute resolution mechanisms, if any

- Unsolicited commercial communication

Unsolicited commercial communication measure in the sense of 2000/31/EC translated as the "requirement of commercial electronic communication" under Article 6.

The Turkish E-Commerce Law refers opt-in only which requires a prior consent of the recipient.

However it should be noted that this provision will not be applied to the B2B communications and only valid for B2C or C2C communications.

- Non-Liability of the "intermediary service providers" on monitoring

Article 9 refers that intermediary service providers shall not be liable for any monitoring regarding the content provided by natural or legal persons who uses electronic means in line with their services.

In any case, the intermediary service providers are obligated to exercise due care during their business according to the current Commercial Code.

- Protection of personal data collected on the basis of the transactions carried out under the code

Article 10 provides the requirements of data storage by the service provider as follows;

Service Provider and intermediary service provider shall;

a) be liable for storing and providing the security of the data provided by the virtue of transactions in the sense of the law.

b) not transmit the personal data to third parties or use for other purposes without the consent of that legal or natural person.

Despite the above obligation, the Law does not impose any pecuniary fine for the breach of liability under Article 10. However any breach can still be evaluated under the Criminal Law provisions1 protecting the personal data.

It is to be noted that the Protection of Personal Data Code has not been enacted yet in Turkey and The Turkish Parliament is still working on a draft. Therefore, in the absence of a Data Protection Code; data protection rules provided by several provisions in different codes such as The Constitution of Republic of Turkey Article 20, Turkish Criminal Code Articles 134-140 (Law No. 5237), Turkish Civil Code Article 23-35 (Law. No.4721), and other related regulations (telecommunication, health, banking and employment). It is possible to state that the data protection measures regulated under the E-Commerce Directive will be interpreted along with abovementioned laws and regulations.

Footnote

1 Recording of personal data

ARTICLE 135-(1) Any person who unlawfully records the personal data is punished with imprisonment from six months to three years. (2) Any person who records the political, philosophical or religious concepts of individuals, or personal information relating to their racial origins, ethical tendencies, health conditions or connections with syndicates is punished according to the provisions of the above subsection.

Unlawful delivery or acquisition of data

ARTICLE 136-(1) Any person who unlawfully delivers data to another person, or publishes or acquires the same through illegal means is punished with imprisonment from one year to four years.

Qualified forms of offense

ARTICLE 137- (1) In case of commission of the offenses defined in above articles;

a) By a public officer or due influence based on public office,

b) By exploiting the advantages of a performed profession and art, the punishment is increased by one half.

Destruction of Data

ARTICLE 138-(1) In case of failure to destroy the data within a defined system despite expiry of legally prescribed period, the persons responsible from this failure is sentenced to imprisonment from six months to one year.

Complaint

ARTICLE 139-(1) Excluding recording of personal data, unlawful delivery or acquisition of data and destruction of data, commencement of investigation and prosecution for the offenses listed in this section is bound to complaint.

Imposition of security precautions on legal entities

ARTICLE 140-(1) Security precautions specific to legal entities are imposed in case of commission of offenses defined in the above articles by legal entities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.