Data protection is an important key to maintain the consumer's trust to e-commerce environment. E-Commerce Law and two secondary legislations based on the foregoing law are introduced in Turkey in 2015. Recent e-commerce consumer reports show that data protection and security concerns are known to be the most significant concerns of consumers, keeping them away from online sales. For example, this year's consumer scoreboard of the EU Commission shows that there is still an underdeveloped cross-border e-commerce market in Europe, which is stated to be directly related with the consumer confidence. E-commerce service providers are gathering a massive amount of personal information from consumers and both governments and companies establish new measures to handle the data gathered from e-commerce activities. Recently enacted e-commerce legislations in Turkey introduce specific data protection and security measures for e-commerce service providers and intermediary service providers, which increases the expectation to boost the participation of customers, in the absence of a dedicated data protection law in Turkey.

The Regulation on Service Providers and Intermediary Service Providers in Electronic Commerce is published in Official Gazette on August 26, 2015 ("Service Providers Regulation"). The Regulation is secondary legislation, enacted based on Law No. 6563 on Regulation of Electronic Commerce. The Service Providers Regulation sets forth the obligations for service providers and intermediary service providers with respect to their electronic commerce activities. Intermediary service providers are defined as the entities which provide electronic environment to service providers for their economic and commercial activities. Service providers and intermediary service providers are responsible for maintaining and taking necessary measures to prevent access and processing of personal data acquired during their business.

The Regulation on Commercial Communication and Commercial Electronic Communications ("Regulation on Commercial Communication"), also covering protection of personal data, constitutes the second pillar of this structure. This regulation states that service providers and intermediary service providers are responsible for protection of the personal data and should take possible steps to prevent illegal use of personal data. Data owner's consent should be obtained in order to share the personal data with third parties, process or use the data for other purposes. The records pertaining to commercial electronic communications should be kept by the service providers for one year and should be provided to the Ministry of Customs and Trade, if requested.

Ministry of Customs and Trade is authorized to supervise and evaluate the consumer requests with respect to the aforementioned e-commerce matters and impose fines in case of a violation. Therefore, the data protection concerns of customers will have a supervisory addressee.

Aforementioned secondary legislations do not introduce the details of the principles for processing personal data. In this respect, general rules and principles with respect to processing of personal data under Turkish law apply. These rules and principles are established by Supreme Court decision, in the absence of a specific data protection law. Therefore, e-commerce service providers should take into account that personal data should be (i) processed based on the consent of the respective person, (ii) fit the purpose for gathering the data and be sufficient and proportionate to that purpose, (iii) be accurate and updated when necessary and (iv) be stored in a manner indicating the identities of the respective persons and stored as long as it is necessary for the purpose of its reprocessing.

In order to maintain the foregoing principles, e-commerce service providers may form a data protection policy within their enterprises, review and update those policies on a regular basis.  Along with the policies, it is recommendable that the companies which conduct e-commerce activities (i) to train their employees on data protection and privacy and why it is important, (ii) to limit the number of the employees who may access to the database, only with the persons who need to use the personal data for e-commerce services, and (iii) to collect the information which is required to provide the e-commerce services.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.