Anyone in the business of sending or supporting the delivery of commercial e-mails; in particular operators, business owners, software developers, e-mail marketing services suppliers, marketing teams, advertisers, publishers and the media must pay utmost attention to legislative developments with respect to personal data and prepare to comply with the draft bills pending in the Grand National Assembly of Turkey.
Any demographic data, such as gender, race, age, employment status, and even location; contact information such as e-mail addresses, telephone numbers; payment data such as bank account information and the like are regarded as personal data. Currently, personal data security is regulated by The Constitution of the Republic of Turkey, the Turkish Criminal Code, the Electronic Communication Law and also, where applicable, the Civil Code, the Code of Obligations; specific regulations including the Regulation on the Determination of Physics Identity, Physical Examination and Genetic Study on Criminal Procedure, the Regulation on Clinical Researches, the Regulation on Blood and Blood Products and the Regulation on Performing Services of Turkish Employment Agency on Internet, etc.
Additionally, although not yet applicable, three pieces of draft legislation pending at the Grand National Assembly of Turkey also include provisions on personal data protection; namely: Draft Law on Personal Data Protection, Draft Law on Regulating Electronic Commerce and Draft Law on Commercial Secrets, Banking Secrets and Customer Secrets.
1. Applicable legislation with respect to personal data protection and database rights of unfair extraction or reutilization
The Turkish Constitution lays down the legal framework for all legislative and administrative statutes regulating data protection:
Everyone has the right to ask his/her personal data to be protected. This right also contains the right to be informed, to access personal data, to demand that it be deleted and to be informed whether it is used and for what purpose. Personal data may only be processed upon the owner's explicit consent or when set forth by law. Principles and procedures with respect to protection of personal data shall be regulated by law.
The Electronic Communication Law contains norms regulating personal data. The Information and Communication Technologies Board is authorized under Articles 6, 12 and 51 to monitor and take necessary measures for the protection of personal data and privacy rights of subscribers, internet users and end-consumers. The Information and Communication Technologies Board may impose specific responsibilities upon electronic communication service and/or network providers in that context.
The Turkish Criminal Code provides for the imprisonment of those illegally recording, obtaining and disclosing personal data, according to Articles 135 and 136. The Code further provides a prison term of 6 months to 4 years for the negligent destruction of personal data.
The Turkish Criminal Code's interest in personal data and privacy protection is not limited to the topics mentioned above. Commercial secrets as well as banking and bank customer secrets also fall within the scope of criminal activities punishable both by imprisonment and judicial fines under Article 239.
2. Draft legislation with respect to personal data protection and database rights of unfair extraction or reutilization
2.1 Draft Law on Personal Data Protection
The purpose of the Draft Law on Personal Data Protection is defined as the protection of tangible or intangible assets and fundamental rights and liberties of persons; and procedures and principles on processing personal data to which natural and legal persons must adhere to.
The Draft Law on Personal Data Protection broadly defines personal data as "all types of information about identifiable natural and legal persons".
Various uses and processes of personal data; such as obtaining by automatic or non-automatic ways, recording, storing, modifying, deleting or destroying, re-formatting, declaring personal data or making personal data "obtainable" in other ways, transferring personal data to third persons; marking or classifying personal data or preventing the use of personal data so as to restrict the use thereof, are all defined as "processing of personal data". Processing of personal data may only be performed in accordance with the Draft Law on Personal Data Protection. When the Draft Law comes into force, the mentioned uses and processes of personal data must be conducted strictly under the provisions of the Draft Law and non-compliance may result in criminal liability.
There are three exceptions in the Draft Law on Personal Data Protection to the imposition of criminal sanctions arising from the processing of personal data: (i) personal data collection and recording based on the owner's open consent (ii) processing, transferring to third persons or publishing personal data for the purposes of conducting researches and statistical studies or planning provided that the personal data are in anonymous form, and (iii) lawful legal acts as listed in detail in Article 6 of Draft Law on Personal Data Protection.
2.2 Draft Law Regulating Electronic Commerce
The Draft Law on Regulating Electronic Commerce defines electronic communication as the "transfer of messages consisting of data, sounds and images; by the use of electronic devices such as telephones, faxes, automatic search engines, e-mails, SMS (short message services) for the purposes of direct marketing, advertising, introducing, promoting, fundraising, research, propaganda or transferring sexual content."
The Draft Law requires that the written or electronic consent of the addressee be present beforehand, and otherwise forbids the transfer of commercial electronic messages. Tradesmen and craftsmen are excluded from this restriction.
Commercial electronic messages' content must be in accordance with the prior consent of the addressee. Also, the identification and contact information of the sender, as well as the subject, purpose of the message; and where applicable, in the case of a message being sent on behalf of a third person, information on the person, must be included within the message.
Receivers may at any time, and without having to show any reason, refuse further communication. The sender must ensure that the refusal notification can be easily made and without charge; and also indicate where the refusal notification should be sent within the message.
The Draft Law also requires operators to protect the data they collect and abide by the privacy rules. However, it does not contain any references to the Turkish Criminal Code and imposes only administrative fines for violations.
2.3 Draft Law on Commercial Secrets, Banking Secrets and Customer Secrets
The Draft Law on Commercial Secrets, Banking Secrets and Customer Secrets covers commercial, banking and customer secrets of public organizations as well as banks, companies in the businesses of producing all types of commercial services, insurance companies, and trade facilities of various nature and brokerage houses. Again, the Draft Law provisions govern the acquisition of data to the usage of it.
"Customer secrets mean personal, economic, financial and credit status data collected by trade facilities and companies about their customers (...) concerning their activities during the course of the relationship with the customer"
Putting aside data and documents already known by the public or data made public based on the relevant person's consent or as a result of legislative statutes; the unlawful declaring, disclosing, transferring and using of personal data is punishable under Article 239 of Turkish Criminal Code.
3. Conclusion
It is advisable that concerned businessmen take into consideration the legal framework explained above, and addressees' written consent is obtained before processing personal data, e.g. e-mail addresses; or sending direct marketing, advertisement and similar messages thereto, as well as using best practices with respect to data protection.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
