Data protection is an important key to maintain the
consumer's trust to e-commerce environment. E-Commerce Law and
two secondary legislations based on the foregoing law are
introduced in Turkey in 2015. Recent e-commerce consumer reports
show that data protection and security concerns are known to be the
most significant concerns of consumers, keeping them away from
online sales. For example, this year's consumer scoreboard of
the EU Commission shows that there is still an underdeveloped
cross-border e-commerce market in Europe, which is stated to be
directly related with the consumer confidence. E-commerce service
providers are gathering a massive amount of personal information
from consumers and both governments and companies establish new
measures to handle the data gathered from e-commerce activities.
Recently enacted e-commerce legislations in Turkey introduce
specific data protection and security measures for e-commerce
service providers and intermediary service providers, which
increases the expectation to boost the participation of customers,
in the absence of a dedicated data protection law in Turkey.
The Regulation on Service Providers and Intermediary Service
Providers in Electronic Commerce is published in Official Gazette
on August 26, 2015 ("Service Providers Regulation"). The
Regulation is secondary legislation, enacted based on Law No. 6563
on Regulation of Electronic Commerce. The Service Providers
Regulation sets forth the obligations for service providers and
intermediary service providers with respect to their electronic
commerce activities. Intermediary service providers are defined as
the entities which provide electronic environment to service
providers for their economic and commercial activities. Service
providers and intermediary service providers are responsible for
maintaining and taking necessary measures to prevent access and
processing of personal data acquired during their business.
The Regulation on Commercial Communication and Commercial
Electronic Communications ("Regulation on Commercial
Communication"), also covering protection of personal data,
constitutes the second pillar of this structure. This regulation
states that service providers and intermediary service providers
are responsible for protection of the personal data and should take
possible steps to prevent illegal use of personal data. Data
owner's consent should be obtained in order to share the
personal data with third parties, process or use the data for other
purposes. The records pertaining to commercial electronic
communications should be kept by the service providers for one year
and should be provided to the Ministry of Customs and Trade, if
Ministry of Customs and Trade is authorized to supervise and
evaluate the consumer requests with respect to the aforementioned
e-commerce matters and impose fines in case of a violation.
Therefore, the data protection concerns of customers will have a
Aforementioned secondary legislations do not introduce the
details of the principles for processing personal data. In this
respect, general rules and principles with respect to processing of
personal data under Turkish law apply. These rules and principles
are established by Supreme Court decision, in the absence of a
specific data protection law. Therefore, e-commerce service
providers should take into account that personal data should be (i)
processed based on the consent of the respective person, (ii) fit
the purpose for gathering the data and be sufficient and
proportionate to that purpose, (iii) be accurate and updated when
necessary and (iv) be stored in a manner indicating the identities
of the respective persons and stored as long as it is necessary for
the purpose of its reprocessing.
In order to maintain the foregoing principles, e-commerce
service providers may form a data protection policy within their
enterprises, review and update those policies on a regular
basis. Along with the policies, it is recommendable that the
companies which conduct e-commerce activities (i) to train their
employees on data protection and privacy and why it is important,
(ii) to limit the number of the employees who may access to the
database, only with the persons who need to use the personal data
for e-commerce services, and (iii) to collect the information which
is required to provide the e-commerce services.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In this article Filippo Noseda examines the impact of the Common Reporting Standards (CRS), based on practical examples of data transfer and data breaches and analysed in the light of general tax law principles.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.
The market of the so-called "connected vehicles" has been considerably growing since 2015. According to a recent study by AlixPartners, 78 million of connected vehicles will be commercialized in 2018, generating a EUR40 billion turnover.
Some comments from our readers The articles are extremely timely and highly applicable I often find critical information not available elsewhere As in-house counsel, Mondaqs service is of great value
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think youve read our Disclaimer).