Turkey: Regulation On Protection Of Personal Data In Electronic Communications Sector Has Been Published

1. Principles

• In the Regulation, the principles included in the Personal Data Protection Law numbered 6698 ("KVKK") are adopted for the privacy and protection of personal data.
• It is essential not to take traffic and location data related to electronic communication abroad for national security purposes.

2. Measures to be Taken for Security and Notification of Risk and Violations

• In order to ensure the security of personal data, all kinds of technical and administrative measures required in accordance with the measures stipulated in KVKK and the Law, and national and international standards will be taken with the risk-based approach.
• When deemed necessary, the Information Technologies and Communication Authority may request information and documents from the operators regarding the security measures taken, impose administrative sanctions and request changes in the said security measures.
• Operators will keep transaction records regarding the access to data-related systems and personal data for 2 years.
• Operators will be responsible for compliance with the Regulation, confidentiality, security, integrity, accessibility of data and purpose limitation of data processing.
• When there is a risk threatening the security of the service, the relevant subscriber users will be informed; in case of a personal data breach, the breach in question will be notified to the Personal Data Protection Authority and the relevant subscriber/users as soon as possible, by providing the conditions stipulated in KVKK. You can find the conditions of KVKK on relevant issue here.

3. Conditions of Explicit Consent

• In cases where explicit consent is required, explicit consent will be obtained prior to the transaction and will be limited to a specific issue.
• Consent will not be subject to a precondition such as the provision of the service and it will be ensured to be freely given.
• Clear and understandable information about the type of personal data to be processed and the types of traffic and location data, its scope, the purpose and duration of processing will be given to the data subject before obtaining the consent, in the text using characters of at least 12 font size.
• After the notification, the declaration of the subscriber/user as "yes/approval/acceptance" can be received in written or electronic environment. This approval cannot be combined with a declaration of intent for a different transaction, such as the agreement or acceptance of the service.
• These explicit consent records will be kept at least during the subscription period.
• Information obligation will be fulfilled with the conditions in KVKK.
• Subscribers/users will always be able to withdraw their explicit consent free of charge, using the same or a simpler method.
• Operators will inform subscribers /users that their data has been processed within the scope of their explicit consent, in the third quarter of each year. Otherwise, data processing activities within the scope of explicit consent previously given will be stopped until the notification is made.

4. Administrative Fines and Sanctions

In case the operators do not fulfill the obligations determined by the Regulation, the provisions of the Regulation Information Technologies and Communication Authority Administrative Sanctions will be applied.

5. Force

The Regulation will enter into force on 4.06.2021, six months after its publication.

You can find the full text of the Regulation here (in Turkish).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.