Information and Communication Technologies Authority of Turkey (“ICTA”) has recently issued the Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector (“Regulation”), bringing out critical arrangements in terms of standards of personal data processing, further obligations of the operators and additional opportunities provided to the user/subscribers in the electronic communications sector.

The Regulation introduces certain definitions such as “explicit consent” in regard to the Personal Data Protection Law numbered 6698 (“Law No. 6698”). Accordingly, explicit consent means any consent that is given with free will and based on information regarding a certain subject. The Regulation adopts further definitions such as "user" meaning that a real person or legal entity benefiting from the electronic communication services, regardless if they are a subscriber or not. Whereas a "subscriber" means a real person or legal entity who is a party to a contract for the provision of electronic communication services by an operator under the Regulation. By thus, unlike previous regulations in terms of personal data processing, the terms of "user" and "subscriber" also involve legal entities by virtue of the Regulation.

Obtaining the Explicit Consent

Following to the Regulation, operators providing electronic communication network and operating infrastructure or servicing electronic communications in terms of authorization, are subject to several conditions while obtaining explicit consent from user/subscriber(s):

  • The statement of explicit consent in a specific issue is obtained before the transaction. General consents that are not limited to any other subject and not related to the relevant transaction are not accepted.
  • The statement of explicit consent must be given with free will.
  • The user/subscriber is informed regarding the scope, purpose, duration, types of personal data and spatial data to be processed before obtaining the explicit consent.
  • The statement of explicit consent including “yes/accept/consent” is obtained electronically or in writing subsequent to the information.
  • Records indicating statements of explicit consent must be retained pursuant to the provisions of the Regulation.

If operators violate these obligations, the ICTA is authorized to impose an administrative fine up to 3% of the operators' net sales in the previous calendar year.

Exceptional Provisions Regarding Obtaining the Explicit Consent

As per the Regulation, operators are not subject to condition of obtaining explicit consent from user/subscriber(s) in transactions of establishing a subscription and providing basic electronic communication services or devices. On the other hand, statement of explicit consent can be requested from the subscriber/user for additional benefits such as gift minutes, short message services and data.

Additionally, in case that the traffic and spatial data are subject to third party transfer, followings are subject to information and separate statement of explicit consent: (i) information regarding the scope of the transferred data, (ii) full address and name of the transferred party, (iii) purpose and duration of the transfer, (iv) the name of the country where the transferred party is in abroad.

The Regulation also stipulates that, statement of explicit consent cannot be combined with the acceptance of a contract or service, or statement of free will for marketing purposes, communication, approval, confirmation, and similar legal transactions.

Security Issues

The Regulation elaborates the obligations of operators in terms of security issues and thus, stipulates that they are obliged to retain transaction records regarding access for personal data and other related systems for two years.

Moreover, the Regulation brings additional responsibilities to operators including, ensuring the confidentiality, security, integrity, accessibility and use of the data obtained within the scope of the services they provide, including the violation of the provisions of the Regulation by the parties they authorize.

Opportunities Provided to User/Subscriber(s)

The Regulation also establishes caller ID blocking. Operators are obliged to provide user/subscriber(s) the opportunity to hide their phone numbers, and the opportunity to hide their phone numbers for incoming calls, via a simple and free method. Operators are also obliged to give subscribers/users the opportunity to end an automated redirected call through a simple and free method correspondingly.

The Regulation stipulates that, operators shall provide the opportunity to revoke the explicit consent of subscribers/users through text messages, call centers, internet, and similar methods, always free of charge, through the same or a simpler method.

Consents Obtained re Previous Regulations

The Regulation enlightens that, the consents obtained in accordance with the law before the effective date of this Regulation are deemed valid. However, if the processing of personal data continues without the explicit consent of the parties whose data is processed by obtaining their consent before the effective date of this Regulation, such process is stopped within one month following the effective date of this Regulation.