Open menu
07December2020

Regulation on Protection of Personal Data in Electronic Communications Sector Has Been Published

Regulation on Protection of Personal Data in Electronic Communications Sector Has Been Published

The Regulation on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector ("Regulation") was published in the Official Gazette dated 4.12.2020 with no. 31324. The Regulation regulated within the scope of Electronic Communications Law Numbered 5809 ("Law"), and sets forth the terms and conditions to be followed by the operators who operate in the electronic communications sector in terms of the data they obtain within the scope of providing electronic communications services, including legal person subscriptions.

The regulation covers companies that provide electronic communication services and/or provide electronic communication networks and operate their infrastructure within the framework of authorization ("Operator"). The featured statements in the Regulation are as follows:

1. Principles

  • In the Regulation, the principles included in the Personal Data Protection Law numbered 6698 ("KVKK") are adopted for the privacy and protection of personal data.
  • It is essential not to take traffic and location data related to electronic communication abroad for national security purposes.

2. Measures to be Taken for Security and Notification of Risk and Violations

  • In order to ensure the security of personal data, all kinds of technical and administrative measures required in accordance with the measures stipulated in KVKK and the Law, and national and international standards will be taken with the risk-based approach.
  • When deemed necessary, the Information Technologies and Communication Authority may request information and documents from the operators regarding the security measures taken, impose administrative sanctions and request changes in the said security measures.
  • Operators will keep transaction records regarding the access to data-related systems and personal data for 2 years.
  • Operators will be responsible for compliance with the Regulation, confidentiality, security, integrity, accessibility of data and purpose limitation of data processing.
  • When there is a risk threatening the security of the service, the relevant subscriber users will be informed; in case of a personal data breach, the breach in question will be notified to the Personal Data Protection Authority and the relevant subscriber/users as soon as possible, by providing the conditions stipulated in KVKK. You can find the conditions of KVKK on relevant issue here.

3. Conditions of Explicit Consent

  • In cases where explicit consent is required, explicit consent will be obtained prior to the transaction and will be limited to a specific issue.
  • Consent will not be subject to a precondition such as the provision of the service and it will be ensured to be freely given.
  • Clear and understandable information about the type of personal data to be processed and the types of traffic and location data, its scope, the purpose and duration of processing will be given to the data subject before obtaining the consent, in the text using characters of at least 12 font size.
  • After the notification, the declaration of the subscriber/user as "yes/approval/acceptance" can be received in written or electronic environment. This approval cannot be combined with a declaration of intent for a different transaction, such as the agreement or acceptance of the service.
  • These explicit consent records will be kept at least during the subscription period.
  • Information obligation will be fulfilled with the conditions in KVKK.
  • Subscribers/users will always be able to withdraw their explicit consent free of charge, using the same or a simpler method.
  • Operators will inform subscribers /users that their data has been processed within the scope of their explicit consent, in the third quarter of each year. Otherwise, data processing activities within the scope of explicit consent previously given will be stopped until the notification is made.

4. Administrative Fines and Sanctions

In case the operators do not fulfill the obligations determined by the Regulation, the provisions of the Regulation Information Technologies and Communication Authority Administrative Sanctions will be applied.

5. Force

The Regulation will enter into force on 4.06.2021, six months after its publication.

You can find the full text of the Regulation here (in Turkish).

You can contact us for support and further information.

Author CottGroup Hukuk ve Mevzuat Ekibi, Category Personal Data Protection Law

  • Notification!

    The content in this article is for general information purposes only and belongs to CottGroup® member companies. This content does not constitute legal, financial, or technical advice and cannot be quoted without proper attribution.

    CottGroup® member companies do not guarantee that the information in the article is accurate, up-to-date, or complete and are not liable for any damages that may arise from errors, omissions, or misunderstandings that the information may contain.

    The information presented here is intended to provide a general overview. Each specific case may require different assessments, and this information may not be applicable to every situation. Therefore, before taking any action based on the information provided in the article, it is strongly recommended that you consult a competent professional in the relevant fields such as legal, financial, technical, and other areas of expertise. If you are a CottGroup® client, do not forget to contact your client representative regarding your specific situation. If you are not our client, please seek advice from an appropriate expert.

    To reach CottGroup® member companies, click here.

About The Author

/tr/mevzuat/item/elektronik-haberlesme-kisisel-verilerin-korunmasina-iliskin-yonetmelik

Other Legislation

Lets start
Get a quote for your service requirements.

Would you like to know more
about our services?