Regulation on Protection of Personal Data in Electronic Communications Sector Has Been Published
The Regulation on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector ("Regulation") was published in the Official Gazette dated 4.12.2020 with no. 31324. The Regulation regulated within the scope of Electronic Communications Law Numbered 5809 ("Law"), and sets forth the terms and conditions to be followed by the operators who operate in the electronic communications sector in terms of the data they obtain within the scope of providing electronic communications services, including legal person subscriptions.
The regulation covers companies that provide electronic communication services and/or provide electronic communication networks and operate their infrastructure within the framework of authorization ("Operator"). The featured statements in the Regulation are as follows:
- In the Regulation, the principles included in the Personal Data Protection Law numbered 6698 ("KVKK") are adopted for the privacy and protection of personal data.
- It is essential not to take traffic and location data related to electronic communication abroad for national security purposes.
2. Measures to be Taken for Security and Notification of Risk and Violations
- In order to ensure the security of personal data, all kinds of technical and administrative measures required in accordance with the measures stipulated in KVKK and the Law, and national and international standards will be taken with the risk-based approach.
- When deemed necessary, the Information Technologies and Communication Authority may request information and documents from the operators regarding the security measures taken, impose administrative sanctions and request changes in the said security measures.
- Operators will keep transaction records regarding the access to data-related systems and personal data for 2 years.
- Operators will be responsible for compliance with the Regulation, confidentiality, security, integrity, accessibility of data and purpose limitation of data processing.
- When there is a risk threatening the security of the service, the relevant subscriber users will be informed; in case of a personal data breach, the breach in question will be notified to the Personal Data Protection Authority and the relevant subscriber/users as soon as possible, by providing the conditions stipulated in KVKK. You can find the conditions of KVKK on relevant issue here.
3. Conditions of Explicit Consent
- In cases where explicit consent is required, explicit consent will be obtained prior to the transaction and will be limited to a specific issue.
- Consent will not be subject to a precondition such as the provision of the service and it will be ensured to be freely given.
- Clear and understandable information about the type of personal data to be processed and the types of traffic and location data, its scope, the purpose and duration of processing will be given to the data subject before obtaining the consent, in the text using characters of at least 12 font size.
- After the notification, the declaration of the subscriber/user as "yes/approval/acceptance" can be received in written or electronic environment. This approval cannot be combined with a declaration of intent for a different transaction, such as the agreement or acceptance of the service.
- These explicit consent records will be kept at least during the subscription period.
- Information obligation will be fulfilled with the conditions in KVKK.
- Subscribers/users will always be able to withdraw their explicit consent free of charge, using the same or a simpler method.
- Operators will inform subscribers /users that their data has been processed within the scope of their explicit consent, in the third quarter of each year. Otherwise, data processing activities within the scope of explicit consent previously given will be stopped until the notification is made.
4. Administrative Fines and Sanctions
In case the operators do not fulfill the obligations determined by the Regulation, the provisions of the Regulation Information Technologies and Communication Authority Administrative Sanctions will be applied.
The Regulation will enter into force on 4.06.2021, six months after its publication.
You can find the full text of the Regulation here (in Turkish).
You can contact us for support and further information.