The Regulation on the Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector (“the Regulation“) was published by the Information and Communication Technologies Authority (“the Authority“) in the Official Gazette dated December 4, 2020.
The Regulation sets forth the procedures and principles to be complied with regards to personal data obtained within the scope of electronic communication services.
The Regulation will enter into force on 4 June 2021, six months after its publication. The Regulation includes the following:
1. Who is in the scope of the Regulation?
Authorized operators operating in the electronic communication sector fall within the scope of the Regulation (such as GSM operators, internet service providers, infrastructure service providers, cable broadcast service providers, satellite communication service providers).
Legal entity subscriptions (in other words, personal data obtained within the scope of legal entity subscription) are also covered by the Regulation.
2. Who are the Operator, Subscriber and User under the Regulation?
Operator: Is the company that provides authorized electronic communication services and/or provide electronic communication networks and operates its infrastructure in accordance with the Authorization Regulation Regarding Electronic Communication Sector.
Subscriber: Is a real or legal person who is a party to an electronic communication service contract with an operator.
User: Refers to the real or legal person who benefits from electronic communication services, regardless of a subscription. For example, employees using the Company line are users, even though they are not subscribers. They are considered as both subscribers and users for their own personal GSM lines.
3. What does the traffic data and location data specified in the Regulation mean?
Traffic Data: Any data processed for communication or invoicing in an electronic communication network. For example, the parties in phone calls or the duration of the call.
Location Data: Is the specific data that determines the geographical location of the device belonging to the public electronic communication service user and processed in/through the electronic communication network.
4. What are the obligations envisaged for the operators under the Regulation?
The regulation stipulates obligations to the operators on the following issues:
a. Obligations to ensure the security of data.
b. Obligations stipulated in cases of security risks and data breaches.
c. Obligation to inform subscribers/users.
d. Obligations to be complied with when obtaining explicit consent of data subjects.
e. Obligations to be complied with after explicit consent is obtained.
a. Obligations to ensure data security
– Operators must ensure that personal data can only be accessed by authorized persons.
– Operators must ensure the security of the systems where personal data are stored and the applications used to access this data.
– Operators must determine the security policies regarding processing of personal data.
– Operators are obliged to store the transaction records of access to personal data and other related systems for 2 (two) years.
– Operators must take technical and organizational measures in accordance with Electronic Communication Law, the Law on the Protection of Personal Data and national and international standards in order to ensure the security of personal data and the services they provide.
– Operators are also responsible for ensuring that the parties they authorize (e.g. service providers) also meet data security obligations within the scope of this Regulation.
The Authority may request from the operators information and documents regarding the systems where the personal data is stored and the measures taken to secure personal data, and may also request reports of changes in such security measures.
Operators are required to take all necessary technical and organizational measures to ensure data security within the scope of both the Regulation and the Law on the Protection of Personal Data numbered 6698 (“Law No. 6698”).
Obligations stipulated by the Regulation within the scope of data security (prevention of unauthorized access to personal data, storage of access logs, ensuring the security of the environments where data is stored and creating security policies) are in line with the technical and organizational measures specified in the guidelines and opinions of the Personal Data Protection Authority. The Regulation states that security policies should be determined within the framework of data processing principles stipulated in Law No. 6698. In this context, it is important that such policies include data processing principles and the procedures and rules to be complied for compliance with these principles.
Operators are also responsible for ensuring data security of the parties they authorize. In this context, contracts/protocols about transfer of personal data should be signed with the authorized parties, and mechanisms such as audits and breach notifications should be determined in order to ensure that the relevant party processes data lawfully.
The Regulation stipulates compliance with national and international standards as well as legislative regulations for technical and organizational measures to be taken to ensure data security. In this context, Operators should follow up-to-date data security practices at national and global scale in terms of ensuring personal data security.
The Authority may request information and documents from the operators for compliance checks. Therefore, in case of a possible Authority request/audit, the operators must be ensure that the policies/procedures regarding the processing and protection of personal data are complete and up-to-date. Data security measures mentioned in the Regulation should be included in such policies/procedures.
b. Obligations stipulated in cases of security risks and data breaches
Liabilities of operators in case of risk to the security of personal data and personal data breaches are regulated in Article 7 of the Regulation.
Risk à are the risks that threaten the security of the operators’ networks and services.
Breach à refers to a security breach that causes unlawful, unauthorized or unintentional destruction, deletion, loss, transmission, modification, storage, recording, processing, disclosure or access to personal data.
The Law on Protection of Personal Data No.6698 stipulates the obligation to notify the Personal Data Protection Authority and the data subjects only in case of data breach. However, the Regulation also regulates the obligation to notify subscribers/users in case of a security risk.
Operators’ responsibilities regarding security risks and data breaches are as follows:
– In the event of a specific risk that threatens the security of their networks and the services they offer, operators are obliged to inform subscribers/users about the risk within the shortest time.
– If the risk falls outside the measures taken by the operator, the operator is obliged to inform the subscribers/users about the scope of the risk and the methods of elimination within the shortest time.
– In the event of a personal data breach, operators shall notify the Authority (ICTA), the Personal Data Protection Authority, and subscribers/users within the shortest time in accordance with the Law No. 6698 and the relevant legislation.
Different from Law No.6698, the Regulation stipulates notification to subscribers/users not only for data breaches but also for security risks. In this context, even if there is no personal data breach, subscribers/users will need to be informed about the relevant security risk.
The purpose of this notification is to prevent the negative consequences of possible security violations by taking the necessary measures by the subscribers/users. In this context, the Operator should also inform the subscribers/users about the measures to be taken within the scope of the relevant risk (such as password renewal measures).
c. Obligation to inform subscribers/users
i. Obligation to inform while obtaining explicit consent
Subscribers/users should be informed clearly on the following issues before their explicit consent is obtained:
– The type of personal data to be processed, the types of traffic and location data, and the scope of the processing,
– The purposes and duration of the processing,
– How explicit consent can be withdrawn.
In addition, if this information is submitted in writing, the size of the information notice text must be at least twelve (12).
The Regulation stipulates specific requirements that must be fulfilled while obtaining explicit consent, which differ from Law No. 6698. In this context, subscribers/users should be informed about the issues (such as purposes and legal grounds of data processing) as well as what types of personal data will be processed, the duration of the data processing, and the methods of withdrawing explicit consent.
Explicit consent forms to be submitted to subscribers/users will need to be prepared in line with these requirements. Ambiguous or general expressions should be avoided when specifying the duration of data processing. General Data Protection Regulation (“GDPR”) stipulates that while the data subject is informed, information should be given about the “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”. In line with the GDPR, the duration of the processing stipulated by the Regulation can be interpreted as “exact processing period if possible; if not, the criteria for determining this period”. However, in the upcoming period, the Authority may request to indicate the exact processing period in line with its practices and opinions regarding the Regulation.
While specifying the methods of withdrawing explicit consent, detailed steps that make it difficult to withdraw consent should not be stipulated. The person should be able to withdraw her/his consent easily (with the method she/he gave consent or in a simpler way). These methods should be clearly stated in the information notices.
ii. Information obligation in terms of traffic and location data
Without prejudice to the provisions of the Law numbered 6698, in cases where traffic or location data are processed, the operator is obliged to inform subscribers/users about the types of traffic or location data, the purpose and duration of the processing.
In order to transfer traffic or location data to third parties, explicit consent must be obtained by providing information on the following issues:
– The scope of the data to be transferred,
– The name and full address of the party to which data will be transferred,
– The purposes of the transfer and its duration,
– If the third party is abroad, the country to which the data will be transferred.
If there is a change in this information, the person must be informed again and his/her explicit consent must be obtained again.
Electronic communications legislation handles traffic and location data separetely due to their nature and stipulates specific regulations for these data. The Regulation has introduced additional rules that must be complied where these two data will be processed. It is recommended that the information and consent forms submitted in cases where traffic or location data will be processed, should be reviewed in line with the additional requirements of the Regulation.
The Regulation stipulates special conditions for information obligation regarding traffic or location data. In cases where traffic or location data will be processed, information should be given about the types of data to be processed and the duration of the processing, as well as the minimum elements under Law No. 6698. Information notices will therefore need to include these elements.
Specific requirements are stipulated in cases where traffic or location data will be transferred to third parties. If the traffic or location data is to be transferred to parties within the country or outside the country, the name and address of these parties must be clearly stated. If the party is abroad, the foreign country where it is located must be stated. Consent will be required by providing specific information about the scope and duration of the data transfer.
d. Obligations to be complied with when obtaining explicit consent
According to Article 51 of the Electronic Communications Law No. 5809, Operators can only use the personal data of subscribers/users by obtaining their explicit consent, except for the provision of communication. In addition, traffic and location data can be transferred abroad only with the explicit consent of the data subjects.
The regulation stipulates specific regulations on how to obtain explicit consent in cases where explicit consent is required:
– Explicit consent should be obtained on a specific issue before the relevant transaction.
– Explicit consent must be given freely. However, explicit consent can be requested from the subscriber/user in exchange for additional benefits such as gift minutes, messages and data. The additional benefit to be provided should not affect the freely given element of the explicit consent. There should be no serious/ unbalanced consequence for those who do not give their consent.
– It should be ensured that the given explicit consent can always be withdrawn free of charge with the same method or a simpler method.
Explicit consent can be obtained in written or electronic form. Giving explicit consent cannot be bound by the provision of the service or the approval of marketing communications. Explicit consent cannot be combined with declarations of will/consent in different transactions.
Providing additional benefits such as gift minutes and messages while requesting explicit consent is an issue discussed in practice but not included in Law No.6698 or other regulations on the protection of personal data. This Regulation clearly states that additional benefits can be provided while asking for explicit consent. Care should be taken that the additional benefit to be provided does not affect the element of “freely given”. Additional benefits should not be offered in a way that will have serious consequences for those who do not consent, or that may mislead the person, or affect her/his free will. Otherwise, the consents may be deemed invalid.
The Regulation stipulates that explicit consent cannot be combined with different transaction statements/consents. In this context, it has been clearly emphasized that marketing communication approvals, which are frequently encountered in practice (statements such as I want to be informed about the company’s products) and consent for processing of personal data cannot be combined. Matters requiring consent cannot be combined in a single text/consent, they will need to be asked separetely.
e. Obligations to be complied after explicit consent is obtained
The operator must regularly inform all subscribers/users whose personal data are processed within the third quarter of each year that their personal data are processed within the scope of their explicit consent. In the event that the said notification cannot be made, the activities within the scope of the explicit consent should be stopped until the notification is made.
Explicit consents are valid during the subscription period. In case the subscription is terminated, all explicit consents given before are deemed to be withdrawn if the subscriber does not request otherwise.
Records of explicit consent must be stored during the minimum subscription period (other legislation provisions are reserved).
Consents obtained in accordance with the law before the publication date of the Regulation will be considered valid. In the event that the processing of personal data continues despite the termination of the subscription, this data processing will be stopped within one (1) month from the publication date of the Regulation.
The Law No. 6698 regulates that the data subjects must be informed while their personal data are collected. The Regulation, unlike the Law No. 6698, stipulates the Operators’ obligation to inform regularly where explicit consent is obtained. Operators will be notifying subscribers/users that they have processed their personal data within the scope of the explicit consent previously given, between July and September of each year. It is important to make this information, otherwise data processing activities carried out within the scope of the data subject’s explicit consent have to be terminated.
The Regulation introduced a specific provision regarding the validity period of explicit consent. Law No. 6698 does not include a special provision regarding the expiration of explicit consent. As a rule, explicit consent will remain valid until it is withdrawn (when determining the validity period of the consent, the scope of the consent, the predictability of data processing by the data subject should also be taken into account). According to the Regulation, explicit consent will be valid during the subscription period, and data processing activities that require explicit consent will need to be terminated with the termination of the subscription.
The Regulation states that consents previously obtained in accordance with the law will be deemed valid. However, if there are subscribers/users whose subscription has ended as of June 2021 but whose data are still being processed, such data processing activities will have to be terminated by July 2021 if they rely on explicit consent. In this context, it should be accepted that the data subject’s consent (if consent is not obtained again) is withdrawn.
5. What are the other issues regulated by the Regulation?
– Operators will provide the opportunity to hide the calling user’s number with free and simple methods, except for emergency calls.
– Operators will allow subscribers/users to stop automatic redirects from third parties with free and simple methods.
– Operators will ensure that some sections of the phone numbers included in the usage details or detailed invoices are hidden, if the subscribers request.
6. What are the sanctions to be applied when operators do not fulfill the abovementioned obligations?
In case the operators do not fulfill the obligations determined by this Regulation, the provisions of the Information and Communication Technologies Authority Administrative Sanctions Regulation will be applied. In accordance with the Administrative Sanctions Regulation:
In the following cases, administrative fines up to three percent (3%) of net sales in the previous calendar year will be imposed:
– In the case that the obligation to ensure that personal data can only be accessed by authorized persons and the safety of the systems where the personal data is stored and the applications used to access personal data are not fulfilled,
– In the case that the obligation to store or delete the traffic data of the subscribers/users is not fulfilled within the foreseen period,
– In the case that the obligations regarding the processing of traffic data and location data are not fulfilled,
– In case that personal data is destroyed, lost, altered or stored in another media, processed, disclosed involuntary, unauthorized or illegally,
– In case the obligations regarding the protection of personal data are not fulfilled,
– In case the obligation to keep detailed transaction records for the period determined in the relevant legislation, regarding all access to personal data and other related systems and the transactions performed by person who is authorized to access data, is not fulfilled,
– In case of violation of other obligations regulated in the relevant legislation regarding the processing and confidentiality of personal data.
In addition to the sanctions to be imposed by the Authority regarding the above-mentioned issues, Personal Data Protection Authority may also impose administrative fines of up to TRY 1,966,861 – aproxx. € 210.819 (which can be increased in case of multiple violations) as of 2021.