NEW REGULATION ON PROCESSING OF PERSONAL DATA IN ELECTRONIC COMMMUNICATIONS SECTOR PUBLISHED 23 December 2020

REGULATION ON OF PERSONAL DATA IN ELECTRONIC COMMUNICATIONS SECTOR (“The Regulation”) was published in the Official Gazette dated 4 December 2020 and numbered 31324. The Regulation regulates the procedures and principles for the processing of personal data and protection of privacy in the electronic communications sector, and aims to ensure the protection of privacy and fundamental rights and freedoms of individuals.

What did the regulation bring with it?

The Regulation regulates the procedures and principles that the operators operating in the electronic communications sector will comply with in terms of the data they obtain within the scope of providing electronic communication services to legal and natural person subscribers.

With this Regulation, principles have been introduced in parallel with the Personal Data Protection Law No. 6698 (“DPL”), which must be followed in the processing of personal data. In addition to these principles that are in line with the law, a separate situation has been brought at this point. It is essential that traffic and location data be not transferred outside Turkey for national security reasons.

With the regulation, the obligation of the Operators to ensure the security of the personal data of their subscribers or users has been brought. In this context, Operators are obliged to take all necessary measures in accordance with the national and international standards regarding the protection of these data, provided that they keep the minimum measures specified in the Regulation in any case.

The Information Technologies and Communication Authority ("Authority") may request information and documents from the operators and request changes in measures. Another obligation imposed on operators here is the obligation of the operators to keep their records regarding access to personal data and other related systems for two years.

Operators will also notify the Information Technologies Authority in addition to the Personal Data Protection Authority, subscribers or users in case of any personal data breach.

In cases requiring explicit consent, some additional conditions have been introduced to the conditions specified in the DPL. It is also clearly regulated in the Regulation that express consent can be requested from the subscriber/ user in exchange for additional benefits such as gift minutes, SMS and data.

The regulation states that the explicit consent of the subscriber/ user must be obtained in written or electronic form and that the records regarding this will be kept for the minimum subscription period. In addition, operators will remind relevant subscribers/ users in the third quarter of each year for processing purposes based on explicit consent. Otherwise, personal data processing activity based on explicit consent will be stopped until notification is made.

The Regulation also stipulates that the explicit consent given by the subscriber will be automatically withdrawn if the subscription is terminated as of the expiration date, unless otherwise requested by the subscriber.

In cases where traffic and location data are transferred to third parties, it is stipulated to also obtain explicit consent by including the data specified within the scope of subparagraph e of paragraph 1 of Article 8 of the Regulation.

In cases where traffic and location data can be processed, the operators are obliged to inform the subscribers/ users about the types, processing purposes and periods of these data and the scope of the information obligation specified in the DPL has been expanded specifically for these data.

It has been stated that if the operators violate their obligations specified in this Regulation, sanctions in the form of administrative fines and cancellation of their authorization will be applied by the Authority in accordance with the Administrative Sanctions Regulation.

The Regulation will enter into force six months after its publication in the Official Gazette, in other words, on June 4, 2021.

As a result, with this Regulation published, additional obligations have been imposed on the operators providing electronic communication services within the scope of personal data, and it is planned to secure the personal data of subscribers / users with these obligations. In this context, complying with the provisions of this Regulation while processing personal data of the operators in this sector will prevent them from facing any administrative sanctions.

 

Other News