Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector was Published

The Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector (“Regulation”), prepared by the Information and Communication Technologies Authority (“ICTA”), was published in the Official Gazette dated December 4, 2020. The Regulation will enter into force on June 4, 2021, and the regulation dated July 27, 2012, which previously regulated the processing of data in the electronic communications sector, has been abrogated.

The Regulation sets forth the procedures and principles to be followed by operators that operate in the electronic communications sector and are authorized by ICTA, with respect to the data they collect in the course of providing electronic communications services, including data of their legal person subscribers. The Regulation prescribes certain new sector-specific obligations for operators in addition to those already existing under the Law on Protection of Personal Data No. 6698 (“DPL”) and the secondary legislation. The major issues addressed by the Regulation are the principles applicable to the processing of personal data, the security measures to be taken by operators, risk and data breach notifications, the conditions to be fulfilled by operators when obtaining explicit consent, the domestic and cross-border transfer of traffic and location data and the obligation to inform regarding such data, the hiding of numbers, automatic call forwarding, and other rights that can be exercised by subscribers and users.

The significant issues set forth under the Regulation are summarized as follows:

  • The Regulation defines “subscribers” and “users”. A “subscriber” is a real or legal person who is a party to a contract for the provision of electronic communication services by an operator, whereas a “user” is a real or legal person benefiting from the electronic communication services, regardless of whether that person is a subscriber. Accordingly, processing activities concerning the data of not only real person users and subscribers, but also legal person users and subscribers, are within the scope of the Regulation.
  • The Regulation adopts the principles applicable to the processing of personal data stipulated under the DPL and, additionally, it basically forbids the cross-border transfer of traffic and location data and provides for the storage of traffic and location data within Turkey.
  • In order to ensure that personal data and the services provided are secure, operators are obliged, in accordance with technological capabilities and potential risks, to take all kinds of technical and administrative measures, to determine security policies with respect to the processing of personal data, and to keep records of access to personal data and other relevant systems for two years. ICTA is entitled to request information and documents from operators regarding these measures and to request modifications to the measures.
  • Operators are obliged to notify security risks and data breaches. If a security risk arises, operators shall inform their subscribers and users of that risk and, if the risk falls outside the measures taken, of its scope and the methods for eliminating it, as soon as possible. Additionally, if a data breach occurs, operators shall inform ICTA, their users and their subscribers as soon as possible, in addition to making the data breach notification set forth under the DPL.
  • Certain obligations are imposed on operators in cases where explicit consent must be obtained from subscribers and users. Before obtaining explicit consent, operators shall clearly and comprehensively inform their subscribers and users of the type, scope, purpose and duration of the processing and of the type of traffic and location data to be processed, and this information must be in at least twelve-point type if provided in text format. In accordance with the practice of the Personal Data Protection Board, it is stipulated that the provision of electronic communication services cannot be made conditional on subscribers and users giving explicit consent to the processing of their data. Having said that, although it is debatable from a DPL perspective, the Regulation provides that explicit consent may be requested from subscribers and users in return for an additional benefit such as gift minutes, SMS and data, and thereby introduces a different, sector-specific explicit consent mechanism. The Regulation prohibits combining explicit consent with declarations of intent such as accepting an agreement or service, confirming marketing communications, or other similar procedures.
  • The Regulation brings additional rules regarding the transfer of traffic and location data. Operators are obliged to inform their subscribers and users of the scope of the data to be transferred, the identity and full address of the recipient of the transfer, the purpose and duration of the transfer and, if the data is being transferred abroad, the country to which the data will be transferred, and must obtain their explicit consent. Operators must obtain explicit consent again if any of this information changes.
  • The Regulation sets forth additional provisions on hiding numbers, automatic call forwarding and confidentiality of telephone bills.
  • Additionally, operators are obliged to inform all their subscribers and users in the first quarter of each year that personal data has been processed. This notification can be made at least by text message to subscribers and users whose mobile phone number is on record, and to others by e-mail or by phone call. Otherwise, data processing activities based on explicit consent must cease until subscribers and users are informed. Furthermore, if the subscription is terminated, all explicit consents are deemed withdrawn unless the subscriber requests otherwise.
  • Pursuant to the Regulation, all legitimate consents obtained prior to June 4, 2021 will be deemed valid, but if the processing of personal data continues even though the subscription has been terminated, such processing activities shall cease within one month of the effective date of the Regulation.

If operators fail to fulfill their obligations foreseen under the Regulation, an administrative fine of up to three percent of the net sales of operators in the previous calendar year may be imposed.  Furthermore, if the violation is in relation to the provisions concerning national security, the licenses of operators may be cancelled.