Turkish Law Blog
Draft Regulation on the Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector
Founding Attorney Hatice Zümbül – Legal Intern Mehmet Turgut
The Information Technologies and Communication Authority of Turkey (“Authority”) published the Draft Regulation on the Processing of Personal Data and Protection of Confidentiality in the Electronic Communication Sector (“Draft Regulation”) on its website on 23.03.2020, by decision of the Information Technologies and Communication Board (“Board”). Accordingly, essential changes to the electronic communications sector will be introduced upon the entry into force of the Draft Regulation.
The Draft Regulation, adopted for the protection of privacy and of fundamental rights and freedoms, regulates the procedures and principles that natural or legal persons carrying on a business in the electronic communication sector must follow with respect to data obtained while providing services in that sector. While certain definitions in the Draft Regulation, such as personal data and processing of personal data, are taken from the Law on Personal Data Protection no 6698, a “user” is defined as a real or legal person benefiting from electronic communication services, regardless of whether they are a subscriber or not.
In this article, the Draft Regulation will be examined under three chapters: “Implementation Fundamentals”, “Provided Opportunities” and “The Sanctions”. Each chapter will be explained in detail under sub-titles, so that the measures and principles of the Draft Regulation are clear and the article remains readable.
II. Implementation Fundamentals
According to the Draft Regulation, operators must establish a security policy regarding the processing of personal data, pursuant to article 51 of the Electronic Communication Law no 5809. In this sense, operators are liable to take technical and administrative measures to protect their users’/subscribers’ personal data and the services they provide, at a level proportionate to any kind of risk and taking technological possibilities into consideration.
The Authority will be able to require from operators, when needed, any documents and information regarding the systems where personal data are stored and the security measures taken. Moreover, the Authority may request changes to the security measures if required. It is particularly important that the obligation of operators to ensure the confidentiality, security and accessibility of the personal data obtained in the context of the services they provide also covers the persons authorised by the operators. Furthermore, operators will be liable for all damages arising from a breach in the transfer of personal data to third parties by the operators. Lastly, operators are required to time-stamp the records of access to personal data and other relevant systems at least every three hours, within 30 minutes following each period, and to store these records for 2 years.
2. Notification of Risk and Breach of Personal Data
Operators are obliged to immediately notify the Authority, the Personal Data Protection Authority, the users/subscribers and the other relevant authorities in case of a risk of a personal data breach. In other words, the obligation to notify is not limited to an actual breach; it also applies in a risk situation. Where such risks fall outside the measures the operator has taken, users/subscribers shall be notified within 72 hours about the scope of the risk and the methods for resolving it. In case of a breach of personal data, operators shall notify the Authority and the other relevant authorities within 72 hours of the measures taken and of the details of the information provided to subscribers/users about the nature and consequences of the breach. Furthermore, operators shall also inform users/subscribers where they can take measures to reduce the effects of the breach. Lastly, operators are obliged to keep records containing the cause and effects of the breach and the measures taken to resolve it, while ensuring their confidentiality, security and integrity.
3. Receiving Explicit Consent
The main difference between the Draft Regulation and the Regulation currently in force, which will be abolished on the effective date of the Draft Regulation, is that the conditions for explicit consent and the related principles are regulated in detail in the Draft Regulation. Hence, it can be inferred that the Authority particularly focuses on the explicit consent received from subscribers/users.
In this context, first of all, explicit consent shall be obtained in relation to a specified matter before the transaction, so that explicit consents given on general matters will be invalid. Explicit consent shall also be declared by free will, and the intention of the users/subscribers declaring it shall not be influenced. Furthermore, explicit consent cannot be a precondition for the provision of a service; however, it can be requested as a precondition for the provision of an “additional benefit” such as voice, internet and text messaging services. If explicit consent is obtained in exchange for an additional benefit, this benefit must be provided for the term of the data processing. Before explicit consent is obtained, users/subscribers shall also be informed clearly and understandably about the types of personal data that will be processed, the types of traffic and location data, the scope, the purpose of processing and the term of the processing. After this information is provided, the declaration of the users’/subscribers’ intention, such as “yes/confirm/accept”, shall be stored. Where explicit consent is obtained electronically, operators are required to keep records of the collection of explicit consent and to time-stamp these records at least every three hours, within thirty minutes of each period. These records must be kept for the duration of the subscription, notwithstanding the periods stipulated in the relevant legislation. Explicit consent declarations that are not time-stamped will be deemed invalid.
Where personal data are transferred to a third party other than an official authority under the relevant legislation, explicit consent shall be obtained after providing the following information: the scope of the personal data to be transferred, the name and address of the person to whom the personal data will be transferred, the purpose and period of the transfer, and the method of destruction of the personal data. In addition, where the transfer is made abroad, the following information shall be provided: the country to which the transfer will be made, the purpose and period of the transfer abroad, and the relevant legislation of the country to which the data are transferred. In case of any change to this information, explicit consent shall be obtained again. In light of this rule on the transfer of personal data abroad, it can be inferred that the fundamentals of the obligation to inform, as stipulated by the Law on Personal Data Protection and the Personal Data Protection Board, are expanded for the electronic communication sector. Where personal data are transferred to a third party, operators must ensure that the personal data are processed by the third person named in the disclosure statement. The burden of proof regarding both obtaining explicit consent and fulfilling the obligation to inform lies with the operators.
Besides these, another important matter is that operators are obliged to provide a simple and free method, such as text message, call centre, internet or a similar method, for users/subscribers to withdraw the consent they have given. Users/subscribers shall be informed about this facility when explicit consent is obtained. Additionally, every January, operators shall inform all subscribers and users about the processing of personal data within the scope of the explicit consent obtained earlier. Otherwise, they shall cease their data processing activities until they have informed subscribers and users. Where the subscription is terminated, all explicit consents are deemed revoked unless the subscriber requests otherwise.
Lastly, upon the entry into force of the Draft Regulation, explicit consents obtained in compliance with the law will remain valid. However, data processing shall be ceased within 1 month from the effective date of the Draft Regulation if those whose personal data are processed on the basis of explicit consent obtained lawfully before that effective date.
4. Obligation to Inform in Respect to Traffic and Location Data
Where traffic and location data can be processed without explicit consent in the situations set forth under the relevant legislation and judicial decisions, operators shall provide general information to subscribers/users about the traffic and location data that will be processed and the purpose, period and method of the processing.
III. Provided Opportunities
The opportunities under this chapter are regulated quite similarly to the Regulation in force. Thus, where the calling number is allowed to show up on the phone, operators shall provide a simple and free method for the calling user to hide his/her phone number. Operators shall also provide a simple and free method for the called person to prevent the calling number from showing up on the phone. Furthermore, if the calling person hides his/her phone number, the call is terminated only if the called user/subscriber has declared its intention regarding calls from hidden numbers.
Moreover, operators shall provide a simple and free method for users/subscribers to automatically divert calls made by a third party. However, if operators impose any charge for call diverting, the users’/subscribers’ explicit consent shall be obtained for it.
Additionally, before subscribers are included in a directory, operators shall inform them about the purpose of the publication, the personal data to be included in the directory, the enquiry options and the options for use that may be provided in an electronic directory. Subscribers may be included in the directory only if they give their explicit consent after being informed. Upon a subscriber’s request, operators shall ensure that personal data included in the directory are rectified, verified and/or removed from the directory.
Lastly, upon the subscriber’s request, operators are obliged to omit certain digits of the phone numbers shown in telephone bills.
IV. The Sanctions
Where operators do not comply with the obligations set forth under the Regulation, the provisions of the “Regulation on the Information and Communication Technologies Authority's Administrative Sanctions” (“Sanction Regulation”) will apply.
In this sense, an operator will be subject to an administrative fine of up to 3% of its net sales in the previous calendar year if:
- the operator does not fulfil the obligation to protect personal data, the applications used to store access to personal data and the systems storing personal data,
- the operator does not fulfil the obligation to retain or delete the processed and retained traffic data of subscribers/users within the period stipulated in the relevant legislation,
- the operator does not fulfil the obligations relating to the processing of traffic and location data,
- the operator does not fulfil the obligation to protect personal data against unlawful, accidental or unauthorised destruction, loss, alteration, storage or recording in another medium, processing, disclosure and access,
- the operator does not fulfil the obligation to keep detailed records of all access to personal data and other related systems and of the transactions made by authorised persons,
- the operator infringes obligations stipulated under other relevant legislation with respect to the processing of personal data and confidentiality.
In this context, according to the Regulation on the Processing of Personal Data and Protection of Confidentiality, operators providing electronic communication services and/or electronic communication networks shall take all sufficient administrative and technical measures, taking any kind of risk into consideration, in order to protect personal data and confidentiality. Operators must also inform the Information Technologies and Communication Authority of personal data breaches and of any risk that may cause a breach. The most important arrangement within the scope of the Regulation is the set of provisions on the conditions and validity of explicit consent described above, from which it can be inferred that explicit consent carries particular importance from the Authority’s point of view. The provision that users/subscribers are informed every January about the processing of personal data within the scope of previously obtained explicit consent is essential for them. Moreover, facilities such as allowing users/subscribers to hide their number or to opt for confidentiality in the detailed bill will continue to apply.