Protection Of Personal Data In Turkish Electronic Communications Sector
ADMD Law Firm
Helin Yıldız
The responsibilities incumbent upon companies providing electronic communication services, networks, or operating infrastructure ("Operators") concerning the data they acquire in Turkey during service provision are delineated by the Electronic Communications Law No. 5809 dated November 5, 2008 ("Law No. 5809") and the Regulation on the Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector ("Regulation") published in the Official Gazette dated December 4, 2020, numbered 31324 by the Information Technologies and Communication Authority ("ITCA"). According to the legislation, Operators bear direct responsibility for ensuring the confidentiality, security, and purposeful use of personal data.
Article 5 of the Regulation, harmonized with Law No. 6698 on the Protection of Personal Data ("LPPD"), underscores that personal data processing must adhere to lawful and bona fide procedures for specific, accurate, current, and legitimate purposes. It necessitates that such data processing remains connected, limited, and proportional to its intended purpose, and that data must be retained for the duration specified in the legislation or required for the intended processing purpose. Similarly, Article 51 of Law No. 5809 titled 'Processing of personal data and protection of privacy' echoes these principles.
I. TECHNICAL AND ADMINISTRATIVE SAFEGUARDS
Article 4 of Law No. 5809 and Article 6 of the Regulation mandate the fulfillment of all technical and administrative measures in compliance with the legislation and international standards during data processing activities. The primary measures delineated in the Regulation include defining security policies concerning personal data processing, ensuring that only authorized personnel access such data and the reliability of systems storing such data, and safeguarding personal data against infringements such as destruction, loss, alteration, or unauthorized access, processing, disclosure, or storage in alternative systems, in line with legislative provisions.
II. RISK NOTIFICATION AND PERSONAL DATA BREACH
Article 7 of the Regulation obliges Operators to promptly inform their subscribers/users about any risk jeopardizing network security or the provided services, describing the risk, its scope, and the methods of mitigation. In the event of a personal data breach, Operators must notify not only the subscribers/users but also the ITCA and the Personal Data Protection Authority ("DPA") as soon as possible. Although the legislation does not explicitly set a deadline for the ITCA notification, it is understood that the notification to the DPA and to the affected subscribers/users must be immediate and, as per the DPA's decision, within a maximum of 72 hours.
III. CONDITIONS FOR OBTAINING EXPLICIT CONSENT
Another notable aspect is the set of conditions outlined in Article 8 of the Regulation for obtaining explicit consent. Explicit consent must relate solely to a specific subject matter, must precede the relevant transaction, and must be given voluntarily. General consents not tied to a specific subject are deemed invalid. When obtaining explicit consent, subscribers/users must receive clear and comprehensive information about the type of personal data to be processed. If provided in writing, the disclosure statement must be in at least a twelve-point font. After the data subject has been informed, their declaration of intent in the form of "yes/approval/acceptance" may be obtained electronically or in writing, specific to the situation in which consent is acquired. However, under Turkish legislation, combining this consent declaration with other declarations of intent for legal transactions is not acceptable. Similarly, Article 3 of Law No. 5809 emphasizes explicit consent and the obligation to inform: electronic communication networks may be used for storing or accessing information in subscribers'/users' terminal devices for purposes other than the provision of communication only if the Operator thoroughly and explicitly informs the relevant subscriber/user about the data processing and obtains explicit consent.
IV. TRAFFIC AND LOCATION DATA
Within Turkish legislation, particularly in the electronic communications sector, processing and transfer of traffic and location data abroad or to third parties necessitate adherence to specific conditions for personal data protection.
Article 51, paragraph 7 of Law No. 5809 specifies that traffic data may be processed for traffic management, interconnection, billing, fraud detection, and dispute resolution (particularly consumer complaints, interconnection, and billing disputes), limited to persons authorized by the Operator. Such data must be stored confidentially and with its integrity preserved until the resolution of these disputes. Traffic and location data required for value-added electronic communication services or for service marketing must be anonymized or processed only to the extent and for the duration required for the specific activity, upon the explicit consent of the subscribers/users concerned. Access to such data must be restricted to persons authorized by the Operator. Operators must give subscribers/users the option to decline the processing of location data. Exceptionally, location data and identity information may be processed without explicit consent in the case of emergency aid calls or of disasters and emergencies as defined in Law No. 5902, limited to persons authorized by the Operator. Traffic, location, and personal data may also be processed for the investigation of subscriber/user complaints and for audit activities, confined to those specified activities.
Paragraph 2 of Article 51 of Law No. 5809 stresses electronic communications' and traffic data's confidentiality, prohibiting listening, recording, storing, interrupting, or monitoring communications without the consent of all parties involved. The Regulation, aligned with Article 6 of Law No. 5809, details traffic and location data, adhering to the principle of not transferring such data abroad for national security reasons. When data is transferred to third parties, explicit consent is mandatory, including information on the data scope, recipient details, purpose, duration of transfer, and destination country. Subscribers/users must be informed about the type, purpose, and duration of traffic or location data processing. Operators must ensure third-party processing only as specified in the explicit consent information and for the intended purpose. Regarding disclosures to subscribers/users and elements to include in explicit consent, Operators must inform subscribers/users, whose mobile number information is available, about data processing within the scope of their prior explicit consent in the third quarter of each year. Explicit consent specifically permitting data transfer abroad is mandatory if the traffic or location data is to be transferred internationally.
V. TIME PERIODS AND OBSERVANCE CONDITIONS
An essential consideration is complying with maximum data retention periods to prevent personal data breaches. Pursuant to Article 10 of Law No. 5809, personal data under investigation, examination, audit, or dispute must be retained until the process's conclusion. Transaction records related to personal data access and associated systems should be stored for two years, and records displaying subscribers/users' consent for personal data processing must be retained at least throughout the subscription period.
The legislation outlines conditions for sharing and processing personal data. Care must be taken not to share or transfer personal data beyond specified conditions. For instance, Article 11 of Law No. 5809 stipulates that to mitigate collection risk and prevent malicious use, Operators may share or process subscribers' invoice amounts, payment information for electronic communication services, devices with electronic identification information, records of suspicious or damaging incidents, and transactions associated with fraud risks, subject to specific conditions. Likewise, Article 5 of the relevant Law asserts that personal data may be processed to fulfill obligations imposed on Operators by the Authority to serve public interest or transparency.
VI. RIGHTS OF SUBSCRIBERS/USERS AND ADDITIONAL OBLIGATIONS OF OPERATORS
Operators must respect subscribers'/users' rights in the execution of their activities. As per Article 13 of the Regulation, explicit consent granted by subscribers/users must be revocable through a simple, cost-free method, and Operators are obliged to provide such an opportunity. Operators must inform subscribers of this option when obtaining explicit consent. Upon subscription termination, unless otherwise requested, all previously given explicit consents are deemed revoked as of the termination date. Consequently, upon withdrawal of explicit consent, Operators must promptly cease any data processing based on that consent. The same obligation applies if Operators fail to inform subscribers/users in the third quarter of each year about the data processing carried out under previously obtained explicit consents: data processing must be halted immediately until the information is provided. All notifications to subscribers/users must be free of charge, and for subscribers benefiting from disabled tariffs, notifications must comply with ITCA regulations using auditory and/or visual methods. Operators bear the burden of proof regarding information, explicit consent, subscriber/user requests, and approvals within the scope of the Regulation.
In addition to the Operator's obligations related to subscriber/user rights, they have other obligations highlighted in Articles 10, 11, and 12 of the Regulation:
- Hiding specific digits of telephone numbers in usage details or invoices upon subscriber request,
- Enabling subscribers/users to stop third-party automatic redirections,
- Obtaining subscriber/user consent for paid redirections to another number or automated message system,
- Granting callers the option to hide their number free of charge when the Operator allows caller numbers to be displayed,
- Providing called subscribers the opportunity to prevent the display of calling numbers in incoming calls by a simple, cost-free method,
- Terminating a call only if the called subscriber has expressed a desire to receive hidden calls,
- Granting connected subscribers the opportunity to prevent their numbers from being displayed to calling users, subject to specified conditions (except for emergency calls),
- Informing subscribers/users of these possibilities via text messages, the internet, or similar tools.
VII. SANCTIONS
Failure by Operators to meet these detailed obligations may result in sanctions regulated under the Regulation on Administrative Sanctions of the Information Technologies and Communication Authority published in the Official Gazette dated February 15, 2014 and numbered 28914. As per Article 13 of the Regulation on Administrative Sanctions of the Information Technologies and Communication Authority regarding personal data protection violations, Operators failing to comply with specified obligations may face administrative fines of up to three percent (3%) of their net sales from the previous calendar year.