The Information and Communication Technologies Authority’s (“ICTA”) long-awaited Regulation on Process of Personal Data and Protection of Privacy in Electronic Communication Sector (“Regulation”) was published in the Official Gazette number 31324 dated 4 December 2020. The Regulation will enter into force on 4 June 2021.

A regulation with the same name (“Regulation to be Abolished”) was implemented by the ICTA in 2012 based on former article 51 of the Law on Electronic Communication (“ECL”). However, because the former article 51 of the ECL was repealed by the Constitutional Court, the Regulation to be Abolished lacked a legal basis. The Regulation has been prepared to replace the Regulation to be Abolished.

Unlike the Regulation to be Abolished, the Regulation does not impose an explicit consent requirement for cross-border data transfer on all personal data categories. Communication and location data are regarded as important for national security, so cross-border transfer of these data is prohibited unless the user’s explicit consent is obtained.

The Regulation obliges operators to implement all necessary technical and administrative measures to ensure the security of the services provided and of the users’ personal data. Article 6 of the Regulation sets out the minimum requirements, such as determining policies; protecting personal data against all breaches, including disruption, loss, alteration, and recording to another environment; and implementing the measures necessary to prevent unauthorized access to these data. Operators are also obliged to retain the log records relating to the systems containing personal data for two years.

The Regulation also obliges operators to inform users of any risk threatening the security of the network and the services provided. If this risk is beyond the measures taken by the operator, the users are to be informed of the scope of the risk and the remedies.

Article 8 of the Regulation introduces specific provisions on explicit consent. The provisions are generally in line with the Law on Protection of Personal Data number 6698 (“DP Law”). As under the DP Law, explicit consent must be specific to a certain data processing activity and must be given of the user’s free will, and thus cannot be a condition for the service. The Regulation states, however, that explicit consent may be requested by offering additional benefits such as extra minutes or SMS rights. The Regulation also introduces an obligation to inform users about the processed personal data, traffic data, and location data. If this information is given in writing, it must be in 12-point font. In the third quarter of the year, operators are also obliged to inform users that their data is processed based on their explicit consent. Otherwise, the operators’ data processing activity within the scope of the previously given explicit consent is suspended until the privacy notice is submitted.

Where traffic and location data are to be transferred to third parties, additional explicit consent must be obtained by informing the users of the following:

  • Scope of the data to be transferred,
  • Name and address of the receiving party,
  • Purpose and duration of the transfer,
  • If the receiving party is abroad, the name of the country in which it resides.

Additionally, the ICTA is authorized to request information from operators, to demand changes to their security measures, and to impose administrative fines.

The Regulation grants users the right to use a private number, the right to automatic call forwarding, and the right to mask phone bills.

Please see this link for the Regulation published in the Official Gazette on 4 December 2020 (only available in Turkish).