The Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector (“Regulation”), published by the Information Technologies and Communications Authority in the Official Gazette on 4 December 2020 and to be entered into force in the following six months, has entered into force as of today.

The purpose of the Regulation is to determine the procedures and principles for the processing of personal data and the protection of confidentiality in the electronic communication sector in order to protect the right to privacy and the fundamental rights and liberties of individuals. In this respect, the Regulation covers the procedures and principles to be followed by the operators operating in the electronic communication sector in terms of the data they obtain within the scope of providing electronic communication services, including legal person subscribers, and the principles and application principles in terms of the Law on the Protection of Personal Data No. 6698 (“PDP Law”).
The Regulation, which in its general framework, is regulated in parallel with the PDP Law, some issues were determined differently;

Principles:
•    In addition to the principles regulated in the PDP Law, it is clearly determined in the relevant Regulation that it is essential not to transfer any traffic and location data on the grounds of national security. With this provision, it is understood that the traffic and location data defined in the Regulation should be stored in Turkey.

Security:
•    It is necessary to take security-related measures by the operators within the scope of the regulation and to establish security policies to ensure data security.
•    Information Technologies and Communication Authority (“ICTA”) may request information and documents from operators regarding the security measures taken when deemed necessary.
•    It is also regulated that the ICTA may request changes in the said security measures, without prejudice to its right to impose administrative sanctions. In addition, operators are obliged to keep the transaction records of access to personal data and other related systems for two years.

Notification of Risk and Personal Data Breach:
•    In addition to the regulation in the PDP Law; in cases of data breaches, operators shall be obliged to notify the ICTA in addition to the notification to be made to the Personal Data Protection Authority and the relevant person (subscribers/users).
Obtaining Explicit Consent:
The concept of explicit consent regulated in the PDP Law is also mentioned in the relevant Regulation and additional conditions are determined for obtaining explicit consent. In this direction;
•    The explicit consent must be specific to the transaction and cannot be subject to any preconditions.
•    A specific explicit consent requirement was introduced for the telecommunication sector, by clearly stipulating that explicit consent can be requested from the subscriber/user in exchange for additional benefits such as gift minutes, SMS and data.
•    In cases where traffic and location data are transferred to third parties it has been regulated that explicit consent should be obtained by giving the information below;

    The scope of the data to be transferred,

    Name and full address of the party to be transferred,

    The purpose and duration of the transfer,

    If the third party is abroad, the name of the country to which the data will be transferred,

It is regulated that in case of changes in this information, explicit consent will be obtained by the operator again.

Obligation to Inform: 
•    In addition to the obligation to inform set out in the PDP Law, operators are obliged to provide information about the type of personal data to be processed in terms of processing activities subject to explicit consent, the purpose and processing time of traffic or location data types.
Other Rights of the Subscribers and Users:
•    Operators will be obliged to remind the relevant subscribers/users within the scope of processing purposes based on explicit consent in the third quarter of each year. Otherwise, the data processing activity within the scope of express consent will be paused until a notification is made in this context. In case the subscription is terminated, as of the expiration date, all previously given explicit consents are deemed to be withdrawn unless the subscriber requests otherwise.

Administrative Sanctions:
•    In the case where operators act in violation of the Regulation, administrative fines of up to three percent (3%) of their net sales in the previous calendar year may be imposed on the operators in accordance with the Information Technologies and Communication Authority Administrative Sanctions Regulation. It will also be possible to revoke the operator's authorization if the violation is related to the national security provisions of the Regulation. 

Status of Existing Consents
•    The consents obtained in accordance with the law before 04.06.2021 will be considered valid.
•    In the event that the data of the parties whose data has been processed by obtaining their consent before the effective date of the relevant Regulation continues to be processed without their explicit consent, despite the termination of their subscription, the processing must be halted within one month following the effective date of the Regulation, without prejudice to the obligations in the relevant legislation. 
In conclusion, the relevant Regulation follows the PDP Law in terms of its general framework and has brought a more detailed regulation in terms of traffic and location data, explicit consent and other rights of subscribers and users.