28 Jan, 2021

Personal Data Regulation for Electronic Communications Industry

The Regulation on the Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector has been Published.

After the Law No. 6698 on the Protection of Personal Data (“Law”) came into force, a significant part of the difficulty experienced in practice was dealing with contradictions between the Law and the legal regulations specific to individual sectors. These contradictions are gradually being removed by new secondary legislation. An important step in this direction is the Regulation on the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (“Regulation”), issued by the Information and Communication Technologies Authority (“BTK” or “Authority”) and published in the Official Gazette dated 04.12.2020.

Below we briefly examine the points of the Regulation that we consider most important, without going into excessive detail.

First of all, it should be noted that the Regulation has been prepared on the basis of the Electronic Communications Law No. 5809 and sets out the procedures and principles that operators active in the electronic communications sector must comply with in respect of the data they obtain while providing electronic communications services, including data relating to legal-person subscriptions.

The Regulation enters into force on 04.06.2021.

  • Article 5 of the Regulation adds a principle to those already found in the Law by stating that "it is essential, for reasons of national security, that traffic and location data not be transferred abroad".
  • Article 6 of the Regulation concerns data security. In summary, operators must take security measures appropriate to the likely risk, taking into account the available technology. At a minimum, this level of security requires that:
    • Security policies are defined.
    • Personal data is protected against loss or alteration resulting from unauthorized or external interference.
    • Only authorized persons can access personal data, and the security of the systems in which the data is stored and accessed is ensured.
  • The Authority may require changes to the measures taken by an operator.
  • Operators must keep records of access to personal data and to the related systems for 2 years.
  • In parallel with the Law, the Regulation requires that any data breach be reported to the BTK and to the Personal Data Protection Authority as soon as possible. In an earlier decision, the Personal Data Protection Board stated that "as soon as possible" is to be understood as 72 hours, in parallel with the GDPR. The Regulation further obliges operators to inform the affected subscribers/users as soon as possible of any risk to network or service security, that is, before a data breach has actually occurred. No time limit is set for this obligation, and in our opinion the 72-hour period specified by the Personal Data Protection Board cannot legally be applied to it by analogy. We believe that a reasonable "shortest time" should be determined in direct proportion to the magnitude and urgency of the risk in question.
  • Article 8 of the Regulation sets out in detail how explicit consent is to be obtained. In addition, paragraph 4 of Article 13 states that explicit consent also expires when the subscription agreement is terminated (unless the subscriber requests otherwise).
