I. Introduction
Recently, many institutions in the digital world have faced administrative sanctions for violating the privacy of users. In the Digital Age we live in, the importance of protecting personal data has increased even more. In cases where we receive services regarding electronic communication in the digital age, our personal data is processed by businesses that provide services within the scope of the Electronic Communications Law No. 5809 (“EHK”). In this article, we wanted to talk about the issues that operators should pay attention to when processing personal data, together with the regulations in the legislation.
II. General Information
The definition of electronic communication is in the article 3/1-h of the EHK: “All kinds of signs, symbols, sounds, images and data that can be converted into electrical signals are transmitted and sent via cable, radio, optical, electrical, magnetic, electromagnetic, electrochemical, electromechanical and other transmission systems. and its receipt”. Companies that provide services or provide and operate electronic communication networks in one of the fields of activity listed in this definition are defined as operators in the EHK.
Personal data is defined as “Personal data: Any information relating to an identified or identifiable natural person” in article 3/1-d of the Personal Data Protection Law No. 6698 (“KVK Law”).
In Article 51 of the EHK, while the operators process personal data:
- “Being in compliance with the law and honesty rules
- Being accurate and up-to-date when necessary,Being accurate and up-to-date when necessary,
- Processing for specific, explicit legitimate purposes,
- Being connected, limited and measured with the purpose for which they are processed,
- It has been regulated that they must abide by the principles of “preserving for the period necessary for the purpose for which they are processed”.
III. Subscription Agreement
5/1-b of the Consumer Rights Regulation on the Electronic Communication Sector (“EHK Consumer Regulation“) published in the Official Gazette dated 28.10.2017 and numbered 30224, when every individual wishes to receive an electronic communication service, has the right to conclude a subscription agreement as regulated as “the right to conclude a contract with the operator that provides it. The subscription agreement is the most basic way for the personal data of consumers to be processed within the scope of the service provided by the operators. In this context, although it varies according to the form of establishment of the contract, the consumer’s name, title, full address, if any, identity documents.” Operators must comply with the principles listed above in the personal data they will process under the contract, and they must not demand any personal data that is not essential for the conclusion of the contract.
IV. Regulation on the Processing of Personal Data and Protection of Confidentiality in the EHK Sector
The Regulation on the Processing of Personal Data in the Electronic Communications Sector and the Protection of Confidentiality in the Official Gazette dated 04.12.2020 and numbered 31324, in order to detail the provisions of Article 51 of the EHK titled Personal Data Processing and Protection of Confidentiality and as an important regulation on the processing of personal data in the EHK sector. “EHK Personal Data Regulation”) was published and entered into force.
This published regulation regulates the procedures and principles that operators operating in the electronic communications sector must comply with when processing the personal data of private or legal person subscribers.
V. Conditions for Obtaining Explicit Consent in the EHK Industry
5/2 of the KVK Law for the processing of personal data. article and 6/3. Explicit consent must be obtained in order to process personal data, unless the circumstances in which explicit consent is not required in the article are not present in the concrete case.
Conditions to be complied with when obtaining express consent in Article 8 of the EHK Personal Data Regulation:
- “Explicit consent declaration is obtained before the relevant transaction regarding a particular subject. General consents that are not limited to a specific subject and not limited to the relevant transaction are considered invalid.
- The express consent must have been expressed freely. Establishing a subscription and providing basic electronic communication services or devices cannot be subject to the precondition of express consent for the processing of the subscriber’s/user’s data. Explicit consent may be requested from the subscriber/user in return for additional benefits such as gift minutes, SMS and data.
- The subscriber/user, prior to the receipt of the express consent; The operators are informed in a clear and understandable manner about the type of personal data to be processed and the types of traffic and location data, its scope, purpose and duration of processing. If this information is made in writing, the articles are prepared with at least twelve fonts.
- After the operator gives the necessary information, the subscriber/user's declaration of intent in the form of "yes/approval/acceptance" is received in written or electronic form. The declaration of intent in question must be specific to the situation in which consent is obtained. This statement of will cannot be combined with statements of will for the acceptance of a contract or service, approval of communications for marketing purposes, and similar legal proceedings. Söz konusu irade beyanı rıza alınan duruma özgü olmalıdır. Bu irade beyanı, bir sözleşmenin veya hizmetin kabulü ya da pazarlama amaçlı haberleşmelere onay verilmesi ve benzeri hukuki işlemlere yönelik irade beyanları ile birleştirilemez.
In accordance with the conditions listed, it is essential for the operators to comply with the above conditions while obtaining explicit consent from the persons concerned, in order for the express consent declaration received to be in compliance with the law.
VI. Processing of Private Personal Data
Operators can process specific personal data such as religion, blood group households in the identity cards of the persons concerned, and health report data, traffic and location data of the person concerned, in order to provide appropriate service if the person concerned is a person who needs social support. Personal data that are not essential should not be processed within the scope of the service to be provided in accordance with the principle of being limited and proportional to the purpose for which they are processed, and if they are processed, they should be destroyed using appropriate destruction methods.
In addition, in cases where traffic or location data is transferred to third parties;
- “The scope of the data to be transferred,
- Name and full address of the party to be transferred,
- The purpose and duration of the transfer,
- If the third party is abroad, the name of the country to which the data will be transferred”
It is necessary to obtain explicit consent again from the persons related to the lighting containing the information in the form of information.
VII. Conclusion
The contracts drawn up as a result of every electronic communication sector service we receive in our daily lives or our personal data, which are mandatory for receiving the service, are processed by the operators.
While the operators process the data; to be processed in accordance with the law and honesty, to be accurate and up-to-date when necessary, to be processed for certain clear and legitimate purposes, to be limited and measured in relation to the purpose for which they are processed, to be stored for the period required by the relevant legislation or for the purpose for which they are processed, and to keep the traffic and location on the grounds of national security. must comply with the fact that sensitive personal data such as In addition, while processing the data, it is of great importance to take all kinds of technical and administrative measures at the best possible level within the technological possibilities in accordance with the scope of both the EHK legislation and the KVKK legislation and international standards in terms of minimizing the victimization that may occur in potential violations.
