27 Jun, 2021

KVKK Regulation in the Electronic Communications Sector Has Entered into Force!

REGULATION ON THE PROCESSING OF PERSONAL DATA AND PROTECTION OF PRIVACY IN THE ELECTRONIC COMMUNICATIONS INDUSTRY

The regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communications Industry, published in the Official Gazette on 4 December 2020, entered into force on 4 June 2021.

The Regulation, which refers to the Law No. 6698 on the Protection of Personal Data ("KVKK"), contains some definitions. A subscriber is defined as a natural or legal person who is a party to a contract with an operator for the provision of electronic communication services. An operator is defined as the company that provides electronic communication services and/or provides an electronic communication network and operates its infrastructure within the framework of an authorization. A user is defined as a natural or legal person benefiting from electronic communication services, regardless of whether they have a subscription or not.

The Regulation covers the procedures and principles to be followed by the operators operating in the electronic communication sector in terms of the data they obtain within the scope of providing electronic communication services, including legal person subscriptions.

The Information Technologies and Communications Authority was authorized to eliminate the problems and determine the standards within the scope of the Regulation. If operators do not fulfill the obligations determined by this Regulation, the provisions of the Information Technologies and Communication Authority Administrative Sanctions Regulation, published in the Official Gazette dated 15/2/2014 and numbered 28914, will apply.

The regulation states that it is essential not to export traffic and location data abroad, for reasons of national security. It is concluded from this article that such data should be stored in Turkey.

According to the regulation, operators:

must determine security policies in order to ensure the security of the personal data of their subscribers/users and of the services they provide,

must ensure that personal data can only be accessed by authorized persons and that the systems where personal data are stored and the applications used to access personal data are secure,

are obliged to keep records of personal data and access to systems for 2 years.

When deemed necessary, the Information Technologies and Communication Authority may request information and documents from the operators regarding the security measures taken, and may also request changes in the said security measures, without prejudice to its right to impose administrative sanctions.

Obligations of operators in case of risk and possible risks:

If the risk falls outside the scope of the measures taken, users and subscribers should be informed as soon as possible about the scope of the risk and the methods for removing it. In case of personal data breaches, it is necessary to notify the institution and the persons within the required time, using the methods in accordance with the Law No. 6698 and the relevant legislation.

Obtaining explicit consent is also subject to conditions in the Regulation. According to these conditions:

1. The declaration of consent must be obtained on a specific subject, based on free will, and prior to the transaction. Explicit consent statements about unrestricted matters are invalid. Persons should be informed about the type of personal data to be processed, the types of traffic and location data, and the scope, purpose and duration of processing. Information provided in writing should be in 12-point type. After the notification, the subscriber's/user's declaration of intent in the form of "yes/approval/acceptance" is received in written or electronic form. The declaration of intent in question must be specific to the situation in which consent is obtained. It cannot be combined with declarations of intent for similar legal proceedings.

2. Establishing a subscription and providing basic electronic communication services or devices cannot be made subject to the precondition of express consent for the processing of the subscriber's/user's data. Explicit consent may be requested from the subscriber/user in return for additional benefits such as gift minutes, SMS and data.

3. Operators are obliged to keep the records showing the explicit consent of subscribers/users, at a minimum for the subscription period, without prejudice to the periods in the relevant legislation provisions.

4. Within the third quarter of each year, operators inform subscribers/users that their data is being processed within the scope of their previous explicit consent, at least by short message for subscribers/users with mobile number information, and by e-mail or one of the calling methods for others. Otherwise, the data processing activity within the scope of the previously given explicit consents is stopped until the notification is made.

5. The notifications to be made by the operators within the scope of this Regulation to subscribers/users benefiting from tariffs for persons with disabilities are carried out in accordance with the Institution's regulations, using audio and/or visual methods.

6. In case the express consent is withdrawn, the operator immediately ceases the data processing activities based on the express consent.

7. The burden of proof regarding the notifications within the scope of this Regulation, express consent, and subscriber/user request and approval rests with the operator.

Regarding traffic and location data:
Without prejudice to the provisions of Article 10 of the Law No. 6698, in cases where traffic and location data can be processed, operators are obliged to inform subscribers/users about the types of traffic or location data that can be processed, the purpose and duration of processing.

Where traffic and location data are transferred to third parties, explicit consent is also obtained by giving information on:

1) The scope of the data to be transferred,

2) The name and full address of the party to which the data will be transferred,

3) The purpose and duration of the transfer,

4) If the third party is abroad, the name of the country to which the data will be transferred.

In case of changes in this information, explicit consent is obtained again.

In cases where traffic and location data are transferred to third parties with explicit consent, the operators are obliged to ensure that these data are processed only by the third parties specified in the express consent notification and for the stated purpose.

It is important to ensure that the data are processed only by the third parties and for the purpose specified in the express consent notice.

The regulation provided various opportunities to subscribers and users:

a) Hiding the number

b) Automatic call forwarding

c) Confidentiality in detailed invoices

d) Other rights of the subscriber/user

Hiding the Number:

The possibility of hiding the caller number does not apply to emergency calls.

The options provided to the calling user and to the called subscriber are set out separately.

The operator is obliged:

Where it allows the calling number to be seen:

a) to provide the calling user with the opportunity to hide his number in a simple way and free of charge,

b) to provide the called subscriber with a simple, free-of-charge method to prevent the calling number from being displayed on incoming calls,

c) if the caller hides his number, but the called subscriber/user has previously declared to the operator his will to receive a confidential call, to end the call.

Where it allows the connected number to be seen, such as for forwarded calls, to provide the connected subscriber with a simple, free-of-charge method to prevent the connected number from being shown to the calling user.

Automatic call forwarding

The operator gives the subscriber/user the opportunity to stop automatic call forwarding by third parties, using free and simple methods.

Confidentiality in detailed invoices

Operators ensure that some digits of the phone numbers in the usage details or detailed invoices are hidden if the subscribers request it.

Other rights of the subscriber/user

Other rights of the subscriber and user are generally included in the regulation regarding the express consent declarations received by the operators.

Within the third quarter of each year, operators inform subscribers/users that their data is being processed within the scope of their previous explicit consent, at least by short message for subscribers/users with mobile number information, and by e-mail or one of the calling methods for others. Otherwise, the data processing activity within the scope of the previously given explicit consents is stopped until the notification is made.

Conclusion

The provisions of the Regulation have been arranged in parallel with the Personal Data Protection Law No. 6698. In the regulation, the provisions regarding traffic and location data, the obligations of the operators and the principle of not exporting the data abroad are especially important. This regulation, which is prepared specifically for the electronic communications sector, can be seen as the first source to be consulted for that sector, but it should be interpreted with reference to the necessary sources in light of the concrete case. While processing personal data, operators are required to process it in accordance with the law and the rules of honesty, take care that the processed data is accurate and up-to-date when necessary, and most importantly, take the necessary administrative and technical measures. If measures are not taken, administrative fines and heavy sanctions will be applied by the institution according to the Information Technologies and Communication Authority's Administrative Sanctions Regulation.

Related Regulations:

Information Technologies and Communication Authority Administrative Sanctions Regulation
https://www.resmigazete.gov.tr/eskiler/2020/12/20201204-13.htm

Information Technologies and Communication Authority Administrative Sanctions Regulation
https://www.resmigazete.gov.tr/eskiler/2014/02/20140215-7.htm


