Insights

The Regulation on Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector (“Regulation”) which stipulates procedures and principles for the processing of personal data and protection of confidentiality in the electronic communications sector, in order to provide the privacy of private life and the personal fundamental rights and freedoms, was published in the Official Gazette dated 04.12.2020 and numbered 31324. This Regulation enters into force six months after its publication.

Pursuant to the Regulation, companies that provide electronic communication services and/or networks and operate their infrastructure within the framework of authorization (“Operator”) are obliged to,

• take all kinds of technical and administrative measures which their minimum conditions are specified under the Regulation, by considering technological possibilities at a level appropriate to possible risks;
• keep records of transactions regarding access to personal data and other related systems for two years;
• report risks and personal data breaches to relevant subscribers/users as soon as possible;
• obtain explicit consent under the conditions specified under the Regulation in cases where explicit consent is required; and
• provide various opportunities and rights to subscribers/users.

In case the Operators do not fulfill these obligations, the provisions of the Information Technologies and Communication Authority Administrative Sanctions Regulation published in the Official Gazette dated 15.02.2014 and numbered 28914 shall apply.

• Please find the Turkish version of the Regulation here.