• NSN Law Bulletin

Regulation on Personal Data Processing and Protection of Privacy in Electronic Communication Sector

The “Regulation on Processing of Personal Data and Protection of Privacy in Electronic Communication Sector” (Regulation), prepared by the Information Technologies and Communication Authority (Authority), was published in the Official Gazette dated 4.12.2020 and numbered 31324. The Regulation sets the principles and procedures applicable to data obtained by operators in the electronic communications sector from users or subscribers, including legal persons, within the scope of providing communication services.

The Regulation sets the mandatory principles of the processing of personal data as follows:

  • Processing in accordance with the law and good faith

  • Being accurate and current when necessary

  • Processing for specific, explicit, and legitimate purposes

  • Being related, limited, and measured for the purpose of processing

  • Preservation for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

In addition to these principles, it was emphasized that not exporting traffic and location data abroad is essential. In this context, traffic data corresponds to any traffic data processed with encryption in an electronic communication network for the purpose of the transmission of communication or invoicing of said communication.

The Regulation states that operators are obligated to take all kinds of technical and administrative measures, in accordance with the possible risks and Personal Data Protection Law numbered 6698 and within the technological possibilities, in order to ensure the security of the personal data of users/subscribers and the services being provided to them. Creating a security policy within the framework of the above-mentioned principles, ensuring the protection of personal data against possible violations, and ensuring the security of the applications used for assuring that only authorized persons can access personal data are determined as the minimum level of protection expected in the Regulation. The Regulation also states that the operators are obligated to preserve the transaction records of access to personal data and other related systems for two years.

The Regulation imposes on the operators an obligation to inform the users/subscribers. In the event of a security-threatening risk or a breach of personal data, operators should immediately brief the user/subscriber and the Regulation on Processing of Personal Data and Protection of Privacy in Electronic Communication Sector about the situation.

Article 8 of the Regulation lays down detailed conditions for obtaining explicit consent. In transactions requiring explicit consent from the user/subscriber, operators must obtain the user/subscriber’s consent before the transaction and without any preconditions. In cases where traffic and location data will be transferred to third parties, the user/subscriber can consent only after also being informed about the scope of the transferred data, the name and the full address of the party to which data will be transferred, and the country to which data will be transferred if the third party is located abroad. Again in such cases, the consent can only be used for the specific third party and the specific matter.

The Authority is in charge of supervising and directing the implementation and the manner of implementation of the Regulation. The Information Technologies and Communication Institution Administrative Sanctions Regulation, published in the Official Gazette dated 15/2/2014 and numbered 28914, shall be applied in case the operator does not fulfill the obligations specified in the Regulation.

With the publication of the Regulation, the old regulation published with the same name in the Official Gazette dated 24.7.2012 and numbered 28363 has been abolished. Any reference in the legislation to the old regulation dated 24.7.2012 will be deemed to be made to the current Regulation dated 4.12.2020. It is clearly stated that explicit consents obtained in accordance with the law on a date before the Regulation shall retain their validity. If personal data obtained before the Regulation continues to be processed despite the fact that the subscription has been terminated, the processing shall be stopped within 1 month of the Regulation coming into force.

The text of the Regulation can be accessed in Turkish via the link .

Authors: Bilge Derinbay, Aysu Eren

Article contact: Bilge Derinbay / E-mail: