New Regulations regarding Personal Data and Consumer Rights in the Electronic Communication Sector
Regulation on Deletion, Destruction, or Anonymization of Personal Data
Following the publication of the Draft Regulation on Deletion, Destruction and Anonymization of Personal Data on May 20, 2017 (“Draft”), the final version of the Regulation on the Deletion, Destruction or Anonymization of Personal Data (the “Regulation”) was published in the Official Gazette dated 28 October 2017 and numbered 30224.
As the first secondary legislation published in relation to the Personal Data Protection Law numbered 6698 (“PDPL”), the Regulation builds upon the general rule established by Article 7 of the PDPL, according to which personal data shall be deleted, destroyed or anonymized when the reasons underlying the processing thereof cease to exist. In this respect, the Regulation specifies the principles, procedures and timelines with respect to data eradication processes to be conducted by data controllers. It also provides clarification on such procedures by indicating definitions for deletion, destruction and anonymization of personal data.
According to Article 5 of the Regulation, data controllers that are required to register with the data controllers’ registry shall prepare and implement a personal data retention and destruction policy, in accordance with their personal data processing inventory and with the minimum content provided under Article 6 (“Policy”).
In principle, all data controllers are required to register with the respective registry as per Article 16 of the PDPL. However, pursuant to the objective criteria set forth under the respective Article, the Personal Data Protection Board (“PDPB”) may grant an exemption from this requirement to certain data controllers. Accordingly, if a data controller is exempted from its registration obligation, it will also be exempted from preparing and implementing the Policy. Nevertheless, the obligation of a data controller to comply with the provisions of the Regulation and the PDPL shall remain, even if it is exempted from the registration and Policy obligations. It should be noted that the respective registry has not been established yet.
While being mostly identical to the Draft, certain differences can be observed in the provisions of the Regulation. Unlike the Draft, the Regulation does not explicitly indicate the instances where the grounds for processing of personal data shall be considered to have disappeared. Instead, the Regulation merely refers to Articles 5 and 6 of the PDPL and states that the personal data shall be deleted, destroyed or anonymized when the grounds for processing of personal data specified under the respective articles cease to exist.
Furthermore, the provision referring to the instances where the personal data will be deemed deleted if the deletion of personal data results in removal of the access to other data in the system has not been included in the Regulation.
Data eradication may take place either ex officio or upon the request of the data subject. In the event of ex officio deletion, destruction or anonymization, data controllers may choose the data eradication method they deem appropriate, unless the PDPB decides otherwise. However, if the deletion, destruction or anonymization of personal data is conducted upon the request of the data subject, the data controller should also provide the reason for adopting the relevant data eradication method.
The timelines for the deletion, destruction or anonymization of personal data in the event of ex officio data eradication differ depending on whether the data controller is required to prepare and implement the Policy. In this respect, data controllers having a Policy shall fulfil their obligation pursuant to the first periodic destruction period indicated therein. However, such period may not exceed 6 months. On the other hand, data controllers which are not required to have a Policy shall fulfil their obligation to eradicate personal data within 3 months starting from the date on which their obligation to eradicate personal data arises.
With respect to the data eradication procedures to be conducted upon the data subject’s request, the Regulation stipulates that the data controller shall respond to the data subject’s request and inform it thereof within 30 days.
In the event that the respective personal data is transferred to a third party before the date of the data subject’s request, then the data controller is required to inform the data subject thereof within 30 days and procure that the necessary procedures are conducted by the third party retaining the respective personal data. If the legal grounds for the processing of personal data continue to exist, then the data controller may reject such request. In this case, the data controller shall provide justification for the rejection and shall notify the data subject thereof electronically or in writing within 30 days.
Finally, non-compliance with the provisions of the Regulation may result in criminal sanctions. In this respect, Article 7 of the PDPL makes reference to Article 138 of the Turkish Criminal Code numbered 5237, which stipulates that failure to eradicate personal data by anyone responsible therefor shall be punished by imprisonment for one to two years.
The Regulation will enter into force on January 1, 2018.
Regulation on Consumer Rights in the Electronic Communication Sector
The Regulation on Consumer Rights in the Electronic Communication Sector ('Regulation') has been published in the Official Gazette numbered 30224 on October 28, 2017. The Information and Communication Technologies Authority (“ICTA”) has updated the consumer rights in the sector pursuant to the directive in the sixth article of the Information Technologies Law no: 5809 (“Law”) dated 10 November 2016. Overall, the purpose of the Regulation is to govern the consumer rights and operator liabilities that exist within the subscription agreements, tariffs, campaigns, value added services, invoice deliveries and principles, and termination of contracts. With the annulment of the former regulation, the Regulation amends the present practice specifically in subscription agreements, invoicing periods, service disconnection and reconnection operations, and timeline targets for subscriber transfers. Changes under the Regulation, apart from those enabling electronically signed subscription agreements, will apply from 28 April 2018.
The Regulation initially lists the rights of the consumer and the transparency and information obligations that operators owe to the consumer. The rights of the consumer are no longer allocated only to those who utilize the services but to all consumers, and the rights include equal and fairly priced access to services, freedom of contract, the right to request an invoice or information for certain transactions, and the inclusion/removal of information in directories. However, the Regulation revokes the consumer’s right to determine the upper limit of the billing, which was provided in the former regulation. It is only stated that ICTA may impose information obligations on the operators with respect to the upper limits of billing. The transparency and information obligations of the operator through the use of the internet are enriched with the Regulation when compared to the former regulation, which failed to set comprehensive general rules but rather approached each operation individually regarding this matter. Thus, the consumer has now been granted the right to seek protection if any matter required under this obligation is missing on the website. The operator is further obliged to provide an online customer complaint management scheme.
Changes under the Regulation with respect to the subscription agreements allow the operator to execute such agreements in electronic environments, which will be legally valid from 28 October onward. This alternative way will require the use of secure e-signatures. The changes further involve the information requirements for the defect and return policies in agreements with device supply, the documents to be submitted for the execution (ID cards, signature circular etc.) and the use of a newly-launched verification system of the Directorate General of Civil Registration and Citizenship Affairs.
The remainder of the Regulation mainly focuses on details regarding the interpretation of the unfair terms of the agreements between the consumers and the operators, the obligations and liabilities of the operators, invoicing and termination rules and the sanctions to be imposed for the failure to fulfil the obligations herein.
The general structure of the former regulation is maintained; however, the most significant changes include:
• the prohibition of the operators charging subscribers for any service that is not requested or confirmed prior to its provision;
• the flexibility of the operator in invoicing a service fee amount that falls below a certain threshold on the invoicing period it occurred in or the following one;
• the prohibition of the operators charging the first reconnection operation within a calendar year in cases where the services are suspended/limited due to non-payment of invoices; and
• the mandatory completion of 90% of the subscription transfer requests within a calendar year in seven days and the provision of three extra days for the remaining 10%.
The Energy Market Regulatory Authority Board’s Decision numbered 7422
On November 2, 2017, the Energy Market Regulatory Authority (“EMRA”) Board adopted the Procedures and Principles on Granting Remote Access to the EMRA Regarding the Information Systems of the Electricity Distribution Licensees (“Licensees”) in the Electricity Market (“Principles”).
The Principles are based on the Regulation on Notifications in the Energy Market numbered 29012 (“Regulation”) and Instructions Regarding the Use of Notifications in the Energy Market numbered 29215, which impose certain notification obligations on the Licensees. In this respect, the Principles indicate the rules regarding the fulfilment, through electronic means, of the notification requirements of the Licensees arising therefrom. For that purpose, the Licensees shall establish an online notification system and provide the EMRA remote access thereto until July 1, 2018. The Licensees shall complete the transfer of all data within the scope of their notification requirements until January 1, 2019. However, they shall have completed their first data transfer to the EMRA by July 1, 2018.
Amendment to the Regulation on the Merger, Acquisitions, Spin-off and Share Exchange of Banks
In the Official Gazette numbered 30242 and dated November 16, 2017, the Banking Regulation and Supervision Agency ('BRSA') published an amendment to the Regulation on Mergers, Acquisitions, Spin-off and Share Exchange of Banks ('Regulation') regarding the exclusion of certain partial spin-offs from being subject to the procedures of the Regulation.
The amendment excludes certain partial spin-offs from the scope of the Regulation. In order for such an exclusion to apply, the transaction must give rise to the acquisition of the acquiring entity’s shares by the bank, in exchange for the bank’s transferred assets to the acquiring entity, and thus to a subsidiary connection between the two parties. The transactions must not cause the dissolution of the bank, in order to be exempt from the complicated spin-off procedures of the Regulation. With the new practice, the respective partial spin-offs will be subject to the general spin-off provisions in the Turkish Commercial Code.