The Electronic Communication Law No. 5809 entered into force on 11.12.2008. Electronic communications are defined as “the transmission, exchange and receiving of all kinds of signals, symbols, sounds, images and data which could be converted into electrical signals, by means of cable, radio, optic, electric, magnetic, electromagnetic, electrochemical, electromechanical and other types of transmission systems” and the purpose of the law is “to create effective competition, to ensure the protection of consumer rights, to promote the deployment of services throughout the country, to ensure efficient and effective use of the resources, to promote the new investments and technological developments in communications infrastructure, network and services through regulations and inspections in electronic communications sector and to determine relevant principles and procedures thereto.”.

Article 12 of the law regulates that “The Authority(Information and Communication Technologies Authority), considering the factors such as requirements of the sector, international regulations, and technological developments, shall be entitled to impose legislation oriented obligations on the operators”

Administrative Law Chambers of the Council of State requested a decision in 2013 to cancel Article 51 of the Electronic Communications Law through an appeal, claiming that it is contrary to Article 2(rule of law), Article 7(The rule that legislative power is vested in the Grand National Assembly of Turkey on behalf of Turkish Nation and not be delegated) Article 13 and Article 20(assurance that the procedures and principles related to the protection of personal data can only be regulated by law) of the Constitution, and to stop its validity. Article 51 which was requested to be cancelled at the time lawsuit was filed was regulated as “The Authority is authorized to determine the procedures and principles for the processing of personal data related to the electronic communication sector and the protection of its confidentiality.” With the decision numbered E 2013/122 and K 2014/74, the Constitutional Court made a cancellation decision by finding the article unconstitutional. The ground of the cancellation was “The concept of personal data refers to all information about a person that can be identified or identifiable. In this context, informations that not only reveal the identity of the individual such as first name, last name, date of birth and place of birth ; phone number, vehicle plate number, Social Security number, passport number, resume, picture, image and sound records, fingerprints, genetic information, IP address, e-mail address, hobbies, preferences, interaction with respondents, group memberships, and family information, all the data that a person can be identified, directly or indirectly is within the scope of personal data. The right to request the protection of personal data, as a special form of the protection of a person’s dignity and the right to freely develop one’s personality, aims to protect the rights and freedoms of the individual during the processing of personal data. As a result of developments in information technologies, it is possible to collect a wide range of data that is not possible with traditional methods; the ability to centralize many data that were previously kept unrelated to each other; increasing the capacity to produce new data from data by subjecting the data to analysis with advanced technological facilities such as data matching and data mining; facilitating access to data and data transfer; as a result of personal data becoming a valuable asset for commercial enterprises, factors such as the risks created by private sector elements reaching more widespread and significant dimensions and the increasing activities of terrorist and criminal organizations to seize personal data, today makes it obligatory to protect the personal data at the highest level. In this context it is stated in Article 20/3 of the Constitution that “The principles and procedures regarding the protection of personal data shall be laid down in law.” and The right to request the protection of personal data is protected by Constitution and thus protected against arbitrary interference by public authorities. In accordance with the principle of the non-delegation of legislative power, on issues that the Constitution explicitly provides for to be regulated by law, it cannot be given to the executive power. the objected rule, which gives the authority to determine the procedures and principles for processing personal data related to the electronic communications sector and protecting its privacy to the Information Technologies and Communications Authority, is contrary to the assurance that the procedures and principles for the protection of personal data can only be regulated by law as stipulated in Article 20 of the Constitution.”. After cancellation, Article 51 of the Electronic Communications Law was reorganized as follows on 27.03.2015 with Article 32 of the Act No. 6639 amending some Acts and Decrees having force of Law.

           The following regulation regarding personal data is available in Article 51 of the law.

• “In the processing of personal data; The principles of being in compliance with the law and rules of honesty, being accurate and up-to-date when necessary, being processed for specific, clear and legitimate purposes, being related to the purpose for which they are processed, limited and measured, and being kept for the period necessary for the purpose for which they are processed are complied with.
• ……
• …….
• Operators shall take appropriate technical and administrative measures in order to ensure the security of the personal data of their subscribers / users and the services they offer.
• Personal data may be processed within the scope of Article 49 of this Law or in order to fulfill the obligations imposed on operators by the Institution for the purpose of ensuring public interest.
• It is possible to transfer traffic and location data abroad, only on condition that the explicit consent of the relevant persons is obtained, provided that the provisions of the relevant legislation on the transfer of personal data abroad are reserved.
• Traffic data can be processed provided that it remains limited for the resolution of disputes, particularly: traffic management, interconnection, billing, fraud detection and performing similar operations or consumer complaints, billing disputes. Traffic data can be processed only by the persons who are given an authority by the operators, they shall ensure the confidentiality and integrity of the stored data until the process is completed. Value-added services or electronic communication services needed for the purpose of marketing traffic data and location data may processed with anonymization or with the explicit consent of the relevant subscribers / users and limited only to the persons authorized by the operator, to the extent and duration required by the specified activities.
• Operators provide the possibility to refuse the processing of location data to the subscribers/ users. Except for the cases stipulated by the relevant legislation and judicial decisions, location data and identification information of the relevant persons may be processed without seeking the explicit consent of subscribers / users in case of disasters and emergencies defined in the Law on the Organization and Duties of the Disaster and Emergency Management Authority dated 29/5/2009 and numbered 5902, provided that they are limited to persons authorized by the operator.
• Traffic and location data and personal data may be processed within the scope of the investigation of subscriber / user complaints and audit activities, within the limits of the specified activities.
• Regarding the services provided within the scope of this Law;
  • until the relevant process is completed about the personal data that are the subject of investigation, examination, supervision or disagreement,
  • Transaction records related to access to personal data and other related systems are stored for two years,
  • Records showing the consent of subscribers / users to the processing of personal data are stored at least during the subscription period. The storage periods of the data are determined by the regulation, not less than one year and not more than two years from the date of communication with the data categories.
  • For the purpose of managing the risk related to collection and preventing malicious uses, the invoice amount and pay information generated in the parties’ own systems for subscribers’ electronic communication services and devices containing electronic informations, as well as records related to suspicious or damaging cases and transactions involving fraud, fraud risk, may be shared or processed between operators and the Institution’s Central Equipment Identity Register.
• Within the scope of this Law, operators are responsible for ensuring the confidentiality, security and use of personal data in the limits of its purpose.
• The procedures and principles regarding the application of this article are determined by the Institution.

            It is regulated in the Electronic Communications Law in Article 55 titled as ‘Equipments with electronic identity register’ that “Unless permitted by the Authority, specific information including subscriber’s identity and communication data or electronic identity used for identifying the equipment shall not be reconfigured, altered, reproduced or distributed for any reason.” And in Article 56 “Without authority and consent, specific information including subscriber’s identity and communication data as well as any kind of software, board, tool and material which has the equipment’s electronic identity shall in no way be copied, kept, distributed or used for taking advantage on one’s own or by third parties….. Subscription shall not take place until the copy of required identity cards are presented to the operators or the agency acting on behalf of the operator.” In Article 63 of the law titled as ‘Penal provisions’ it is regulated that “In instances where the personnel of any operator authorized to provide electronic communications services commit offense against the secret life and the secret parts of life regulated under Book Two, Chapter Two, Part Nine of Turkish Criminal Act no. 5237 dated 26/9/2004, sentences prescribed within this part shall be imposed. However, the punishment shall be multiplied by one as per Article 137.” and the increase rate to be applied within the scope of Article 137 for personnels who provide electronic communication services has beenregulayed from half to one-fold. Those who violate the above-mentioned paragraph of Article 55 of the law will be subject to a judicial fine from one thousand days to fifteen thousand days, and those who violate the above-mentioned provisions of Article 56 will be subject to a judicial fine from one thousand days to five thousand days.

          On the basis of Articles 4, 6, 12 and 51 of the Electronic Communications Law No. 5809, a By-Law on the Processing and Protection of Personal Data in the Electronic Communications Sector was prepared by the Information and Communication Technologies Authority and published on 24.07.2012. The principles regarding the processing of personal data, communicational secrecy, processing of traffic data, processing of location data, secrecy of detailed invoices, etc. are regulated in detail in the by-law. According to Article 21 of the Regulation, if operators fail to fulfill the obligations set out in this by-law it is regulated that the provisions of the By-law on Administrative Fines and Other Sanctions and Measures Applicable to Operators by the Telecommunications Authority published in the Official Gazette dated 5/9/2004 and numbered 25574 will be applied. By-law on Administrative Sanctions Regulation of the Information Technologies and Communication Authority entered into force on 15.02.2014. By-law on Administrative Fines and Other Sanctions and Measures Applicable to Operators by the Telecommunications Authority has been repealed with the Article 49 of the by-law published in the official gazette on 5/9/2004 numbered 25574. It is regulated that references to the by-law are made to the Administrative Sanctions Regulation of the Information Technologies and Communication Authority with Article 48. In the said by-law, the actions to be punished with an administrative fine are determined in detail.

In Article 13 of the by-law it is stated that an administrative fine of up to three percent (3%) of their net sales in the previous calendar year will be applied in the case of performing any of these actions such as: The operator’s failure to fulfill the obligation to ensure that personal data can only be accessed by authorized persons and to ensure the security of the systems in which personal data is stored and the applications used to provide access to personal data, Failure to fulfill the obligation to keep or delete the traffic data of subscribers/users processed and stored in accordance with the relevant legislation within the stipulated time, Failure to fulfill its obligations regarding the processing of traffic data and location data, Failure to fulfill its obligations regarding the protection of personal data against the destruction, loss, modification, storage or storage of personal data in another medium, processing, disclosure and access to such data, as a minimum unintentional, unauthorized or illegal, Failure to fulfill the obligation to keep detailed transaction records of all accesses provided to personal data and other related systems and the transactions made by the personnel authorized to access for the period specified in the relevant legislation or violation of other obligations regulated in the relevant legislation on the processing of personal data and secrecy.   

            Pursuant to article 21 of the By-law “In the cases of: Failure to use the safe products and system in administrative, technical, legal requirements and processings, Failure to perform the service reliably, Failure to have the required administral and technical opportunity and abilities to perform its duties in determined quality, Acting contrary to the rules set out regarding the protection of personal data and information security in these systems or failure to comply with other obligations determined by the relevant legislation by the Institution, Failure to properly record the data required to be recorded at all stages of the functioning of the registered electronic mail system an administrative fine of up to three percent (3%) of the net sales in the previous calendar year will be imposed on the registered electronic mail service provider.”