Regulations on the Processing and Protection of Personal Data in the Electronic Signature Law
The Electronic Signature Law, which came into effect on July 23, 2004, encompasses provisions regarding personal data and the protection of such data. The purpose of the law, as stated in Article 1, is to “regulate the legal and technical aspects of the use of electronic signatures.” The law defines “Electronic data” as records produced, transmitted, or stored by electronic, optical, or similar means and “Electronic signature” as electronic data attached to another electronic data or logically connected to electronic data and used for authentication purposes. The electronic certificate, which establishes the connection between the electronic signature and the electronic signature holder, is defined as an “electronic record linking the signature verification data and identity information of the signature holder.” Authorized public institutions and individuals provide this electronic certificate as stipulated by the law.
Article 12 of the Law, titled “Protection of Information,” regulates the personal data that an electronic certificate service provider may request from the applicant and the obligations for protecting this personal data. The relevant Article 12 of the law is as follows:
Protection of Information
ARTICLE 12
“The electronic certificate service provider:
a) Cannot request information from the person requesting the electronic certificate, except for the necessary information to issue the electronic certificate, and cannot obtain this information without the person’s consent,
b) Cannot keep the certificate in environments where third parties can access it without the permission of the electronic certificate holder,
c) Prevents third parties from obtaining the personal data of the person requesting the electronic certificate without the written consent of the person. It cannot disclose this information to third parties without the approval of the certificate holder and cannot use it for other purposes.”
Article 13 of the Electronic Signature Law states that the electronic certificate service provider is subject to general provisions regarding its liability to the electronic certificate holder. In this context, since no separate special provision is made by the law, it is understood that the service provider will be liable according to the provisions of the Turkish Penal Code, the Personal Data Protection Law, and the Turkish Civil Code in case of the violation of personality rights. The law also specifies that the electronic certificate service provider is liable for damages caused to third parties due to the violation of the provisions of the Electronic Signature Law and the regulations issued within the scope of the law, and this liability can be waived only if it proves that it is faultless.
Furthermore, the law states that if the breach of this obligation is based on the behavior of the employees employed by the electronic certificate service provider, the provider will still be liable, and it cannot be exempted from liability by providing evidence of care as stipulated for employers in the Turkish Civil Code. The possibility of providing evidence of exemption by showing due care during the selection of employees, giving instructions related to their work, and exercising supervision and control, as stipulated in Articles 55 and 66 of the Turkish Code of Obligations, has been taken away by the law, and the conditions for liability have been made more stringent, establishing strict liability.
Moreover, any clause that eliminates or limits the liability of the electronic certificate service provider to third parties and qualified electronic signature holders, except for limitations on the use and material scope of the electronic certificate, is deemed invalid. As a guarantee of this faultless liability, the electronic certificate service provider must obtain financial liability insurance from an insurance company authorized to operate in the relevant field in Turkey. The electronic certificate service provider is obliged to have the qualified electronic certificate insured when delivering it to the electronic signature holder.
Yalçın TORUN Attorney at Law
Warning
The above written text on our website is copyrighted to Attorney Yalçın TORUN. This written content is preserved over time with an electronic signature for the purpose of identifying ownership of intellectual property rights. The written texts on our website can be freely used by our fellow lawyers in their petitions; however, we do not permit the full, partial, or summarized publication of the texts on other websites without proper attribution.
