Technology law in Turkey: highlights from 2021 – Commentary

Employer data protection obligations in Remote Working Regulation
Regulation on Not Using Crypto Assets in Payments
Amendments to Regulation on Authorisation in the Electronic Communication Sector
Guideline on Commercial Advertising and Unfair Commercial Practices by Social Media Influencers
Regulation for Disclosure of Confidential Information
Draft regulation amending Regulation Regarding the Rights of Consumers in the Electronic Communication Sector
Important DPA decision regarding international transfers of data
Protection of personal data in artificial intelligence systems
Guideline on Matters to be Considered When Processing Biometric Data
DPA vaccine and PCR announcement
Guideline on Information and Communication Security Audit
Tax regulations for social media content producers and application developers
Management and allocation of “.tr” domain names
Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism
Regulation on the Operational Principles of Digital Banks and Service Model Banking

The ongoing covid-19 pandemic dominated legal developments in 2021 as restrictions were maintained in order to mitigate its impact. In addition to that, developments in the field of technology, especially relating to artificial intelligence or blockchain systems (such as non-fungible tokens and the metaverse), have started to affect the law in Turkey, as in the rest of the world. This article chronologically summarises the technology law highlights of 2021.

Employer data protection obligations in Remote Working Regulation

The Remote Working Regulation came into force on 10 March 2021, after being published in the Official Gazette No. 31419. Among other things, the regulation covers employers’ obligations with regard to personal data protection. Please also see the article covering “Personal data protection in context of employment and vaccination”.

Regulation on Not Using Crypto Assets in Payments

The Central Bank of the Republic of Turkey published the Regulation on Not Using Crypto Assets in Payments on 16 April 2021, and it entered into force on 30 April 2021. The regulation defines “crypto assets” and provides that cryptocurrencies cannot be used directly or indirectly in payments and that no service can be provided for the direct or indirect usage of crypto assets in payments.

Amendments to Regulation on Authorisation in the Electronic Communication Sector

The amendment entered into force on 1 May 2021, after being published in the Official Gazette No. 31471, and amended conditions of authorisation application, renewal periods, competency check and operator’s obligations. Additionally, new attachment documents (a draft notification form, a draft application form for right of usage, and a form providing the definition, scope and duration of services, networks and infrastructures of electronic communication) were presented.

Guideline on Commercial Advertising and Unfair Commercial Practices by Social Media Influencers

The Turkish Ministry of Commerce published the guideline on 5 May 2021. The guideline determines the procedures and rules regarding commercial ads by social media influencers. Principally, social media ads must be clear, distinguishable and not covert. For this purpose, the guideline determines the use of tags for different types of social media platforms and obliges social media influencers and advertisers to comply with the legislation and to be fair, careful and responsible when advertising.

Regulation for Disclosure of Confidential Information

The regulation was published in the Official Gazette No. 31501 on 4 June 2021. It outlines banks’ obligations with regard to the protection of confidential information, including exceptions, the concept of a “client secret”, the principles of sharing secret information and the obligation to form an “Information Sharing Committee”. All of the definitions provided by the regulation refer directly to the Data Protection Law. On 24 December 2021, the effective date was changed from 1 January to 1 July 2022.

Draft regulation amending Regulation Regarding the Rights of Consumers in the Electronic Communication Sector

The Information Technologies and Communication Authority (ICTA) published the draft on 6 July 2021. This draft provides additional obligations for operators and new rights for natural persons or legal entities that are party to a contract entered into with an operator for the provision of electronic communication services. The process of receiving the opinions of the public regarding the draft has been completed, and the ICTA is working to finalise the draft regulation.

Important DPA decision regarding international transfers of data

The Turkish Personal Data Protection Authority (DPA) made a public announcement regarding the ex officio investigation of an instant messaging app and published a decision on 3 September 2021, discussing data processing and data transfer operations. The DPA’s decision presented its approach to accepting subsequent processing operations on personal data collected from Turkey as an international transfer – if performed in servers located outside of Turkey.

Protection of personal data in artificial intelligence systems

The DPA published its recommendations regarding the protection of personal data in artificial intelligence systems on 15 September 2021. These recommendations consist of three parts:

  • general recommendations;
  • recommendations for developers, manufacturers and service providers; and
  • recommendations for decision-makers operating in the field.

Guideline on Matters to be Considered When Processing Biometric Data

The DPA published the guideline on 17 September 2021. The guideline defines “biometric data” and divides it into two categories: physiological (eg, fingerprint and retina data) and behavioural (eg, the style of keyboard use). Additionally, to ensure that the guideline is useful, the DPA examined biometric data processing principles and biometric data security in detail.

DPA vaccine and PCR announcement

Following a letter of the Ministry of Labour and Social Security dated 2 September 2021, which stated that employers can request polymerase chain reaction (PCR) tests once a week from non-vaccinated employees, the DPA published a public announcement on its official website on 28 September 2021. In the announcement, the DPA stated that, in order to prevent the spread of the disease, covid-19 vaccine information and/or negative PCR test information can be processed within the scope of the exception provisions of the Personal Data Protection Law No. 6698, which regulates the lawfulness of the preventive and protective activities carried out by public institutions and organisations.

Guideline on Information and Communication Security Audit

The Digital Transformation Office published the Guideline on Information and Communication Security Audit on 27 October 2021. The new guideline regulates the audit processes which public institutions and enterprises that provide critical infrastructure services must carry out in order to ensure the security of critical data. The guideline regulates the planning, performing and reporting of those audits and obliges related institutions to establish an audit team.

Tax regulations for social media content producers and application developers

The Law on Amending the Tax Procedure(1) was published on 26 October 2021 in the Official Gazette No. 31640. Pursuant to the amendments, content producers and application developers must open an account with a bank established in Turkey.

Management and allocation of “.tr” domain names

The enforcement of the Regulation on Internet Domain Names, which regulates the sale and transfer of “.tr” domain names and was published in 2010, was postponed until the “.tr” Network Information System (TRABIS) became operational. On 19 November 2021, the platform Nic.tr announced that it expected the management of “.tr” domain names to be completely transferred to the ICTA by January 2022. However, as of February 2022, TRABIS is still not operational.

Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism

The DPA has introduced the concept of data protection officers with its communiqué published in the Official Gazette on 6 December 2021. Within the communiqué, a “data protection officer” is defined as a “natural person who is entitled to use the title of data protection officer by successfully passing the exam”, and the training, examination and certification processes for data protection officers are regulated.

Following the communiqué, the DPA announced on 10 December 2021 that data protection officers introduced via the communiqué are different from the concept of “data protection officer” under the EU General Data Protection Regulation.

Further, the Union of Turkish Bar Associations announced that it recently filed an annulment suit against the DPA in the Council of State. The Union claimed that the communiqué is contrary to the Attorneys’ Act No. 1136 because data protection officers must be lawyers, as the field of data protection is a legal discipline. Nevertheless, there has been no further development on this subject.

Regulation on the Operational Principles of Digital Banks and Service Model Banking

The Banking Regulatory and Supervision Agency published the regulation on 29 December 2021, and it entered into force on 1 January 2022. The regulation outlines obligations for banks that only operate through digital channels without any branch.

For further information on this topic please contact Burak Özdağıstanli, Sümeyye Uçar or Öykü Su Sabancı at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or by email. The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com/

Endnotes

(1) Law No. 7338.
