Numerous complaints have been submitted to the Turkish Data Protection Authority (“Authority”) stating that advertising notifications are being received at e-mail addresses and on mobile phones, via SMS and phone calls, without the explicit consent of the relevant persons, in violation of the provisions of the Turkish Data Protection Law (“Law”) No. 6698. The Authority has therefore adopted a principle numbered 2018/119 and dated 16/10/2018 to prevent data controllers and data processors from directing such notifications to the relevant persons’ e-mail addresses, or to their mobile phones via SMS or call.
In accordance with paragraph 7 of Article 15 of the Law, titled “Procedures and Principles of Inspection Ex Officio or upon Complaint”, the following parties shall immediately stop the activities in question: data controllers who direct advertising messages by SMS, phone call or e-mail without obtaining the consent of the relevant persons and without complying with the processing conditions specified in Article 5 of the Law, titled “Conditions for Processing of Personal Data”; and data processors who use such data to send advertising messages or e-mails, or to make advertising phone calls, on behalf of the data controller without the explicit consent of the relevant persons.
Within the scope of Article 12 of the Law, titled “Obligations regarding data security”, the data controller is obliged to take all technical and administrative measures needed to provide an appropriate level of security, for the purpose of preventing unlawful processing of personal data, preventing unlawful access to personal data and protecting the personal data. If the personal data is processed by another real or legal person on the data controller’s behalf, the data controller is jointly responsible with that person for taking such measures.
According to Article 136 of the Turkish Criminal Code (“TCC”) No. 5237, titled “Illegally Obtaining or Giving Data”, any person who illegally obtains, disseminates or gives to another person someone’s personal data shall be sentenced to imprisonment for a term of two to four years. Thus, data controllers who illegally share another person’s personal data, such as phone numbers or e-mail addresses, with a data processor shall be subject to this penalty. Pursuant to Article 158 of the Turkish Criminal Procedure Law No. 5271, titled “Report of crimes and claims”, data controllers acting unlawfully in this way can be reported to the Office of the Public Prosecutor.
In addition, in accordance with paragraph 1, subclause (c) of Article 18 of the Law, titled “Misdemeanours”, those who do not fulfil decisions of the Authority shall be subject to an administrative fine of 25.000 Turkish liras to 1.000.000 Turkish liras. For this reason, data controllers and data processors who are acting illegally shall be subject to this sanction if they do not immediately stop their activities after receipt of the Authority’s resolution.
Furthermore, according to paragraph 1, subclause (b) of Article 18 of the Law, a person who does not fulfil the obligations regarding data security stipulated in Article 12 of the Law shall be subject to an administrative fine of TL 15.000 to TL 1.000.000. In other words, if data controllers and data processors fail to protect phone numbers, e-mail addresses and other personal data because they lack an appropriate level of security, this sanction shall also be applied.
Persons who believe that their personal data has been violated shall first apply to the real or legal person violating their rights, i.e. the data controller or data processor. If the infringing party does not take the necessary steps to eliminate the violation, these persons may file a complaint with the Authority. In addition, the Authority may carry out the necessary examination and investigation ex officio if it becomes aware of the alleged violation itself. If, after the necessary examination and investigation, the Authority decides that there is a violation of personal data, it shall impose the sanctions stipulated in the resolution. This resolution and its implementation took effect as of November 1, 2018, which is the date of publication in the Official Gazette.
SMS, phone calls and e-mails are very important and effective advertising tools for companies, especially e-commerce companies, because they provide easy access to consumers. On the other hand, such advertising tools can be frustrating for consumers in many ways. Around the world, governments are trying to set the limits of such activities with new regulations. Most recently, the European Union has released a wide range of regulations under the name of the General Data Protection Regulation. The reforms are designed to protect personal data within the fast-paced flow of data in the internet-connected age. Similar to the European Union, the Turkish Government is trying to set up certain rules for the processing and sharing of the personal data of its citizens, who use data and internet services every day. Although the Authority actively started its supervision only a short time ago, this resolution shows that active measures shall be taken against any illegal data sharing activities. Parties that use SMS, e-mail or phone calls for advertising purposes must receive prior approval from consumers no matter what. Otherwise, such advertising activities through commercial electronic messages and phone calls shall be subject to sanctions to the extent of the relevant provisions of the TCC and the Law.