Turkey: Opening The Black Box: Facts About Turkey's New Electronic Messages Management System

I. Introduction

According to the Regulation on Commercial Communication and Commercial Electronic Messages ("Regulation"), natural or legal persons wishing to send commercial electronic messages must register with the Electronic Messages Management System (tr. IYS) and transfer recipient consents to IYS. IYS was first introduced with the amendments made under the Regulation on January 4, 2020, and followed by a deadline extension to August 31, 2020. Recently, deadline for the transfer of consents to the IYS is once again extended to December 1, 2020¹.

II. What is IYS?

IYS is an online platform built to facilitate the consent management system for service providers, intermediary service providers and recipients. Information on recipients' consents and withdrawals regarding commercial electronic messages are retained on IYS, which also enables recipients to file a complaint and give or withdraw their previously given consent. IYS infrastructure is established and will be managed by the Union of Chambers and Commodity Exchanges of Turkey (Tr. TOBB) as authorized by the Ministry of Trade.

III. Who will register with IYS, are there any exemptions?

As per Article 5 of the Regulation, companies willing to communicate with their customers (via e-mails, sms or calls or any other electronic means) for promotional purposes, must obtain customers' prior consent. Regulation accepts all communications prepared/built in a way to promote services or goods, increase one's visibility including via greeting messages and newsletters, as commercial electronic messages and thus require customer's prior consent before sending them. To this end, to the extent companies, whether based in Turkey or abroad², pursue foregoing marketing operations and send commercial communications to their customers in Turkey, they will be obliged to register with IYS and transfer customer consents (opt-ins) previously received to IYS until December 1, 2020. This said, there are certain exemptions applicable to the consent requirement. For instance, commercial electronic messages sent to merchants or craftsmen are exempt from the consent requirement. Service providers, however, must still store their electronic communication addresses in relation to such merchants or craftsmen (such as suppliers, resellers, business partners etc.) on IYS to enable these recipients to use their opt-out right.

Transfer obligation until December 1, 2020 merely covers opt-ins, and thus opt-out information is not required to be transferred to IYS.

Also, IYS is a "declaration based" system and does not require copies (print or screen shot) of consent forms to be installed within the system.

IV. Will intermediary service providers register?

Entities providing commercial communication infrastructure as well as services such as sending multiple emails and SMS or external (outsourced) call centers are deemed intermediary service providers under the Regulation. In this regard, although the Regulation does not explicitly require intermediary service providers to register with the IYS, it imposes a number of obligations on the intermediary service providers in relation to the use of the IYS. Accordingly, intermediary service providers must (i) initially check whether the service provider is registered with the IYS before sending commercial communications on behalf of service provider, (ii) verify recipients' consent on the IYS before sending commercial electronic messages on behalf of service providers, and (iii) integrate and harmonize their systems with the IYS and notify the service provider through the IYS in case the recipients' cancel their subscribers line with the relevant telecom operator.

V. How to register?

For the registration with IYS, service providers must make a pre-registration first. For registration, following information should be submitted to IYS:

(i) Central registration system number (MERSIS No) of the service provider,

(ii) Trademark registration certificate of each brand related company holds,

(iii) Electronically signed copy of the Undertaking on Usage of Primary Services of IYS (After entering the requested information to the IYS, the system issues an Undertaking on Usage of Primary Services of IYS),

(iv) Turkish identity number, mobile phone number and business e-mail address of company's authorized signatory,

(v) Number of total consented customer contact information each brand possess.

Once the foregoing procedures are completed, IYS internally approves the application and notifies applicant of such approval. If the application documents are complete, IYS approves the application within the same day or the next day.

For transfer of each consent data to IYS, following information will have to be submitted:

(i) Contact information of the customer (phone number or e-mail address),

(ii) Opt-in date,

(iii) Contact channel (call/sms/e-mail),

(iv) Receiver type (individual/legal person), and

(v) Consent source ("pre May 1st 2015", "consent form bearing wet signature", website" etc.).

Consents can be transferred to IYS via iys.org.tr individually or collectively through .csv files. IYS also has a service tool called API (Application Programming Interface), designed to intergrade separate software for easy update of brands' IYS accounts. This service provides various membership functions accordingly with the size of customer portfolio, to which detailed information can be found (in Turkish) under https://iys.org.tr/hizmet-saglayici/paketler-ve-moduller

VI. How to keep IYS records updated?

Recipients may use their right to opt-out as well as opt-in through the IYS. In other words, IYS allows service providers to use IYS system for obtaining customer consents.

Service providers can nevertheless receive consents through other methods; in written form or through electronic communication. In such case, all opt-ins or opt-outs received outside the IYS system, should be transferred to IYS within three days after their receipt.

VII. Consequences of not transferring consents to IYS until December 1, 2020

As per the Frequently Asked Questions published under the IYS website, consents that are not transferred to IYS by the deadline of December 1, 2020, will be deemed invalid. Consequently, companies will have to cease sending further commercial communications to its current customer portfolio despite holding their opt-ins, since these opt-ins are not transferred to IYS. Otherwise, it may be deemed as a breach of consent requirement and may trigger monetary fines.

VIII. What about Data Protection Laws?

Although walking hand in hand, e-commerce legislation stands on its own feet and is separate from data protection laws in Turkey. Therefore, explicit consents for processing of data subjects' personal data should not be regarded as, and does not stand for consent for receiving commercial electronic messages, or vice-versa. Accordingly, companies will not have to transfer consents obtained accordingly with the Law No. 6698 on Protection of Personal Data ("LPPD") to IYS.

Needless to say, IYS A.S., which is a joint stock company established accordingly with Turkish laws to supervise the IYS platform, will have to comply with data protection laws and take necessary security measures for protecting its database.

Footnotes