In parallel with ongoing economic and social developments, the collection and processing of personal data has gained momentum as interaction between individuals and legal entities has increased. Because collecting and processing personal data has become quite easy, data security has gained importance, and in this regard the Law on Protection of Personal Data No. 6698 ("PPD") has imposed certain obligations on individuals and on the real and legal entities that interact with individuals. Technological systems and the communication sector in particular have diversified, and therefore the amendment made to the Communication and Commercial Electronic Messages Regulation introduced the Commercial Electronic Communication Management System ("IYS") for real and legal persons engaged in commercial activities, together with the obligation to carry out the storage, destruction, retention and processing of personal data within this system in accordance with PPD. In this article, we evaluate the data security obligations of companies engaged in commercial activities within the scope of the implementation of the Message Management System.
I. INTERACTION BETWEEN PERSONAL DATA AND COMMERCIAL ELECTRONIC MESSAGE
Within the scope of PPD, personal data is defined as any information relating to an identified or identifiable person. Accordingly, information such as an individual's name, surname, age, gender, occupation, telephone number and e-mail address is considered personal data. Any action performed on personal data is considered "data processing" within the scope of PPD, and the processing of personal data, as a rule, depends on the explicit consent of the person. Therefore, it is unlawful to carry out processing activities on any personal data without the explicit consent of the individual.
Under Article 2 of the Code on Electronic Commerce Regulation No. 6563 ("Code"), data, voice, and visual content messages sent for commercial purposes by electronic means such as telephone, call centers, fax, automatic dialing machines, smart voice recorder systems, e-mail, and short message service are described as "commercial electronic messages". In addition, under the same provision, real or legal persons engaged in electronic commerce activities are defined as "service providers". Accordingly, commercial electronic messages are the messages that institutions and organizations providing services send to consumers' electronic communication addresses in order to promote and market their products and services, to promote their business, or to increase their recognition with content such as celebrations and wishes.
Thanks to the development and diversity of communication and electronic commerce systems, institutions and organizations that provide commercial services may, as a result of their transactions with consumers, store individuals' personal data such as phone number, name, surname, e-mail address, gender, professional experience, order information, invoice, and registration details, and may afterward use this data for commercial electronic messages. However, a service provider's storing of personal data and subsequent use of it for commercial electronic messaging is a data processing activity within the scope of PPD and is subject to the data processing principles laid down in the provisions of PPD. Otherwise, the service provider's sending of commercial electronic messages will be considered illegal under the PPD.
II. EVALUATION OF THE MESSAGE MANAGEMENT SYSTEM UNDER THE PROTECTION OF PERSONAL DATA
Institutions and organizations providing commercial services have the title of data controller within the scope of PPD. For this reason, they are obliged to carry out their data processing activities in accordance with the law, especially the commercial electronic message transmission mentioned above. In this context, in order to process personal data for commercial electronic messages sent for marketing and advertising purposes, institutions and organizations that provide commercial services must obtain explicit consent from consumers and must also inform consumers about what the personal data will be used for and for what purposes it is required. Otherwise, sending commercial electronic messages, in other words processing consumers' personal data, without the explicit consent of consumers shall be considered an illegal activity.
The Regulation on the Amendment of the Regulation on Commercial Communication and Commercial Electronic Messages, published in the Official Gazette dated January 4th, 2020 and numbered 30998 ("Regulation"), sets out the rules and procedures that natural or legal persons engaged in electronic commerce activities must follow. The Regulation is also important because it lays the foundations of the IYS. The IYS is the national database system where service providers may store and manage different types of messaging permissions, such as calls, messages, and e-mails, and where recipients may view and remove the permissions they have granted, complain about unauthorized submissions, and view the status of their complaints and the message subject of the complaint, website, text message number, and call center. It records all permissions with a timestamp and stores them securely. As per the Regulation, real and legal persons who want to send commercial electronic messages are required to register with the IYS.
The service provider must obtain prior consent for commercial electronic messages sent to the e-mail addresses of recipients in order to promote its products and services, to promote its business, or to increase its recognition with content such as celebrations and wishes. Before the amendment made by the Regulation, service providers could obtain the explicit consent of consumers only by their own means; today, the explicit consent of consumers to data processing by service providers can also be obtained through the IYS. If the service provider obtains the explicit consent of consumers by its own means, the burden of proof lies with the service provider, and it shall save the relevant approval to the IYS within three working days. Approvals that are not registered in the IYS shall be deemed invalid, and commercial electronic messages cannot be sent to recipients for whom no approval exists in the IYS.
Another convenience that the IYS provides for consumers concerns the right to refuse to receive commercial electronic messages. Exercising this right is equivalent to withdrawing explicit consent within the scope of PPD, and explicit consent is revocable because giving it is a right that belongs strictly to the person. However, since the withdrawal has forward-looking effect, all activities based on explicit consent must be stopped by the data controller from the moment the withdrawal statement reaches the data controller. The IYS has a practical benefit here, since it allows the declaration withdrawing explicit consent to reach the data controller immediately. Recipients have the opportunity to make the rejection notification over the IYS, as they have the right to withdraw their consent at any time without giving any reason, in other words, to refuse to receive the message. In this context, the service provider, as the data controller, shall report the rejection notification to the IYS within three working days.
However, with regard to the protection of personal data in the IYS application, the obligations under the PPD of service providers, who are considered data controllers, are not limited to explicit consent, approval, declaration, and notification. They also have responsibilities within the scope of PPD for transferring the communication details and other personal information of consumers to the IYS and storing them in the IYS database.
In accordance with the Regulation, service providers are obliged to keep the records of approvals regarding commercial electronic messages sent to recipients' electronic communication addresses to promote their products and services, or to increase their recognition with content such as celebrations and wishes, for "three years" from the date on which the approval expires, and to keep other records of commercial electronic messages for "three years" as of the date of registration. In this regard, storing the personal data of recipients for more than three years is illegal under the PPD; therefore, the personal data must be deleted, destroyed, or anonymized by the data controller.
Today, due to the diverse development of commercial activities in the communication and information sector, personal data security has gained considerable importance, and steps to protect it have gained momentum at both the legal and the practical level. While PPD provides the legal framework for personal data security, the systems implemented in practice are intended to comply with it. In this context, the sending of electronic commercial messages to consumers, in order to promote their business or to increase their recognition with content such as celebrations and wishes, by real or legal persons that have the capacity of data controller due to their transactions with consumers is a data processing activity; accordingly, the explicit consent requirement and the obligation to inform must be fulfilled.
The IYS, on the other hand, is a national database system designed in accordance with the personal data policies envisaged by PPD, where service providers with the title of data controller store and manage their commercial electronic messaging permissions, and where the recipients who own the personal data can view and remove their permissions and complain about unauthorized submissions. The explicit consent requirement for data processing within the scope of PPD is met through "approval" in the IYS application; therefore, the sending of commercial electronic messages by service providers, who have the title of data controller, without explicit consent or approval shall be deemed unlawful. In this regard, it is important to note that explicit consent or approval can be withdrawn in practice through the IYS by the recipients who own the data. At the same time, the transfer of recipients' personal data to the IYS and its storage there by service providers, as data controllers, relates to data security and should be examined within the framework of the retention and destruction policies envisaged under the PPD.
Kılınç Law & Consulting