Focus on…
TRENDS AND DEVELOPMENTS IN IT LAW
1. General
Banking and payment systems are heavily regulated in Turkish Law. Banking Law No. 5411 (“Banking Law”) is the main legal document that regulates the banking sector, and payment systems are regulated by the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (“Payment Law”), together with their secondary legislation.
Under the Payment Law, payment system and securities settlement system can only be operated with a license acquired from the Central Bank of the Republic of Turkey (“Central Bank”). Payment system is defined under the Payment Law as “the structure that has common rules and provides the infrastructure required for clearing and settlement transactions carried out in order to realize fund transfers arising from transfer orders among three or more participants” and securities settlement system is defined as “the structure that has common rules and provides the infrastructure required for the clearing and settlement transactions carried out in order to realize securities transfers arising from transfer orders among three or more participants”.
Moreover, the following activities are defined as payment services under Article 12 of the Payment Law:
According to the Payment Law, payment institutions are legal persons authorized pursuant to the Payment Law to provide and execute payment services.
As an important step, the Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers (“PSR”) and the Communiqué on Information Systems of Payment and Electronic Money Institutions, and Data Sharing Services of Payment Service Providers in the Field of Payment Services (“DS Communiqué”), both drafted by the Central Bank, were published in Official Gazette numbered 31676 on 1 December 2021 and entered into force. With the PSR and the DS Communiqué, drafted following the amendments made to the Payment Law that were published in the Official Gazette on 22 November 2019, Turkish legislation has been aligned with Directive (EU) 2015/2366 of European Commission, Payment Services Directive 2 (“PSD2”).
DS Communiqué first granted a transition period for the compliance of the market players until 28 February 2023. Thereafter this transition period was extended until 30 April 2023 with the Amendment Communiqué on the DS Communiqué published in the Official Gazette numbered 32118 and dated 28 February 2023.
Moreover, digital banks are regulated under the Turkish law for the first time.
Crypto assets are, on the other hand, mainly unregulated under Turkish law, and until 2021 there was no provision directly addressing crypto assets. The very first legal document specifically regulating crypto assets is the Regulation on the Use of Crypto-Assets in Payment promulgated in 2021, which prohibits the use of crypto assets in payments. Non-Fungible Token (“NFT”) usage and fan token issuance have grown rapidly in Turkey. Fan tokens in particular have become very popular among sports teams, including major league football clubs such as Fenerbahçe and Altay, providing them with additional income.
On a further note, blockchain on its own is not regulated, but rather, governed by the rules applicable to the area where it is used.
2. Recent Key Developments in Payment Systems, Digital Banking, Digital On-Boarding and Crypto Assets
2.1 The Regulation on Payment Services, Electronic Money Issuance and Payment Service Providers
The regulation aims to draw the procedures and principles regarding the authorization and activities of payment institutions and electronic money institutions (“Institutions”), the provision of payment services to payment service providers, and the issuance of electronic money.
The PSR regulates licensing conditions and proceedings of the Institutions. One of the most critical provisions is that intangible assets that are only issued in exchange for a one-to-one fiat currency, created virtually and distributed over digital networks are considered electronic money if they are issued against funds accepted by the issuing institution, stored electronically, used to perform the payment transactions defined in the Payment Law and accepted as a payment instrument by real and legal persons other than the issuing institution. The Central Bank will determine how the secondary regulations enacted pursuant to the Payment Law will be applied to intangible assets that will be considered electronic money within the scope of this paragraph, and the other procedures and principles needed for such electronic money.
According to the PSR, a payment order refers to the instruction given by the customer to the payment service provider for the purpose of realizing the payment transaction, and in accordance with Law No. 6493, the institutions have the right to issue a payment order initiation service (“PIS”). Where a payment is initiated through the PIS provider, the institution holding the sender's payment account will promptly return the unfulfilled or incorrectly executed part of the payment transaction to the sender and restore the payment account if the amount has been deducted from the payment account. In such transactions, the obligation to prove that the payment order was received by the institution where the payment account is held, and that the transaction was approved by the customer, recorded correctly, processed into the accounts and not affected by a technical failure or problem in the services under its responsibility, will belong to the PIS provider.
The procedures and principles regarding the execution of transactions related to the PIS and the account information service (“AIS”), and the technical and operational requirements to be complied with by the parties, are determined by the Central Bank. Compliance with the technical and operational requirements of the Central Bank is audited through a technical control and evaluation process to be carried out by the Interbank Card Center (“BKM”). Parties who complete this technical control and evaluation process without any problems are registered by BKM, publicly announced on the website, and accepted as authorized PIS and AIS providers after the necessary permissions are given by the Central Bank. Institutions operating as of the date of entry into force of the PSR are obliged to harmonize with the PSR within one year from the date of publication of the PSR. The PSR mainly granted the payment and electronic money institutions operating as of the date of its entry into force a transition period until 1 February 2022 to comply with the requirements set forth under the PSR. This transition period was first extended until 28 February 2023 with the Amendment Regulation on the PSR published in the Official Gazette numbered 32024 and dated 25 November 2022. Thereafter, a second extension was made with the Amendment Regulation on the PSR published in the Official Gazette numbered 32118 and dated 28 February 2023, and the transition period was finally extended until 30 April 2023.
2.2 Digital Banking Regulation
As a result of the amendments made in article 76 of the Banking Law, and with the entry into force of the Regulation on the Establishment of a Contractual Relationship in the Electronic Environment and the Remote Identity Detection Methods to be Used by Banks, establishing contractual relations between banks and their customers in the electronic environment became possible. With these developments, the Banking Regulation and Supervision Agency (“BRSA”) has aimed to lay the foundations of the digital banking model, which operates only in the digital environment. Therefore, the BRSA published the Regulation on the Operating Principles of Digital Banks and Service Model Banking (“DBR”).
The DBR aims to determine the operating principles of branchless banks that serve exclusively through digital channels and the conditions for the provision of banking as a service model (banking as a service, “BaaS”) to businesses and innovative enterprises – in other words, start-ups.
The DBR defines digital banks as “credit institutions that provide banking services mainly through electronic banking services distribution channels instead of physical branches”. Unlike the branchless banking application in Europe, the DBR allows neo banks to obtain a license to operate directly over the BaaS infrastructure, without the requirement to have a licensed sponsor bank.
Unless otherwise stated in the DBR or the relevant legislation, digital banks can perform all the activities that credit institutions can perform, depending on whether they are deposit or participation banks. Digital banks are obliged to comply with the provisions of the DBR in addition to all the legislative provisions that credit institutions are obliged to comply with within the framework of the Banking Law and related legislation.
The DBR sets forth certain restrictions for the activities of digital banks. According to the DBR, customers of digital banks can only be financial consumers and small and medium enterprises (“SMEs”). In this respect, digital banks were prevented from carrying out commercial banking activities exceeding the SME size. The total of unsecured cash loans that digital banks can make available to a certain financial consumer cannot exceed four times the average monthly net income of the relevant customer, and if the customer's average monthly net income cannot be determined, the total of unsecured cash loans that can be extended for such customer cannot exceed ten thousand Turkish Liras.
The DBR defines the BaaS as “a service model in which customers can perform banking transactions through the service bank by connecting directly with the systems of service banks via open banking services by the interface offered by the interface providers.” The service bank can only provide service model banking services to domestically resident interface providers and only within the framework of their own operating permits.
2.3 Regulation on the Use of Crypto-Assets in Payment
The Regulation on the Use of Crypto Assets in Payments was published on 16 April 2021, to be effective as of 30 April 2021, and became the first legal document specifically regulating crypto assets under Turkish Law.
Crypto asset is defined under Article 3 as “intangible assets that are created virtually using distributed ledger technology or a similar technology and distributed over digital networks but are not qualified as fiat money, dematerialized money, electronic money, payment instrument, security or another capital market instrument”. As per Article 3, crypto assets may not be used directly or indirectly in payments. Article 4 prohibits payment service providers from developing business models, or providing services regarding those business models, where crypto assets are used in the provision of payment services and issuance of electronic money. Article 4 also prohibits payment and electronic money institutions from mediating platforms, and fund transfers from the platforms, offering trading, custody, transfer, or issuance services for crypto assets.
2.4 Regulations Allowing IBAN Issuance by Payment Service Providers
Communiqué numbered 2021/5 (“Amendment Communiqué”), published in Official Gazette dated 5 August 2021, numbered 31559, amends Communiqué number 2008/6 on International Bank Account Numbers to allow payment service providers to issue international bank account numbers (“IBAN”).
Amendment Communiqué provides that (i) payment service provider codes for use in issuing IBAN will be determined by the Central Bank, and (ii) non-bank payment service providers can issue IBAN for customer accounts subject to money transfers but are obligated to do so only where applicable payment system rules established pursuant to Payment Law so require.
2.5 Regulation on Remote Identity Verification and Remote Contract Execution
The Regulation on Remote Identification Methods to be Used by Banks and Establishment of Contractual Relations in Electronic Environment was published in the Official Gazette No. 31441, dated April 1, 2021. With the regulation, it became possible to perform identity verification proceedings online by video call, without the need for the customer representative and the customer to be physically present in the same environment. In addition, after identity verification is made remotely or through branches, it became possible to establish remote banking contracts.
2.6 General Communiqué of Financial Crimes Investigation Board No. 19 on Remote Identity Verification
General Communiqué of Financial Crimes Investigation Board No. 19, effective as of 1 May 2021, on remote identity verification (“Communiqué 19”), was published in Official Gazette No. 31470 of 30 April 2021.
The Communiqué 19 allows, in accordance with extant applicable law, remote consumer identity verification to facilitate establishment of a commercial relationship. The method designed and utilized by the parties must minimize the risk of unauthorized publication of protected data. Notably, a signature sample need not be obtained in the process.
2.7 Crypto Asset Service Providers’ Obligations Regarding Anti Money Laundering and Terrorist Financing
The Regulation on Amendment of Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing, effective as of 1 May 2021 (“Crypto AML Regulation”), was published in Official Gazette numbered 31471 of even date.
The Crypto AML Regulation expands the definition of obligated entities under article 4 of the Regulation on the Measures for Prevention of Laundering Proceeds of Crime and Terrorist Financing (“AML Regulation”), published in Official Gazette numbered 26751 of 9 January 2008, with the following subparagraphs:
Accordingly, as of 1 May 2021, crypto-asset service providers, savings financing companies, their branches, agents, representatives, commercial agents, and affiliated entities are required to comply with the AML Regulation.
2.8 Digital On-Boarding
The BRSA has issued Circular numbered 2022/2 Regarding the Criteria to be Provided for Authentication and Transaction Security in the Establishment of Agreements in Electronic Banking Services and in Electronic Environment. The circular aims to clarify the application of the Regulation on Banks’ Information Systems and Electronic Banking Services, the Regulation on Remote Identification Methods to be Used by Banks and Establishment of Agreements in Electronic Environment and the Regulation on Operating Principles of Digital Banks and Service Model Banking, in a uniform manner without compromising transaction security.
2.9 Recent Developments on Equity Requirement for Payment Institutions
The Communiqué Regarding the Redetermination of Minimum Equity Amounts of Payment and Electronic Money Institutions (“Equity Communiqué”) was published by the Central Bank of the Republic of Türkiye in the Official Gazette dated 28 January 2023 and numbered 32087, in order to update the minimum equity amounts of payment institutions and electronic money institutions regulated in the Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers.
The Equity Communiqué will enter into force on 30 June 2023. Updated minimum equity amounts with the Equity Communiqué are as follows:
II. E-COMMERCE
1. General
E-commerce is regulated under Turkish law especially with regard to e-commerce platforms and electronic commercial messages. Law on Regulation of Electronic Commerce No. 6563 (“E-Commerce Law”) is the main legislative document that governs e-commerce, along with the Law on Protection of Consumer No. 6502 (“Consumer Law”) for the B2C side. In accordance with the E-Commerce Law, with certain exceptions, commercial electronic messages can be sent to recipients by service providers only with the recipient’s prior consent. Service providers wishing to send commercial electronic messages must register with, and transfer their consent records to, the commercial electronic communication management system before carrying out any commercial communication. A draft amendment to the Consumer Law has been brought to the Turkish parliament. The proposed amendments, if passed, will bring certain aggravated obligations for intermediary service providers and stricter regulations regarding remote contracts.
2. Recent Key Developments in E-Commerce
2.1 Competition Authority’s Preliminary Findings on E-Marketplace Sector
On 7 May 2021, the Turkish Competition Board made public certain preliminary findings ("Report") from its e-marketplace sector inquiry, commenced 11 June 2020 (“Inquiry”), by publishing same on the Turkish Competition Authority’s (“TCA”) website.
The Inquiry was intended to, in the interest of general consumer and merchant protection, identify anti-competitive practices within the e-marketplace sector. In light of the Inquiry findings, the Report, inter alia, recommends implementing certain ameliorative measures. To that end, the Report contains the following recommendations:
2.2 Licence Requirement
Electronic commerce intermediary service providers with a net transaction volume over ten billion and number of transactions over 100,000 excluding cancellations and returns in a calendar year shall obtain a license from the Ministry of Commerce and renew such license annually. The provisions regarding the obligation to obtain a license will enter into force on 1 January 2025.
2.3 Content Management
Regarding intellectual and industrial property rights, the e-commerce intermediary service provider is obliged to unpublish the product of the e-commerce service provider, which is the subject of the complaint, and notify the e-commerce service provider and the right owner, upon a complaint based on information and documents regarding intellectual and industrial property rights violations. The product subject to the complaint may be republished upon e-commerce service provider’s submission of the information and documents refuting the complaint to the intermediary service provider. With the relevant regulation, the complaint and takedown procedure to be followed in case of violation of intellectual and industrial property rights of the content is regulated.
III. INTERNET - SOCIAL MEDIA AND DIGITAL PUBLICATIONS
1. General
All internet content, including online media services, is regulated under Law No. 5651 on the Regulation of Publications on the Internet and the Suppression of Crimes Committed by Means of Such Publications (aka Internet Law) by the Information and Communication Technologies Authority (“ICTA”). The Internet Law regulates obligations of content providers, hosting providers, internet providers and social network providers.
As per the Internet Law;
2. Recent Key Developments in Internet/Social Media
2.1 Advertising Bans on Twitter, Periscope, and Pinterest
Turkey has brought a set of amendments to the Internet Law, and the amendment law was published in the Official Gazette on 31 July 2020. With the amendments, a series of obligations was set forth for the local and foreign domiciled social network providers operating in Turkey, including appointing a local representative.
ICTA banned advertising on Twitter, Periscope, and Pinterest for failure to appoint a local representative. The advertisement bans were later withdrawn after the appointment of such representatives.
2.2 Guidelines applicable to Social Media Influencer Advertising
To clarify the current state of the law on social media advertising governed by Consumer Law and the Regulation on Commercial Advertisement and Unfair Commercial Practices (“Advertising Regulation”), Turkey’s Advertisement Board published its Guideline on Commercial Advertisement and Unfair Commercial Practices of Social Media Influencers, effective 4 May 2021 (“Guideline”).
Social media posts by influencers deriving financial or other material benefit are commercial in nature under the Law and the Advertising Regulation, and such ads must fully comply with them. Accordingly, the Guideline, on top of certain other requirements, obliges social media influencer posts to be disclosed as commercial advertising.
2.3 Amendments to the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts
The Regulation Amending the Regulation on Presentation of Radio, Television, and On-Demand Internet Broadcasts (“Amendment Regulation”) was published in Official Gazette dated 10 April 2021 and numbered 31450. Amendment Regulation introduced certain amendments affecting the financial obligations of licensed broadcasters which are as follows:
2.4 Amendments on Social Media Platforms
The Law Amending the Press Law and Certain Laws numbered 7418 (“Law No. 7418”) was published in the Official Gazette dated 18 October 2022 and numbered 31987. Accordingly, certain amendments were introduced to Law No. 5651 (aka Internet Law) with regard to the regulations related to social network providers.
Notable amendments brought by the Law No. 7418 within the scope of the Internet Law are as follows:
2.5 Digital Publications
Law No. 7418 significantly amends a wide range of different legislations and includes amendments to Press Law numbered 5187 (“Press Law”), Law on the Establishment of the Press Advertising Agency numbered 195 (“Law No. 195”) and Turkish Criminal Code numbered 5237 (“Criminal Code”).
Notable amendments brought by the Law No. 7418 within the scope of the Press Law are as follows:
IV. CLOUD COMPUTING
1. General
In Turkey, although there is no specific regulation regarding cloud computing, certain rules prescribed in several laws and secondary legislation concerning cloud computing apply in most cases. These rules are mainly concentrated on the notification requirement and data localization.
As stated above, hosting providers should notify ICTA before providing hosting services.
Hosting provider is defined under the Internet Law as “natural or legal persons who operate or provide systems which stores the services and contents”. As such, cloud providers are regarded as hosting providers with respect to the Internet Law.
As per the Internet Law, hosting providers are required to retain traffic data for 1 year and ensure the integrity, accuracy and privacy of this data. However, as per Electronic Communication Law No. 5809 (“ECL”), traffic data cannot be transferred abroad without the data subject’s explicit consent. This is an important challenge for cloud computing providers whose servers are located in foreign countries. The Personal Data Protection Board (“DP Board”) previously concluded in the “Gmail Decision” numbered 2019/157 dated 31 May 2019 that, where Gmail services provided by Google are used, mails are held at data centers all around the world, and therefore such use constitutes transferring personal data abroad.
2. Recent Key Developments in Cloud Computing
2.1 DP Board’s Decision Regarding Cloud Use
In the DP Board’s decision numbered 2021/359 dated 13 April 2021, the data controller employer was sanctioned for the use of cloud services to store employees’ personal data without first obtaining the employees’ explicit consent. The employee data was stored in a cloud database with servers abroad, which could only be accessed by relevant authorized persons. As the servers of the cloud database were abroad, the DP Board ruled that the data was transferred abroad.
2.2 BRSA’s Regulation Regarding Cloud Use in Banking
The Regulation on Information Systems and Electronic Banking Services of Banks (“BRSA Regulation”), which governs cloud computing usage of banks, has entered into force. The use of cloud systems is not prohibited under the BRSA Regulation. However, certain conditions should be fulfilled for the use of cloud systems. According to the BRSA Regulation, the primary and secondary systems of the Institutions should be kept in Turkey. If cloud computing services are used, the information systems of cloud computing service providers and their back-ups are also regarded as primary and secondary systems of the Institutions. In such cases, these data, hardware and software and their back-ups should also be kept in Turkey. Moreover, where cloud computing services are used for primary and secondary systems, the hardware and software used should be dedicated to a single institution. However, the use of community clouds is permitted for banks and financial institutions under certain conditions. With BRSA approval, a community cloud can be used by banks and financial institutions, on condition that the software and hardware are dedicated to BRSA regulated institutions and logical separation is provided for each company. In addition, with the BRSA’s approval, financial institutions may use the same dedicated software and hardware on condition that logical separation is provided for each company.
V. ARTIFICIAL INTELLIGENCE (“AI”)
1. General
AI is not specifically regulated under Turkish law; however, its use may trigger certain control mechanisms under various laws and regulations. For instance, the use of AI for automatic decision making can be challenged by data subjects if it results in a negative impact on them, and they can request human intervention in the decision making. Product liability and tort provisions of Turkish law also apply to damages incurred due to the use of AI.
2. Recent Key Developments in AI
2.1 Artificial Intelligence Strategy
The Circular numbered 2021/18 on the National Artificial Intelligence Strategy was published in the Official Gazette dated 20 August 2021 and numbered 31574, and the National Artificial Intelligence Strategy Document (“Strategy”) was published on the Digital Transformation Office of the Presidency’s website on 24 August 2021.
The high-level targets foreseen for 2025, which is the end of the implementation period of the Strategy, are as follows:
VI. TELCO
1. General
Telecommunication (telco) is a highly regulated sector under Turkish Law. The ECL, which is prepared based on Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 Establishing European Electronic Communications Code (“EECC”), is the main legislative document that governs the telecommunication sector. ICTA is the national regulatory agency for the supervision of the sector and execution of the ECL. The telco sector is regulated by licensing, authorization, notification and other control mechanisms regarding establishment, conduct and structure of the telco companies. Electronic communication services can only be provided by obtaining a license from ICTA. On the other hand, electronic communication services and/or networks or infrastructure established within the immovables of a real or legal person and not exceeding the borders of each immovable, used exclusively for personal or corporate needs, not used to provide any electronic communication service to third parties, not intended for any commercial purpose in its provision and not made available to the public and those established by public institutions and organizations in accordance with their special laws regarding the services they provide exclusively are not subject to authorization. Unlike EECC, the ECL does not contain a provision to expressly scope the communication medium between individuals which are provided for a price.
2. Recent Key Developments in Telco
2.1 Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector
The Regulation on Verification Process of the Applicant’s Identity in the Electronic Communications Sector (“RIR”) was introduced in the Official Gazette dated 26 June 2021 and numbered 31523.
According to the RIR, only the following channels can be used for identity verification:
The Regulation allows artificial intelligence to make the comparison of the face in the live image and the photograph in the identity document.
2.2 Communiqué on the Amendment of the Communiqué on the Processes and Technical Criteria Regarding Electronic Signatures
The Communiqué on the Amendment of the Communiqué on the Processes and Technical Criteria Regarding Electronic Signatures (“Electronic Signatures Communiqué”) entered into force on 28 December 2022 upon its publication in the Official Gazette numbered 32057.
With the published Electronic Signatures Communiqué, the validity of the algorithms and parameters specified in Article 6/1 of the Communiqué on Processes and Technical Criteria Regarding Electronic Signature that was published in the Official Gazette dated 6 January 2005 and numbered 25692 has been extended from 31 December 2022 to 31 December 2025.
2.3 Regulation on Protection of Personal Data in Electronic Communication Sector
ICTA’s long-awaited Regulation on Process of Personal Data and Protection of Privacy in Electronic Communication Sector (“DPR”) was published in the Official Gazette numbered 31324 and dated 4 December 2020.
In the DPR, contrary to its predecessor, explicit consent requirement for the cross-border data transfer is not regulated for all personal data categories. The communication and location data are regarded as important for national security so that cross-border transfer of these data is prohibited unless user’s explicit consent is obtained.
The DPR obliges the operators to implement all necessary technical and administrative measures to ensure the security of the services provided with the user’s personal data. The minimum requirements are also provided in the DPR, such as determining policies, protection of personal data against all breaches including disruption, loss, alteration, recording to another environment; and implementing necessary measures to prevent unauthorized access to these data. The operators are also obliged to save the log records to the systems containing personal data for two years.
In article 8 of the Regulation, specific provisions were introduced regarding explicit consent. The provisions are generally in line with the Law on Protection of Personal Data number 6698 (“DP Law”). As with the DP Law, the explicit consent must be specific to a certain data processing activity and must be given freely, and thus cannot be a condition for the service. It is, however, stated in the Regulation that explicit consent may be requested by providing additional benefits such as extra minutes or SMS rights. An obligation to inform is also implemented with the regulation as to the processed personal data, traffic, and location data. This information must be in font size 12 if made in writing. Operators are also obliged to inform the users, in the third quarter of the year, that their data is processed based on their explicit consent. Otherwise, the data processing activity of the Operators within the scope of the explicit consent given before is suspended until the privacy notice is submitted.
2.4 Increase in Direct Carrier Billing Usage
Direct Carrier Billing (“DCB”) has already been widely used in the Turkish market, especially for payment of electric, gas and water subscription bills. The pandemic, however, gave rise to the need for alternative payment methods to card and cash. DCB use in Turkey during the Covid-19 pandemic has increased.
VII. PERSONAL DATA PROTECTION
1. General
Privacy and protection of personal data is primarily regulated by the Law on Protection of Personal Data No. 6698 (“DP Law”). The DP Law sets forth certain obligations of data controllers, including to comply with the general principles of data processing, base data processing activities on a valid and legal ground, inform data subjects as to determined aspects of the data processing, respond to data subjects' applications with regard to their rights under the DP Law, comply with the prohibitions on domestic/cross border transfer, comply with the requirements for erasure, destruction, and anonymization of personal data, take adequate security measures for the protection of personal data, notify data breaches and register with the data controllers registry.
2. Recent Key Developments in Personal Data Protection Law
2.1 Personnel Certification
The Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (“Certification Communique”) was published. With the Certification Communique, in accordance with the standard numbered EN ISO/IEC 17024 (ISO17024), the procedures and principles have been determined regarding the certification of persons with regards to DP Officer Program.
According to the Certification Communique, those who acquire a certificate by participating in the program, the principles and procedures of which are determined by the Authority, and who have been successful in the respective exam will be entitled to use the title of "data protection officer". Organizations accredited by the Turkish Accreditation Agency within the scope of the ISO17024 standard will be authorized to certify those who are successful in the relevant exams related to certification.
In accordance with the Certification Communique, a data protection officer is assumed to have sufficient knowledge in terms of personal data protection legislation within the scope of the program for which they are certified. It is also regulated that the data protection officer can only use this title during the validity period of their certificates.
Finally, it is emphasized in the Certification Communique that employing a data protection officer will not remove the responsibility of the data controller and data processor to comply with the DP Law.
2.2 Personal Data Categories in Privacy Notices
Regarding the obligation to inform, the most important decisions in 2021 were the DP Board's decisions regarding the need to include the personal data categories processed in the privacy notice. In Article 4 of the Communique on Principles and Procedures to be Followed In Fulfillment Of The Obligation To Inform, the information required to be included in the privacy notice is determined as the identity of the data controller and, if any, its representative, the purpose for which personal data will be processed, and to whom and for what purpose personal data can be transferred. The Board's decision dated 8 October 2020 and numbered 2020/765, however, stated that the categories of personal data processed should also be included in the privacy notice.
2.3 Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector
The Guideline Regarding Good Practices on Protection of Personal Data in the Banking Sector (“Good Practices Guideline”) was published on 5 August 2022 by the Personal Data Protection Authority. The purpose of the Good Practices Guideline is to guide the data controller banks in carrying out their personal data processing activities in accordance with the DP Law and the secondary legislation issued by the DP Board, and to establish examples of good practice within this framework.
The Good Practices Guideline includes general explanations of the procedures and principles that the banks must comply with for the protection of personal data, and it underlines that the banks’ obligation to comply with the DP Law and the secondary legislation still continues.
The Good Practices Guideline sets out the principles regarding the relationship between the data controller and the data processor and explains which criteria should be considered for their identification.
The Good Practices Guideline also establishes the minimum content recommended to be included in a data processing agreement between a data controller and a data processor and recommends that a data processing agreement contains the obligation / indefinite responsibility of the data controller to delete or return the data following the termination of the contract and/or the purpose for which the personal data was obtained.