Database

The Turkish e-commerce law bans commercial messages sent electronically by email, text messaging (sms), fax, and autodial machines to consumers without their prior approval.

According to the Data Protection Law, administrative fines of up to TRY 1,000,000 (EUR 311,000) and/or imprisonment of one to four years may be imposed for breaches of the Law.

According to the Regulation on Administrative Sanctions in the Electronic Communications Sector, administrative fines may reach 3% of relevant company's annual turnover for the previous year. Moreover, the Turkish Criminal Code provides for various fines and terms of imprisonment, which go up to six years.

According to the Data Protection Law, institutions and third parties are compelled to hand over any data to intelligence agencies and police without a warrant.

Law No. 5651 on Regulating the Internet was amended in September 2014, broadening the scope of administrative blocking and allowing the authorities to access user data without a warrant. While the Constitutional Court overturned these provisions a month later, they were once again passed in March 2015.

Under certain circumstances, telecommunications operators must inform, in an efficient and timely manner, the Information Technologies and Communication Authority (ITC Authority), the National Computer Emergency Response Centre (USOM) and the data subjects of cyber security breaches.

The Turkish courts accepted the existence of the right to be forgotten in 2015 (cases 2014/4-56 E and 2015/1679 K dated 17 June 2015). The Assembly of Civil Chambers of the Court of Appeal held that the right includes digital data, as well as non-digital personal data kept in publicly accessible mediums. This decision adopts and applies a similar scope of the ruling of the Court of Justice of the European Union which recognized the right to be forgotten.

Personal data may only be processed after informing the data subject and, significantly, having obtained the data subject’s explicit and freely-given consent.

Moreover, the Regulation of Electronic Commerce (the E- commerce law) came into force on May 2015 states that the service provider is not permitted to transfer the personal data to third parties or use the data for other purposes without the customer's consent.

Telecommunication companies have to delete all information regarding their customers following the accomplishment of their service.

Article 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "The information systems and their substitutes, which are used by system operator to carry out its activities shall also be kept within the country".

The transfer of traffic and location data abroad is permitted with the data subjects' explicit consent.

The legislation stipulates that data cannot be processed or transferred abroad without the individual's explicit consent. Consent will not be required if the transfer is necessary to exercise a right or is required by law, and either:
- Sufficient protection exists in the transferee country, or
- if the data controller gives a written security undertaking and Turkey’s Data Protection Board grants permission.

Article 23 of Law No. 6493 requires that "the system operator, payment institution and electronic money institution shall be required to keep all the documents and records related to the matters within the scope of this Law for at least ten years within the country, in a secure and accessible manner". The article also specifies that "the information systems and their substitutes, which are used by system operator to carry out its activities shall also be kept within the country".

For contract service supplier (CSS) some exceptions exists for which there are still labour market tests in place, but these are being progressively abolished.

Permits are only given to foreign service providers when they are considered "key" for computer services.