Regulations On The Processing And Protection Of Personal Data Under The Electronic Signature Law
General
The Electronic Signature Law No. 5070, which entered into force on 23.07.2004, also contains provisions on personal data and the protection of personal data.
Article 1 of the Law states its purpose as:
“to regulate the legal and technical aspects of electronic signatures and the principles of their use.”
In the Law, “Electronic data” is defined as: “Records generated, transmitted, or stored by electronic, optical, or similar means.”
“Electronic signature” is defined as: “Electronic data that is attached to another electronic data or that is logically associated with electronic data and used for authentication purposes.”
The electronic certificate, which ensures the connection between the electronic signature and the electronic signature holder, is defined in the Law as:
“An electronic record that links the signature verification data of the signature holder with the identity information.”
The electronic certificate in question is provided by public institutions and organizations authorized by law, as well as by natural and private persons.
Protection of Information (Article 12)
Article 12 of the Law, titled “Protection of Information,” regulates the personal data that the electronic certificate service provider may request for issuing an electronic certificate and the obligations regarding the protection of such personal data. The relevant text of Article 12 is as follows:
“The electronic certificate service provider:
a) May not request any information from the person requesting the electronic certificate, except for the information necessary to issue the electronic certificate, and may not obtain such information without the person’s consent,
b) May not keep the certificate in environments accessible to third parties without the permission of the electronic certificate holder,
c) Shall prevent third parties from obtaining the personal data of the person requesting the electronic certificate without their written consent. Such information may not be transmitted to third parties or used for other purposes without the approval of the certificate holder.”
Liability of the Certificate Service Provider (Article 13 and General Provisions)
Article 13 of the Electronic Signature Law provides that the liability of the electronic certificate service provider towards the electronic certificate holder is subject to general provisions. In this context, since no special provision is established by the Law, it is understood that liability will arise under the provisions of the Turkish Penal Code (TCK), the Personal Data Protection Law (KVKK), the Turkish Civil Code regarding the protection of personality rights, and the Turkish Code of Obligations (TCO) regarding infringements of personality rights.
The Law further provides that the electronic certificate service provider is liable for damages caused to third parties due to violations of the provisions of the Electronic Signature Law and the regulations issued under the Law, unless the provider proves that it is not at fault.
It is also regulated that the electronic certificate service provider shall be liable for damages where the breach of obligations is based on the conduct of its employees, and it cannot avoid liability by bringing forward the exculpatory defense available under the Turkish Code of Obligations concerning employers.
In Article 55 of the Code of Obligations and Article 66 of the Turkish Code of Obligations, the employer is granted the possibility to avoid liability by proving that due care was exercised in the selection of the employee, in giving instructions related to the job, and in supervising and monitoring the work to prevent the occurrence of damage. However, this possibility of exculpation is removed by the Law, thereby aggravating the conditions of liability and creating strict liability.
Invalidity of Limitation Clauses and Insurance Obligation
Except for limitations relating to the scope of use and the material content of the electronic certificate, any conditions that eliminate or restrict the liability of the electronic certificate service provider towards third parties and the qualified electronic signature holder are invalid.
As a guarantee of this strict liability, the service provider is obliged to take out liability insurance with an insurance company authorized to operate in the relevant branch in Turkey. The electronic certificate service provider is obliged to deliver the qualified electronic certificate to the electronic signature holder in insured form.
Atty. Yalçın TORUN LL.M.
The copyright of the above text, published on our website, belongs to Atty. Yalçın TORUN. © 2025 Torun Law Firm – All Rights Reserved.
