Regulations On The Processing And Protection Of Personal Data Under The Electronic Communications Law
1. General Overview
The Electronic Communications Law No. 5809 entered into force on 11 December 2008. The Law defines electronic communications as:
“Transmission, sending and receiving of all kinds of signs, symbols, sounds, images and data convertible into electrical signals through cable, radio, optical, electrical, magnetic, electromagnetic, electrochemical, electromechanical and other transmission systems.”
The purpose of the Law is defined as:
“Establishing effective competition through regulation and supervision in the electronic communications sector, ensuring consumer rights, extending services nationwide, promoting efficient and effective use of resources, encouraging technological development and new investments in infrastructure, networks and services, and determining related procedures and principles.”
Article 12 stipulates that “The Information and Communication Technologies Authority may impose obligations on operators, in accordance with legislation, for the protection of personal data and privacy, taking into account sectoral needs, international regulations, and technological developments.”
2. The Right to Protection of Personal Data
In 2013, the Council of State’s Administrative Chambers, by way of objection, requested annulment and suspension of Article 51 of the Law on grounds of violation of Articles 2 (rule of law), 7 (legislative authority vested in the Turkish Grand National Assembly and non-transferable), 13 and 20 (guaranteeing that personal data protection procedures and principles must be regulated only by law) of the Constitution.
At the time of the case, Article 51 read:
“The Authority shall be entitled to determine the procedures and principles regarding the processing of personal data and protection of confidentiality in the electronic communications sector.”
In its judgment E. 2013/122, K. 2014/74, the Constitutional Court annulled the provision, holding it unconstitutional.
The Court reasoned that personal data encompasses all information relating to an identified or identifiable person — not only names, surnames, date and place of birth, but also telephone numbers, license plates, social security numbers, passport numbers, CVs, photographs, recordings, fingerprints, genetic information, IP addresses, email addresses, preferences, contacts, group memberships, and family information. The right to protection of personal data is a safeguard of human dignity and autonomy, shielding individuals against risks of arbitrary processing amid modern technological advances. The Court emphasized that Article 20 of the Constitution explicitly requires the regulation of procedures and principles on personal data protection by law. Legislative power cannot be delegated to the executive. Thus, empowering the ICT Authority to determine such procedures was unconstitutional.
Following annulment, Article 51 was re-regulated by Article 32 of Law No. 6639, dated 27 March 2015.
3. Related Legislation
The revised Article 51 contains the following provisions on personal data:
- (1) Personal data must be processed lawfully and in good faith, accurately and up-to-date, for specified, explicit and legitimate purposes, relevant, limited and proportionate to such purposes, and retained only as long as necessary.
- (4) Operators shall take appropriate technical and administrative measures to secure their networks, subscribers’/users’ personal data, and the services they provide.
- (5) For obligations under Article 49 or to safeguard the public interest, personal data may be processed.
- (6) With respect to transfers abroad, traffic and location data may only be transferred abroad with the explicit consent of the data subject, subject to applicable legislation.
- (7) Traffic data may be processed by authorized persons only, for network management, interconnection, billing, fraud detection, dispute resolution, etc., and retained confidentially until disputes are resolved.
- (8) Operators must enable users to refuse processing of location data. Exceptions apply only in emergencies or disasters, in which case consent is not required.
- (9) Traffic and location data may be processed for consumer complaints and supervision, limited to such purposes.
- (10) Personal data processed under this Law must be retained for minimum and maximum durations defined by regulation: e.g., access logs for two years; consents at least for subscription period.
- (11) To prevent fraud and manage billing risks, records of billing, payments, and suspicious/fraudulent activities may be shared with the ICT Authority and among operators.
- (12) Operators are responsible for ensuring confidentiality, security, and purpose-limited use of personal data.
- (13) The ICT Authority determines implementing procedures.
4. Devices with Electronic Identity Information
Article 55 prohibits re-creating, altering, copying, or distributing electronic identity information or subscriber identification details without authorization. Article 56 prohibits unauthorized copying, storage, distribution, or use of software, cards, or tools containing subscriber identity or device electronic identity. It further requires that no subscription may be established without obtaining a copy of the subscriber’s identification document.
Article 63 provides that employees of authorized operators who commit crimes against private life under Articles 132–140 of the Turkish Penal Code (TCK) are subject to those penalties, with Article 137 aggravation applied at double rate. Violations of Article 55 incur judicial fines from 1,000 to 15,000 days; violations of Article 56 incur fines from 1,000 to 5,000 days.
5. Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector
Based on Articles 4, 6, 12 and 51, the ICT Authority issued the Regulation on the Processing of Personal Data and Protection of Privacy in the Electronic Communications Sector on 24 July 2012. This regulation details principles on processing personal data, confidentiality of communications, traffic and location data, and itemized billing.
Article 21 provides that if operators fail to comply, penalties under the Regulation on Administrative Sanctions applicable to operators shall apply. This regime was later replaced by the ICT Authority’s Administrative Sanctions Regulation (15 February 2014), which sets fines up to 3% of annual net sales for violations such as:
- Failing to restrict access to personal data to authorized persons only,
- Failing to securely store traffic/location data or to delete it on time,
- Unauthorized destruction, alteration, disclosure, or transfer of personal data,
- Failing to log detailed access records by authorized personnel,
- Violating any other privacy obligations under legislation.
Article 21 further provides that registered electronic mail (KEP) service providers may be fined up to 3% of their previous year’s net sales if they fail to use secure products and systems, provide reliable services, ensure required security and privacy measures, comply with other obligations set by the ICT Authority, or keep required records of KEP transactions.
Atty. Yalçın TORUN LL.M.
⚠️ WARNING
The copyright of the above written text published on our website belongs to Atty. Yalçın TORUN© 2025 Torun Law Firm – All Rights Reserved.
This article is protected under the provisions of the Law on Intellectual and Artistic Works (No. 5846). The content, in whole or in part, may not be copied, reproduced, published, or shared on any other website without the prior written permission of the author and Torun Law Firm.
This material may only be shared by licensed attorneys, for professional purposes, without any modifications, and with full attribution to the author and the source.
Any unauthorized use may result in legal and criminal liability.