Category: Turkiye

On 09.09.2019, the Turkish Competition Authority (“TCA”) published its reasoned decision¹ in which it granted individual exemption to the Facility Consolidation Cooperation Agreement (“Agreement”) signed between Vodafone, TT Mobil and Turkcell, the only three mobile operators in Turkey. The concerned decision is important to illustrate the potential approach to be pursued by the TCA with regard to the cooperation agreements between mobile telecommunications service providers.

Per the Agreement, the parties agreed to share all kinds of passive mobile infrastructure elements used in the provision of mobile electronic communications services such as tower, field, cabin, energy and ventilation. The notifying parties stated that the main aim of this Agreement is to create cost efficiency, effective use of resources and constitution of an environment of cooperation to ensure that the obligations of the parties to the legislation are fulfilled.

One of the most significant details with respect to the evaluation of the respective notification is that in accordance with the relevant legislation of the Information and Communication Technologies (“ICT”), mobile operators are already encouraged, and even obliged in certain areas, to share facilities provided that the necessary conditions are satisfied. Information and Communication Technologies Authority’s (“ICTA”) aim on imposing such obligations are; providing effective and efficient use of country’s resources by avoiding repeated investments, reflecting of increasing infrastructure investments to the consumer at minimum level and ensuring the sustainability of mobile communication.

As the Agreement is made between competitors, in order to be deemed as lawful, it must satisfy the conditions² set forth in the Article 5 of the Competition Act regarding individual exemption.

As for the first condition concerning the efficiency gains expected to arise from the Agreement, the TCA focused on whether the concerned cooperation would strengthen the parties’ market power and whether it would bring with any efficient gains. The TCA held, by taking into consideration the information provided by the parties as well as the relevant regulations, that passive network sharing provides significant efficiency gains in terms of both actual and planned cost savings.

Whilst assessing whether said efficiency gains also benefit the consumers, the TCA particularly focused on the improvements regarding the quality of the service provided. The TCA further expressed that the Agreement will contribute to the consumer welfare to an appreciable extent due to enhancement of the signal quality and strength, reduction of imports, saving on energy expenditures and increase in the quality of service. By pointing to the consumers’ rate of switching between different mobile operators (rendered possible by ICTA’s mobile number portability regulations), it is clarified that the market has a competitive structure and that the operators will have sufficient incentives to reflect the efficiency gains to their subscribers via increasing their service quality, and providing more comprehensive, more diverse and cheaper services in order to gain new subscribers and to retain existing subscribers.

As for the third condition of the individual exemption, the potential restrictive effects of the Agreement have been evaluated by the TCA. When the market structure and the quality of services provided was analyzed, the market data indicated that as of the third quarter of 2018, Turkcell, Vodafone and TT Mobil had 43.3%, 30.9%, 25.8% market shares in terms of number of subscribers, respectively. Whereas Turkcell’s market share in terms of revenue was slightly higher (45.2%) when compared with its market shares in terms of traffic and number of subscribers. The TCA stressed that although there is increasing competition in the market between the existing operators, there has been no change in the long-standing trilateral structure of the market due to significant entry barriers. It should be noted here that there are two major reasons as to why the Turkish mobile telecommunications market consists of only three players. First, the existing players are reluctant to allow Mobile Virtual Network Operators (“MVNOs”) to use their networks (also there are no sector specific regulations that oblige the operators to provide access to MVNOs) and the current tax regime creates a significant disadvantage for potential MVNOs. Second, ICTA and the relevant ministry does not opt for an authorization regime that would introduce new market players and allow the existing players to acquire all newly available spectrum.

With respect to the potential anti-competitive effects of the Agreement, the TCA particularly focused on the (i) possibility of exchange of sensitive information between the operators, (ii) cost similarities and (iii) the right of first refusal stipulated in the Agreement. The first two concerns were eliminated as there was a specific provision in the Agreement that aimed to prevent any exchange of sensitive information, and the TCA concluded that there were material differences between the cost structures of the operators. As for the right of first refusal in the Agreement, the parties stated that such a provision was necessary to ensure that the other party is able to maintain its activities by paying the facility fee, in case one party decides to leave the facility. The parties stressed that this was crucial for the protection of the consumers since it guarantees that the subscribers of the mobile operator that would be able to maintain its activity in a given facility won’t encounter any degradation in the service quality.

As one of the most critical issues concerning this Agreement, the operators were asked whether facility sharing could lead to an entry barrier for existing or potential competitors. Upon this inquiry, the operators declared that in the event that the criteria set forth in the relevant ICTA regulations are met, new entrants would be able to benefit from the Agreement as well.

In the light of the above, the TCA concluded that the conditions required for an individual exemption were cumulatively satisfied in the case at hand. The TCA’s decision will serve as an important guide as to the future assessments for determining when the expected efficiency gains could be deemed sufficient to outweigh the potential anti-competitive effects of such agreements. The evaluations of the TCA both with respect to the efficiency gains and the anti-competitive effects should be taken into consideration when designing similar cooperation agreements.

¹TCA’s decision dated 11.04.2019 and numbered 19-15/203-90.

²The relevant conditions are as follows:

a) Ensuring new developments and improvements, or economic or technical development in the production or distribution of goods and in the provision of services,

b) Benefitting the consumer from the abovementioned,

c) Not eliminating competition in a significant part of the relevant market,

d) Not limiting competition more than what is compulsory for achieving the goals set out in sub-paragraphs (a) and (b).

By Baris Yuksel, Senior Associate, and Alper Karafil, Associate, Actecon

I. Data breach under Turkish laws: There is no specific definition of “data breach” under the Turkish data protection law (“Turkish DP Law”). However in terms of notification obligations, “illegal seizure of or access to personal data” is considered as a data breach. Under the Turkish DP Law in case of a data breach (illegal seizure of or access to personal data), the data controller is obliged to notify the breach to (i) the data subjects (affected individuals) and (ii) the Turkish Personal Data Protection Authority (“Turkish DPA”), within the shortest time (“shortest time” applies to both notifications). There is no distinction as to eligibility of the data breach for notification and there are no exceptions provided under the legislation for the breach notification.

II. Scope of data breach notification obligation

Data breach notification requirement of data controllers is principally regulated under Article 12/5 of Turkish DP Law. Article 12/5 of Turkish DP Law provides that “in case of a data breach, data controller is obliged to notify the breach to the data subjects and the Turkish Personal Data Protection Board, within the shortest time”. Although the term “the shortest time” is not specified, Turkish DPA interprets and applies “the shortest time” for notifying Turkish DPA as “within 72 hours after becoming aware of the breach” (Turkish DPA’s decision no. 2019/10), also in line with the GDPR, which requires notification without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. In the event that the data controller is unable to notify the Turkish DPA within 72 hours for a justified reason, the data controller’s notification should also include the reasons of the delay as well. The information on the data breach, its effects and the measures that are taken should be recorded and kept ready for Turkish DPA’s inspection.

Furthermore, data controllers should have a data breach response plan in place, defining the issues such as whom the data breach will be internally reported to and who will be responsible for the legal notifications and evaluation of the possible effects of the breach, and such plan should be regularly reviewed and revisited. 

III. Notification of the breach to the Turkish DPA

“Data Breach Notification Form” issued by the Turkish DPA should be used while notifying the Turkish DPA. If all of the information requested in this form cannot be provided at the same time, data controller is obliged to provide the outstanding information later without causing undue delay. Notification should either be sent by e-mail to the e-mail address provided by the Turkish DPA for data breach notifications or by post to the Turkish DPA’s notification address with all supporting documents attached to the form. Turkish DPA requires that data controllers to submit notifications hard-copy through post or by hand. The notification needs to be submitted in Turkish language, signed by an authorized signatory and should include the company seal.  

IV. Notification of the breach to the data subjects

In terms of notifying the data subjects, data controller should notify data subjects within the reasonably shortest time, same as notifying the Turkish DPA. As per the Turkish DPA’s decision no. 2019/271, such notification should be made directly to the data subject, if the contact address of the data subject is known. If the data subject’s contact address is not known to the data controller, then data controller must notify the data subject through other proper communication methods such as publishing a notification on its website.

According to the same decision, the language of the data breach notification to the data subjects should be plain and the data breach notification should include the following elements:  

(i) The time of the data breach,

(ii) Information on the personal data affected from the data breach based on personal data categories (by distinguishing personal data and special categories of personal data),

(iii) Possible consequences of the data breach,

(iv) Measures taken or proposed to reduce the negative effects of data breach,

(v) The name and contact details of the contact persons who will provide information to the data subjects regarding the data breach or the specific address of the data controller’s website, call center and any other communication methods. 

V. Consequences of non-compliance in light of the recent penalties imposed by the Turkish DPA

Failure to comply with the data breach notification obligation is subject to an administrative fine ranging from TL 15,000 up to TL 1,000,000 (subject to updates per the yearly reevaluation rates). Turkish DPA strictly and seriously enforces the obligation to notify the authority and data subjects on data breaches and issued remarkable amounts of penalties against a variety of data controllers in this regard.

In a recent decision issued on September 18, 2019 with the number 2019/169, the Turkish DPA unanimously decided to impose an administrative fine in the amount of TL 450,000 on Facebook due to failure to notify a data breach to the Turkish DPA.¹

Similarly the Turkish DPA granted another decision on August 28, 2019 with the number 2019/254 and imposed an administrative fine on “S Sans Oyunlari A.S” in the amount of TL 30,000 for failure to notify data subjects of a data breach.²

In another decision issued on August 28, 2019 with the number 2019/255, the Turkish DPA decided to impose an administrative fine on a tourism company in the amount of TL 100,000, due to their failure to (i) notify the data subjects and (ii) notify the Turkish DPA within “shortest time” as required under the law.³ 

The foregoing are only some examples of the Turkish DPA’s enforcement of the data breach notification obligation which are publicly available. Turkish DPA strictly applies this requirement and requires data controllers to notify an incident to the Turkish DPA even if the specifics of the incident are not yet certain (e.g. even if the data controller has not yet determined whether data subjects in Turkey are certainly affected). Data controllers will need to establish data breach response plans or protocols, determine and allocate duties for handle data security incidents and data breaches to make sure they duly comply with their notification obligation vis-à-vis the Turkish DPA and the data subjects in Turkey and avoid possible administrative fines.

¹Turkish DPA’s decision with the number 2019/169 available at https://kvkk.gov.tr/Icerik/5534/2019-269

²Turkish DPA’s decision with the number 2019/254 available at https://kvkk.gov.tr/Icerik/5535/2019-254

³Turkish DPA’s decision with the number 2019/255 available at https://kvkk.gov.tr/Icerik/5537/2019-255. 

By Gonenc Gurkaynak, Partner, Ceren Yıldız, Counsel, Burak Yeşilaltay, Associate Attorney, Kübra Keskin, Junior Associate,  ELIG Gürkaynak Attorneys-at-Law

In the last ten years, e-commerce has become the most important platform of today’s consumer habits, becoming a major competitor to both retailers and their suppliers. As a result, many giant retailers are now directing their investments towards e-commerce activities.

Since e-commerce is rapidly becoming widespread in Turkey (as it is around the world), it is more important than ever to understand the relationship between data privacy regulations and the e-commerce sector in recent years.

Turkey’s Personal Data Protection Law (Law No. 6698, or the “Law”), which is similar to the GDPR, contains the framework for processing personal data in Turkey. And pursuant to the Law, the Data Protection Authority (the “Authority”) has started ex officio examinations of companies in various sectors. 

Main Responsibilities of e-Commerce Companies Under The Data Privacy Law

Obtaining personal data clearly requires “explicit consent,” and under the Law, this explicit consent should be: (i) related to a specific topic, (ii) based on informative clarifications, and (iii) given freely. There is no specific requirement about how to obtain explicit consent, however; it can be given either as a statement or by a clear affirmative action. It is hoped that the Authority will clarify the rules about valid methods of obtaining this consent soon.

Companies engaged in e-commerce activities are responsible for complying with all obligations regulated under the Law. Under the Law, all companies must register with the Data Controller’s Registry System (VERBIS) before starting to process personal data. Companies which fail to do so may face severe sanctions.

E-commerce companies must also obtain explicit consent from data subjects before processing their personal data. If they are unable to obtain this explicit consent, the data subjects’ personal information should be immediately anonymized or erased from the system completely. In addition, e-commerce companies that conduct online sales in the absence of a signed membership contract must, at the ordering stage, obtain explicit consent from the data subject with respect to the storing and processing of the customer’s personal data, except where storing the personal data is necessary for the e-commerce company in order to comply with the terms of the sale contract. Finally, even for the general use of the site, it will be necessary to inform users about and obtain their explicit consent for the use of cookies and the processing of personal data. 

The meaning of “explicit consent” in e-commerce remains in debate, as e-commerce companies generally require their customers’ personal data before they render services to them, but it is unclear whether this practice satisfies the GDPR’s requirement that consent be given “freely.”

Sanctions that Companies Will Face If They Do Not Fulfill The Data Privacy Obligations

As mentioned above, the Authority carries out ex officio data protection examinations of e-commerce companies, and companies that do not fulfill their obligations may face penalties of up to TRY 1 million under Article 18 and Article 19 of the Law. Indeed, one of the most famous decisions by the Authority is the administrative fine of TRY 1.1 million it levied upon Facebook for its failing to take the necessary administrative and technical measures to prevent a data breach and failing to comply with the data security obligations, and an additional administrative fine of TRY 550,000 for its failure to make necessary notifications following the data breach. 

Conclusion

The obligations of companies regarding the protection and processing of personal data are changing and increasing within the scope of both the GDPR and Turkey’s Law No. 6698. Increasing personal data breaches and cybercrimes are forcing the Authority to take control of e-commerce companies which obtain personal data and process it for profit or share it with third parties without the explicit consent of the data subjects. 

By Nazli Sezer, Executive Partner, and Kaya Kayaoglu, Senior Associate, Sezer & Utkaner

This Article was originally published in Issue 6.8 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

The Legislative Proposal on Amending the Law No. 6493 on Payment and Security Systems, Payment Services and Electronic Money Institutions (“Proposal”), has recently been submitted before the Grand National Assembly of Turkey.

The rationale of the Proposal is unifying payment practices and addressing the emerging needs in the field of payments. The Proposal also mentions the amendments in the EU payment services and e-money legislation during the past years (such as PSD2) and the need to align the local legislation with these recent developments. 

The most significant amendment introduced in the legislation is the transfer of the authorities of Banking Regulation and Supervision Authority (“BRSA”) under the Law No. 6493 to Central Bank of the Turkish Republic (“CBTR”). If the proposal is accepted as is, all institutions regarding payment institutions and e-money institutions will be subject to CBTR’s supervision. The Legislative Proposal also aims to broaden the supervision authorities of CBTR in a manner to include all parties that are involved in the operation of the payment systems. Accordingly, the CBTR will be authorized to request records, information and documents regarding any transactions that are conducted by institutions under its supervision where it deems necessary. CBTR may also be a shareholder to existing and future system operators in order to enable uninterrupted operation of the systems.

The Legislative Proposal grants the CBTR the authority to monitor legal relations where the payment service providers are a party due to their activities, in order to determine issues and fields of development. The Legislative Proposal also grants CBTR the authority to determine the rules and procedures of the legal relations therein and form working committees, if it deems the relevant activities as harmful to the field of payments. 

Another significant development proposed is the establishment of the Turkish Payment and Electronic Money Institutions Association, which will require mandatory membership by the institutions. Accordingly, this Association will aim to relieve common needs of payment and e-money institutions, making professional activities easier, developing the profession in line with general activities, enabling mutual honesty and trust between the members of the profession and the payment service users, and protecting the professional discipline and morals.

The Legislative Proposal excludes payment institutions and e-money institutions from entities that can obtain contribution margin from BRSA, as CBTR will be the authorized institution in terms of the field of payments. 

The Legislative Proposal which is signed by various deputies of Justice and Development Party is submitted to and currently pending before the Commission of the Grand National Assembly of Turkey. Therefore, it is not final yet. 

By Gonenc Gurkaynak, Partner, Ceren Yıldız, Counsel and Yasemin Doğan, Associate  ELIG Gürkaynak Attorneys-at-Law