In Turkey, a local and centralized commercial electronic communication management system (IYS) for obtaining, exercising, and tracking opt-in/opt-out requests as well as complaints from recipients of electronic commercial communications was established under the supervision of the Ministry of Trade, the competent authority, in line with recent amendments to the Regulation on Commercial Communication and Commercial Electronic Messages. Also, a company has been incorporated solely for the establishment and management of IYS on behalf of the institution authorized by the Ministry (IYSCo).
Registration Obligation and Deadline: As per the amended provisions of the Regulation, among other things, service providers are required to be registered with IYS and transfer all consent duly obtained under the Regulation to IYS. IYSCo has recently clarified that this requirement applies to all real persons and legal entities, whether incorporated in Turkey or abroad, aiming to send commercial electronic messages to the recipients in Turkey. Foreign entities are also obliged to provide their apostilled (i) circular of signature, and (ii) trade registry certificate/commercial activity certificate for the registration. IYS also requires service providers to divide their permitted databases with respect to their trademarks/brands and permitted communication channels.
The deadline for registration and transfer was June 1, 2020. However, just like other countries around the world, the COVID-19 pandemic has disrupted business operations in Turkey. Upon request from companies and non–governmental organizations in different sectors, the Ministry postponed the deadline to August 31, 2020 to eliminate possible losses and damages due to non-compliance.
As a result, before August 31, 2020, service providers must: (i) register with IYS, (ii) classify existing contact information as permitted / not permitted in a provable manner; and (iii) upload the permitted contact information to IYS in the required format.
Registration and Uploading Process: The application of the online registration of the service providers to IYS is made through the IYSCo website. Service providers are required to sign a standard service undertaking with the e-signature of the authorized signatories and provide information regarding: (i) their Central Registration System (MERSIS) numbers and the registration certificates of their trademarks subject to commercial communications; (ii) authorized signatories’ Turkish identity numbers, mobile phone numbers, and business e-mail addresses, and (iii) permitted contact details. Due to the increasing demand, it is expected that IYSCo may also offer alternative methods for verifying the identity of authorized signatories of service providers (i.e., through electronic government portal). Following verification, the (i) recipient’s contact details (telephone number and/or e-mail address); (ii) permission date; (iii) permitted channels (call/text message/e-mail); and (iv) source of permission (i.e., signed permission form or website) shall be uploaded to IYS for each recipient whose permission has been duly obtained under the Regulation.
The permitted database shall be uploaded by the service providers manually or through application programming interface (API) integration, which enables interaction among data, applications, and devices, and may necessitate further technical work/support on the service providers’ side.
Outcomes of Non-Compliance: Although there is no specific sanction provided under Law No. 6563 on Electronic Commerce for non-compliance with the registry obligation, pursuant to the Regulation, permissions that are not uploaded to IYS before the deadline shall be considered invalid. After the deadline, IYS shall notify recipients that (i) their contact data has been uploaded on IYS; (ii) they have the right to check their permissions until November 31, 2020; and (iii) their approvals will be deemed valid unless they exercise their right to opt-out through IYS before that date. Recipients may also freely opt-out anytime following that date. In brief, it will not be lawful for service providers to send any commercial electronic messages to recipients whose permitted contact data has not been uploaded to IYS.
The competent authority is the Ministry to impose fines for unsolicited electronic communications. However, it is important to note that Law No. 6698, which constitutes the main legislative instrument regarding the processing and protection of the personal data, must also be taken into consideration for electronic marketing communications since personal data is processed for such communications. Accordingly, commercial emails, text messages and outbound calls fall within the scope of both the e-communications and data protection legislation. Therefore, the competent data protection authority may separately impose administrative fines on service providers for unlawful processing activities. Last but not least, criminal sanctions may also be imposed for unlawful processing of personal data in line with Law No. 5237.
By Ayse Ulku Solak, Partner, and Tugce Gelir, Senior Associate, Nazali Tax & Legal