Recent Developments in E-Commerce Legislation

The Law on the Regulation of Electronic Commerce (“Law”) was amended on 07.07.2022. Accordingly, the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers (“Regulation”) was published in the Official Gazette.

Within the scope of the Regulation, the obligations of electronic commerce intermediary service providers (“ETAHS”) and electronic commerce service providers (“ETHS”), unfair commercial practices in electronic commerce, unlawful content, the intermediation agreement, the electronic commerce license and other matters relating to electronic commerce are regulated.

Although the aim is to help smaller e-commerce companies compete and to ensure a fair competitive environment, these amendments and developments in e-commerce legislation have raised many debates because of the tightening and over-regulation.

In addition, a stay of execution of the Regulation was requested before the Council of State. The execution of many of the Regulation's provisions, including those on unlawful content, infringement of intellectual property rights, the intermediation agreement, payment services, and the advertising and discount budget, was stayed.

The stay of execution decision was appealed by the Ministry of Trade, so the execution of the relevant provisions will be examined by the Plenary Session of the Administrative Law Chambers.

Furthermore, an annulment action was filed before the Constitutional Court for the annulment of the relevant provisions of the Law. The Constitutional Court recently rejected the annulment request, ruling that the provisions restricting companies' activities when the determined thresholds are exceeded are in line with the constitution. Although the reasoned decision has not yet been published, the Plenary Session of the Administrative Law Chambers is expected to rule on the Regulation's compliance with the law in parallel with the Constitutional Court. Depending on the decision of the Plenary Session of the Administrative Law Chambers on the execution of the Regulation, the roadmap of e-commerce companies may need to be updated to comply with the Regulation's requirements.

If the Plenary Session of the Administrative Law Chambers overturns the stay of execution of the Regulation, some of the provisions that will apply are as follows:

  • ETAHS and ETHS will be obliged to obtain an electronic commerce license, and license fees will be determined according to monetary thresholds.
  • The advertising and discount budgets of large and very large-scale ETAHS and ETHS have been restricted, and these budgets will be determined in proportion to certain economic indicators such as net transaction volume. Although there is a limited exemption for sponsorship expenses, sponsorship expenditure will also be assessed within the scope of the advertising budget.
  • Except for payments, very large-scale ETAHS will not be able to engage in any activity that facilitates the provision of the services (including loans) of banks, financial leasing companies, factoring companies, finance companies and savings finance companies within the same economic integrity as themselves. Furthermore, they will not be able to use electronic money issued by electronic money institutions within the same economic enterprise in any activity that facilitates the acceptance of payments.
  • Very large-scale ETAHS will not be able to carry out freight transport, transport organizer and postal service provider activities, except for (i) sales in their own e-commerce marketplace, (ii) sales they make as an electronic commerce service provider, and (iii) sales outside the e-commerce sector.
  • Regardless of who the manufacturer is, ETAHS will not be able to offer for sale, or intermediate the sale of, goods bearing their own trademark or the trademark of persons within the same economic integrity, or goods for which they hold the right to use the trademark, in the electronic commerce marketplaces where they provide intermediation services.

These provisions are intended in particular to prevent large and very large-scale ETAHS/ETHS from pursuing aggressive advertising policies and practices that mislead consumers and distort the competitive environment. Determining the budgets that may be allocated to advertising and discounts, and the amounts that may be allocated within these budgets, by a casuistic method is also intended to prevent unfair competition.

From the consumers' perspective, large discounts and campaigns are expected to disappear once spending from the discount budget is regulated. The use of alternative payment and shipping methods in e-commerce will also decrease.

In the coming days, the Constitutional Court will announce its reasoned decision and the Plenary Session of the Administrative Law Chambers will rule on the execution of the Regulation; together with the decision on the stay of execution of the Regulation, a new era will begin in e-commerce legislation.

Authors: Hatice Ekici Tağa, Bensu Özdemir


Recent Developments in Turkish E-Commerce Legislation

The Law on the Regulation of Electronic Commerce (“Law”) was amended on 07.07.2022. Accordingly, the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers (“Regulation”) was published in the Official Gazette on 29.12.2022.

Within the scope of the relevant Regulation, the obligations of electronic commerce intermediary service providers (“ETAHS”) and electronic commerce service providers (“ETHS”), unfair commercial practices in electronic commerce, illegal content, intermediation agreement, electronic commerce license and other issues related to electronic commerce are regulated.

Even though the purpose is to help smaller e-commerce companies compete and to ensure a fair competitive environment, these amendments and developments in e-commerce legislation have brought many discussions to the table due to the tightening and over-regulation.

Accordingly, a stay of execution was requested for the Regulation at the Council of State. The Council of State stayed the execution of several of the Regulation's provisions, including but not limited to those on unlawful content, infringement of intellectual property rights, the intermediation agreement, payment services, and the advertising and discount budget. Having said that, the Ministry of Trade has appealed the stay of execution decision, and the execution of the relevant provisions will be examined by the Plenary Session of the Administrative Law Chambers.

Furthermore, a lawsuit has been filed at the Constitutional Court for the annulment of the relevant provisions of the Law. The Constitutional Court recently ruled that the provisions of the Law which restrict companies' activities if their sales exceed the determined threshold are in line with the constitution and rejected the annulment request. Even though the reasoned decision has not been published yet, it is expected that the Plenary Session of the Administrative Law Chambers will decide on the compliance of the Regulation with the law in parallel with the Constitutional Court. Depending on the Plenary Session of the Administrative Law Chambers' decision regarding the execution of the Regulation, the roadmap of e-commerce companies may need to be updated to comply with the requirements of the Regulation.

If the Plenary Session of the Administrative Law Chambers changes the ruling on the stay of execution of the Regulation, the following are some of the provisions that will be executed:

  • ETAHS and ETHS will be obliged to obtain an electronic commerce license, and license fees will be determined pursuant to the monetary thresholds.

  • Advertising and discount budgets of large and very large-scale ETAHS and ETHS have been restricted, and these budgets will be determined in proportion to certain economic indicators such as net transaction volume. Even though there is a limited exemption for sponsorship expenses, sponsorship expenses are still considered within the scope of the advertising budget.

  • Very large-scale ETAHS will not engage in any activity that facilitates the provision of the services (including credits) of banks, financial leasing companies, factoring companies, finance companies and savings finance companies that are in the same economic integrity as them, except for payments.

  • Very large-scale ETAHS will not carry out delivery services, transportation organizer services and postal services, except for: (i) sales in its own e-commerce marketplace; (ii) sales made by it as an electronic commerce service provider; and (iii) sales outside the e-commerce sector.

  • ETAHS will not offer for sale or intermediate the sale of goods bearing:

    - its own trademark,
    - the trademark of persons with whom it has economic integrity, or
    - a trademark that ETAHS has the right to use.

In particular, these provisions aim to prevent large and very large-scale ETAHS/ETHS from following aggressive advertising policies and practices that mislead the consumer and disrupt the competitive environment. The casuistic determination of the budgets that can be allocated for advertising and discounts, and of the amounts that can be allocated within the scope of these budgets, also aims to prevent unfair competition.

From the perspective of consumers, it is expected that large discounts and campaigns will be eliminated as spending from the discount budget is regulated. Also, the use of alternative payment and shipping methods in e-commerce will decrease.

In the upcoming days, the Constitutional Court will issue its reasoned decision, and the Plenary Session of the Administrative Law Chambers will rule on the execution of the Regulation. Upon the decision regarding the stay of execution of the Regulation, a new era will begin in Turkish e-commerce legislation.

Authors: Hatice Ekici Tağa, Bensu Özdemir


Changes to the Conditions for Registration with VERBIS

With the decision of the Personal Data Protection Board (“Board”) dated 06 July 2023 and numbered 2023/1154, published in the Official Gazette today, the “annual financial balance sheet total” amount, which is accepted as a criterion for the exemption from the obligation to register with the Data Controllers Registry (“VERBİS”), was reassessed in line with the economic conditions in the country.

With this decision, the exemption threshold for the annual financial balance sheet total, which had previously been set at 25 million Turkish Liras by the Board's decision dated 19 July 2018 and numbered 2018/87, was changed to 100 million Turkish Liras.

Accordingly, as of today, “natural person or legal entity data controllers with fewer than 50 employees annually and an annual financial balance sheet total of less than 100 million Turkish Liras, whose main field of activity is not the processing of special categories of personal data” are exempt from the obligation to register with VERBIS.

When assessing whether they fall under the exemption, data controllers should take into account the declarations they will submit as of the effective date (25 July 2023).

This exemption has been determined only for data controllers operating in Turkey and does not cover foreign data controllers.


Changes to the Requirements for Registration to VERBIS

The Turkish Personal Data Protection Board's (“Board”) decision dated 06 July 2023 and numbered 2023/1154, published in the Official Gazette today, re-evaluated the “annual financial balance sheet total” amount, which is accepted as a criterion for exemption from the obligation to register with the Data Controllers Registry (“VERBIS”), in light of the economic conditions in the country.

With this decision, the exemption threshold for the annual financial balance sheet total, previously set at 25.000.000 Turkish Liras by the Board's decision dated 19 July 2018 and numbered 2018/87, is amended to 100.000.000 Turkish Liras.

In this context, as of today, “natural person or legal entity data controllers, whose main field of activity is not the processing of special personal data, with fewer than 50 employees annually and an annual financial balance sheet total of less than TRY 100.000.000” are exempt from the obligation to register with VERBIS. Data controllers should take into account the declarations to be submitted as of the effective date (25 July 2023) when evaluating whether they fall under this exemption.

This exception has been determined only for local data controllers and does not apply to foreign data controllers.


Regulation on the Cyber Security Competency Model in the Energy Sector

The Regulation on the Cyber Security Competency Model in the Energy Sector (“Regulation”) was published by the Energy Market Regulatory Authority (“Authority”) in the Official Gazette dated 06.06.2023 and numbered 32213, and entered into force. With the Regulation, the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector (“Repealed Regulation”) dated 13.07.2017 was repealed, and it was stipulated that all references to it are deemed to have been made to the Regulation.

The Regulation sets out the provisions to be applied to ensure the security and reliability of the industrial control systems (“ICS”) of organizations consisting of legal entities holding a license under the energy market legislation[1] (“Obligated Institutions”).

In the Regulation, ICS is defined as “management and control systems that enable the monitoring, and sometimes the management, from one or more centers, of processes such as the generation of energy, the processing of crude oil, hard coal and similar energy-providing raw materials into a consumable form, and the transfer of energy through transmission or distribution layers, and which themselves and/or their components run on known operating systems or have a special operating system with known vulnerabilities”, and the regulations on the competency model listed below have been aligned with the ICS:

  • Information and Communication Security Guide
  • Security Analysis and Test Procedures and Principles for Industrial Control Systems Used in the Energy Sector
  • TS ISO/IEC 27001
  • TS EN ISO/IEC 27019
  • ICS security controls in the energy sector

Although the competency model varies by energy sub-sector, it is stipulated that it will consist of the following headings:

  • Industrial network security, including local network security, wide area network security, communication security, protocol security, wireless network security and integration security controls for industrial infrastructures
  • Industrial client and server security, including logical and physical security controls for all clients and servers in the industrial infrastructure
  • Industrial threat and vulnerability management, including threat and vulnerability management controls applied in industrial infrastructures
  • Industrial cyber security risk management, including industrial cyber security risk management controls appropriate to the dynamics of the industrial infrastructure
  • Industrial asset, change and configuration management, including management of the assets in industrial infrastructures and change and configuration management controls for components
  • Industrial identity and access management, including identity and access management controls for components in the industrial infrastructure
  • Industrial incident management and continuity, including industrial cyber security incident management, continuity, backup and redundancy controls
  • Smart device security, including security controls for industrial infrastructures that use meter and Internet of Things technology
  • Industrial operation security
  • Human resources security, including controls to be applied before, during and after employment for all personnel working in critical energy infrastructures
  • Physical security, including security controls for distributed or single physical environments appropriate to the sector of the industrial infrastructure
  • Supplier management, including cyber security controls relating to technology, human and infrastructure suppliers for industrial infrastructures
  • Programmable Logic Controller (PLC) security

The Regulation stipulates that the competency model consists of three basic competency levels and that the competency level each Obligated Institution must comply with will be determined by the sectoral criticality degrees set by the Authority. The criticality levels set out in the Regulation are as follows:

Level 1: Entry-level controls are at this level. Items whose controls are considered to be already implemented or easily implementable are collected at this level.

Level 2: Second-stage controls are at this level. Items that require changes to the Obligated Institution's systems or processes in order for the relevant controls to be implemented are collected at this level.

Level 3: Third-level controls are at this level. The controls at this level require a new project or a long-term change.

Accordingly, Obligated Institutions are obliged to fulfil, within the targeted completion period, the mandatory items linked to the level applicable to them among the basic competency levels “level 1, level 2 and level 3” determined by the Authority. In addition, the classification below is used when determining the control items that Obligated Institutions must implement; these parameters are determined separately for each sector and are updated periodically by the Authority.

| Sector                   | Minimum Level | Criticality Degree                     |
|--------------------------|---------------|----------------------------------------|
| Electricity Distribution | Level 2       | Specific to the Obligated Institution  |
| Natural Gas Distribution | Level 1       | Specific to the Obligated Institution  |

| Criticality Degree | Explanation                                                                                              | Minimum Level |
|--------------------|----------------------------------------------------------------------------------------------------------|---------------|
| Class A            | Refers to the class of Obligated Institutions with the highest criticality degree in the relevant sector. | Level 3       |
| Class B            | Refers to the class of Obligated Institutions with a medium criticality degree in the relevant sector.    | Level 2       |
| Class C            | Refers to the class of Obligated Institutions whose criticality degree is at the expected level in the relevant sector. | Level 1 |

Accordingly, the obligation to implement the competency model begins when the criticality degrees are determined by the Authority and notified to the Obligated Institutions. Obligated Institutions are obliged to implement, within the targeted completion period, the controls they are required to implement in accordance with the criticality degrees determined by the Authority, and the following compliance classification is used when evaluating these controls:

  • Full compliance: The requirement for each control item under the main control headings within the scope of the competency model is met as written in the model.
  • Partial compliance: The requirement for each control item under the main control headings within the scope of the competency model cannot be fully met, and temporary or remedial measures have been applied.
  • Non-compliant: The requirement for each control item under the main control headings within the scope of the competency model cannot be met in any way.
  • Out of scope: Where there are alternative technologies or methods under the sub-control headings within the scope of the competency model, the controls appropriate to the technology and method in use at the Obligated Institution are implemented and the control items relating to the other alternative technologies and methods are left out of scope.

For Obligated Institutions that implement the controls for the items they must comply with, the Regulation further stipulates that compliance with the competency model will be audited in three stages:

  1. Self-audit/gap analysis
  2. Sectoral audits
  3. Authority audits

Self-audits are the process in which Obligated Institutions audit the relevant control items with their own internal resources. This stage is regarded as a gap analysis. This process must be completed within three months from the commencement of the obligations.

Sectoral audits are the work carried out by firms and personnel that meet the conditions determined by the Authority under the Regulation. This work is regarded as an independent audit.

Authority audits are the work in which the Authority audits the self-audits carried out by Obligated Institutions, the auditor firms and the Obligated Institutions. This work is regarded as a cross-audit or control audit. The Authority may carry out these audits at any time during the process.

The Regulation, which provides for multi-stage audits, the creation of competency models that differ by sector and the criticality rating of sectors by the Authority, aims to ensure that organizations operating in the energy market sector provide adequate and effective protection in terms of cyber security. The cyber security principles, whose details were not set out in the Repealed Regulation, now reflect, through the Regulation that has entered into force and the cyber security schemes in its annexes, the measures to be taken by Obligated Institutions, and the staged audits aim to ensure that these measures are implemented fully and completely.

The full text of the Regulation can be accessed here:

[1] Electricity transmission license holders, electricity distribution license holders, owners of each licensed electricity generation facility that has received provisional acceptance and has an installed capacity in operation of 100 MWe or more, natural gas transmission license holders transmitting via pipeline, natural gas distribution license holders obliged to establish a dispatch control center, natural gas storage license holders (LNG, underground), crude oil transmission license holders and refinery license holders. Organized industrial zone (OSB) distribution license holders and OSB generation license holders are out of scope.

Authors: Burak Özdağıstanli, Ebru Gümüş


Regulation on Cyber Security Competency Model in the Energy Sector

The Regulation on Cyber Security Competency Model in the Energy Sector (“Regulation”) was published by the Energy Market Regulatory Authority (“Authority”) in the Official Gazette dated 06.06.2023 and numbered 32213. The Regulation entered into force on the date of publication; the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector (“Repealed Regulation”) dated 13.07.2017 was repealed by the Regulation, and all references to the Repealed Regulation are deemed to have been made to the Regulation.

The Regulation sets out the provisions to be applied to ensure the security and reliability of the industrial control systems (“ICS”) of the institutions consisting of legal entities holding a license under the energy market legislation[1] (“Obligated Institutions”).

In the Regulation, ICS is defined as “management and control systems that enable the monitoring, and sometimes the management, from one or more centers, of processes such as the production of energy, the processing of crude oil, hard coal and similar energy-providing raw materials for consumption, and the transfer of energy through transmission or distribution layers, and which themselves and/or their components run on known operating systems or have a special operating system with known vulnerabilities”, and the provisions stated below regarding the competency model have been aligned with the ICS:

  • Information and Communication Security Guide
  • Security Analysis and Test Procedures and Principles for Industrial Control Systems Used in the Energy Sector
  • TS ISO/IEC 27001
  • TS EN ISO/IEC 27019
  • ICS security controls in the energy sector

Although the competency model differs according to the energy sub-sectors, it is regulated that it will consist of the following headings:

  • Industrial network security including local network security, wide area network security, communication security, protocol security, wireless network security, integration security controls for industrial infrastructures
  • Industrial client and server security, including logical and physical security controls for all clients and servers in the industrial infrastructure
  • Industrial threat and vulnerability management including threat and vulnerability management controls applied in industrial infrastructures
  • Industrial cyber security risk management including industrial cyber security risk management controls appropriate to the dynamics of the industrial infrastructure
  • Industrial asset, change and configuration management including management of assets, change and configuration management controls of components in industrial infrastructures
  • Industrial identity and access management including identity and access management controls for components in industrial infrastructure
  • Industrial incident management and continuity, including industrial cyber security incident management, continuity, backup and redundancy controls
  • Smart device security, including security controls for industrial infrastructures using meter and IoT technology
  • Industrial operation security
  • Human resources security, including controls to be applied before, during and after employment for all personnel working in critical energy infrastructures
  • Physical security, including security controls of distributed or singular physical environments, suitable for sectors of industrial infrastructures
  • Supplier management, including cyber security controls for technology, people and infrastructure suppliers for industrial infrastructures
  • Programmable Logic Controller (PLC) security

The Regulation regulates that the competency model consists of three basic competency levels, and that the competency level each Obligated Institution must comply with will be determined by the sectoral criticality degrees set by the Authority. The criticality levels set out by the Regulation are as follows:

Level 1: Entry-level controls are at this level. Provisions that have already been implemented, or that are considered easy to implement, are aggregated at this level.

Level 2: Second-stage controls are at this level. Provisions that require changes in the systems or processes of the Obligated Institution in order to implement the relevant controls are collected at this level.

Level 3: Third-level controls are at this level. The controls at this level require a new project or a long-term change.

Accordingly, the Obligated Institutions are obliged to fulfil, within the targeted completion time, the mandatory items linked to their applicable level among the basic competency levels “level 1, level 2 and level 3” determined by the Authority. In addition, the following classification will be used when determining the control items that the Obligated Institutions must perform; these parameters are determined separately for each sector and are updated periodically by the Authority.

| Sector                   | Minimum Level | Criticality Degree                     |
|--------------------------|---------------|----------------------------------------|
| Electricity Distribution | Level 2       | Specific to the Obligated Institution  |
| Gas Distribution         | Level 1       | Specific to the Obligated Institution  |

| Criticality Degree | Explanation                                                                                                  | Minimum Level |
|--------------------|--------------------------------------------------------------------------------------------------------------|---------------|
| Class A            | It refers to the class of the Obligated Institutions with the highest degree of criticality in the relevant sector. | Level 3 |
| Class B            | It refers to the class of Obligated Institutions with medium criticality in the relevant sector.             | Level 2       |
| Class C            | It refers to the class of Obligated Institutions whose criticality level is at the expected level in the relevant sector. | Level 1 |

In this respect, the obligation to implement the competency model begins when the criticality levels are determined by the Authority and notified to the Obligated Institutions. Obligated Institutions are obliged to perform the controls they are obliged to implement in accordance with the criticality levels determined by the Authority, within the targeted completion time, and the following compliance classification is used when evaluating these controls:

  • Full compliance: The situation where the Obligated Institution has met the requirement for each control item in the main control headings as written in the model.
  • Partial compliance: The situation where the requirement for each control item in the main control headings within the scope of the competency model cannot be fully met, and temporary or remedial measures have been applied.
  • Non-compliant: The situation where the requirement for each control item in the main control headings within the scope of the competency model cannot be met in any way.
  • Out of scope: Where there are alternative technologies or methods in the sub-control headings within the scope of the competency model, the application of the controls appropriate to the technology and method available in the Obligated Institution, and the exclusion of the control items regarding the other alternative technologies and methods.

For Obligated Institutions that carry out the controls for the items they must comply with, the Regulation further stipulates that compliance with the competency model will be audited in three stages:

  1. Self-audit/gap analysis
  2. Sectoral audits
  3. Authority audits

Self-audits are the process by which Obligated Institutions audit the relevant control items with their own internal resources. This stage is considered a gap analysis. This process must be completed within three months of the commencement of the obligations.

Sectoral audits are the audits carried out by firms and their personnel that meet the conditions determined by the Authority within the scope of the Regulation. These are considered independent audits.

Authority audits are the audits in which the Authority audits the self-audits carried out by the Obligated Institutions, the auditor firms and the Obligated Institutions. These are considered cross-audits or control audits. The Authority may carry out these audits at any time during the process.

The Regulation, which provides for multi-stage audits, the creation of competency models that differ by sector and the criticality rating of sectors by the Authority, aims to provide adequate and effective protection in terms of cyber security for organizations operating in the energy market sector. The details of the cyber security principles, which were not included in the Repealed Regulation, are reflected in the cyber security schemes in the Regulation and its annexes together with the measures to be taken by Obligated Institutions, and the multi-stage audits aim to ensure that the said measures are implemented fully and completely.

You can access the full text of the Regulation here.

[1] Electricity transmission license holders, electricity distribution license holders, each licensed electricity generation facility that has received provisional acceptance and has an installed capacity of 100 MWe or more, holders of a natural gas transmission license transmitting via pipeline, holders of a natural gas distribution license obliged to establish a dispatch control center, holders of a natural gas storage license (LNG, underground), holders of a crude oil transmission license and holders of a refinery license. Organized industrial zone distribution license holders and organized industrial zone generation license holders are out of scope.

Authors: Burak Özdağıstanli, Ebru Gümüş


Sending Invoices Issued to Third Parties to a Data Subject’s E-Mail Address

The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of personal data through sending e-invoices to the e-mail address of a data subject in the decision dated 08.09.2022 and numbered 2022/925.

The complaint subject to the decision concerns the sending of other subscribers' e-invoices to the data subject since 2018, even though the Board had previously instructed the data controller to take all necessary administrative and technical measures after the data subject filed a complaint regarding the same incident.

The Board made the following explanations regarding the complaint:

  • Although the data controller was instructed to take all necessary administrative and technical measures regarding the security of personal data in the previous Board decision, continuing to send invoices of third parties to the data subject and specifying the e-mail address of the data subject in the subscription agreement of a third party shows that there is no mechanism for verification of communication channels.
  • Failure of the data controller to take the necessary measures with a proactive approach in order to ensure the accuracy of the personal data constitutes a violation of the principle of "being accurate and up to date when necessary" of the Law on the Protection of Personal Data No. 6698 (“DPL").

In this regard, the Board adopted the following decision:

  • Sending invoices issued to third parties to the e-mail address of the data subject violates the DPL's principle of "being accurate and up to date when necessary", and the data controller acts in violation of its obligations under Article 12 of the DPL. Considering that the data controller had already been instructed in a previous Board decision to take the necessary administrative and technical measures regarding the security of the subscribers' personal data, it was decided to impose an administrative fine of TRY 200,000 (approx. EUR 6,954) on the data controller.
  • It has been decided to instruct the data controller to take necessary measures in order not to transmit personal data of third parties to the e-mail addresses of the data subjects and to inform the Board of the result.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş


Sending SMS for Marketing Purposes Without Explicit Consent

The Personal Data Protection Board (“Board”) evaluated a complaint regarding the processing of personal data by sending text messages for marketing purposes without explicit consent in its decision dated 02.09.2022 and numbered 2022/902.

The incident subject to the complaint is the sending of a marketing message to the data subject without fulfilling the obligation to inform and without obtaining explicit consent, even though the data subject had carried out no commercial activity with the data controller company and had given no communication approval. In response to the data subject’s request, the data controller apologized for the mistake and stated that the necessary corrections were made after the data subject’s request.

The Board made the following explanations regarding the complaint:

  • In its response, the data controller stated that the messages intended for customers who had consented to receive e-mail/SMS on the company's website were sent to all customers who had shopped at its stores on the sales platform. It also stated that the cancellation procedure was initiated upon noticing the transaction, but sending SMS to some customers could not be prevented. Within this scope, the phone number of the data subject was processed without relying on any of the processing conditions in Article 5 of the Personal Data Protection Law No. 6698 (“DPL”); the incident is a data breach, but the data breach notification was not made within the scope of Article 12 of the DPL.

In this regard, the Board adopted the following decision:

  • Through the messages sent to the data subject, the telephone number of the data subject, which is personal data, was processed without relying on any of the processing conditions in Article 5 of the DPL. Also, the data controller did not take the necessary technical and administrative measures to ensure the appropriate level of security to prevent the unlawful processing of personal data under Article 12 of the DPL. Considering that the incident constitutes a data breach and that the data controller did not notify the Board, it was decided to impose an administrative fine of TRY 30,000 (approx. EUR 1,056) on the data controller.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş


Sending Commercial Electronic Message Without Obtaining Consent

The Personal Data Protection Board (“Board”) evaluated a complaint regarding a data controller sending commercial electronic messages, without the data subject's consent, to a work e-mail address found through an internet search, in its decision dated 01.09.2022 and numbered 2022/861.

The complaint concerns the sending of campaign and advertisement e-mails to the work e-mail address of the data subject, who is a lawyer, and the failure to inform the data subject about the source from which the personal data was collected.

The Board made the following explanations regarding the complaint:

  • The Board's examination showed that the e-mail address is different from the e-mail address subject to the complaint. Considering the data controller’s statement that the e-mail address subject to the complaint was reached through an internet search, it was understood that this e-mail address had been made publicly available by the data subject.

  • It is possible to process personal data if the personal data have been made public by the data subject himself/herself pursuant to Article 5/d of the Law on the Protection of Personal Data No. 6698 (“DPL”). However, making personal data public does not mean that such personal data may be processed for any purpose. Personal data processing must be limited to, and relevant to, the purpose for which the data subject made the data public.

  • Further, the data controller stated that the personal data was processed through sending marketing e-mails based on Article 6 of the Law on the Regulation of Electronic Commerce No. 6563, which provides that "Commercial electronic messages can be sent to tradesmen and merchants without prior consent". However, commercial electronic messages cannot be sent to a lawyer without prior consent on the basis of this provision, since lawyers cannot act as either tradesmen or merchants pursuant to Article 11 of the Attorneyship Law No. 1136.

  • Thus, it was understood that the data controller violated its obligation to prevent the unlawful processing of personal data, since none of the processing conditions set out in Article 5 of the DPL was present.

  • It was also understood from the data controller's response to the data subject that only the information that his/her personal data had been erased was provided, while the data subject's other requests within the scope of Article 11 of the DPL remained unanswered. Therefore, the data controller acted contrary to Article 6 of the Communiqué on Principles and Procedures for the Request to Data Controller (“Communiqué”).

In this regard, the Board adopted the following decision:

  • The data controller has not submitted any document proving that the data subject consented to the processing of the e-mail address for advertising and marketing purposes, and none of the processing conditions set out in Article 5 of the DPL is present. In this respect, it was decided to impose an administrative fine of TRY 150,000 (approx. EUR 5,772) on the data controller.

  • Since answering only some of the questions in the application to the data controller made by the data subject constitutes a violation of the DPL, it has been decided to instruct the data controller to respond to the data subject in accordance with Article 6 of the Communiqué.

  • The letter submitted by the data controller states that the e-mail address of the data subject was deleted from the data controller's records upon the data subject's request. However, no document proving the deletion was submitted. It was therefore decided to instruct the data controller that the personal data of the data subject must be deleted, destroyed or anonymized and that the related documents must be sent to the Board.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş


Dispute Resolution Mechanism for “.tr” Domain Names

For many years, the allocation of ".tr" domain names in Turkey was carried out through the Nic.TR system under the authority of Middle East Technical University (“METU”). As a result of the protocol signed between METU and the Information Technologies and Communications Authority (“BTK”) and IANA/ICANN approvals, this authority was transferred to BTK and it transitioned to the .tr Network Information System (“TRABIS”) as of 14 September 2022.

With the launch of TRABIS, the "first come, first served" principle began to apply to domain names with the ".tr" extension, which were previously allocated only with documentation. This principle means that persons who want to allocate domain names such as "com.tr", "org.tr" and "net.tr" should be the first person to apply for that domain name. There is no requirement to submit a proof such as a trademark application/registration or commercial document regarding right of ownership.

It is clear that with the "first come, first served" principle, allocating a domain name became easier and the process has been accelerated. However, this may also result in the allocation of domain names in bad faith by non-right holders and the prevention of their use by the rightholder.

In this context, the procedures and principles concerning the operation of the domain names dispute resolution mechanism, the determination of dispute resolution service providers and their obligations are regulated with the relevant provisions of the Regulation on Internet Domain Names and the Communiqué on Internet Domain Names Dispute Resolution Mechanism (“Communiqué”) enforced by the Ministry of Transportation and Infrastructure.

Thus, a system similar to the Uniform Domain Name Dispute Resolution Policy (“UDRP”) of the World Intellectual Property Organization (“WIPO”) is implemented in Turkey as well. Internet domain name disputes are resolved by the Dispute Resolution Service Providers (“DRSP”) within approximately 1 month, so the loss of rights related to domain names can be prevented quickly.

I. APPLICATION TO DISPUTE RESOLUTION MECHANISM

First of all, it should be noted that this alternative dispute resolution mechanism does not apply to domain names that were allocated before TRABIS became operational. However, it is possible to apply for said domain names whose renewal process has been carried out after TRABIS became operational.

Disputes are resolved by DRSPs as an alternative to litigation. Currently, there are 2 entities approved by BTK to operate as DRSP: the Information Technology and Internet Security Association (BTİDER) and the TOBB UYUM Mediation and Dispute Resolution Center.

The complainant can make an application online to their choice of DRSP. When making the application, the complainant should state their request for the domain name and arbitrator/committee preference, together with the relevant information and documents proving the right of ownership. After the application, the domain name is frozen for the duration of the dispute.

If the DRSP detects any missing document or information in the application, it notifies the complainant and gives 5 days to provide such document or information. If the complainant cannot provide the missing document or information within this period, the application is deemed invalid. However, this does not prevent the complainant from applying again.

Within 1 business day after the DRSP accepts the application, DRSP sends the information about the complaint and explanations about the information and documents required for the response to the complainee. The complainee should submit (if any) an extension request, necessary and supporting information and documents, arbitrator/committee preference and contact information to the DRSP within 10 days.

According to the arbitrator/committee preference of the parties, 1 or 3 arbitrators are determined by the DRSP. If one of the parties prefers a committee, the choice of 2 arbitrators, one of which is a substitute, is notified to the DRSP from the list of arbitrators on the website of the DRSP; otherwise, the selection of arbitrators is made by the DRSP directly. It is possible to request a refusal if a situation arises that may affect the impartiality of the arbitrators.

Unless otherwise agreed by the parties, the language to be used in the dispute resolution process is Turkish.

II. CONDITIONS FOR APPLICATION

It is possible to apply to the domain name dispute resolution mechanism if the following conditions are met. When the decisions published on the DRSPs’ websites are examined, it is seen that some arbitrators/committees refer to the UDRP decisions and the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition (WIPO Overview 3.0) when evaluating these conditions.

a. The domain name is similar or identical to the trademark, trade name, business name or other identifying marks owned or used in trade

The complainant must first be able to prove the rights ownership of the trademark, trade name, business name or other identifying marks and demonstrate that the domain name subject to the complaint is the same or similar to these elements.

In the Magnum Piering, Inc. v. The Mudjackers and Garwood S. Wilson, Sr., WIPO Case No. D2000-1525 decision, it is stated that “where the domain name incorporates a complainant's registered trademark, this may be sufficient to establish that the domain name is identical or confusingly similar for the purposes of the policy”. In this context, in cases where a domain name incorporates an entire trademark or where at least one dominant feature of the relevant trademark is recognizable within the domain name, it is accepted that the domain name is similar enough to the trademark to create confusion under normal circumstances. However, a similarity assessment is made specific to each concrete event.

b. The party allocating the domain name has no legal right or affiliation with this domain name

Although it is the complainant who has to prove the conditions necessary for the application to the dispute resolution mechanism, it is often considered that it is difficult for the complainant to prove a negative situation. Therefore, if the complainant can clearly show at first glance (prima facie) that the complainee lacks the right or legitimate interest in the domain name, the burden of proof is considered to pass to the complainee. In this case, the complainee must prove that they have a right or legitimate interest in the said domain name.

According to the UDRP, which is also applied by the DRSP arbitrators/committees, the complainee is accepted to have a right or legitimate interest if any of the following is proven:

  • Before any notice of a dispute, the use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services; or

  • The complainee has been commonly known by the domain name, even if they have acquired no trademark or service mark rights; or

  • The complainee makes a legitimate non-commercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.

In cases where the complainee cannot prove a legal right or affiliation with the domain name and the complainant has not granted any license, permission or authorization to the complainee to use the domain name, it is considered that the domain name carries the risk of showing an implied affiliation with the complainee.

c. Allocation or use of the internet domain name by the registrant in bad faith

There is also a bad faith condition for the complainant to be found justified. In the Communiqué, the situations that can be considered as allocation or use of the domain name by the registrant in bad faith are set out as:

i. The domain name has been allocated for the purpose of selling or transferring the domain name to the complainant, who is the owner of the trade or service mark, trade name, business name or person’s name or other identifying mark, or to the complainant’s commercial competitor, for an amount exceeding the documented allocation costs and investment cost of the domain name,

ii. The domain name has been allocated in order to prevent the owner of the trademark, trade name, business name or other identifying mark used in trade, from using this trademark, title, name or sign in a domain name,

iii. The domain name has been allocated primarily for the purpose of harming the business or activities of commercial competitors,

iv. The domain name is used for the purpose of directing internet users to the website of the owner of the domain name or any other website, by causing confusion by creating a similarity with the trademark, trade name, business name or other identifying mark used in trade and owned by the complainant, for commercial gain.

However, the cases of allocation/use in bad faith are not limited to the ones listed above but are at the discretion of the arbitrator/committee based on the concrete case. In this context, the following cases can also be considered as the allocation or use of the domain name in bad faith:

  • Registration and use of domain names that are associated with widely known trademarks

  • Registration of the disputed domain name after the registration date of the similar trademark

  • No rights or legitimate interests and no reasonable bona fide use of the complainee with regards to the domain name

  • Failure of the complainee to respond to the application or to show proof regarding the existing bona fide use or any planned use of the disputed domain name

  • In certain situations, inactivity of the complainee/non-active use of the domain name (passive ownership doctrine)

  • The complainee concealing their identity or providing inaccurate contact information

  • A simple trademark search and/or internet search could easily have revealed the complainant's earlier trademark and .com domain name at the time the complainee allocated the disputed domain name.

III. DECISION PHASE

The arbitrator/committee, within 15 days of the complainee's response to the DRSP, decides to:

  • cancel the domain name,

  • transfer the domain name to the complainant, or

  • reject the request.

In this process, the arbitrator/committee may request additional information and documents and may use an additional period of up to 5 days if a decision cannot be made within this period. If the complainant and the complainee demand the conclusion of the dispute resolution process by mutual agreement before the decision is taken, the arbitrator/committee concludes their work. If only the complainant requests to conclude the process, it is up to the arbitrator/committee whether they will continue or not.

The DRSP sends the arbitrator/committee decision and its justification to the parties within 1 day and publishes it on its website.

Within 10 business days after the decision is sent to the parties or at an earlier stage of the dispute resolution mechanism process, if the DRSP is notified that a preliminary injunction decision has been taken, the dispute resolution mechanism process continues, but the arbitrator/committee decision is not implemented. In this case, the litigation process is expected to be completed.

If the decision is to transfer the domain name to the complainant and if a preliminary injunction is not taken within 10 working days after the decision, a code for the transfer of the domain name is sent to the complainant by the DRSP. The complainant can transfer the domain name using this code.

IV. CONCLUSION

With TRABIS becoming operational, disputes arising where domain names with the “.tr” extension are allocated in a way that violates rights can now be resolved quickly through the dispute resolution mechanism. It is essential for the parties to the complaint to follow the application procedure and deadlines and to present their claims and defenses properly.

Authors: Hatice Ekici Tağa, Sümeyye Uçar, Öykü Su Sabancı, Ebru Gümüş