Technology law in Turkey: highlights from 2021

The ongoing covid-19 pandemic dominated legal developments in 2021 as restrictions were maintained in order to mitigate its impact. In addition to that, developments in the field of technology, especially relating to artificial intelligence or blockchain systems (such as non-fungible tokens and the metaverse), have started to affect the law in Turkey, as in the rest of the world. This article chronologically summarises the technology law highlights of 2021.

Employer data protection obligations in Remote Working Regulation

The Remote Working Regulation came into force on 10 March 2021, after being published in the Official Gazette No. 31419. Among other things, the regulation covers employers' obligations with regard to personal data protection. Please also see our article covering "Personal data protection in context of employment and vaccination".

Regulation on Not Using Crypto Assets in Payments

The Central Bank of the Republic of Turkey published the Regulation on Not Using Crypto Assets in Payments on 16 April 2021, and it entered into force on 30 April 2021. The regulation defines "crypto assets" and provides that cryptocurrencies cannot be used directly or indirectly in payments and that no service can be provided for the direct or indirect usage of crypto assets in payments.

Amendments to Regulation on Authorisation in the Electronic Communication Sector

The amendment entered into force on 1 May 2021, after being published in the Official Gazette No. 31471, and amended conditions of authorisation application, renewal periods, competency check and operator's obligations. Additionally, new attachment documents (a draft notification form, a draft application form for right of usage, and a form providing the definition, scope and duration of services, networks and infrastructures of electronic communication) were presented.

Guideline on Commercial Advertising and Unfair Commercial Practices by Social Media Influencers

The Turkish Ministry of Commerce published the guideline on 5 May 2021. The guideline determines the procedures and rules regarding commercial ads by social media influencers. Principally, social media ads must be clear, distinguishable and not covert. For this purpose, the guideline determines the use of tags for different types of social media platforms and obliges social media influencers and advertisers to comply with the legislation and to be fair, careful and responsible when advertising.

Regulation for Disclosure of Confidential Information

The regulation was published in the Official Gazette No. 31501 on 4 June 2021. It outlines banks' obligations with regard to the protection of confidential information, including exceptions, the concept of a "client secret", the principles of sharing secret information and the obligation to form an "Information Sharing Committee". All of the definitions provided by the regulation refer directly to the Data Protection Law. On 24 December 2021, the effective date was changed from 1 January to 1 July 2022.

Draft regulation amending Regulation Regarding the Rights of Consumers in the Electronic Communication Sector

The Information Technologies and Communication Authority (ICTA) published the draft on 6 July 2021. This draft provides additional obligations for operators and new rights for natural persons or legal entities that are party to a contract entered into with an operator for the provision of electronic communication services. The process of receiving the opinions of the public regarding the draft has been completed, and the ICTA is working to finalise the draft regulation.

Important DPA decision regarding international transfers of data

The Turkish Personal Data Protection Authority (DPA) made a public announcement regarding the ex officio investigation of an instant messaging app and published a decision on 3 September 2021, discussing data processing and data transfer operations. The DPA's decision presented its approach to accepting subsequent processing operations on personal data collected from Turkey as an international transfer – if performed in servers located outside of Turkey.

Protection of personal data in artificial intelligence systems

The DPA published its recommendations regarding the protection of personal data in artificial intelligence systems on 15 September 2021. These recommendations consist of three parts:

  • general recommendations;
  • recommendations for developers, manufacturers and service providers; and
  • recommendations for decision-makers operating in the field.

Guideline on Matters to be Considered When Processing Biometric Data

The DPA published the guideline on 17 September 2021. The guideline defines "biometric data" and divides it into two categories: physiological (eg, fingerprint and retina data) and behavioural (eg, the style of keyboard use). Additionally, to ensure that the guideline is useful, the DPA examined biometric data processing principles and biometric data security in detail.

DPA vaccine and PCR announcement

Following a letter of the Ministry of Labour and Social Security dated 2 September 2021, which stated that employers can request polymerase chain reaction (PCR) tests once a week from non-vaccinated employees, the DPA published a public announcement on its official website on 28 September 2021. In the announcement, the DPA stated that, in order to prevent the spread of the disease, covid-19 vaccine information and/or negative PCR test information can be processed within the scope of the exception provisions of the Personal Data Protection Law No. 6698, which regulates the lawfulness of the preventive and protective activities carried out by public institutions and organisations.

Guideline on Information and Communication Security Audit

The Digital Transformation Office published the Guideline on Information and Communication Security Audit on 27 October 2021. The new guideline regulates the audit processes which public institutions and enterprises that provide critical infrastructure services must carry out in order to ensure the security of critical data. The guideline regulates the planning, performing and reporting of those audits and obliges related institutions to establish an audit team.

Tax regulations for social media content producers and application developers

The Law on Amending the Tax Procedure Law No. 7338 was published on 26 October 2021 in the Official Gazette No. 31640. Pursuant to the amendments, content producers and application developers must open an account with a bank established in Turkey.

Management and allocation of ".tr" domain names

The enforcement of the Regulation on Internet Domain Names, which regulates the sale and transfer of ".tr" domain names and was published in 2010, was postponed until the ".tr" Network Information System (TRABIS) became operational. On 19 November 2021, the platform Nic.tr announced that it expected the management of ".tr" domain names to be completely transferred to the ICTA by January 2022. However, as of February 2022, TRABIS is still not operational.

Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism

The DPA has introduced the concept of data protection officers with its communiqué published in the Official Gazette on 6 December 2021. Within the communiqué, a "data protection officer" is defined as a "natural person who is entitled to use the title of data protection officer by successfully passing the exam" and the training, examination and certification processes by which data protection officers are regulated.

Following the communiqué, the DPA announced on 10 December 2021 that data protection officers introduced via the communiqué are different from the concept of "data protection officer" under the EU General Data Protection Regulation.

Further, the Union of Turkish Bar Associations announced that it recently filed an annulment suit against the DPA in the Council of State. The Union claimed that the communiqué is contrary to the Attorneys' Act No. 1136 because data protection officers must be lawyers, as the field of data protection is a legal discipline. Nevertheless, there has been no further development on this subject.

Regulation on the Operational Principles of Digital Banks and Service Model Banking

The Banking Regulatory and Supervision Agency published the regulation on 29 December 2021, and it entered into force on 1 January 2022. The regulation outlines obligations for banks that only operate through digital channels without any branch.


Loss of Rights Due to Remaining Silent

The protection period of the registered trademark is ten years from the application date, as regulated in the Industrial Property Law numbered 6769 (“SMK”), and as long as the trademark is registered, it can benefit from the protection provisions stipulated in the SMK. In this context, trademark owner can demand invalidity of a trademark for subsequent trademark registration applications by showing its own trademark registration as a reason. SMK stipulated some conditions for the continuation of this protection and regulated some situations where registered trademark owner’s right is not protected. Loss of rights due to remaining silent is one of these situations.

Loss of right due to remaining silent is the trademark owner’s loss of the right to sue for invalidation against the person who subsequently registered the trademark in good faith, as a result of remaining silent. In order for this loss of right to occur, some conditions have been regulated under the SMK.

One of the conditions for loss of right due to remaining silent is the existence of the right to sue. Within this scope, primarily, previous right owner must have an interest to file an invalidation lawsuit. The invalidity of the trademark is regulated in detail in Art.5 and Art.6 under the SMK. If the trademark was still registered despite the existence of the conditions listed in these articles, the trademark can be invalidated with an invalidation lawsuit. In case of invalidation, it may be mentioned that the person who has the previous right and interest has the right of action against the later trademark registered in the trademark registry.

The other condition of loss of right due to remaining silent is the use of the subsequently registered trademark. If the subsequent trademark owner does not use the trademark, it cannot be claimed that the previous trademark owner lost the right due to remaining silent. To be able to claim loss of right, the subsequent trademark owner must have serious use of the relevant trademark. The meaning of the serious use of the trademark is that the trademark should be used in accordance with its function and for the goods or services it was registered under. Also, the previous trademark owner must have not objected and must remain silent. The 5-year period for remaining silent starts when the previous trademark owner become aware of this use. When considering the phrase “becoming aware”, the "obligation to act as a prudent businessperson" should be taken into account.

The last condition for the loss of right due to remaining silent is that the subsequent trademark owner’s registration must not made in bad faith. The concept of bad faith in the SMK refers to the abuse of the right. If the application owner was in bad faith at the registration time, they will not be able to claim loss of right due to remaining silent. Furthermore, if the existence of bad faith can be proven, the 5-year silence of the previous trademark owner will not have a legal consequence.

In addition to that, Supreme Court accepts that loss of right due to remaining silent is an objection. As so, it should be evaluated ex officio by the judge, even if it is not claimed. Right to sue for the invalidation lawsuit is lost only against the person who allege it. As long as the conditions do not occur for third parties, they cannot benefit from that loss of right due to remaining silent.


Sessiz Kalma Yoluyla Hak Kaybı

Tescilli markaların koruma süresi, 6769 sayılı Sınai Mülkiyet Kanunu’nda (“SMK”) düzenlendiği üzere, başvuru tarihinden itibaren on yıldır ve marka tescilli olduğu sürece, SMK’da yer alan özel korumadan yararlanabilecektir. Bu kapsamda, marka hakkı sahibi, kendi tescilini sonraki tescil başvuruları için bir hükümsüzlük nedeni olarak ileri sürebilecektir. Buna karşılık, SMK bu korumanın devam edebilmesi için bazı şartlar öngörmüş ve tescilli marka sahibinin hakkının korunmadığı bazı durumları düzenlemiştir. Sessiz kalma yoluyla hak kaybı, bu durumlardan birisidir.

Sessiz kalma yoluyla hak kaybı; marka hakkı sahibinin sessiz kalması sonucu, iyi niyetli bir şekilde markayı daha sonra tescil ettiren kişiye karşı hükümsüzlük davası açma hakkını kaybetmesidir. Bu hak kaybının gerçekleşmesi için SMK’da birtakım şartlar düzenlenmiştir.

Sessiz kalma yoluyla hak kaybının gerçekleşmesinin şartlarından ilki, dava hakkının varlığıdır. Bu kapsamda, öncelikle, önceki hak sahibinin hükümsüzlük davası açmada menfaati bulunması gerekmektedir. Markanın hükümsüzlük halleri, SMK Md.5 ve Md.6’da detaylı olarak düzenlenmiştir. Bu maddelerde sayılan hallerin varlığına rağmen marka yine de tescil edilmişse, markanın hükümsüzlüğü davası ile marka hükümsüz kılınabilmektedir. Hükümsüzlük halinin bulunması halinde, marka siciline tescili gerçekleştirilmiş sonraki markaya karşı, önceki tarihli hakka sahip menfaati bulunan kişinin dava hakkının varlığından söz edilebilecektir.

Sessiz kalma yoluyla hak kaybının diğer bir koşulu, sonraki markanın kullanılmasıdır. Eğer sonraki marka sahibi, markayı kullanmamakta ise, önceki tarihli marka sahibinin sessiz kalma yoluyla hak kaybına uğradığını ileri süremeyecektir. Sonraki marka sahibinin hak kaybı iddiasında bulunabilmesi için söz konusu markanın ciddi kullanımı gerekmektedir. Markanın ciddi kullanılmasından anlaşılması gereken, markanın işlevine uygun ve tescili istendiği mal veya hizmetlerde kullanılmasıdır. Aynı zamanda, önceki marka sahibi de söz konusu ciddi kullanıma herhangi bir şekilde itiraz etmemiş ve sessiz kalmış olmalıdır.  5 senelik sessiz kalma süresi ise, önceki marka sahibinin işbu kullanımdan haberdar olması ile başlamaktadır. Haberdar olması bakımından değerlendirme yaparken ‘’basiretli bir iş insanı gibi davranma yükümlülüğü’’ göz önüne alınmalıdır.

Sessiz kalma yoluyla hak kaybının gerçekleşme koşullarından sonuncusu ise, sonraki marka sahibinin tescilinin kötü niyetle yapılan bir marka tescili olmaması gerekliliğidir. SMK’da yer alan kötü niyet kavramı ile, hakkın kötüye kullanılmasından bahsedilmektedir. Tescil başvurusu anında başvuru sahibi kötü niyetli ise sessiz kalma yoluyla hak kaybı savunması yapamayacaktır. Hatta kötü niyetin varlığının ispatlanabilmesi durumunda önceki marka sahibinin 5 yıllık sessiz kalma durumu hukuki bir sonuç doğurmayacaktır.

Ek olarak, Yargıtay tarafından kabul edildiği üzere sessiz kalma yoluyla hak kaybı, itiraz niteliğindedir ve ileri sürülmese de hâkim tarafından re’sen gözetilmesi gerektiği ifade edilmektedir. Unutulmamalıdır ki, ilgili hak yalnızca savunmayı ileri süren kişiye karşı kaybedilecektir. Üçüncü kişiler bakımından sessiz kalma yoluyla hak kaybı şartları gerçekleşmediği takdirde, söz konusu hak kaybından yararlanamazlar.


Foreign Data Controllers Must Appoint a Data Controller Representative in Turkey

The Law on Personal Data Protection w. no: 6698 (“DPL”) sets forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.

Similar to Art. 27 of the GDPR, controllers that are not established in Turkey but process personal data of subjects in Turkey (“Foreign Controllers”) must appoint a Data Controller Representative (“Representative”) under the DPL and Regulation on Data Controllers’ Registry.

The Representative must be located in Turkey and either must be a legal entity or a Turkish Citizen. The Representative, at the minimum, must be vested with the powers below;

  • on behalf of the data controller, to receive or accept notifications and correspondences made by the Data Protection Authority (“DPA”),
  • to transmit the demands made by the DPA to the data controller and to submit the responses of the data controller to the DPA,
  • to receive data subjects’ requests on behalf of the data controller and to transmit the requests to the data controller, in cases where no other principle has been determined by the DPA.
  • to transmit the data controller’s response to the data subjects, in cases where no other principle has been determined by the DPA,
  • to perform operations relating to the Data Controllers’ Registry on behalf of the data controller.

The Representative must be appointed with an appointment decision by the Foreign Controller.

The Appointment Letter must contain the powers of the Representative as well as the full name and address of both the Foreign Controller and Representative.

Lastly, the Appointment Letter must be notarized and apostilled in the country of signing and must be sent to the Representative.

Please note that there is no deadline under the legislation specific to appointment of a Representative. Having said that, since the initial step that the Representative will take would be to register the Foreign Controller with the Data Controllers’ Registry, the deadline to register with the Data Controllers’ Registry (December 31st, 2021) is also treated as the deadline to appoint a Representative in Turkey.

Having said the above, since controllers have an obligation to receive, respond to and conclude DSARs and other personal data related requests in a timely and effective manner, many foreign controllers have already appointed Representatives in 2020 and 2021. Therefore, Foreign Controllers that process personal data collected from Turkey must appoint their Representative without delay to prevent risks.

Please note that there is no fine under the DPL for not appointing a Representative, however if the Foreign Controller cannot satisfy its obligation to receive, respond to and conclude DSARs and other personal data related requests in a timely and effective manner due to lack of a Representative, this may lead to complaints by data subjects to the DPA which may end up in administrative fines of up to TRY 1.966.862 (approximately USD 218,338.40).

Further, if Foreign Controllers fail to appoint a Representative and register with the Data Controllers’ Registry by December 31st 2021, an administrative fine of up to TRY 1.966.862 (approximately USD 218,338.40) may be imposed. Please note that it is also possible for the DPA to decide to restrict the data processing operations of the controller.


Yabancı Veri Sorumluları Türkiye’de Veri Sorumlusu Temsilcisi Atamak Zorunda

6698 sayılı Kişisel Verilerin Korunması Kanunu (“KVKK”), kişisel veri işleyen gerçek veya tüzel kişileri bağlayan yükümlülükleri, usul ve esasları düzenlemektedir.

Avrupa Birliği Genel Veri Koruma Regülasyonu’nun (GDPR) 27’nci maddesine benzer şekilde, KVKK ve Veri Sorumluları Sicili Hakkında Yönetmelik uyarınca, Türkiye’de yerleşik olmayan ancak Türkiye’de bulunan ilgililerin kişisel verilerini işleyen veri sorumlularının (“Yabancı Veri Sorumluları”), Veri Sorumlusu Temsilcisi (“Temsilci”) atama yükümlülüğü bulunmaktadır.

Temsilci, Türkiye’de yerleşik olması gerekliliğinin yanısıra tüzel kişi veya Türkiye Cumhuriyeti vatandaşı olmalıdır. Temsilci’ye, asgari olarak, aşağıdaki yetkiler tanınmalıdır:

  • Kişisel Verileri Koruma Kurumu (“Kurum”) tarafından yapılan tebligat veya yazışmaları veri sorumlusu adına tebellüğ veya kabul etme,
  • Kurum tarafından veri sorumlusuna yöneltilen talepleri veri sorumlusuna iletme, veri sorumlusundan gelecek cevabı Kuruma iletme,
  • Kişisel Verileri Koruma Kurulu tarafından başkaca bir esasın belirlenmemiş olması halinde; ilgili kişilerin veri sorumlusuna yönelteceği başvuruları veri sorumlusu adına alma ve veri sorumlusuna iletme,
  • Kurum tarafından başkaca bir esasın belirlenmemiş olması halinde; ilgili kişilere veri sorumlusunun cevabını iletme,
  • Veri sorumlusu adına Veri Sorumluları Siciline ilişkin iş ve işlemleri yapma.

 

Temsilci, Yabancı Veri Sorumlusu tarafından alınacak bir atama kararı ile atanmalıdır.

Atama Kararı, Temsilci’nin yetkileri ile birlikte hem Yabancı Veri Sorumlusu’nun hem de Temsilci’nin adı/unvanı ve açık adresini içermelidir.

Son olarak bu Atama Kararı, imzalandığı ülkeden apostilli ve noter onaylı olarak Temsilci’ye gönderilmelidir.

Temsilci atanması için mevzuatta belirli bir süre öngörülmemiştir. Bununla birlikte, Temsilci’nin atacağı ilk adım, Yabancı Veri Sorumlusu’nu Veri Sorumluları Siciline kaydetmek olacağından; Veri Sorumluları Siciline kayıt için öngörülen sürenin (31 Aralık 2021), Türkiye’de Temsilci atanması için de geçerli olduğu kabul edilmektedir.

Yukarıda bahsedilenlere ek olarak, veri sorumlularının ilgili kişilerden gelen ve diğer kişisel veriler ile ilgili talepleri süresi içinde ve etkili bir şekilde alma, cevap verme ve sonuçlandırma yükümlülükleri bulunduğundan, birçok yabancı veri sorumlusu 2020-2021 yıllarında Temsilci atamalarını gerçekleştirmiştir. Bu nedenle, Türkiye’den kişisel veri elde eden Yabancı Veri Sorumluları, riskleri önlemek için gecikmeden Temsilci atamasını gerçekleştirmelidir.

KVKK kapsamında, Temsilci atanmaması halinde bir yaptırım öngörülmemiştir. Ancak Yabancı Veri Sorumluları’nın, Temsilci atanmaması sebebiyle, ilgili kişilerden gelen ve diğer kişisel veriler ile ilgili talepleri süresi içinde ve etkili bir şekilde alma, cevap verme ve sonuçlandırma yükümlülüklerini yerine getirmemeleri halinde, bu durum ilgili kişilerin Kurum nezdinde şikayet yoluna başvurmalarına ve veri sorumlusuna 1.966.862 TL’ye kadar idari para cezası verilmesine yol açabilecektir.

Ayrıca, eğer Yabancı Veri Sorumlusu, Temsilci atamaz ve 31 Aralık 2021 tarihine kadar Veri Sorumluları Siciline kaydolmazsa, hakkında 1.966.862 TL’ye kadar idari para cezası uygulanabilecektir. Kurum’un veri sorumlusunun veri işleme faaliyetlerini durdurma kararı vermesinin mümkün olduğu da unutulmamalıdır.