Turkiye: Adopted Regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector including data localisation

On 4 December 2020, the Information Technologies and Communication Authority (ITCA) adopted a regulation on the Processing of Personal Data and the Protection of Confidentiality in the Electronic Communications Sector. This regulation establishes comprehensive guidelines for operators in the internet and telecom services sector on handling personal data. It mandates adherence to principles such as legality, accuracy, purpose limitation, and data minimization, and introduces stringent requirements for explicit consent, security measures, and breach notifications. The regulation explicitly prohibits the cross-border transfer of traffic and location data for national security reasons and outlines the obligations of operators in obtaining explicit consent for data processing. This regulation supersedes the 2012 regulation, aligning with the principles of Law No. 6698 on the Protection of Personal Data and addressing specificities for electronic communications operators.