REGULATION CONCERNING THE PROCESSING OF PERSONAL DATA AND THE PROTECTION OF PRIVACY IN THE ELECTRONIC COMMUNICATIONS SECTOR SECTION ONE

Transcription

1 REGULATION CONCERNING THE PROCESSING OF PERSONAL DATA AND THE PROTECTION OF PRIVACY IN THE ELECTRONIC COMMUNICATIONS SECTOR SECTION ONE Purpose, Scope, Basis and Definitions Purpose and scope ARTICLE 1 (1) The purpose of this Regulation is to set out the procedures and principles to be followed by operators performing activity in the electronic communications sector for the processing and the retention of personal data and the protection of privacy in the electronic communications sector. (2) Retention of data related to the content of communication is not included in the scope of this Regulation. Basis ARTICLE 2 (1) This Regulation has been issued on the basis of Articles 4, 6, 12 and 51 of Electronic Communications Law Nr Definitions and abbreviations ARTICLE 3 (1) In this Regulation the following definitions shall apply: a) Subscriber: means any natural person or legal entity who or which is party to a contract with a provider of electronic communications services for the supply of such services, b) Emergency calls: mean calls made to the fire department, the police, gendarmerie, healthcare and similar institutions with a request for emergency service in relation to emergency situations such as fire, health, natural disasters and security, which are recognized in national and international arrangements, c) Anonymization: means the processing of personal data in such a way that the data subject can no longer be associated with an identified or identifiable natural person or its source cannot be ascertained, ç) Unsuccessful call attempt: means a communication where a telephone call has been successfully connected but not answered or there has been a network management intervention, d) Cell ID: means the identity of the cell from which a mobile telephony call originated or in which it terminated, e) IMEI: International Mobile Equipment Identity, f) IMSI: International Mobile Subscriber Identity, g) Process log: means the electronic logs kept in relation to a process so as to ensure that such process executors authorized to access personal data can be identified at a subsequent date, and containing at least the person performing the process, date and time of the process, details, grounds and nature of the process performed and the details of the points to which the process executor connected, ğ) Operator: means any legal entity, which has the right to provide electronic communications services and/or to provide electronic communications network and to operate the infrastructure within the framework of authorization, h) Personal data: means any information relating to an identified or identifiable natural persons and legal entities,

2 ı) Personal data breach: means a breach of security leading to the accidental, unauthorized or unlawful destruction, loss, transmission, alteration, storage, process, disclosure of, or access to personal data, i) Processing of personal data: means a set of operations performed upon personal data, whether or not by automatic means,, such as collection, recording, storing, alteration, erasure or destruction, re-organization, dissemination or otherwise making available, disclosure by transmission, marking, combination or blocking, j) Location data: means any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service, k) User: means any natural person or legal entity using electronic communications services without necessarily having subscribed to that services, l) User ID: means a unique identifier allocated to persons when they subscribe to or register with an internet access service or internet communications service, m) Board: means the Information and Communication Technologies Board, n) Authority: means the Information and Communication Technologies Authority, o) Masking: means the processing of personal data by the operator in such a way that third parties cannot associate such data with the data subject, ö) Consent: means freely given and provable declaration of intention by the data subject before processing of his/her personal data and within the scope and aim of the processing of the data, p) Traffic data: means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof, r) Data: means the traffic data, location data and other related information used to identify the subscriber or the user. (2) The definitions in the related legislation shall be applicable for the concepts and the abbreviations referred to herein and not defined in the first paragraph. SECTION TWO Principles of Implementation Principles regarding the processing of personal data ARTICLE 4 It is essential that personal data must be; a) processed fairly and lawfully, b) processed upon consent of the data subject, c) adequate, relevant and not excessive in relation to the purposes for which they are collected, ç) accurate and, where necessary, kept up to date, d) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Security ARTICLE 5 (1) Operators set out a security policy in respect of processing of personal data. Operators shall implement appropriate technical and organizational measures to ensure security of their networks, personal data of their

3 subscribers/ users and services they provide. Having regard to the state of the art, these measures shall ensure a level of security appropriate to the risk presented. (2) The measures referred to in paragraph 1 shall at least include protection of personal data against accidental, unauthorized or unlawful destruction, loss, alteration, storage, process, disclosure of, or access to personal data. (3) Operators are liable to ensure access to personal data only by authorized persons and security of systems in which personal data are kept, and of applications used to provide access to personal data. (4) Operators are liable to keep, for a period of five years, process logs of any and all access to personal data and to other associated systems, and of processes performed by the authorized personnel. (5) When necessary, the Authority is entitled to require operators to provide any information and documents related to the systems in which personal data are kept and security measures taken by them, and to request for change in the mentioned security measures. Notification of risk and personal data breach ARTICLE 6 (1) In case of a particular risk of a breach of the security of the network or personal data, the operator is liable to inform the Authority and its subscribers/users concerning such risk in an efficient manner and without undue delay. (2) Where the risk lies outside the scope of the measures to be taken by the operator, the operator shall inform the subscribers/users of the scope of risk, any possible remedies, including an indication of the likely costs involved in an efficient manner and without undue delay. (3) In case of a personal data breach, the operator shall inform the Authority in relation to details of the notification to be made to subscribers/users concerning the nature and consequences of the mentioned breach and measures taken for addressing the breach. (4) When the personal data breach is likely to adversely affect subscribers/users, the operator shall inform subscribers/users free of charge regarding the nature of personal data breach, the contact points where more information can be obtained and measures to mitigate the possible adverse effects of the personal data breach. (5) The operator is liable to keep an inventory of personal data breaches comprising the facts surrounding the breach, its effects and the remedies by ensuring confidentiality and integrity of the inventory. SECTION THREE Processing and Retention of Data Confidentiality of the communications ARTICLE 7 (1) It is essential to ensure the confidentiality of communications and the related traffic data; and prohibited to listening, tapping, storage or other kinds of interception or surveillance of communications without the consent of the parties of communication, without prejudice to the relevant legislation and judicial decisions. (2) Electronic communications networks can be used for other than carrying out the transmission of a communication, storing of information or the gaining of access to information already stored in the terminal equipment of subscribers/users on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, inter alia, about the purposes of the processing. Processing of traffic data ARTICLE 8 (1) Operators cannot process traffic data for purposes other than the scope of services they provide.

4 (2) Traffic data may be processed, in conformity with provisions of the relevant legislation, for traffic management, interconnection, billing, fraud detection and customer enquiries or settling disputes, in particular interconnection and billing disputes; and they are kept by ensuring their confidentiality and integrity until the period of settlement of such disputes has been completed. (3) Traffic data required for the purpose of marketing electronic communication services or for the provision of value added electronic communications services may be processed only to the extent and for the duration necessary for such services or similar services in line with the prior consent given by related subscribers/ users after having been informed to the type of traffic data to be processed and of the duration of such processing. (4) Traffic data relating to subscribers and users processed and stored by the operatorshall be deleted or anonymized after the completion of the activity which requires the processing and retention of such data. (5) Subscribers/users shall be provided by operators the possibility to withdraw their consent, given via short message service, call centers, internet and similar methods, at any time by using the same method or any other simple method, free of charge. Authorization for the processing of traffic data ARTICLE 9 (1) Processing of traffic data is restricted to persons acting under the authority of operators handling traffic management, interconnection, billing, fraud detection, customer enquiries, marketing electronic communications services or provision of a value added electronic communications service. (2) Traffic data cannot be taken out of the operator systems without masking in case of traffic data processing for marketing of electronic communications services or provision of value added electronic communications services. (3) Traffic data cannot be exported abroad. Notification of traffic data ARTICLE 10 (1) Traffic data for settlement of disputes, in particular interconnection and billing disputes, handling of customer enquiries and inspection activities shall be transmitted upon request in writing to the competent bodies. Processing of location data ARTICLE 11 (1) Location data of the subscribers/users may only be processed by operators when they are made anonymous or with the consent of the subscribers/users to the extent and for the duration necessary for the provision of a value added electronic communications service. (2) The operators must inform the subscribers/users, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing. (3) Subscribers/users shall be provided by operators with the possibility to withdraw their consent, given for processing of their location data via short message service, call centers, internet and similar methods, at any time by using the same method or any other simple method, free of charge. (4) Without prejudice to the relevant legislation and judicial decisions, location data and data subjects s identity information may only be processed without the consent of the subscriber/user in case of emergency calls.

5 Authorization for the processing of location data ARTICLE 12 (1) Processing of location data is restricted to persons acting under the authority of the operator and to what is necessary for the purposes of providing the mentioned services. The mentioned data cannot be taken out of the operator systems without masking. (2) Location data cannot be exported abroad. Categories of data to be retained ARTICLE 13 (1) Below are the categories of data to be retained under this Regulation. a) To trace and identify the source of a communication: 1) Concerning fixed network telephony and mobile telephony, the calling telephone number and the name and address of the subscriber; the name and address of the subscriber to whom telephone number was allocated at the time of communication. 2) Concerning Internet access, Internet and Internet telephony, the user ID and telephone number allocated, internet protocol address at the time of communication, the name and address of the subscriber. b) To identify the destination of a communication: 1) Concerning fixed network telephony and mobile telephony, the number(s) dialled / called, and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed, the name and address of the subscriber(s). 2) Concerning Internet and Internet telephony, the user ID of the recipients, the user ID or telephone number of the intended recipients of an Internet telephony call, the name(s) and address(es) of the Internet telephony or e- mail recipients. c) To identify the date, time and duration of a communication: 1) Concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication. 2) Concerning Internet access, Internet and Internet telephony, the date and time of the log-in and log-off of the Internet access service, together with the IP address, whether dynamic or static, allocated, and the user ID of the subscriber/user; the date and time of the log-in and log-off of the Internet service or Internet telephony service. ç) To identify the type of communication: 1) Concerning fixed network telephony and mobile telephony: the telephone service used; 2) Concerning Internet and Internet telephony: the Internet service used; d) Data necessary to identify users communication equipment or what purports to be their equipment: 1) Concerning fixed network telephony, the calling and called telephone numbers.

6 2) Concerning mobile telephony; the calling and called telephone numbers; the International Mobile Subscriber Identity (IMSI) of the calling and called parties; the International Mobile Equipment Identity (IMEI) of the calling and called parties; in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated. 3) Concerning Internet access, Internet and Internet telephony; the calling telephone number for dial-up access, the digital subscriber line (DSL) or other end point of the originator of the communication. e) To identify the location of mobile communication equipment where necessary under the relevant legislation; the location label (Cell ID) at the start of the communication, data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained, the cell address and dates when the cell ID was designated to and removed from such address. (2) Liabilities entailed hereunder in respect of retention of data concerning and internet telephony are only restricted to services provided by the operators themselves. Periods of retention ARTICLE 14 (1) The categories of data specified in Article 13 are retained by the operators for a period of one year from the date of the communication. (2) Personal data subject to inspection, examination, investigation or dispute shall be retained until the related period has been completed. Data protection and data security ARTICLE 15 (1) The operators shall ensure, as minimum principles with respect to data retained in accordance with this Regulation, that: a) the retained data shall be of the same quality and subject to the same security and protection as those data on the network, b) the data shall be retained by the operator in itself within the country, c) the data shall be subject to appropriate technical and organizational measures to protect the data against accidental, unauthorized or unlawful destruction, loss, transmission, alteration, storage, process, disclosure or access, ç) the data shall be subject to appropriate technical and organizational measures to ensure that they can be accessed by specially authorized personnel only, d) the data processed and retained shall be destroyed or anonymized at the end of the period of retention and such processes shall be recorded automatically or in form of a report or. (2) Operators are liable to guarantee at any stage the security, integrity, confidentiality and accessibility of data they acquired in the scope of services they provided. This liability also comprises processes executed by means of persons acting under the authority of the operator. (3) Data retained and any other necessary information relating to such data shall be transmitted upon request to the competent authorities without undue delay. Statistical information ARTICLE 16 - (1) Operators are liable to retain statistical information within the last one year relating to: a) categories of data requested by competent authorities in accordance with the relevant law and number of requests made for such data,

7 b) the time elapsed between the date on which the data were retained and the date on which the competent authority requested the transmission of the data, c) the cases where requests for data could not be met, and to transmit such information to the Authority upon request. (2) Such statistics shall not contain personal data. SECTION FOUR Possibilities Provided Preventing the presentation of the calling line identification ARTICLE 17 (1) Where presentation of calling line identification is offered, the operator must a) offer the calling user the possibility, using a simple means and free of charge, of preventing the presentation of the calling line identification on a per-call basis, b) offer the called subscriber the possibility, using a simple means and free of charge, of preventing the presentation of the calling line identification on incoming calls, c) offer the called subscriber/user the possibility, using a simple means and free of charge, of rejecting incoming calls where the presentation of the calling line identification has been prevented by the calling user or subscriber. (2) Where presentation of connected line identification is offered, the operator must offer the called subscriber the possibility, using a simple means and free of charge, of preventing the presentation of the connected line identification to the calling user. (3) The operator is liable to inform its subscribers/users free of charge about service possibilities mentioned in the first and the second paragraphs of this article by means of short message service, Internet, media organs, mail or similar means. (4) The possibility of preventing presentation of the calling line identification is not applicable for emergency calls. Automatic call forwarding ARTICLE 18 (1) Operators shall enable stopping of automatic call forwarding made to telephones and similar electronic communication devices by themselves or third parties, where technically possible, by a simple method and free of charge upon the subscriber s request. (2) In case forwarding to any other number or automatic message system by operators is charged, the subscriber s/user s prior consent shall be obtained. Directories of subscribers ARTICLE 19 (1) Subscribers are informed, free of charge and before they are included in the directory, about the purpose(s) of a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which their personal data can be included and of any further usage possibilities based on search functions embedded in electronic versions of the directory. (2) Personal data in a public directory are determined in accordance with the purpose and scope of the directory service.

8 (3) Subscribers who agree to be included in directories are given the opportunity to have their personal data in the directory verified, corrected and/or withdrawed by a simple method and free of charge. (4) For inquiries in the scope of directory service, the arrangements made under article 27 of the Regulation on Authorization Regarding Electronic Communications Sector in respect of the Definition, Scope and Durations of Electronic Communications Service, Network and Infrastructures shall prevail. Itemized billing ARTICLE 20 (1) Upon request by subscribers, the operators shall offer them a type of detailed bill in which a certain number of digits of the calling or called numbers have been deleted. SECTION FIVE Miscellaneous and Final Provisions Administrative fines and other sanctions ARTICLE 21 (1) In case the operators fail to fulfill the liabilities set out hereunder, provisions of the Regulation dated 5/9/2004 and no on Administrative Fines and Other Sanctions and Measures to be Imposed Upon Service Providers by the Telecommunication Authority, which was published on the Official Gazette, shall be applicable. Provisions not stipulated herein ARTUCLE 22 (1) In circumstances which are not stipulated herein, arrangements shall be made by means of a Communique or a Board Decision. Abolished regulation ARTICLE 23 (1) The Regulation dated 6/2/2004 no on Processing of Personal Data and the Protection of Privacy in the Telecommunication Sector which was published on the Official Gazette has been abolished. References ARTICLE 24 (1) References to the Regulation dated 6/2/2004 no on Processing of Personal Data and the Protection of Privacy in the Telecommunication Sector which was published on the Official Gazette in the legislation shall be regarded as references to this Regulation. Status of current arrangements PROVISIONAL ARTICLE 1 (1) Procedures and principles on basis of the Regulation on Processing of Personal Data and the Protection of Privacy in the Telecommunication Sector, Board Decisions passed and other administrative procedures which are not in breach of this Regulation shall remain effective until a new procedure is executed in respect of the issue. Entry into force ARTICLE 25 (1) This Regulation shall enter into force six months after its publication.. Enforcement ARTICLE 26 (1) Provisions of this Regulation are executed by the President of Information and Communication Technologies Authority.