Turkey: The Commercial Electronic Message Management System in a nutshell
In Turkey, rules regarding commercial communications are governed under Law No. 6563 of 2014 on the Regulation of Electronic Commerce ('the E-Commerce Law') and the Regulation on Commercial Communications and Electronic Commercial Messages 2015 ('the Regulation on Commercial Communication'). In 2020, with the amendments made under the Regulation on Commercial Communication, Turkish legislators introduced the Commercial Electronic Message Management System ('İYS'). Can Sözer, Berfu Öztoprak, Ecem Elver, and Ecenur Etiler, from Esin Attorney Partnership, provides an overview of the İYS, including which data companies need to submit to it and details regarding the registration procedure.
The Regulation on Commercial Communication considers all communications prepared/built in a way to promote services or goods and increase one's visibility, recognition, and reputation, including greeting messages and newsletters as commercial communication. Turkish legislation adopts an opt-in approach for commercial electronic messages. In other words, service providers who are willing to send commercial communications to recipients are obliged to receive prior opt-ins.
With the İYS mechanism, regardless of the extent companies, whether based in Turkey or abroad, pursue foregoing marketing operations and send commercial communications to their customers in Turkey, they are obliged to register with the İYS and transfer customer consents (opt-ins) previously received to İYS. Transfer obligation merely covers opt-ins, and thus opt-out information is not required to be transferred to İYS.
Is consent required for all commercial electronic communication?
Consent is required for all commercial electronic communication targeting customers. Under the related legislation, there are certain exemptions applicable to the consent requirement. For instance, consent is not required for commercial electronic communication targeting merchants or craftsmen. Service providers, however, must still store their electronic communication addresses in relation to such merchants or craftsmen (such as suppliers, resellers, business partners etc.) on the İYS to enable these recipients to use their right of withdrawal.
Apart from the foregoing, a service provider does not have to obtain consent for electronic messages concerning:
- cases where the recipient provided its contact details regarding the electronic messages on the use or maintenance of the goods or services; and
- a continuous membership, membership or partnership status, debt reminder, information update, purchase, delivery or similar messages, and messages that the service providers are obliged to send due to the respective legislation; however, in such notices, goods or services must not be promoted or advertised.
Nevertheless, foregoing exemptions from consent requirement do not release companies from registering with the İYS, if they send commercial communication that fall within the consent requirement to their customers.
The burden of proof regarding the receipt of consent pertains to the service providers. Also, as a general rule, service providers are prohibited from sending commercial electronic messages to consumers for requesting their opt-ins.
What is the İYS?
The İYS is an online platform built to facilitate the consent management system for service providers, intermediary service providers, and recipients. Information on recipients' consents and withdrawals regarding commercial electronic messages are retained in the İYS, which also enables recipients to file a complaint and give consent or opt-out from receiving commercial electronic messages.
The İYS infrastructure is established and managed by the Union of Chambers and Commodity Exchanges of Turkey ('TOBB'), as authorised by the Ministry of Trade.
Who must register with the İYS?
Further to the Regulation on Commercial Communication, service providers that conduct commercial electronic communication are required to register with the İYS. In theory, the E-Commerce Law, and by extension, the Regulation on Commercial Communication apply to service providers located in Turkey with both not having an extraterritorial effect. However, according to the frequently asked questions published on the İYS' website ('the FAQs'), the Ministry of Trade evaluated that companies who are not resident in Turkey but who conduct commercial communication targeting those in Turkey must register with the İYS.
What is the deadline for registration?
The İYS registration deadline expired as of 31 December 2020 for service providers that have more than 150,000 opt-ins and, as of 31 May 2021 for the service providers that have 150,000 and less opt-ins. All consents, which were obtained prior the deadline and were not uploaded to the İYS, are deemed invalid.
What is the registration procedure?
For registration with the İYS, service providers that are registered with the Central Registration System ('MERSIS') must make a pre-registration first through central e-government system (tr. e-devlet) or through e-signature. For registration, the following information should be submitted to İYS:
- MERSIS number of the service provider;
- trademark registration certificate of each brand related company holds;
- electronically signed copy of the Undertaking on Usage of Primary Services of İYS;
- turkish identity number, mobile phone number and business e-mail address of company's authorized signatory; and
- number of total consented customer contact information each brand possess.
If the company does not have a registration with MERSIS, the company must send the following information and documentation to the İYS's email address1:
- an authentic trade registry certificate/certificate of activity;
- documentation setting out signatory authorities (if not provided in trade registry certificate);
- information on the applicant entity (trade name, tax number, website, address);
- trademark registration certificate of each brand related company holds;
- signed and stamped copy of the Undertaking on Usage of Primary Services of the İYS;
- Turkish identity/passport number, mobile phone number, and business email address of the company's authorised signatories;
- the number of total consented customer contact information each brand possess; and
- any additional documentation that may be required by the İYS.
Once the foregoing procedures are completed, the İYS internally approves the application and notifies the applicant of such approval.
The service provider must also execute an agreement with the İYS, unless the service provider requires only the 'basic services'.
As a rule, service providers who have less than 250,000 consents must work with an İYS business partner2 to assist with consent transfer proceedings and providing ongoing integration of systems.
In case of a use of business partners, the business partner gains access to the service provider's data only when they are authorised by the service provider.
The business partner authorisation process can be done through a corporate login on the İYS website. A service provider can authorise multiple partners. For instance, a service provider can work with a business partner for sending commercial communications through text messages, while working with a separate service provider for commercial communications through a call centre. Authorisation can also be done on the basis of data access communication channel (message, call, email, and reconciliation service). However, each service provider can authorise only one business partner for the reconciliation services. The business partner that is authorised for reconciliation service can access all the records regarding opt-ins; however, the other business partners, if any, can access only records of the opt-ins they received through their own channels.
Which information should be submitted to the İYS?
The following information should be submitted to the İYS:
- contact information of the recipient (phone number or email address);
- opt-in date;
- contact channel (call/SMS/email);
- receiver type (individual/legal person); and
- consent source (for example, 'pre May 1st 2015', 'consent form bearing wet signature', and 'website' etc).
As mentioned above, although consent is not required for commercial electronic communication targeting merchants and craftsmen, it should also be provided with the right to opt-out from such communication via the İYS. Accordingly, contact information of merchants and craftsmen must also be submitted to the İYS.
The required information can be transferred to the İYS via iys.org.tr, individually or collectively through .csv files. The İYS also has a service tool called Application Programming Interface, designed to intergrade separate software for easy update of brands' İYS accounts. This service provides various membership functions accordingly with the size of customer portfolio3.
How often should the İYS be updated?
As a rule, İYS records must be updated on a regular basis, as a service provider must cease sending commercial communication to individuals who have opted-out within three business days as of the date of opt-out.
Consent received through means other than the İYS (e.g., email), must also be notified to the İYS (i.e., registered in İYS records) within three business days. Consents that are not notified to the İYS within this time period are deemed invalid.
What are the potential results of not registering with the İYS?
The legislation is silent on specific consequences of not registering with the İYS. However, not registering with the İYS has certain indirect consequences that prevents service providers from sending commercial electronic messages to customers. As per the FAQs published under the İYS website, consent that is not transferred to the İYS by the deadline are deemed invalid. Consequently, companies have had to cease sending further commercial communications to their current customer portfolio despite holding their opt-ins, since these opt-ins are not transferred to the İYS.
Nevertheless, sending commercial electronic messages without opt-ins may trigger higher risks as customers are allowed to file complaints against unwanted commercial communications.
As the Ministry of Trade is authorised to audit companies' compliance with İYS requirements and thus is allowed to impose the monetary fines determined under the E-Commerce Law, not fulfilling the registration obligation may result in facing the administrative fines imposed in case of non-compliance with the opt-in requirement. Failure to comply with opt-in and opt-in obligations may triggers monetary fines up to TRY 42,420 (approx. €2,320) per infringement. In case of the dispatch of unsolicited messages to more than one person at once, the administrative fine will be applied by increase up to ten times.
Further, from a data protection law perspective, breaches relating to the processing of personal data, in particular, unlawful processing such as failure to obtain explicit consent where required, is evaluated by Personal Data Protection Authority ('KVKK') as a violation of data protection laws, which may result in further administrative sanctions.
With the new amendments to the E-Commerce Law, the Ministry of Trade will be entitled to obtain the information on real and legal persons that send commercial communications via call and message from Information and Communication Technologies Authority ('BTK'). Such provision will be applicable as of 1 January 2023. One might argue that the reasoning behind this provision is to increase the supervision on commercial communication practices of the entities. Hence, in the future, the Ministry of Trade may increase its focus on compliance with requirements related to commercial communication and İYS registration. Accordingly, revisiting commercial communication practices and taking actions for local law compliance in this respect would be a safe and recommended approach.