Law on the Regulation of Electronic Commerce numbered 65631 ("E-Commerce Law") and the Regulation on Commercial Communication and Commercial Electronic Messages2 ("Regulation") constitutes the regulatory framework applicable to commercial electronic messages sent to recipients located in Turkey. In addition to above, since personal data processing will often be carried out in the course of marketing activities, provisions of Law on Protection of Personal Data numbered 6698 should be taken into consideration.
Legal entities or real persons (service providers) residing in Turkey or abroad, wishing to send electronic commercial messages to the recipients located in Turkey and the intermediary service providers who initiate the commercial electronic message transmission at the service provider's instructions are within the scope of the Regulation.
Please note that this FAQ regards service providers' obligations and that intermediary service providers that initiate the commercial electronic message transmission at the service provider's instructions are also regulated under the E-Commerce Law and the Regulation.
According to the Regulation, commercial electronic messages are defined as messages containing data, audio or visual content, transmitted electronically for "commercial purposes", by making use of mediums such as telephone, call centers, fax, automated calling machines, smart voice recording systems, e-mail and short message services.
In other words, commercial electronic messages are e-mails, SMS and phone calls sent/made to the recipients by the service providers to promote, advertise and/or remind their business/products/services. This promotional intention is interpreted broadly. For example, birthday messages or holiday greetings are considered sent with commercial intent as they increase brand value and loyalty in the eyes of the recipient.
Pursuant to the Ministry of Trade's non-binding interpretation, push notifications and in-app ads are not within the scope of the Regulation/ commercial electronic messages legislation. However, it should be noted that push notifications and in-app ads are not explicitly excluded from the application of the Regulation.
Following message types are not within the scope of the Regulation;
As the general rule, in order to send commercial electronic messages, permission of the recipient should be obtained. Since the Regulation does not foresee a soft opt-in regime, service providers must obtain such recipients' permission in advance and in accordance with the Regulation and relevant legislation3.
Regulation also defines certain exceptions for electronic messages which do not require permission;
With the amendment made on the Regulation on January 4, 2020, Turkish Commercial Electronic Message Management System ("IYS") has been introduced.
Service providers wishing to send electronic commercial messages to the recipients located in Turkey are under the obligation to register before the IYS and align their relevant activities with the amended Regulation. Deadline for the registration is September 1, 2020.4
The main functions of the IYS are: (i) obtaining commercial electronic message permissions, (ii) using the right to opt-out by recipients, and (iii) managing the complaints regarding unsolicited commercial electronic messages. Whether the recipient has provided permission or not shall be confirmed through the IYS, prior to the sending of the messages.
Legal or real persons (service providers) wishing to send electronic commercial messages to recipients located in Turkey are now under the obligation to register to the IYS and align their relevant activities with the Regulation. Both local and foreign entities falling within this scope are expected to register to the IYS and provide certain information about their permissioned recipient lists.
Yes. With respect to the service providers located abroad, Ileti Yönetim Sistemi A.S. (entity conducting IYS operations) has clarified this issue, on their official website as follows;
"It is considered that real persons or legal entities, whether located in Turkey or abroad, who wish to send commercial electronic message must comply with the legislation and register to IYS. Accordingly, entities not located in Turkey but sending commercial electronic messages to recipients in Turkey must send their apostilled commercial activity certificate and authorization certificate of the authorized person for the registration to bilgi@iys.org.tr. Same documents must be sent to the central office address of Ileti Yönetim Sistemi A.S. via post."
Therefore, entities located abroad, who send commercial electronic message to the recipients in Turkey, are indeed under the obligation to register to the IYS and to comply with the Regulation's requirements accordingly.
Please see Answer 1.3. Service providers sending messages that are not within the scope of the Regulation shall also not be obliged to register to the IYS.
Yes. Even though companies are benefiting from the exemption foreseen for merchants/craftsmen and do not necessitate prior opt-in, service providers are still under the obligation to register to the IYS until September 1, 2020 and upload the recipient's communication addresses to the IYS before sending commercial electronic messages.
First step of the registration form requires an e-mail address belonging to a designated contact person to which an activation code shall be sent. After entering this code, registration process shall start.
Local service providers should enter (i) their MERSIS number and (ii) the identity number of the authorized person. When the MERSIS number of the company and the identity number matches, pre-application form shall appear which is filled automatically by the system. After entering remaining information, a verification code shall be sent and the service provider shall be able to download an undertaking on the use of main features of IYS ("Undertaking"). This Undertaking shall be signed with the electronic signature of the relevant authorized person and then, an application code shall be delivered to be used for monitoring the process. When the information and documents presented during the application are all verified, service provider shall be able to use its IYS account.
Foreign service providers are required to submit following documentation: (i) circular of signature, (ii) trade registry certificate/commercial activity certificate and (iii) signed version of an undertaking on the use of main features of IYS.
If the registering service provider wishes to separate its permissioned database to respective trademarks/brands (which is not mandatory), they must enter their trademark(s) and the number of registered permissioned electronic contact address based on the relevant trademark. Service providers may use the section "add trademark" (where trademark registration certificate is not mandatory) and/or update current state of their trademark(s) after the registration.
Pursuant to the current situation, service providers are expected to upload following data; (i) data on recipient's relevant contact information (phone number/e-mail address), (ii) channel for which recipient has given its permission, (iii) channel through which recipient has given its permission and (iv) date of permission shall be entered (among other entries). It should be noted that the processes regarding the data entry is yet to be clarified and required datasets may be different once the relevant interfaces are opened for upload.
The basic registration with IYS is free. Basic registration allows access to main services offered by the IYS such as querying, communication of opt-in/opt-out requests by recipients and reporting. However, service providers wishing to acquire additional value-added services (e.g. API integration, advanced agency/dealer functionalities, option to collect opt-in's over IYS) will be required to purchase paid service packages from IYS. The details, fee amounts, and the payment model of these value-added programs are not published yet.
IYS's portal is currently only in Turkish.
Service providers not registered to the IYS cannot upload their permissions to the IYS. E-Commerce Law and the Regulation states that permissions not uploaded to the IYS shall be deemed invalid. Therefore, existing and future permissions shall be invalid (due to not being uploaded to the IYS).
Consequently, sending commercial electronic messages without valid permission shall constitute a violation of E-Commerce Law and the Regulation and may result in administrative fines from 1,899 up to 9,514 Turkish Liras. If service provider sends commercial electronic messages without permission to multiple recipients at once, relevant administrative fines shall be calculated up to 10 times of the relevant amount.
Additionally, failure to cease sending messages to a recipient who has opted-out within 3 working days (which may occur due to not checking the permission status of the recipient from the IYS) may result in administrative fines from 3,799 up to 28,544 Turkish Liras.
Two obligations shall be applicable within the scope of opt-outs; (i) after December 1, 2020, it will be mandatory to check the permission status of the recipients over the IYS before sending the messages and (ii) service providers shall notify the opt-outs (transmitted by the recipient directly to the service provider itself) to the IYS within three working days. Please note that if the recipient uses its right to opt-out directly from the IYS, service provider's sole responsibility within the scope of opt-outs shall be the one defined above under (i).
Please note that for recipients whose permissioned data have been uploaded to the IYS, service providers obligation to control such recipients' permission status shall start without waiting December 1, 2020 (in other words; such controlling obligation shall be present during the period between the uploading date and December 1, 2020).
The obligation to check the permission status regards recipients who are (i) individuals/consumers and (ii) merchants and craftsmen. For the following messages -since the Regulation does not foresee an opt-out regime- it is not necessary to check the status;
After complying with obligations to register and to upload above-explained databases to the IYS, an obligation to check the permission status of the recipients over the IYS shall continue perpetually.
In addition to these obligations, service providers must comply with the following;
Footnotes
1. Law on the Regulation of Electronic Commerce dated October 23, 2014 and numbered 6563; published in the Official Gazette dated November 5, 2014 and numbered 29166; entered into force as of May 1, 2015.
2. Regulation on Commercial Communication and Commercial Electronic Messages published in the Official Gazette dated July 15, 2015 and numbered 29417; entered into force as of July 15, 2015.
3. Permission should be also in line with the Personal Data Protection Law numbered 6698.
4. The former deadline was June 1, 2020 (as foreseen by the Regulation). However, Ministry of Trade, having the power to delay this deadline for 3 months, has prolonged the deadlines foreseen by the Regulation. On May 23, 2020, Ministry of Trade announced that the deadlines have been extended for 3 months, such that the deadline for June 1, 2020 has been moved to September 1, 2020.
