COMMUNIQUÉ ON COMMERCIAL ELECTRONIC MESSAGE MANAGEMENT SYSTEM INTEGRATORS HAS BEEN PUBLISHED
The Communiqué on Commercial Electronic Message Management System Integrators (‘Communiqué’), prepared by the Ministry of Trade, was published in the Official Gazette dated 18.09.2024 and numbered 32666.
Scope of the Communiqué
The Communiqué regulates the rules regarding the registration of the approval and rejection information of the recipients in the Commercial Electronic Message Management System (‘IYS’), the authorisation of the integrators authorised by the service providers in the processes of obtaining approval and exercising the right to reject through the IYS, and the cancellation of these authorisations.
Definitions
Integrator: A company authorised by the Ministry of Commerce (‘Ministry’), which operates to provide services to service providers in terms of recording the consent and rejection information of recipients to IYS, obtaining consent through IYS and exercising the right to reject in sending commercial electronic messages.
Service Provider: Natural or legal persons that send commercial electronic messages, or on whose behalf they are sent, and that are obliged to register to the IYS.
Commercial Electronic Message: Messages containing data, audio and video content sent for commercial purposes and carried out electronically using means such as telephone, call centres, fax, automatic dialing machines, smart voice recorder systems, electronic mail and short message service.
Integrator Authorisation Conditions
According to the Communiqué, obtaining authorisation from the Ministry is mandatory in order to provide service as an integrator to service providers for recording commercial electronic message approval and rejection transactions to IYS or performing these transactions through IYS. In this context, with the Communiqué entering into force on the day of its publication, the relevant services can be provided by the institutions authorised by the Ministry.
Other conditions required for obtaining integrator authorisation under the Communiqué are as follows:
- Being established as a joint stock or limited liability company according to the Turkish Commercial Code
- Its paid-in capital must be at least one million Turkish Liras
- In joint stock companies, all shares must be registered shares
- Company partners and managers must not have been convicted of bribery, theft, fraud, forgery, breach of trust, fraudulent bankruptcy, bid rigging, laundering of assets arising from crime, financing of terrorism, smuggling, tax evasion and IT crimes
- Keeping commercial books and records in a regular and traceable manner
- Employing at least five personnel, including network and network security specialists, database specialists, system specialists, quality systems specialists and software development specialists, either directly or through outsourcing
- ISO 22301 Business Continuity Management System Certificate and ISO/IEC 27001 Information Security Management System Certificate and ISO/IEC 27701 Personal Data Management System Certificate obtained from a certification body accredited by the Turkish Accreditation Agency (‘TÜRKAK’)
- Having had a penetration test carried out, at most three months prior to the application date, by organisations performing A or B level penetration tests approved by the Turkish Standards Institute (‘TSE’)
- The technical infrastructure must have a redundant structure that can ensure business continuity 24/7 without any interruption in commercial electronic message approval and rejection processes, have a trace recording (log) mechanism and be protected against unauthorised access; all information systems used within the body must be adjusted according to a consistent time source and work synchronously
- The information processing system, software, hardware and server infrastructure to be used in the integrator service must, under the Communiqué, be located in a database within the borders of the Republic of Turkey
Granting Integrator Authorisation
Companies that meet the above-mentioned conditions are required to apply, with the application form attached to the Communiqué, to IYS A.Ş. (‘IYS A.Ş.’[1]), which is the institution authorised by the Ministry to establish and manage IYS in accordance with the Regulation on Commercial Communication and Commercial Electronic Messages (‘Regulation’). The relevant Institution will subject the application to a preliminary examination in terms of form and content and will send the appropriate applications to the Ministry within 30 days. As a result of the examinations made by the Ministry, the integrator authorisation will be granted to joint stock or limited liability companies that meet the conditions.
Integrator and Service Provider Relationship
Within the scope of the Communiqué, integrators are obliged to provide the technical means for the service provider to access the data stored during the integrator service period and to transfer these data free of charge and effectively, without any justification, including in the event of the termination of the integrator service or the cancellation of the integrator authorisation. In this context, it is stated that the service providers’ requests for data access and data transfer will be met by the integrator within fifteen days at the latest.
Integrator’s Obligations
- Compliance of Integrator Service with Legislation: Article 8 of the Communiqué stipulates that the integrator is obliged to carry out its services in accordance with the provisions of the relevant laws, regulations, communiqués and contracts, and must not act in a manner that is contrary to or detrimental to the interests of buyers, service providers and the public.
- Technical Obligations: Article 9 of the Communiqué obliges the integrator to avoid transactions that may jeopardise the security of the IYS, to ensure network and system security against unauthorised access and cyber-attacks, to have backup and disaster recovery plans and to record all transactions. In addition, the Ministry is authorised to determine additional obligations and to impose the obligation to comply with national and international standards.
- Protection of Personal Data: Article 10 of the Communiqué stipulates that the integrator is responsible for taking the necessary technical and administrative measures to protect the personal data obtained within the scope of the services it provides and to prevent unlawful access and misuse of such data. In the event that personal data is processed by the integrator, the service provider is also jointly responsible with the integrator for taking these measures.
- Protection of Trade Secret Information: Article 11 of the Communiqué holds the integrator responsible for the security and confidentiality of the trade secret information of the service provider. It is regulated that this information cannot be used for purposes other than its intended purpose and cannot be shared with third parties other than the Ministry and relevant public institutions without the written permission of the service provider.
- Obligation to Keep Records: Article 12 of the Communiqué stipulates that if the Integrator keeps the approval and rejection information received from the recipients, it is held jointly and severally responsible with the service provider for the submission of this information.
Cancellation of Integrator Authorisation
In the relevant regulation, if the integrator breaches the obligations or fails to meet the specified conditions, it is given 30 days to remedy the breach. This period may be extended for another 30 days upon request for one time only.
However, if the breach is not remedied or the conditions are not met within these periods, the integrator’s authorisation will be cancelled and the MKK will notify the service providers to which the integrator provides services via IYS or in writing without delay.
It is regulated that the integrator whose authorisation is cancelled can only carry out its current business and transactions for 30 days from the date of cancellation, and the service will be stopped after this period expires. In addition, the integrator whose authorisation is cancelled will not be able to reapply for one year. This rule is also considered valid for companies managed or partnered by the same persons.
Integration of Service Provider to IYS
According to this regulation, the service provider may record commercial electronic message approval and rejection information by integrating its own information systems into the IYS or directly through the IYS within the scope of the contract to be made by the MKK. If these transactions are performed directly through the IYS, the burden of proving that the consent has been received is placed on the integrator.
Audit and Penalty Provisions
According to this regulation:
- The Ministry is authorised to audit the activities and operations of the authorised integrators.
- Integrators are obliged to have a penetration test at least once a year by TSE-approved penetration testing organisations specified in the Communiqué and a verification test after taking the necessary security measures. The Ministry or the Organisation may request the integrator to have these tests performed even if one year has not passed since the last test. The test results must be sent by the integrator to the Organisation within 15 days at the latest.
- Those who act contrary to the Communiqué may face administrative fines according to Article 12 of the Law No. 6563 on the Regulation of Electronic Commerce.
Transition Period
According to this regulation, those who wish to provide services in commercial electronic message approval and rejection procedures will be able to apply to the MKK with the necessary documents as of the effective date of the Communiqué. Those who do not obtain an integrator authorisation from the Ministry within 6 months from the effective date of the Communiqué will not be able to perform commercial electronic message transactions on behalf of service providers and will not be able to perform transactions through IYS.
GRC LEGAL Comment
As is known, before the Communiqué entered into force, it was possible to manage the message approvals of the recipients through the so-called IYS business partners in order to carry out commercial electronic message processes. With the Communiqué, it is seen that some of the conditions for becoming a business partner, which are stated on the IYS’s website, have been expanded, the process has been subjected to stricter conditions and an attempt has been made to ensure transparency in electronic communication.
In view of the Communiqué’s stipulation that the relevant services cannot be provided without an integrator authorisation, it is questionable whether service providers will be obliged to work with integrators. As a matter of fact, since the Communiqué does not include a clear provision on this issue, it seems possible for service providers to carry out IYS processes manually without the intermediation of an integrator.
While these regulations introduced for integrators aim to provide a more secure communication environment, they also indicate a new standard in commercial communication processes. The fact that the Communiqué is in line with other relevant legislation such as the Law on the Protection of Personal Data and the Law on the Regulation of Electronic Commerce is an important step in ensuring interdisciplinary harmonisation with the regulations.
[1] https://dergipark.org.tr/en/download/article-file/119114