E-COMMERCE & KVKK | COMMERCIAL ELECTRONIC COMMUNICATION – 5N1K Introduction

With the developing technology, companies use information technology resources in order to carry out their business processes and activities. The use of information technology resources leads to more intensive personal data processing activities for many relevant persons such as customers and suppliers compared to the past, and exposes the relevant persons to segmentation and profiling activities through their personal data. It can be said that companies provide a significant portion of their revenues through the sending of commercial electronic messages through the personal data they obtain through the relevant activities. In this context, it is an indisputable fact that commercial electronic messages have surpassed traditional marketing activities and have become one of the methods used by almost every company. This article aims to discuss the concept of commercial electronic message in detail within the framework of the legislation.

What is a Commercial Electronic Message?
Definition of Commercial Electronic Message within the Framework of Legislation

Pursuant to Article 2/1-c of the Law on the Regulation of Electronic Commerce (“ETDHK”), commercial electronic messages are defined as messages containing data, audio and video content sent for commercial purposes and carried out electronically using means such as telephone, call centres, fax, automatic dialing machines, smart voice recorder systems, electronic mail, short message service.

Commercial electronic message is defined in Article 2 of the Regulation on Commercial Communication and Commercial Electronic Messages (“Regulation”) as any kind of communication made through electronic communication tools in order to promote the goods and services of real or legal persons or to do these on behalf of others.

Commercial Electronic Message within the Scope of Personal Data Protection Law

Commercial electronic message activities must be carried out in accordance with the commercial electronic message legislation mentioned above. Although the Ministry of Commerce is the authority in charge of supervising the relevant regulations pursuant to the ETDHK and the Regulation, since the name, surname, e-mail and telephone number contact information obtained from individuals for sending commercial electronic messages are personal data, commercial electronic message processes must also comply with the personal data protection legislation. As a matter of fact, as stated in the decision of the Personal Data Protection Board (“Board”) dated 27/02/2020 and numbered 2020/173; the Ministry of Trade referred the application in the relevant decision to the Personal Data Protection Authority (“Authority”) “to be evaluated within the scope of personal data protection legislation” and this situation has revealed that the applications of the relevant persons should be addressed in the context of personal data protection regulations.[1]

At this point, it will be important to refer to the Board’s Principle Decision dated 16.10.2018 and numbered 2018/119, which is binding pursuant to Article 15/6 of the Law on the Protection of Personal Data (“Law”).[2] With the relevant decision, it has been decided that the activities of advertising messages sent without obtaining the explicit consent of the data subjects should be stopped immediately by the data controllers.

Since the Board’s inclusion of the term ‘advertisement-containing message’ raises some questions, it will be necessary to refer to the definition of commercial advertisement stipulated under Article 4/1-n of the Regulation on Commercial Advertisements and Unfair Commercial Practices. Pursuant to the relevant regulation, commercial advertisement is defined as the announcements in the nature of marketing communication made by advertisers through written, visual, audio and similar means in any medium in order to ensure the sale or rental of a good or service in connection with trade, business, craft or a profession, and to inform or persuade the target audience.

Based on the above explanations, it is obvious that the definitions of advertising messages and commercial electronic messages are quite similar; however, they differ in terms of purpose. While an advertisement message aims to introduce and promote a product or service to a person and thus to ensure its release, a commercial electronic message has a commercial purpose. Accordingly, the commercial purpose is more comprehensive and includes the purpose of advertisement, but it does not always have to carry the purpose of advertisement. At this point, the issue of situations that do not require consent for sending commercial electronic messages, the details of which will be given under the heading 3.2. of this article, comes to the fore. This provision, which is stipulated by the Regulation, regulates that informative commercial electronic messages that do not carry advertising purposes are not subject to consent.[3]

As a result, with the relevant Principle Decision, it has been decided to immediately stop commercial electronic messages that carry advertising purposes. However, commercial electronic messages other than these are excluded from the scope.

Conditions for Sending Commercial Electronic Messages
Approval

Pursuant to Article 5 of the Regulation, the service provider who wishes to send commercial electronic messages shall obtain prior consent for commercial electronic messages sent to the electronic communication addresses of the recipients in order to promote and market its goods and services, to promote its business or to increase its recognition with content such as celebrations and wishes. The consent is valid until the right to refuse is exercised.

Due to the close relationship between commercial electronic messages and the Law, it will be useful to mention the definition of the term ‘consent’ in the relevant article within the scope of the Law. In Article 3 of the Law titled ‘Definitions’, explicit consent is defined as ‘Consent regarding a specific subject, based on information and expressed with free will’.

At this point, it will be necessary to mention two different system definitions that find a place in the agenda of commercial electronic messages:

Opt-in System: It is a system in which the individual gives consent to the processing of personal data with his/her conscious action.

 

Opt-out System: It is a system in which it is accepted that the individual automatically consents to the processing of his/her personal data without prior consent and allows individuals to remove this consent.

Considering the prior consent phrase in the Regulation, the consent to be obtained from individuals regarding electronic commercial message activities must be obtained based on the opt-in system. In addition, pursuant to the Board’s decision dated 23/12/2022 and numbered 2022/1358, within the framework of the definition of explicit consent stated in the Law, the opt-in system, not the opt-out system, should be used in the explicit consent statements to be obtained from the data subjects by the data controllers.[4]

In addition, it is also useful to mention two different models of the opt-in system.

Single opt-in is a one-step method that is completed by registering the e-mail address or telephone number obtained from the users to the list without requiring any follow-up or approval process.
Double opt-in is the method that allows the registration to be verified by sending a confirmation e-mail or SMS to the relevant communication channels based on the e-mail address or phone number obtained from the users.

Considering the Principle Decision dated 22/12/2020 and numbered 2020/966 published by the Board; it is necessary to emphasise the importance of the double opt-in model in terms of carrying out the processes regarding the sending of commercial electronic messages that require the consent of the data subjects.[5] It is frequently encountered with a scenario such as the sending of commercial electronic messages by data controllers to the data subject of another e-mail address, based on the inadvertent action of the data subjects who write a different e-mail address to the communication channel. In this respect, the Board has stated that confirmation mechanisms should be established within the scope of taking necessary administrative and technical measures for data controllers. Otherwise, the data controller, who has an active duty of care within the scope of the general principle of ‘being accurate and, where necessary, up-to-date’ stated in Article 4 of the Law, will be subject to administrative fine sanctions.

It is also worth noting that the establishment of double opt-in processes can be interpreted as a reputation enhancing activity on behalf of data controllers and will increase reliability. Although its sustainability in terms of implementation may be difficult when interpreted together with the size of the operation, data controllers who do not establish the double opt-in process should periodically check the accuracy and currency of the communication channels of the relevant persons.

Situations that do not require approval

Article 6 of the Regulation regulates situations that do not require consent:

In the event that the recipient provides his/her contact information for the purpose of contacting him/her, no separate consent is obtained for commercial electronic messages regarding changes, use and maintenance of the goods or services provided.

In this case, there is no need to check through IYS.

[Detailed information on IYS will be provided under heading 6 of this article].

Messages containing notifications regarding ongoing subscription, membership or partnership status, collection, debt reminder, information update, purchase and delivery or similar situations and the obligation to provide information imposed on the service provider by the relevant legislation do not require prior consent. However, no goods or services may be encouraged or promoted in such notifications.

In this case, there is no need to check through IYS.

In this context, commercial electronic messages that are not for advertising purposes, i.e. only informative, may be sent without prior approval. For example, product manuals that a company offers to its customer portfolio, a message that the product has been shipped or that the company has initiated an investigation upon the return of the product are informative and do not require approval from the relevant persons.

It is not mandatory to obtain prior approval for commercial electronic messages sent to the electronic communication addresses of recipients who are merchants or tradesmen. However, if the merchants and tradesmen exercise their right of refusal under Article 9, commercial electronic messages cannot be sent without their consent. In addition, before sending commercial electronic messages to merchant or tradesman recipients, the electronic communication addresses of merchant or tradesman recipients are registered in IYS by the service provider and it is checked whether the recipients have exercised their right of refusal through IYS.

It is not necessary to obtain prior approval for sending commercial electronic messages to addresses with corporate e-mail extensions or mobile phones with a company line of merchant and tradesman recipients. Accordingly, it is seen that the opt-out system is operated for sending commercial electronic messages within the relevant scope.

Pursuant to the legislation on capital markets, it is not mandatory to obtain approval for commercial electronic messages sent to customers for informational purposes by companies engaged in brokerage activities. In this case, there is no need to check through IYS.
Obtaining Consent

The necessary conditions/rules to be followed in the process of obtaining approval are stipulated in Article 7 of the Regulation:

Consent may be obtained in writing or by any electronic means of communication or through IYS. The consent includes the recipient’s affirmative declaration of will, name and surname and electronic communication address that the recipient accepts the sending of commercial electronic messages. Approvals received through IYS include a positive declaration of will and electronic contact address.
In the consent received in physical environment, the signature of the person giving the consent is sought.
In the event that the consent is received electronically, the information that the consent has been received shall be transmitted to the electronic communication address of the recipient within 24 hours, with the possibility of refusal. The provisions of this paragraph shall not apply to consents received through IYS.
Consent may not be requested by sending commercial electronic messages to the electronic communication address of the recipient.

Pursuant to the relevant article, it is ruled and prohibited that messages requesting consent for sending commercial electronic messages are also within the scope of commercial electronic messages.

If the consent is obtained by being included in the content of a contract such as a subscription, sales and membership agreement, it is obtained at the end of the contract, before the affirmative declaration of will or signature, under the commercial electronic message margin heading, by writing in at least twelve font size, giving the opportunity to refuse.

The consent to be obtained by embedding it into the contract may be considered as malicious and will be deemed invalid.

The consent given to one of the parties in an agency, specially authorised enterprise or dealership agreement shall be deemed to have been given to the other party to the agreement, limited to the goods, services or brand subject to this agreement.
The service provider may also use the approval for the goods and services offered as a promotion, provided that they are offered together with its own goods or services. However, this promotional relationship must be subject to a contract.
In the text of the consent, the affirmative declaration of will cannot be pre-selected.

In order to be able to talk about the existence of free will, which is one of the elements of explicit consent, the consent must be obtained by the active action of the persons concerned. In this respect, presenting the affirmative declaration of will as preselected by default will mean an unlawful provision of explicit consent.

The service provider cannot claim that the recipient’s consent to commercial electronic messages is a prerequisite for the provision of the goods and services it offers.

The data controller/service provider’s imposition of explicit consent as a condition of the membership and service it offers, and therefore as a condition of the contract, cannot be accepted as a consent given by the person concerned with his free will and will cripple the explicit consent. Accordingly, the relevant practice will be contrary to the principles of being in compliance with the law and good faith and being bound, limited and proportionate to the purpose of processing as set forth in Article 4 of the Law.

However, it is worth noting that; With its decision dated 08/07/2019 and numbered 2019/206, the Board stated that there is no action to be taken by the data controller within the scope of the Law regarding the fact that the data controller provides a discount advantage as an added benefit to the persons who are members of the website.[6]

Accordingly, it is not objectionable to condition the sending of commercial electronic messages on the provision of the ancillary rights offered by the data controller.

For approvals that are not received through IYS, the burden of proof regarding the receipt of the approval belongs to the service provider.

In this context, the signature to be obtained from the relevant persons for electronic message consents received in physical environment and keeping the log records of the relevant persons in terms of electronic message consents received in electronic environment is a practice that ensures the fulfilment of the correct and proof obligation.

Withdrawal of Consent

Article 9 of the Regulation regulates the right to refuse and the notification method:

The recipient may refuse to receive commercial electronic messages at any time without any justification. The recipient’s notification of refusal invalidates the consent for the communication channel through which the notification is made.

Since giving explicit consent is a right strictly bound to the person, the person may withdraw his/her explicit consent at any time and without any justification. As a matter of fact; a commitment that the explicit consent cannot be revoked will lead to an unlawful explicit consent since it is against personal rights.

The rejection notification to be made to one of the parties for the consent given within the scope of the sixth paragraph of Article 7 of the Regulation mentioned above shall be deemed to have been made to all parties. The party receiving the rejection notification is obliged to notify the other parties.
The service provider shall include in the commercial electronic message an accessible contact address, such as a customer service number, a short message number or a URL address dedicated only to the rejection notification, provided by itself or provided by IYS, so that the recipient can make a rejection notification. Whichever communication channel the commercial electronic message is sent through, the rejection notification is provided through the same communication channel in an easy and free manner.
The possibility of rejection notification is included in every commercial electronic message sent.
The exercise of the right of refusal by the recipient does not constitute an obstacle to the notifications that must be sent to the recipient in accordance with the provisions of the relevant legislation to which the service provider is subject.

Pursuant to Article 10 of the Regulation, the service provider shall stop sending commercial electronic messages to the recipient within three business days following the receipt of the recipient’s request regarding the refusal to receive the commercial electronic message.

Pursuant to Article 13 of the Regulation, the burden of proof in transactions subject to complaint belongs to the service provider and/or intermediary service provider. The service provider and/or intermediary service provider shall keep the approval records for three years from the date of expiry of the validity of the approval and other records regarding commercial electronic messages for three years from the date of registration. These records shall be submitted to the Ministry upon request.

Data controllers must keep the consent records and other records of commercial electronic messages for 3 years within the scope of the legal retention obligation imposed on them in case the recipients exercise their right of refusal, as they have the burden of proof in case of a possible complaint. Although 3 years is a period of time recognised by the Regulation and no unlawful data processing activity is carried out as long as it is kept; In case the period expires, the relevant data must be deleted, destroyed or anonymised in accordance with Article 7 of the Law and the Regulation on Deletion, Destruction and Anonymisation of Personal Data.

Commercial Electronic Message Content

The mandatory and optional elements in commercial electronic messages are stipulated in Article 8 of the Regulation. Pursuant to the relevant provision:

The content of the commercial electronic message must comply with the approval received from the recipient.
In the title or content of the commercial electronic message; MERSIS number and trade name for merchants, name and surname and Turkish Republic or tax identification number for tradesmen. In addition to these, the service provider may include other information that identifies itself, such as brand or business name.
In the content of the commercial electronic message sent using limited areas such as short messages; MERSIS number for merchants, name and surname and T.R. identification number for tradesmen are included. In addition to these, the service provider may include other information that identifies itself, such as brand or business name.
The content of the voice call shall include the trade name for merchants and the name and surname for tradesmen. In addition to these, the service provider may include other information identifying itself, such as its brand or business name.
In the commercial electronic message, depending on the type of electronic communication tool, at least one of the accessible contact information of the service provider such as telephone, fax, short message number and e-mail address is included.
If the nature of the commercial electronic message cannot be clearly understood from its content, a qualifying phrase such as promotion, campaign and information is included. This phrase is stated at the beginning of the message in messages sent via short message, in the subject section in messages sent via e-mail, and at the beginning of the call in voice calls.
In the event that there are promotions such as discounts and gifts in the commercial electronic message and promotional competitions or games, this issue shall be clearly stated in the message.
The conditions regarding the validity period of the promotions and the obligations that the recipient has to fulfil in order to benefit from them are presented in a clear and doubt-free manner, through easily accessible methods such as a URL address or customer service number dedicated to these issues.

In addition to all these, within the scope of the right of refusal and notification method regulated pursuant to Article 9 of the Regulation, the recipient, who has the opportunity to refuse to receive commercial electronic messages without any justification, must be provided with the possibility of refusal notification in every commercial electronic message. [See: 3.4.heading-3rd article]

Examples of Current Commercial Electronic Message Activities

Pursuant to Article 5 of the Regulation, the service provider who wishes to send commercial electronic messages shall obtain prior consent for commercial electronic messages sent to the electronic communication addresses of the recipients in order to promote and market its goods and services, to promote its business or to increase its recognition with content such as celebrations and wishes.

In this context, in addition to messages regarding discount campaigns, promotions, etc., holiday or special day greetings are also accepted as commercial electronic messages. Therefore, it is mandatory to obtain prior consent from individuals for content such as congratulations and wishes, as well as for holiday and special day greetings that serve to increase recognition.

In addition, it is worth noting that push notifications (“push notifications”), which we are frequently exposed to by mobile applications, are also within the scope of commercial electronic messages with the Board’s decision dated 13.04.2021 and numbered 2021/361.[7] With the relevant decision, the Board has subjected the sending of push notifications, which it defines as “push notifications”, to the prior consent of the users, without prejudice to the details of the application installation process design.

Intermediary Service Provider

Intermediary service providers are defined by the Regulation as real and legal persons who provide electronic commerce environment for the performance of economic and commercial activities of others.

Pursuant to Article 11 of the Regulation

The service provider may send commercial electronic messages to the recipients whose prior consent it has obtained, either by itself or through intermediary service providers.

Pursuant to this article, service providers are not obliged to work with intermediary service providers; however, since it is not possible for service providers, especially those with a large customer portfolio, to check the approval processes in each commercial electronic message sending and take action according to the database formed according to the conditions and situations of that day, working with IYS business partners will ensure that the activity is carried out in the most accurate and lawful manner.

The intermediary service provider provides technical facilities for the fulfilment of the obligations stipulated for the service provider by the Regulation.
The intermediary service provider is not obliged to control the content provided by real and legal persons using the electronic environment to which it provides services, and to investigate whether there is an illegal activity or situation related to this content and the goods or services subject to this content.
The intermediary service provider cannot obtain approval to send commercial electronic messages on behalf of others in order to promote and market their goods and services or to promote their business.
The intermediary service provider harmonises its system for sending commercial electronic messages with the IYS.

Although it is stipulated that intermediary service providers must harmonise their systems for sending commercial electronic messages with IYS, in practice, it may be witnessed that the number of data in the databases of service providers and the number of data in the IYS database are not equal. In this context, it will reduce the risk of the aforementioned problem if intermediary service providers manage the process automatically, rather than managing the process through manual entry.

The intermediary service provider does not initiate the sending of commercial electronic messages belonging to service providers that do not register with the IYS.
The intermediary service provider, who initiates the sending of commercial electronic messages in accordance with the instructions of the service provider, checks whether the recipients have consented via IYS before sending the message and does not start sending messages to recipients who do not have consent on IYS.
Message Management System

With the notification published by the Ministry of Trade of the Republic of Turkey on 4 January 2020, the Regulation has been amended and it has become mandatory for all service providers that send commercial electronic messages to register with the Message Management System (“IYS”). In this context, natural and legal persons who wish to send commercial electronic messages must register with IYS.

IYS is a system where data controllers can store and manage the consent provided by companies to send commercial electronic messages for advertising/promotional purposes, and recipients can reject or approve these messages and manage complaint processes. Consents that are not recorded in IYS are deemed invalid and commercial electronic messages with advertising/promotional content cannot be sent to recipients who do not have consent on IYS. In case the consent is obtained in writing or by electronic means of communication, the consents received must be recorded in IYS within three business days by the service provider.

In addition, all communications, including corporate and personal e-mails, regardless of the title of the addressees, must be recorded in IYS by data controllers/service providers. In this respect, it should be noted that even in cases that do not require consent for sending commercial electronic messages, it is mandatory to register recipients in IYS.

Recipients may also exercise their right of refusal through IYS. If the right of refusal is not exercised through IYS, the service provider is obliged to notify the IYS of the refusal notifications received within three business days.

Sanction

Pursuant to Article 12 of the ETDHK, penal provisions are regulated and the Ministry of Trade has the right to sanction data controllers based on the situations determined within the scope of the relevant provision. In addition, sanctions may also be imposed on data controllers by the Personal Data Protection Board due to the organic link between commercial electronic messages and personal data protection legislation.

Conclusion

In today’s age, with the increase in digitalised marketing activities, many people are the recipients of commercial electronic messages even though they do not want and do not give consent. The regulation of these transmissions, to which people are exposed by service providers, by the electronic commerce legislation aims to reduce this victimisation of the recipients to some extent.

In addition, sending commercial electronic messages inherently requires the provision of certain personal data. In this context, the processes should be carried out by taking into account the personal data protection legislation as well as the electronic commerce legislation. A process management that does not take into account the provisions of the Regulation, ETDHK and the Law will result in data controllers facing the risk of sanctions before both the Ministry of Trade and the Authority.

In the light of all these explanations, what is also tried to be conveyed in this study is the chain administrative sanction reactions that may be created by possible unlawful activities by scrutinising the intersection clusters of both the exclusive and coinciding regulations in the e-commerce legislation and the personal data protection legislation in which the commercial electronic message activity is born and its scope and development. What should be done by the legal persons where the title of service provider and data controller occur at the same time; is to avoid chain administrative sanction reactions by addressing their practices with a holistic approach.

[1] “Summary of the Decision of the Personal Data Protection Board dated 27/02/2020 and numbered 2020/173 regarding the application about Amazon Turkey Perakende Hizmetleri Limited Şirketi (Date of last access: 02.11.2023)

[2] Principle Decision of the Personal Data Protection Board dated 16/10/2018 and numbered 2018/119 on “Preventing data controllers and data processors from directing advertising notifications/calls to the e-mail addresses of data subjects or to their mobile phones via SMS or call” (Last accessed on 02.11.2023)

[3] Evaluation of the Personal Data Protection Board’s Decision dated 16/10/2018 and numbered 2018/119 “Regarding Messages and Calls”, Prof. Dr. Murat Volkan Dülger (Last accessed on 02.11.2023)

[4] Summary of the Decision of the Personal Data Protection Board dated 23/12/2022 and numbered 2022/1358 on “Failure to provide clarification and explicit consent texts regarding cookies on a website” (Date of last access: 02.11.2023)

[5] “Principle Decision of the Personal Data Protection Board dated 22/12/2020 and numbered 2020/966 on the personal data of third parties sent by data controllers to communication channels such as telephone numbers and e-mail addresses of individuals in violation of the Law”

[6] Summary of the Decision of the Personal Data Protection Board dated 08/07/2019 and numbered 2019/206 “Regarding the allegations that the data controller requested the processing of personal data on its website as a condition of service and did not duly fulfil its disclosure obligation”

[7] Summary of the Decision of the Personal Data Protection Board dated 13/04/2021 and numbered 2021/361 on “A bank sending promotional messages to the relevant person through mobile applications without their consent”