A. IMPORTANT REGULATION CHANGES OF THE YEAR 2021
1. Amendments Introduced with the Directive on Measures to Prevent Laundering Crime Income and Terror Financing
With the Official Gazette dated 24.02.2021 and no. 31405 (Repetition 2), the Directive on Measures to Prevent Laundering Crime Income and Terror Financing (“Directive on Measures”) was published.
The coverage of the article on incumbents was expanded according to the amendments introduced. The lower limits of the transaction amount or the amount of multiple inter-connected transactions stipulated for the obligation to evidence identity in the transactions made by the incumbents was increased from TL 20.000 to TL 75.000. Obligations for obtaining the details of job and profession, and risk scoring to get to know the customer.
With the article 6/A introduced to the Measures Regulation, remote identification of real persons has become possible. Accordingly, if the legislation related to the main field of activity of the incumbent allows for the establishment of a contract with methods that would allow for the verification of the customer’s identity without face-to-face contact with the customer, then remote identification methods may be used in order to verify the identity of the customer during the establishment of a permanent business relationship with real persons.
It has been regulated that the audit of the Financial Crimes Investigation Board (“MASAK”) on the incumbent could be carried out with on-site or remote auditing methods, and fulfill the duty of auditing the incumbent through the treasury and finance experts employed at the Board and assigned to this task.
2. Amendments Introduced with the Regulation on the Compliance Program related with the Liabilities to Prevent Laundering Crime Income and Terror Financing
Amendments have been introduced to the Regulation on the Program for Compliance with the Liabilities to Prevent Laundering Crime Income and Terror Financing (“Compliance Program Regulation”) in the Official Gazette no. 31407 dated 26.02.2021.
The scope of the liabilities has been expanded and (i) Group A-powered enterprises listed in the foreign exchange legislation, (ii) financing, factoring and financial leasing companies, (iii) portfolio management companies, (iv) precious metals brokerage companies, (v) electronic currency organizations and (vi) payment organizations excluding those which intermediate invoice payments exclusively, payment order starting service exclusively, and submission of information related with the payment account exclusively have also been included among the incumbents who are required to create a Compliance program under the Regulation on the Program for Compliance.
The definition of “financial group” in the law on the Prevention of Laundering Crime Income dated 27 December 2020 and no. 5549 has also been included in this regulation. Accordingly, a group which comprises the financial organizations based in Turkey, which are affiliated with a parent organization headquartered in Turkey or abroad, or which controls this organization, and their branches, agencies, representatives and commercial agents and other similar units will be considered as a “financial group.” Detailed regulations have been set out on the nature of the financial group in the Regulation on the Program for Compliance.
The scope of the liability for creating a compliance program for financial groups has been described. Besides, the liability to review and update where required certain measures in every two years has been introduced. It has been stated that the responsibility for the supervision of the execution of the compliance program at the financial group level ultimately rests with the board of directors of the main financial institution within the scope of Article 6 of the Compliance Program Regulation.
In addition to the appointment of a compliance officer, an obligation to appoint assistant compliance officer has been introduced for the relevant obliged parties specified in the Compliance Program Regulation. The scope of the liability to establish a corporate policy has been expanded. The financial group has also been held liable for creating a corporate policy.
3. Amendments introduced with the Circular on the Appointment of Loss Adjusters in Value Loss Claims within the Scope of Highway Motor Vehicle Compulsory Financial Liability Insurance
The “Circular on the Appointment of Loss Adjusters in Value Loss Claims within the Scope of Highway Motor Vehicle Compulsory Financial Liability Insurance” dated 09.11.2021 and no. 2021/10 has stipulated that where any value loss is claimed by the right holders, the loss shall be identified by the loss adjusters licensed in the relevant branch.
According to the Regulation on Assignment of Loss Adjusters, published in the Official Gazette dated 25.08.2015 and numbered 29456, the insurer from whom loss of value is claimed, shall assign the loss adjuster on the basis of sequential order through the system established in the Insurance Information Center (SBM) to ensure fair distribution of job assignments.
It is stated that in the event that the loss adjuster is assigned by the right holder, the assignment can be made through the system to be established, while assigning a loss adjuster in accordance with the provisions of the relevant legislation without applying the sequential order procedure specified here could also be appropriate. Changes have been introduced in that SBM will establish the necessary IT infrastructure for the establishment of the loss adjuster assignment system and will take any kinds of measures regarding the operation of the system.
4. Amendments Introduced with the Regulation on Internal Systems in Insurance and Private Pension Industries
The Regulation on Internal Systems in Insurance and Private Pension Sectors in the Official Gazette dated 25.11.2021 and no. 31670 has aimed to strengthen the institutional structures of institutions operating in the insurance and private pension sector and to integrate the practices in the industry with the international system.
The regulation has included specifications to increase the effectiveness of the board of directors with regard to the internal systems, both directly and through the audit committee structure. Moreover, regulations have been introduced to establish an audit committee organization with professional membership attributes to continuously monitor the activities of the organizations, and to ensure the supervision of the functioning of the internal systems by the senior management.
The regulation has detailed the internal control, risk management, actuarial and internal audit functions as well as the qualifications of the unit and personnel responsible for carrying out these functions.
The regulation aims to create these control functions without being influenced by the other activities of the company, together and in integrity with the activities, and so that they ensure the personnel responsible for the internal systems can fulfill their duties without conflict of interest, and arrangements; and the regulations were introduced accordingly.
Information systems requirements and business continuity issues have been regulated in accordance with the actuarial requirements and the unique structure of the insurance industry in terms of cyber security.
The reporting requirements brought by the regulation, the development of a transparent management approach, and the effectiveness of the industry’s surveillance and supervision open to the public are considered as an important element that increases transparency.
Shared use of resources in insurance groups and financial groups has been aimed to ensure effective use of resources and productivity increase.
5. Amendment to the General Conditions Regarding the Amendment to the General Conditions of Highway Motor Vehicle Compulsory Liability Insurance
General Conditions for Amending the General Conditions of Highway Motor Vehicle Compulsory Liability Insurance were published in the Official Gazette dated 04.12.2021 and numbered 31679. In this framework, considering the aforementioned decisions, articles 18 and 19 of the Law No. 7327 dated 9 June 2021 and articles 90 and 92 of the Highway Traffic Law No. 2918 were amended.
Changes have been made to compensation for depreciation, permanent disability and lack of support. Article B2 of the General Conditions has been amended with article 9 of the Communiqué and, the requirement of using OEM parts has been introduced as a rule for the repair of vehicle damages within the scope of traffic insurance. In accordance with the aforementioned amendment, it is regulated that the damaged part can be replaced with an equivalent or reusable part only in cases where the approval of the right holder is obtained and where it is not possible to replace the damaged part with the OEM part. Similarly, the use of equivalent parts is also included in cases where the part that needs to be replaced is not original.
The depreciation calculation in Annex-1 of the General Conditions has been further elaborated. Likewise, the calculations of compensation for loss of support and compensation for injury have been further elaborated. Here, the aims was to make regulations in accordance with the SEDDK’s goal of minimizing the disputes and calculating the damage with a fair and realistic approach.
6. Regulation on the Amendment of the Regulation on the Principles of Implementation of Insurance Related to Personal Loans
The Regulation on the Amendment of the Regulation on the Principles of Implementation of Insurance Related to Personal Loans was published in the Official Gazette dated 29.12.2021 and no. 31704. This regulation has introduced amendments on issues such as entitlement, compulsory insurance, permanent data storage, informing the insured, obtaining health declarations, and surviving taxpayers.
B. IMPORTANT REGULATION CHANGES OF THE YEAR 2022
1. Regulation on Amendment to Commercial Advertisement and Unfair Commercial Practices
The Regulation on Amendment to Commercial Advertisement and Unfair Commercial Practices was published in the Official Gazette dated 01.02.2022 and no. 31737. This amendment introduced a regulation for analyzing the purchasing behaviors and other personal data of the consumer regarding any goods and services and specified that the offered price is a personalized price, and it should be included in the same space as the current price. Where discounted price is included, the obligation of stating the price before the discount has been introduced. It has been determined that the lowest price applied within 30 days before the discount is applied in the determination of the sales price before the discount. In advertisements where it is stated that a good or service is offered for sale with a tied loan, it is stated that the maturity of the loan, the interest rate, the monthly and annual percentage value of the total cost to the consumer and the repayment conditions should be included on the media where the advertisement is published.
In the event that a product or service offered for sale on the internet is sorted by comparing price, quality and similar aspects, it is regulated that the information on which criteria the ranking was created will be in the same field or in a way that can be easily seen on the pop-up screen where consumers can be directed with a link or warning sign. An obligation to include the phrase ‘advertisement’ in the ranking results displayed based on advertisements or sponsorships and similar agreements has been introduced.
C. KEY DEVELOPMENTS AND DECISIONS UNDER THE LAW ON THE PROTECTION OF PERSONAL DATA
Public announcement on COVID-19 PCR test result and vaccination information:
On 28 September 2021, the Agency posted a public announcement regarding the processing of vaccination information and PCR test result. The Agency referred to the letter of the Ministry of Interior, which requires the provision of a PCR test and/or vaccination information for collective participation of people in group activities, and the letter of the Ministry of Labor and Social Security which require a PCR test to be requested once a week from non-vaccinated employees, and stated that the data of vaccination and PCR test results processed within the scope of preventive and protective activities constitute an exception to the Law No. 6698 on the Protection of Personal Data (the “Law”). In this respect, the data processing activities of public institutions and private organizations based on and being limited with the letters of the Ministry of Internal Affairs and the Ministry of Labor and Social Security will not be considered within the scope of the Law, while any processing activities that exceed the scope of the relevant articles will be subject to the provisions of the Law.
Guidelines to be Considered in the Processing of Biometric Data under the Law on the Protection of Personal Data:
On 17 September 2021, the Personal Data Protection Authority (“Authority”) published the Guidelines to be Considered in the Processing of Biometric Data (“Guidelines”). The guidelines defines biometric data and includes processing conditions and principles in accordance with the Law on the Protection of the Personal Data.
The biometrical data include significant information about the data subjects due to their attributes. With the introduced Guidelines, the Authority introduces new responsibilities for the data controllers regarding the processing of the biometrical data with the goal of ensuring data protection and security in the processing of the biometrical data. The data controllers who are to process biometrical data should realize their activities in conformity with the principles and measures listed in the Guidelines.
Decision – Decision on sanction regarding the application of instant messaging:
The Personal Data Protection Authority (the “Authority”) identified that an instant messaging application (the “Application”) updated the service requirements and the principle of confidentiality as a prerequisite for the offered service. The authority started an ex officio inspection mainly on (i) transferring data abroad, (ii) binding the service to the requirement of explicit consent, and (iii) conformity to general principles. With the resolution dated 3 September 2021 and no. 2021/891, the Authority concluded as follows: y obtaining a single express consent for the processing and transfer of personal data abroad through the terms of service contract damages the “free will disclosure” element of the express consent; y the terms of service and the statements in the policy of confidentiality are presented in a non-negotiable nature, and the use of the application is tied to the condition of transfer, which is in violation of the principle of “compliance with the law and good faith” in Article 4 of the Law; y a conduct was performed against the principles of “processing for evident, clear and legitimate purposes” and the principles of “being related, limited and aligned with the objective of processing” in article 4 of the Law, y as long as the servers of the data controller are not located in Turkey, any processing activity regarding the personal data obtained from the persons in Turkey means the transfer of personal data abroad and the said transfer is not made in accordance with Article 9 of the Law; and y not obtaining explicit consent from the related individuals regarding the cookies used for profiling is not in accordance with the law. In this direction, the Authority ruled that (i) an administrative fine of TL 1,950,000 should be imposed on the data controller for not taking the necessary technical and administrative measures, (ii) the data controller should ensure conformity of their service requirements and policy of confidentiality text to the Law in 3 months, and (iii) the data controller should provide a clarification in accordance with the provisions of Article 10 of the Law and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Clarification Obligation.
Other Resolutions:
In a decision regarding the data breach notification of an insurance company, the Authority decided to impose an administrative fine of TL 30,000 on the grounds that the data controller did not comply with the Personal Data Security Guidelines and did not take the required technical and administrative measures to ensure data security. The penalty amount was maintained law considering the economic condition of the data controller and that the error which caused to the violation was an exceptional case.
In a decision regarding the data breach notification of an insurance company, the Authority concluded that no action was required to be taken, considering that although there were health data among the affected data, 1 person was affected by the breach and the data controller informed the Authority as soon as possible.
In a decision regarding a bank’s data breach notification, the Authority considered that the data controller (i) did not limit the KKB queries of the personnel before the breach, (ii) did not carry out adequate inspection and supervision, (iii) imposed an administrative fine of TL 200,000 based on failure to take the required technical and administrative measures to ensure data security considering that the training on the Law for the Protection of Personal Data was not adequate.
In the decision regarding the data breach notification of an insurance company, the Authority determined that the data controller did not take the required technical measures to ensure data security, and imposed an administrative fine of TL 90,000. The decision no. 2020/357 dated 7 May 2020 is accessible here. y In a decision regarding the data breach notification of a bank, the Authority emphasized that (i) the control mechanism of the data controller was not at a sufficient level, (ii) the said errors should have been detected during the testing phase and the changes should have been corrected before they are released live, and imposed an administrative fine of TL 75,000 further to article 12/1 of the Law due to failure to take administrative measures.