The Communiqué on Commercial Electronic Message Management System Integrators [“Communiqué”] entered into force after being published in the Official Gazette dated 18.09.2024 and numbered 32666. The purpose of the Communiqué is to regulate the procedures and principles regarding the recording and processing of approval and rejection information through integrators via the Message Management System [“IYS”] in order to manage commercial electronic message sending processes more effectively. The Communiqué applies to service providers, integrators that provide this service in commercial electronic message sending processes, and organizations [“Organization”] authorized by the Ministry to establish the Commercial Electronic Message Management System pursuant to Article 10/A of the Regulation on Commercial Communication and Commercial Electronic Messages.
The issues regulated by the Communiqué can be summarized as follows:
A. INTEGRATOR AND SERVICE PROVIDER CONCEPTS
Within the scope of the Communiqué, the integrator is defined as the company authorized by the Ministry of Commerce [“Ministry”] to provide services to service providers for recording the recipients’ consent and rejection information in the IYS, obtaining consent through the IYS and exercising the right to reject. The service provider is defined as the real or legal persons obliged to register with the IYS who send commercial electronic messages or on whose behalf commercial electronic messages are sent.
The relationship between the integrator and the service provider is regulated within the framework of the IYS. Service providers are obliged to record the consent and rejection information received from the recipients in the sending of commercial electronic messages in the IYS. They may perform this process directly themselves or through integrators. These services cannot be provided to those who are not authorized as integrators.
Integrators support the service provider in transactions such as recording approval and rejection information in IYS, obtaining approval and exercising the right to reject. The service provider designates an integrator through IYS for the services it will receive, and this integrator is authorized to access the service provider’s data. In addition, integrators are responsible for ensuring that the service provider has access to the data they store during the service period and for transferring the data even if the integrator authorization is revoked. These transfers must take place within 15 days if requested by the service provider.
B. INTEGRATOR AUTHORIZATION
Requirements for Authorization
Companies wishing to be authorized as an integrator must meet the following conditions:
- Establishment as a Joint Stock or Limited Company: Those who wish to obtain integrator authorization must be established as a joint stock or limited liability company in accordance with the Turkish Commercial Code.
- Capital Requirement: Applicant companies must have a minimum paid-in capital of 1,000,000 Turkish Liras.
- Registered Shares: In joint stock companies that will apply for integrator status, the shares must be registered shares.
- Register of Managers and Representatives: The managers and authorized representatives of the company to be authorized as an integrator must not have been convicted of disgraceful crimes, cybercrimes or acts contrary to the Electronic Communications Law No. 5809.
- ISO Certifications: The company must have internationally recognized certifications in the areas of information security, personal data management and business continuity, including:
  - ISO/IEC 27001 (Information Security Management System)
  - ISO/IEC 27701 (Personal Data Management System)
  - ISO 22301 (Business Continuity Management System)
- Cyber Security Measures and Penetration Tests: Applicants must ensure the cyber security of their systems and regularly document the results of external penetration tests.
- Technical Competence and Staffing: The integrator must have adequate technical infrastructure and employ at least five personnel directly or through outsourcing, including network and network security experts, database experts, system experts, quality systems experts and software development experts.
- Communication Infrastructure: Integrators must have a communication infrastructure supported by data centers that can provide uninterrupted service 24/7.
- Business Continuity and Data Backup: Necessary backup systems should be established to ensure business continuity and regular backups should be made to prevent data loss.
C. DOCUMENTS REQUIRED FOR AUTHORIZATION APPLICATION
Companies applying for integrator authorization must submit the following documents with their application:
- Application Form
- Company Establishment Documents
- Financial Statements
- Documents showing the amount of paid-in capital
- If the company is a joint stock company, documents showing registered shares
- Criminal records of the company’s managers and representatives, and documents showing that they have not been convicted of disgraceful crimes or information crimes
- Documents indicating the titles and areas of expertise of the personnel working within the company, their resumes and diplomas
- Copies of ISO/IEC 27001, ISO/IEC 27701 and ISO 22301 certificates held by the company
- Documents related to backup and data retention plans prepared to ensure business continuity
The organization will obtain the above-mentioned documents from the electronic systems of the relevant institutions open to access, or if this is not possible, from the applicant.
The Organization shall subject the applications to a preliminary examination in terms of form and content and forward the complete applications to the Ministry within thirty days. As a result of the evaluation made by the Ministry, integrator authorization is granted to the applications that meet the necessary conditions. This authorization is non-transferable.
Those authorized as integrators shall be notified to the Organization by the Ministry. The Organization will ensure that an agreement is concluded with the integrator regulating all technical, administrative and financial procedures and principles, including the integrator’s remote access to IYS, and will also publish the list of integrators integrated into the system on the IYS website.
If the integrator fails to fulfill its obligations or loses the conditions for authorization, a period of thirty days will be given to remedy the breach, and if the necessary arrangements are not made within this period, the authorization will be revoked.
D. OBLIGATIONS OF THE INTEGRATOR
Integrators are obliged to carry out the integrator service in accordance with the legislation. Furthermore, actions that may harm the interests of recipients, service providers or the public should be avoided.
Integrators must ensure the security of IMS and take protective measures against unauthorized access and cyber-attacks. In addition, backup and disaster recovery plans must be established and all transactions must be recorded. The Ministry may impose additional obligations that may require compliance with national and international standards.
Integrators are obliged to ensure the security of personal data obtained during the course of their services and to prevent the misuse of such data. Service providers are also jointly responsible for the protection of personal data with integrators.
Integrators may use the trade secret information they learn during their integration services solely for the intended purpose of providing the service and may not disclose such information to third parties without the service provider’s consent.
Integrators are obliged to keep the consent and rejection information received to send commercial electronic messages. They are jointly and severally liable with the service provider for the submission of this information.
E. REVOCATION OF INTEGRATOR AUTHORIZATION
If integrators violate the legislation or lose the necessary conditions, they are given 30 days to remedy these violations. If the violations are not remedied, the integrator authorization shall be revoked by the Ministry. Integrators whose authorization is revoked cannot reapply for one year. This restriction also covers the managers and partners of the company subject to revocation.
F. CONCLUSION
Integrators play a critical role in providing the technological infrastructure and ensuring that service providers fulfill regulatory requirements. Likewise, service providers are obliged to ensure regulatory compliance and service quality in their cooperation with integrators.
The obligations and requirements set out in the Communiqué require both parties to work in harmony and ensure that digital services are provided in accordance with legal standards. In this framework, it is critical for integrators and service providers to clearly understand and implement their responsibilities, both in terms of legal compliance and sustainability of service quality.
The full text of the Communiqué is available at https://www.resmigazete.gov.tr/eskiler/2024/09/20240918-6.htm
Best Regards,
Balay, Eryiğit & Erten