Turkey publishes Regulation on Identity Authentication in Electronic Communications Sector


The Information and Communication Technologies Authority (ICTA) recently published the Regulation on the Authentication of the Identity of the Applicant in the Electronic Communications Sector (“Regulation”), which contains procedures and principles for authenticating the identity of applicants for documents related to the electronic transmission of subscription agreements, number porting, operator changes, qualified electronic certificate applications, registered e-mail applications and SIM card changes.

According to the Regulation, the identity of the applicant can be authenticated via one of the following methods:

  • e-government (e-devlet) system;
  • artificial intelligence or visual authentication through an authorised official together with a document with a near field communication feature compliant with the ICAO 9303 standard;
  • creating an enhanced PDF Electronic Signature compliant with the TSI EN 319 142 standard together with the Turkish Republic Identification Card; and
  • video recording of the applicant with the Turkish Republic Identity Card in face-to-face applications.

Operators and service providers are obliged to implement measures related to the information-system storage of an applicant's identity authentication information using encryption or methods that are mathematically irreversible and ensure the privacy, security and integrity of the logs related to all transactions within the related information systems.

Identity authentication through artificial intelligence and visual authentication

Operators and service providers will be responsible for implementing all necessary security measures for technological and operational risks. Visual authentication must be conducted in real-time without an interruption. Such authentication must be made through end-to-end secured communication.

Visual authentication must not be conducted unless there is explicit consent taken from the applicant by means of Turkish Personal Data Protection Law No. 6698. Additionally, the obligation to inform must be fulfilled separately.

Further details on identity authentication through artificial intelligence, near field communication, and the application of authorised official and Turkish Republic Identity Cards can be found in the Annexes of the Regulation. According to the Regulation, artificial intelligence will compare the face visual of the applicant obtained from the identity document chip and the real-time face visual of the applicant. Operators and service providers will be obliged to present a report related to the competency of the artificial intelligence algorithm.

Transaction documents and data storage

Operators and service providers are required to comply with all liabilities determined under the Regulation and other applicable pieces of legislation. To this end, the operator or service provider must create a PDF document containing each step of the identity authentication, which will then be presented to the applicant for approval. Each transaction specified in the Regulation will be recorded and the obtained data will only be used for processes by judicial and administrative authorities and the identity authentication of the applicant. The data will be stored for the period specified within the related legislation.

The Regulation goes into effect on 31 December 2021. For more information on this Regulation and data security in Turkey, contact your regular CMS consultant or local CMS expert: Dr Döne Yalçın.