INFORMATION NOTE ON THE SUMMARY OF THE DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 10/03/2022 AND NUMBERED 2022/229


3 June 2022

You may find below our notes on the “Summary of the Personal Data Protection Board’s (“Board”) Decision dated 10/03/2022 and numbered 2022/229 on “unlawful processing of personal data through cookies used on the website/mobile applications by the data controller company operating in the e-commerce sector”.

Board’s Findings:

The following interpretations set forth under the decision of the Board are important:

  • Cookies are of two types: “strictly necessary cookies” and cookies that do not have this qualification.
  • “Strictly necessary cookies”, are necessary for the website to function properly; other cookies are functionality cookies, performance-analytical cookies, and advertising/marketing cookies.
  • In cases where there are no exceptions to the obligation to obtain explicit consent stipulated by the Personal Data Protection Law no. 6698 (“PDPL”), it is obligatory to obtain explicit consent from the data subject, especially for cookies that are not qualify as "strictly necessary cookies" within the framework of the "opt-in" mechanism.
  • In addition to informing the data subject, the pop-ups appearing while entering a website should be of a nature that will ensure the explicit consent of the data subject in terms of cookies that are not strictly necessary, unless there is an exception provided by the PDPL.
  • Related hyperlinks should be added to the said pop-ups so that the Privacy Policy and the Cookie Policy can be accessed separately and easily.
  • “Cookie Policies” should accurately include data processing purposes and which data processing purpose applies, to whom and for what purposes the data might be transferred, the collecting methods of personal data, legal reason(s), and other rights of the data subjects under Article 11 of PDPL.

Review: Until this decision, the Board did not have a clear approach to which types of cookies would be subject to express consent. Although the Board previously stated that it may accept cookies as personal data in some decisions, it did not evaluate the cookies within the scope of PDPL until the Amazon Turkey decision dated 27/02/2020 and no. 2020/1731 (“Amazon Turkey Decision”). As a matter of fact, in the Amazon Turkey Decision, it was mentioned that the consent regarding the cookies should be obtained by the opt-in method and that the consent obtained by the opt-out method would be assessed as invalid, however, no explanation was given as to which of the cookies should be subject to explicit consent.

Until this decision dated 10.03.2022, two different approaches were adopted in the market: The first was to ignore the types of cookies by proceeding only in accordance with the opt-in method specified in the Amazon Turkey Decision of the Board, and the second was the adoption of the market approach, which was also adopted in Europe in accordance with the European General Data Protection Regulation ("GDPR") and which is in line with this decision. With this decision, it is understood that the Board has adopted the GDPR practice regarding cookies, which has become widespread in Europe.

With this decision, the Board once again drew attention to the obligation of the data controller to explain to the data subject which data is processed and for what reasons, and the reasons for data transfer, if carried out, in accordance with the obligation to inform, and stated that the cookies used on the websites are also included within this scope.

The reasons for data processing in terms of cookies necessary for the operation of the website may remain within the scope of the explicit consent exceptions listed in Article 5.2 of the PDPL. In this case, “strictly necessary cookies” can be considered as the legitimate interests of the data controller and/or for the establishment of a right or directly related to the conclusion or performance of a contract. However, in terms of functionality cookies that are not mandatory for operating the website and that measure the performance of visits to the website or that are related to advertising/marketing, or that enable the personalization of the website, it is often difficult to find an exception other than express consent within the scope of PDPL article 5.1. For this reason, the data subject has the right to opt-in for these cookies. Therefore, in order for cookies that are not “strictly necessary”, the explicit consent of the persons visiting the website must be obtained. This explicit consent will also need to be obtained through the opt-in method, which the data subjects have the right to choose.

In addition, considering the well-established precedents of the Board regarding the international transfers, if the servers where cookies are stored, including cookies subject to explicit consent, are located abroad and/or if the servers of the parties providing services related to cookies are located abroad (E.g., Google, Meta, etc.) it will be the safest approach to integrate an explicit consent mechanism for the international transfer of cookies into the websites within the scope of PDPL.

As a result of the obligation to inform, the purposes of data processing, to whom and for what purpose the data transfer is made, data collection methods and legal reasons, and the rights of the data subject should be clearly and comprehensibly stated in the cookie policies. Finally, the hyperlinks to the privacy policy and the cookie policy should be added to the site separately so that they can be easily accessed by data subjects.

Should you have any queries on the above, please do not hesitate to contact us.

Güner Law Office was established in 1996 and has since grown into one of the major corporate, M&A, banking and finance, energy, TMT and dispute resolution practices in Turkey.

Contact

Ece Güner
Managing Partner
eg@guner.av.tr

Burçak Kurt Biçer
Partner
bkb@guner.av.tr

Uğurkan Şeber
Associate
us@guner.av.tr