3 June 2022
You may find below our notes on the “Summary of the Personal Data Protection Board’s (“Board”) Decision dated 10/03/2022 and numbered 2022/229 on “unlawful processing of personal data through cookies used on the website/mobile applications by the data controller company operating in the e-commerce sector”.
The following interpretations set forth under the decision of the Board are important:
Review: Until this decision, the Board did not have a clear approach to which types of cookies would be subject to express consent. Although the Board previously stated that it may accept cookies as personal data in some decisions, it did not evaluate the cookies within the scope of PDPL until the Amazon Turkey decision dated 27/02/2020 and no. 2020/1731 (“Amazon Turkey Decision”). As a matter of fact, in the Amazon Turkey Decision, it was mentioned that the consent regarding the cookies should be obtained by the opt-in method and that the consent obtained by the opt-out method would be assessed as invalid, however, no explanation was given as to which of the cookies should be subject to explicit consent.
Until this decision dated 10.03.2022, two different approaches were adopted in the market: The first was to ignore the types of cookies by proceeding only in accordance with the opt-in method specified in the Amazon Turkey Decision of the Board, and the second was the adoption of the market approach, which was also adopted in Europe in accordance with the European General Data Protection Regulation ("GDPR") and which is in line with this decision. With this decision, it is understood that the Board has adopted the GDPR practice regarding cookies, which has become widespread in Europe.
With this decision, the Board once again drew attention to the obligation of the data controller to explain to the data subject which data is processed and for what reasons, and the reasons for data transfer, if carried out, in accordance with the obligation to inform, and stated that the cookies used on the websites are also included within this scope.
The reasons for data processing in terms of cookies necessary for the operation of the website may remain within the scope of the explicit consent exceptions listed in Article 5.2 of the PDPL. In this case, “strictly necessary cookies” can be considered as the legitimate interests of the data controller and/or for the establishment of a right or directly related to the conclusion or performance of a contract. However, in terms of functionality cookies that are not mandatory for operating the website and that measure the performance of visits to the website or that are related to advertising/marketing, or that enable the personalization of the website, it is often difficult to find an exception other than express consent within the scope of PDPL article 5.1. For this reason, the data subject has the right to opt-in for these cookies. Therefore, in order for cookies that are not “strictly necessary”, the explicit consent of the persons visiting the website must be obtained. This explicit consent will also need to be obtained through the opt-in method, which the data subjects have the right to choose.
In addition, considering the well-established precedents of the Board regarding the international transfers, if the servers where cookies are stored, including cookies subject to explicit consent, are located abroad and/or if the servers of the parties providing services related to cookies are located abroad (E.g., Google, Meta, etc.) it will be the safest approach to integrate an explicit consent mechanism for the international transfer of cookies into the websites within the scope of PDPL.
Should you have any queries on the above, please do not hesitate to contact us.
Güner Law Office was established in 1996 and has since grown into one of the major corporate, M&A, banking and finance, energy, TMT and dispute resolution practices in Turkey.
Ece Güner Toprak
Burçak Kurt Biçer