1. GOVERNING TEXTS
There is no specific legislation applicable to cookies and similar technologies. However, to the extent that cookies and similar technologies include or may be used to collect any data related to an identified or identifiable individual (personal data), then Law on Protection of Personal Data No. 6698 ('the Law') and its secondary legislation are also applicable to cookies and similar technologies which may be used by data controllers and processors.
In relation to the above, the most notable secondary legislation applicable to such cookies and other technologies are the following:
- Regulation on the Data Controller Registry 2017 (only available in Turkish here), which requires organizations to inform the Personal Data Protection Authority ('KVKK') about their processing activities related to, among other things, cookies and similar technologies including or used to collect personal data;
- Regulation on Deletion, Destruction or Anonymisation of Personal Data (2017) (only available in Turkish here); and
- Communication on Procedures and Principles Regarding the Data Controller's Obligation to Inform Data Subjects (2018) (only available in Turkish here) ('the Communication on Information Obligation').
1.2. Regulatory Authority Guidance
The KVKK, or any other public authority, has not issued any specific guidance regarding cookies and similar technologies.
However, the KVKK issued the following guidelines, that are also applicable to cookies and similar technologies including or used to collect personal data:
- Guidelines on Personal Data Security (only available in Turkish here), which include information on minimum technical and administrative measures generally expected by the KVKK for data controllers and processors;
- Guidelines on Erasure, Destruction, and Anonymisation of Personal Data (only available in Turkish here);
- Guidelines on Preparation of the Data Inventory (only available in Turkish here), which must also be deemed to cover personal data included in or collected via cookies and similar technologies; and
- Guidelines on Implementation of the Information Obligation (only available in Turkish here).
Furthermore, the precedents and principle decisions of the Personal Data Protection Board ('the Board') under the KVKK must also be considered as guidance. Such precedents and decisions are announced on the official website of the KVKK. In particular, one decision (only available in Turkish here) ('the Decision') against a major electronic commerce entity (Amazon Turkey Retail Services Limited TRY) includes, among other things, determinations about the processing activities of the relevant data controller through cookies. It is the first time the KVKK has referred to cookies and the relevant requirements in a decision.
Cookies & similar technologies: There is no definition of cookies or similar technologies in any Turkish legislation.
Consent: Explicit consent is defined as freely given, specific, and informed consent, as per Article 3(a) of the Law. Accordingly, consent can be deemed valid if the following conditions are met:
- the data subjects should have the right to refuse to consent;
- the subject of the provided consent should be related to a specifically defined data processing activity; and
- necessary information regarding data processing activity should have been given before obtaining explicit consent, as required by the Law.
One of the obligations applicable to data controllers under the Law is the provision of detailed information to data subjects whose personal data is being processed. Accordingly, although neither the Law nor the Communication on Information Obligation contains specific provisions on cookies and similar technologies, data controllers must inform the data subjects of the following for cookies and similar technologies including or used to collect personal data (Article 10 of the Law):
- the identity of the data controller or its representative, if any;
- the purpose of processing of the relevant cookies and similar technologies and of personal data collected via such cookies and similar technologies;
- to whom and for which purposes the relevant data collected via the relevant cookies and similar technologies may be transferred;
- the method and legal basis for use of the relevant cookies and similar technologies and for collection of personal data collected via such cookies and similar technologies; and
- the rights of the data subject stipulated under the Law.
Personal data can be processed on various legal grounds. Except for sensitive personal data (which cover race, ethnic origin, political beliefs, philosophical beliefs, religion, denomination or other faiths, clothing and attire, membership of an association, charity or union, health, sexual life, criminal convictions and security measures, and biometric and genetic data), which are subject to more restrictive processing conditions and require additional security measures, personal data can be processed in the following circumstances:
- if the data subject consents to the relevant processing activity;
- if clearly stipulated under laws;
- if mandatory for the protection of life or to prevent the physical injury of a person, in cases where that person cannot express consent or whose consent is legally invalid due to physical disabilities;
- if necessary for and directly related to the establishment or performance of a contract, and limited to the personal data related to the parties to the contract;
- if mandatory in order for a data controller to fulfill its legal obligations;
- if the data is made manifestly public by the data subject;
- if mandatory for the establishment, exercise, or protection of certain rights; or
- if processing the data is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject or any related person are not compromised.
In accordance with the Board's interpretation of the relevant provisions, as reflected in its precedents, if the processing activity can be based on any legal ground other than consent, the data controller must not request consent for such data processing activities, and blanket consent will not be valid.
The same rules are also applicable to cookies. Each kind of cookie or similar technology must be evaluated separately, and the data controller must request consent only for the cookies and similar technologies used for data processing activities that require data subjects' consent.
For instance, the data controller should not request consent for the use of strictly necessary cookies. Furthermore, depending on the scope of the use, the data controller may also rely on its legitimate interest for general performance and functionality cookies. On the other hand, we advise that targeting and advertising cookies or analytic cookies must in general be subject to consent. Still, the scope of the requirement must be determined on a case-by-case basis, by analysing which cookie or similar technology is used, for what purposes, and whether or not it may be replaced with another cookie or technology that includes or collects less or no personal data.
In summary, based on the nature and the scope of any cookie or similar technology, it will be determined whether the consent requirement is applicable. In any case, the data subjects must be provided with information about cookies and similar technologies including or used to collect personal data, as noted in section 3.1 above.
In addition, in the Decision the Board noted the following:
- setting cookies may be considered a data processing activity under the Law;
- the data controllers must not obtain consent for necessary cookies, but only for optional cookies, and consent must not be made conditional on the provision of a service; and
- consent must be given specifically to the processing activities requiring it and, based on the definition of consent, it must be deemed informed consent. Consent cannot be used for further processing activities about which the data subjects have not been informed. If any new activity requires the use of persistent cookies, the data subject must be informed of this addition and must consent to such activity if the data controller cannot rely on another legal ground for the new processing activity.
On the other hand, it should be emphasised that even if data processing activities through cookies may be based on a legal ground other than explicit consent, international transfers of personal data are a type of processing activity which may require explicit consent even for strictly necessary cookies. In accordance with the Law, the transfer of personal data outside of Turkey is restricted. With respect to the transfer of personal data abroad, Turkish legislation does not give the required comfort to implement the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Therefore, irrespective of whether the personal data to be transferred abroad is sensitive data or not, any personal data may be transferred outside Turkey only in accordance with Articles 8 and 9 of the Law.
4. COOKIES & THIRD PARTIES
Please see section 3.1, which is also applicable to cookies installed by third parties and third-party cookies. If any personal data is collected via cookies and similar technologies by third parties, the data controller (operator of the relevant website) must provide data subjects with information on the transfer of their personal data to third parties and on the purposes of the same. On the other hand, as there is no specific regulation for cookies and similar technologies, there is no definition of third-party cookies either. Therefore, it is the data controller's responsibility to inform data subjects about data processing activities and to obtain their consent if necessary and applicable. Accordingly, for third-party cookies, the third party is responsible for fulfilling these obligations. Although the data controller is in principle responsible for the obligations set forth under the Law, the data controller may have a contractual relationship with another party according to which the latter fulfills the obligation to inform and to obtain explicit consent on behalf of the data controller. Therefore, the third party may have a contract with the website operator and contractually assign the relevant responsibilities to the website operator. However, a contractual relationship does not remove the data controller's responsibilities under the Law. It is worth noting that where such third parties process data as a data controller, they have their own responsibility to inform data subjects and obtain the required consents when needed.
Moreover, the KVKK may also draw on the discussions in the EU on the relevance of the provisions of the GDPR if any issue is raised before the KVKK with respect to third-party cookies. Therefore, to be safe, it is advisable for a website operator to inform visitors about which third-party cookies may operate on the website, to provide links to the relevant third party's privacy and cookie policies for ease of reference, and to include the necessary provisions in its contracts with the relevant third parties for them to process their cookies in line with the applicable Turkish data privacy legislation.
5. COOKIE RETENTION
There are no specific rules with regard to cookie retention.
However, the provisions on data retention under the Law and its secondary legislation are also applicable to cookies and similar technologies including or used to collect personal data. As a general principle, personal data must be retained for the period of time stipulated by the relevant legislation or as long as required for the purpose of processing. Personal data must be erased, destroyed, or anonymised by the data controller, ex officio or upon demand by the data subject, as soon as there is no legitimate reason to store it. In relation to the same, it is advisable to delete all session cookies when the session is finished. Persistent cookies can be stored for some period of time, but they should also be deleted within a reasonable time after the session; the reasonable time will be determined on the basis of the purpose for the use of the relevant cookie and considering how long the relevant cookie reasonably needs to be retained for the applicable purpose. It is not advisable to retain cookies for an unlimited period of time.
As noted under section 3.2 above, consent is required only for cookies and similar technologies used for data processing purposes for which the data controller cannot rely on other legal grounds. Consent must be specific to the data processing activities and therefore data subjects must have the option to consent to all such cookies and other technologies, or only to some of them, based on their preferences.
A cookie or tracking wall which prevents the visitor from personalising their options and requires the visitor to accept all cookies and similar technologies in order to access the web service is not acceptable from the perspective of Turkish legislation. In this regard, cookie walls are not compliant with Turkish legislation. In fact, the interfaces of websites must be designed to allow visitors to give granular consent to certain types of cookies and similar technologies that are subject to the consent requirement, as noted under section 3.2 above.
Moreover, data controllers processing personal data through cookies should also take into consideration their registration obligation with the Data Controllers' Registry ('VERBIS'). Irrespective of whether they are located in or outside of Turkey, all data controllers who process the personal data of Turkish residents are subject to the data protection legislation. For data controllers located in Turkey, there are some thresholds triggering the registration obligation. Data controllers located in Turkey must register with VERBIS if they have more than 50 employees or have a balance sheet with a volume of more than TRY 25 million (approx. €2.66 million). However, the relevant thresholds are not applicable to data controllers located outside Turkey, and all such data controllers subject to Turkish legislation must be registered with VERBIS even if they do not have more than 50 employees or a balance sheet with a volume of more than TRY 25 million. The initial deadline for data controllers already processing personal data was 30 September 2020. The KVKK announced that it will warn the data controllers who have failed to comply with the registration obligation and will grant the relevant data controllers some time to complete the registration, in consideration of COVID-19 related issues affecting the data controllers. Legally speaking, the KVKK is authorised to apply an administrative sanction without granting any further period to data controllers, as the relevant deadline was already extended several times. Furthermore, the period to be granted by the KVKK may be a short one in which to complete such an extensive obligation, covering all data processing activities related to Turkish residents. Therefore, it is advisable for non-compliant data controllers to start preparations and complete the registration as soon as possible.
Data controllers who will newly begin data processing activities in Turkey will have 30 days to complete the registration obligation.
As mentioned above, data controllers using cookies and similar technologies should inform data subjects accordingly. Those who fail to comply with the obligation to inform as per the Law will have to pay an administrative fine amounting from TRY 9,012 (approx. €959) to TRY 180,263 (approx. €19,200) for the year of 2020. The amounts will be updated for each year based on inflation rates.
In accordance with the interpretation of the Board in its established precedents, failing to obtain valid consent for any processing activity requiring the consent of the relevant data subject will be deemed a breach of data security obligations. Therefore, data controllers who have failed to obtain consent for optional cookies and similar technologies used for their service may be required to pay an administrative fine amounting from TRY 27,037 (approx. €2,880) to TRY 1,802,636 (approx. €192,000) for the year 2020, and the amounts will be updated each year based on inflation rates. The sanction may also apply to data controllers using cookie walls.
Furthermore, those who fail to meet the obligations for registration with VERBIS will be required to pay an administrative fine of TRY 36,050 (approx. €3,840) to TRY 1,802,636 (approx. €192,000) for the year of 2020 and the amounts will be updated for each year based on inflation rates.
In addition to the above, unlawful retention, processing, and transferring may also trigger criminal liability (judicial fine and imprisonment) of the data controllers' executives and the relevant officers depending on the case.
First published by OneTrust DataGuidance - Guidance Notes, on 26.10.2020