Summary of the Board Decision on “the processing of personal data by the data controller operating in e-commerce sector through cookies used by the websites/mobile applications”
10 March 2022
The complaint letter submitted to the Authority states the following, in summary:
- It is not lawful to put forward legitimate interest as a compulsory condition for processing and the data controller has not been processing personal data on the basis of explicit consent of the data subject,
- The personal data processed under the activities of the website or the cookies used is transferred abroad as stated in Article 9 of the Law No 6698, and in this context the explicit consent of the data subject is not obtained,
- Besides, it is not stated in which data subject group the data subject is included, the processing purposes of the data categories and data types processed in relation to the member customer and guest customer are not fully explained and their scope is not understood,
- It is not clear which type of data is processed from the explanations under the marketing information data category; even though the data subject has not approved the commercial electronic message, “targeting and analysis” cookies are active in the browser and application; "targeting information" or evaluations showing "favorites" for the purpose of data processing, which is presented as the improvement of member customer experience on both the platform and mobile application, have the function of behavioral advertising cookies and are processed even though they do not need to be processed; even though they are the most appropriate purpose for the specified data category and data types, the explicit consent is not obtained for “remarketing, targeting, profiling and analysis in line with the explicit consent of the member customer, promoting and marketing the application, goods/products and services in line with the preference and taste of the member customer”,
- Even though the targeted cookies are active for the visitor, it is not correct to state that there is no targeted advertising; they state that the IP address of the online visitor is processed due to the Law No. 5651 on the Regulation of Internet Broadcasts and Prevention of Crimes Committed through Such Broadcasts, and this is stated in the policy; however, in reality targeted advertising cookies are active on the site during the processing of the IP address, which is personal data, enabling the targeting,
- The obligation to inform about the cookies is not fully fulfilled, because only one part of the cookies' functioning and of the data processed is shown,
- Although it is stated that non-members or non-member visitors are not subject to profiling or segmentation, most of the cookies used collect data directly from the visitor, and visitor traffic is increased by cross-site behavioral advertising, which shows that visitors are subject to targeted advertisements, segmentation or profiling.
Within the framework of the examination initiated on the subject, the data controller was reached for its defence. In its response letter, the controller states the following, in brief:
- Except for the cookies that are not in the status of "strictly necessary cookies", the other cookies are strictly necessary in order to provide the electronic commerce service offered to users online as the information society service provider,
- In terms of "strictly necessary cookies" and providing information society service, they are an information society service provider therefore some of the cookies they use in this context are "strictly necessary cookies" to provide service, and it is not necessary to obtain explicit consent from the website or mobile application users. As a community service provider, personal data is processed based on its legitimate interests, and session cookies can be given as an example within this scope, which are used to store user login, authentication, security, network management and user preferences.
- Cookies are not presented as a prerequisite for the service offered, and the provision of the electronic commerce service is not dependent on the acceptance of these cookies, unlike the practices called "cookie walls" or "tracking walls" in the EU; moreover, users visiting the page are informed about cookies and they are not asked to use the service provided that they accept cookies,
- Name-surname, contact information (phone number, address and e-mail address) and ID number information is processed under Article 5(2)(c) of the Law and the personal data in question is shared with the seller and the cargo company within the same scope,
- Since there is no local provider providing cookie service, all websites using cookies on the internet transfer data abroad. In this regard, there is information about this transfer both in the policy texts on the website and in the Data Controllers’ Registry Information System (VERBIS) record, and data subjects are informed within the scope of Article 10 of the Law,
- Cookies are outside the scope of the Regulation on Commercial Communication and Commercial Electronic Messages and the provisions of this Regulation do not apply to cookies; therefore, commercial electronic message approval is not required for cookie applications.
As a result of the assessment made on the subject, the Board evaluates that:
- “Strictly necessary cookies” are required for a website to function properly and personal data processing can be carried out without the explicit consent of the data subject based on one of the processing conditions in Article 5(2) and Article 6(3) of the Law,
- Explicit consent must be obtained for the processing activities carried out through cookies that are not “strictly necessary”, in the event that none of the processing conditions listed in Article 5(2) and Article 6(3) of the Law applies,
- Even though the data controller relies on Article 5(2)(f) of the Law as the legal basis for its processing activity carried out through cookies, explicit consent must be sought for the processing through cookies that are not under the “strictly necessary cookies” category,
- It is understood that the data controller treats user preference cookies as strictly necessary cookies; however, it uses these cookies to provide functionality beyond what is strictly necessary, and in cases where the data subject has not clearly requested the information society service, it is necessary to rely on explicit consent,
- The Law defines the explicit consent as “freely given, specific and informed consent” and considering that explicit consent is given through an “active action” as a principle, the data controller processes personal data without relying on any of the processing conditions listed in Articles 5 and 6 of the Law by using cookies that are not strictly necessary, and there is no explicit consent mechanism for such processing activity,
- In case there is no processing condition other than explicit consent regarding the cookies, other than strictly necessary cookies that enable the proper functioning of the website/application, such as functionality cookies, performance/analytical cookies and advertising/marketing cookies; it is necessary to obtain explicit consent from users visiting the website/mobile applications, according to the "opt-in" mechanism, which ensures that the data subjects consent to the operation of cookies with their voluntary active action at the time of accessing the website/mobile application, without letting the cookies work by default,
- In terms of transfer of data in Article 9 of the Law, the data controller has not submitted a written commitment to the Authority and considering that countries with adequate level of protection have not been determined yet, personal data can only be transferred abroad relying on the explicit consent. However, the controller has not obtained explicit consent from the data subjects in this regard, and the activities carried out by the data controller by transferring personal data abroad through cookies were not carried out in accordance with Article 9 of the Law, therefore, these activities should be aligned with Article 9 of the Law,
On the basis of the foregoing evaluations, the Board with its Decision numbered 2022/229 and dated 10 March 2022 decides:
- to impose an administrative fine of 800.000 pursuant to Article 18(1)(b) of the Law on the data controller for the failure to take the technical and organizational measures laid down in Article 12(1) of the Law, following the evaluation that the data controller processes personal data without relying on any of the conditions listed in Articles 5 and 6 of the Law by way of using cookies that are not “strictly necessary”, and the controller transfers personal data without relying on any of the transfer procedures set forth in Article 9 of the Law, which is contrary to Article 12(1) of the Law,
The Board also decides the data controller shall make necessary arrangements regarding the following issues:
- Due to the fact that the data controller processes personal data without relying on any of the conditions listed in Articles 5 and 6 of the Law by way of using cookies that are not strictly necessary and in terms of this processing activity, there is no mechanism to obtain explicit consent; in case there is no processing condition other than explicit consent regarding the cookies, other than strictly necessary cookies that enable the proper functioning of the website/application, such as Functionality Cookies, Performance/Analytical cookies and Advertising/Marketing cookies, the data controller shall obtain explicit consent from users visiting the website/mobile applications, according to the "opt-in" mechanism, which ensures that the data subjects consent to the operation of cookies with their voluntary active action at the time of accessing the website/mobile application,
- The data controller shall align its processing activities, which are carried out by way of transferring data abroad through cookies, with Article 9 of the Law,
- Data controller shall seek explicit consent of the data subjects in cases where the data subject does not explicitly request the information society services, and shall determine processing conditions after evaluating whether the cookies relating to user preferences are used by necessity in order to fulfil an information society service requested by the user.
Afterwards, the data controller shall inform the Board of the arrangements made within 30 days at the latest,
- On the other hand, it is found that the information requests of the data subject within the scope of Article 11 of the Law are fulfilled by the data controller.
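The opt-in mechanism the Board requires above (non-essential cookies not operating by default, consent only through the data subject's voluntary active action, withdrawal possible, and the service itself never conditioned on acceptance) as an added JavaScript illustration; this is not code from the decision or from the data controller, and the category names and the Map-based cookie store are assumptions made for the example:

```javascript
// Added illustration, not code from the decision or the data controller.
// Cookie storage is a constructed Map so the gate runs in Node without a browser.
const STRICTLY_NECESSARY = "strictly_necessary";
// Assumed category names for the non-essential cookie kinds the decision lists.
const OPTIONAL_CATEGORIES = ["functionality", "performance_analytics", "advertising_marketing"];

class CookieConsentGate {
  constructor() {
    // Opt-in default: every optional category starts without consent.
    this.consent = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
    this.jar = new Map();  // name -> { value, category }; stand-in for document.cookie
    this.blocked = [];     // audit trail of writes refused for lack of consent
  }

  // Consent is recorded only when it comes from an active user action (a click on a
  // category toggle or an accept button). Pre-ticked boxes, scrolling or continued
  // browsing are not active actions and must not be passed as such.
  recordConsent(choices, { activeAction }) {
    if (activeAction !== true) throw new Error("consent requires an active user action");
    for (const [category, granted] of Object.entries(choices)) {
      if (!OPTIONAL_CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      this.consent[category] = granted === true;
    }
  }

  isAllowed(category) {
    return category === STRICTLY_NECESSARY || this.consent[category] === true;
  }

  // Single choke point for cookie writes: strictly necessary cookies are always set,
  // optional ones only after opt-in. A refused write never blocks the service itself.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) {
      this.blocked.push({ name, category });
      return false;
    }
    this.jar.set(name, { value, category });
    return true;
  }

  // Withdrawal removes consent and deletes the cookies already set in that category.
  withdraw(category) {
    this.consent[category] = false;
    for (const [name, entry] of this.jar) {
      if (entry.category === category) this.jar.delete(name);
    }
  }
}
```

The `blocked` list gives a simple audit record of which non-essential cookies a page attempted to set before consent, which is the kind of evidence a compliance review of default cookie behaviour looks for.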