Summary of the Board Decision on “the processing of personal data by the data controller operating in e-commerce sector through cookies used by the websites/mobile applications”

Decision Date : 10 March 2022
Decision No : 2022/229
Subject : Processing of personal data by the data controller operating in e-commerce sector through cookies used by the websites/mobile applications

The complaint letter submitted to the Authority states the following, in summary:

  • The cookie policy implemented by the data controller interferes with the fundamental rights and freedoms of individuals and their right to privacy,
  • The obligation to inform is not fully fulfilled, since the cookie policy published on the website contains incomprehensible and unspecified information,
  • It is not lawful to put forward legitimate interest as a compulsory condition for processing and the data controller has not been processing personal data on the basis of explicit consent of the data subject, 
  • The personal data processed through the activities of the website or the cookies used is transferred abroad within the meaning of Article 9 of the Law No 6698, and in this context the explicit consent of the data subject is not obtained,
  • Information was requested from the data controller within the scope of all the rights held under Article 11 of the Law; however, the data controller's response contains only information about the use of cookies,
  • Besides, it is not stated which data subject group the data subject falls into; the processing purposes of the data categories and data types processed in relation to the member customer and the guest customer are not fully explained, and their scope is not understood,
  • It is not clear which type of data is processed under the explanations in the marketing information data category. Even though the data subject has not approved commercial electronic messages, “targeting and analysis” cookies are active in the browser and the application. “Targeting information” or evaluations showing “favorites”, presented as serving the improvement of the member customer experience on both the platform and the mobile application, have the function of behavioral advertising cookies and are processed even though they do not need to be processed; and even though they are the most appropriate purpose for the specified data category and data types, explicit consent is not obtained for “remarketing, targeting, profiling and analysis in line with the explicit consent of the member customer, promoting and marketing the application, goods/products and services in line with the preference and taste of the member customer”,
  • Since targeted cookies are active for the visitor, it is not correct to state that there is no targeted advertising; the data controller states that the IP address of the online visitor is processed due to the Law No. 5651 on the Regulation of Internet Broadcasts and Prevention of Crimes Committed through Such Broadcasts, and this is stated in the policy; however, in reality, targeted advertising cookies are active on the site during the processing of the IP address, which is personal data, enabling the targeting,
  • The cookie policy on the website does not reflect the truth; the features of cookies and third-party cookies are not included fully and accurately; data retention periods are specified only for a limited number of cookies; and some information is shared between two platforms when a membership is created via a social media platform and the login tab is used,
  • The obligation to inform for the cookies is not fully fulfilled because only one part of the cookies' functioning and of the data processed is shown,
  • Furthermore, disabling cookies in the browser or on mobile is offered as a precaution, but disabling cookies in the browser makes the person's browsing experience completely unbearable, and personal data will be processed every time if the user does not block the use of cookies in the browser settings before visiting the site. Third-party analytical cookies cannot always be considered legitimate; these cookies do not benefit the user experience, and the transfer of personal data abroad by using 14 analytical cookies on the website is not carried out in accordance with the Law. In its reply, the data controller emphasized that the e-Privacy Regulation regarding the use of such cookies in the European Union acquis is still at the draft stage; however, the e-Privacy Directive 2002/58, which was drafted as a regulation, is currently in force as the Directive 2009/136. The Directive no 2009/136 has rearranged the "right to refuse", which should be granted to the user under Article 5(3) of the Directive no 2002/58 when applying behavioral advertising and analytical cookies, and currently such cookie practices are subject to "consent" as defined in Directive 95/46, and this consent should be interpreted in accordance with the European Union General Data Protection Regulation (GDPR),
  • Although it is stated that non-members or non-member visitors are not subject to profiling or segmentation, most of the cookies used collect data directly from the visitor, and visitor traffic is increased by cross-site behavioral advertising, which shows that visitors are subject to targeted advertisements, segmentation or profiling.

Within the framework of the examination initiated on the subject, the data controller was reached for its defence. In its response letter, the controller states the following, in brief:

  • The personal data processed through cookies are “session token, buyer ID, hashed e-mail, sex, registration date, last date of login, e-mail permission, recipient VIP status and cookies that are not in the ‘strictly necessary cookie’ status as specified in the Cookie Policy on web/mobile websites” and these are processed under the condition that the processing is necessary for the legitimate interests pursuant to Article 5(2)(f) of the Law,
  • Except for the cookies that are not in the status of "strictly necessary cookies", the other cookies are strictly necessary in order to provide the electronic commerce service offered to users online as the information society service provider, 
  • In terms of "strictly necessary cookies" and providing an information society service, they are an information society service provider, and therefore some of the cookies they use in this context are "strictly necessary cookies" to provide the service, and it is not necessary to obtain explicit consent from the website or mobile application users. As a community service provider, personal data is processed based on its legitimate interests; session cookies, which are used to store user login, authentication, security, network management and user preferences, can be given as an example within this scope,
  • Analytics, user behavior tracking and other online advertising cookies that are not in the category of "strictly necessary cookies" are used; in this context, a pop-up privacy notice appears after the users' first visit to the website, after which users are directed to the Privacy and Cookie Policies on the website. In the Cookie Policy, the user is informed of how cookies are used, the distinction and functions of first- and third-party cookies, how third-party cookies are used for advertising and targeting, the cookie provider, cookie name, type, purpose, duration, and how to manage cookies,
  • Cookies are not presented as a prerequisite for the service offered, and the provision of the electronic commerce service is not dependent on the acceptance of these cookies, unlike the practices called "cookie walls" or "tracking walls" in the EU; moreover, users visiting the page are informed about cookies and they are not asked to use the service provided that they accept cookies,
  • Cookie practices were accepted in Europe until the GDPR entered into force, and the same practice was adopted and used by many companies in Türkiye; after its entry into force, GDPR introduced the condition to obtain consent from the user for tracking and online advertising cookies, excluding the "strictly necessary cookies" regulated by the e-Privacy Directive 2002/58; but in practice many companies still continue to apply pre-GDPR conditions for the use of cookies; in order to clarify this situation, it is essential to publish a guide by the Personal Data Protection Board to assist data controllers; regardless of the complaint made by the data subject, negotiations have started with companies that offer technical solutions to obtain consent for the use of cookies and to provide consent management; and after commercial agreements are made, information regarding the operation of the pages, providing explicit consent for cookies and user preference management, will be submitted to the Board, 
  • Cookies are used not only by e-commerce sites but also in the entire internet ecosystem, and in today's world, the use of cookies has become a basic standard in terms of internet experience, therefore, especially e-commerce platforms cannot fulfill their basic functions without using cookies and cannot provide a quality service to their users, and also it is not possible to substitute cookies with another tool due to their functions and the use of cookies is mandatory for an e-commerce platform,
  • There is no doubt that there are legitimate interests in the use of cookies, because the use of cookies is one of the basic requirements that feed the decision support systems, such as improving the customer experience and providing service focused on customer preferences; otherwise, it will deeply damage the user experience and their own activities and push the companies out of sectoral competition,
  • The benefit obtained as a result of data processing is proportional to the fundamental rights and freedoms of the data subjects. The essence of the use of cookies is to improve the user experience and to ensure that the relevant website is used in the most beneficial and easiest way for the user, in this context, it is aimed to provide a special experience to the users by taking into account the interests and wishes of the users,
  • They are of the opinion that the personal data processing activities carried out within the scope of cookies satisfy the legitimate interest balancing test; in parallel with the EU's GDPR and e-Privacy Directive practices regarding the use of cookies and similar technologies, the processes of obtaining the explicit consent of the user and consent management processes have begun to be designed for "cookies that are not strictly necessary",
  • Name-surname, contact information (phone number, address and e-mail address) and ID number information is processed under Article 5(2)(c) of the Law and the personal data in question is shared with the seller and the cargo company within the same scope,
  • Privacy Policy and the Cookie Policy presented are complementary to each other and they contain detailed explanations regarding the data processed within the scope of the use of cookies. Issues the data subject claims not to have been clarified are actually covered in the Privacy Policy, in addition, those policy texts contain all the content specified in Article 10 of the Law, 
  • There is no "tracking wall" application on their websites and mobile applications, and if cookies are deactivated as specified in the Cookie Policy, the website still functions and is open to visit effectively,
  • Since there is no local provider providing cookie service, all websites using cookies on the internet transfer data abroad. In this regard, there is information about this transfer both in the policy texts on the website and in the Data Controllers’ Registry Information System (VERBIS) record, and data subjects are informed within the scope of Article 10 of the Law,
  • Cookies are outside the scope of the Regulation on Commercial Communication and Commercial Electronic Messages and the provisions of this Regulation do not apply to cookies; therefore, commercial electronic message approval is not required for cookie applications.

As a result of the assessment made on the subject, the Board evaluates that:

  • While there is no need to obtain explicit consent for the necessary cookies required for a website to function properly, the use of cookies for advertising, marketing and performance purposes is subject to the explicit consent of the data subjects,
  • “Strictly necessary cookies” are required for a website to function properly and personal data processing can be carried out without the explicit consent of the data subject based on one of the processing conditions in Article 5(2) and Article 6(3) of the Law, 
  • Explicit consent must be obtained for the processing activities carried out through cookies that are not “strictly necessary” in the event that the processing conditions listed in Article 5(2) and Article 6(3) of the Law are not met,
  • Even though the data controller relies on Article 5(2)(f) of the Law as the legal basis for its processing activity carried out through cookies, explicit consent must be sought for the processing through cookies that are not under the “strictly necessary cookies” category,
  • It is understood that the data controller evaluates user preferences within the scope of strictly necessary cookies; however, it uses these cookies for the purpose of providing functionality other than necessary cookies, and in cases where the data subject does not clearly request the information society service, it is necessary to rely on explicit consent,
  • The Privacy Policy the data controller shared on its website states that “… It uses it for targeted advertising/promotional purposes in order to present content and advertisements more relevant to your interests and to you… By matching the information obtained through cookies with other personal data belonging to you; it offers you more suitable content, personalized campaigns and products, and does not offer content or opportunities that you previously stated that you do not want.” The text also provides explanations on how the data controller uses third-party cookies for advertising and retargeting. Taking into account the list of third-party cookies used on the website, presented in the complaint of the data subject, the data controller is processing personal data by using advertising/marketing cookies,
  • A website notification appears on the lower left corner of the page informing that “Use of Cookies enable us to offer the website and our services more effectively. For detailed information, you can review the Privacy and Personal Data Protection Policy and the Cookie Policy.” However, there is no indication that the explicit consent of the data subject is sought in terms of cookies that are not strictly necessary,
  • In addition, under the Cookie Management heading in the cookie policy, it is seen that users are directed to obtain information about the cookies according to the type of internet browser and to exercise the right to allow or reject them,
  • The Law defines the explicit consent as “freely given, specific and informed consent” and considering that explicit consent is given through an “active action” as a principle, the data controller processes personal data without relying on any of the processing conditions listed in Articles 5 and 6 of the Law by using cookies that are not strictly necessary, and there is no explicit consent mechanism for such processing activity, 
  • In case there is no processing condition other than explicit consent regarding the cookies, other than strictly necessary cookies that enable the proper functioning of the website/application, such as functionality cookies, performance/analytical cookies and advertising/marketing cookies; it is necessary to obtain explicit consent from users visiting the website/mobile applications, according to the "opt-in" mechanism, which ensures that the data subjects consent to the operation of cookies with their voluntary active action at the time of accessing the website/mobile application, without letting the cookies work by default, 
  • In terms of transfer of data in Article 9 of the Law, the data controller has not submitted a written commitment to the Authority and considering that countries with adequate level of protection have not been determined yet, personal data can only be transferred abroad relying on the explicit consent. However, the controller has not obtained explicit consent from the data subjects in this regard, and the activities carried out by the data controller by transferring personal data abroad through cookies were not carried out in accordance with Article 9 of the Law, therefore, these activities should be aligned with Article 9 of the Law,
  • A website notification appears on the lower left corner of the page informing that “Use of Cookies enable us to offer the website and our services more effectively. For detailed information, you can review the Privacy and Personal Data Protection Policy and the Cookie Policy.” When either of these policies is clicked on, users are directed to the main page with the Privacy Policies, and only after a while does the page with the relevant policy appear on the screen,
  • The Privacy and Personal Data Protection Policy text gives the information that “… you can review our Cookie Policy for detailed information about the cookies used by the Cookie (Cookie) Usage and Management, the types of cookies, their purposes, storage periods and cookie management.” It is important to include in the text in question a link that directly takes the data subjects to the Cookie Policy, in order to make the information about cookies easier to access; therefore, the text needs to be updated to add a link that directly redirects to the Cookie Policy,
  • The data controller drafted a separate Cookie Policy in addition to the Privacy and Personal Data Protection Policy, and considering that the data subjects are also directed to this text in terms of the personal data processing activities carried out through cookies, it should be noted that the information the data controller provides regarding cookies in the Privacy Policy should also be included in the Cookie Policy. Moreover, that text should comply with Article 10 of the Law and the Communiqué on Principles and Procedures to Be Followed in Fulfillment of The Obligation to Inform (the Communiqué),
  • Within this framework, the Cookie Policy text provides an explanation on the identity of the data controller in accordance with Article 4 of the Communiqué; however, there is no proper information on the purpose of the processing, to whom and for what purposes the data will be transferred, the methods for collecting personal data and the legal basis, or the other rights stipulated in Article 11 of the Law,
  • When the Cookie Policy in question is evaluated within the scope of Article 5(1)(g) of the Communique, it is seen that purposes for personal data processing are determined in this policy, but there is no detailed information about which personal data processing activity coincides with which processing purpose. Furthermore, although the purposes of each type of cookie are shown in the table, those purposes given are not clear enough to be understood by the data subjects,
  • When the Cookie Policy in question is evaluated within the scope of Article 5(1)(ğ) of the Communiqué, the data controller has used a comprehensible, clear and simple language in the Cookie Policy for the cookies, despite their technical nature,
  • When the Cookie Policy in question is evaluated within the scope of Article 5(1)(h) of the Communiqué, it is not clearly stated in the Cookie Policy issued by the data controller which personal data is associated with which processing purpose and legal basis as a processing condition; and when evaluated under subparagraph (i), it is seen that the Cookie Policy does not clearly state which personal data is obtained by which method,
  • The data controller should review the processes regarding the cookies currently used on the website and mobile application to ensure their compliance with the Cookie Policy, and within this framework, the Cookie Policy should be updated in accordance with Article 10 of the Law and the Communiqué.

On the basis of the foregoing evaluations, the Board with its Decision numbered 2022/229 and dated 10 March 2022 decides: 

  • To impose an administrative fine of 800,000 pursuant to Article 18(1)(b) of the Law on the data controller for the failure to take the technical and organizational measures laid down in Article 12(1) of the Law, following the evaluation that the data controller processes personal data without relying on any of the conditions listed in Articles 5 and 6 of the Law by way of using cookies that are not “strictly necessary”, and the controller transfers personal data without relying on any of the transfer procedures set forth in Article 9 of the Law, which is contrary to Article 12(1) of the Law.

The Board also decides that the data controller shall make the necessary arrangements regarding the following issues:

  • Since the data controller processes personal data without relying on any of the conditions listed in Articles 5 and 6 of the Law by way of using cookies that are not strictly necessary, and there is no mechanism to obtain explicit consent for this processing activity, the data controller shall, in case there is no processing condition other than explicit consent regarding cookies other than the strictly necessary cookies that enable the proper functioning of the website/application (such as functionality cookies, performance/analytical cookies and advertising/marketing cookies), obtain explicit consent from users visiting the website/mobile applications according to the "opt-in" mechanism, which ensures that the data subjects consent to the operation of cookies with their voluntary active action at the time of accessing the website/mobile application,
  • The data controller shall align its processing activities, which are carried out by way of transferring data abroad through cookies, with Article 9 of the Law,
  • Data controller shall update its Privacy and Personal Data Protection Policy by including a link that will direct the data subjects to the Cookie Policy in order to make the notice regarding the cookies easier to access, 
  • Data controller shall review the cookie processes currently used on its website and mobile application to ensure their compliance with the Cookie Policy, and within this framework, update the Policy in accordance with Article 10 of the Law and the Communiqué on Principles and Procedures to Be Followed in Fulfillment of The Obligation to Inform,
  • Data controller shall seek explicit consent of the data subjects in cases where the data subject does not explicitly request the information society services, and shall determine processing conditions after evaluating whether the cookies relating to user preferences are used by necessity in order to fulfil an information society service requested by the user.

Afterwards, the data controller shall inform the Board of the arrangements made within 30 days at the latest.

  • On the other hand, it is found that the information requests of the data subject within the scope of Article 11 of the Law are fulfilled by the data controller.