On 23 May 2022, the Turkish Personal Data Protection Authority ("Authority") issued a decision ("Decision") on "cookies" used on websites and/or mobile apps by a data controller operating in the e-commerce sector.

In its Decision, the Authority examined a complaint on cookies used by a data controller and decided to impose a monetary fine of TRY 800,000 (approx. EUR 45,000) due to unlawful data processing activity through cookies.

In summary, the Authority underlined the following points:

  • The legal ground for processing personal data via cookies differs depending on the type of cookie, i.e., whether it is a "strictly necessary cookie" or not.
  • If a data controller uses a strictly necessary cookie, it does not need to obtain explicit consent to process personal data via that cookie.
  • If a data controller uses cookies other than strictly necessary cookies, it must obtain the explicit consent of the relevant data subjects.
  • At the stage of obtaining explicit consent, data controllers must use an opt-in mechanism rather than an opt-out mechanism.
  • Data controllers are obliged to fulfil their obligation to inform on the usage of cookies, regardless of the types of cookies used.

The Authority classifies cookies

In its Decision, while evaluating the cookie practices on the website/mobile app of the data controller, the Authority made a distinction between strictly necessary cookies and not strictly necessary cookies.

  • Strictly Necessary Cookies: cookies that are essential for the direct operation of a website and/or mobile app are classified as strictly necessary.
  • Not Strictly Necessary Cookies: cookies that are not necessary for operating a website/mobile app, such as 'functional cookies', 'performance-analytical cookies' and 'advertising/marketing cookies', are classified as not strictly necessary.

What are the legal grounds for data controllers using cookies?

The Authority states that the legal ground may vary depending on the type of cookie used. Accordingly, we summarise below the cases in which data controllers must obtain the explicit consent of data subjects to use cookies:

Is Explicit Consent Necessary?

Strictly Necessary Cookies

  • No. Data controllers do not need to obtain the explicit consent of data subjects to process personal data via this type of cookie.
  • Data controllers may process personal data via this type of cookie on the basis of the other legal grounds provided in the Turkish Personal Data Protection Law ("DP Law"), without relying on the explicit consent of the data subject.

Not Strictly Necessary Cookies

  • Yes, unless another legal ground provided in the DP Law applies to the processing of personal data via this type of cookie.
  • The Authority also stated that the data controller in question cannot rely on its legitimate interest as the legal ground for this type of cookie.
  • Data controllers can process personal data via cookies for advertising, marketing or performance analytics only by obtaining the explicit consent of data subjects.

In this specific case, the Authority determined that the data controller uses not strictly necessary cookies. The data controller is therefore obliged to obtain the explicit consent of data subjects before processing their personal data via such cookies. Accordingly:

  • before any not strictly necessary cookie is used, users visiting the website/mobile app must approve its operation through an active, affirmative action at the time of accessing the website/mobile app;
  • data controllers must obtain explicit consent through an "opt-in" mechanism under which, by default, such cookies are not set unless the data subject has given consent; an "opt-out" mechanism, which sets the cookies first and lets the user object later, does not meet this requirement.
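The opt-in requirement above is easy to state and easy to get wrong in code: the failure mode the Decision fines is a site that places analytics or advertising cookies on page load and only removes them if the visitor later objects. The following is an added example, not code from the Decision, the Authority or the data controller, showing a consent gate that applies the Authority's classification: strictly necessary cookies always pass, every other category is refused until an affirmative action has been recorded, and refusal or withdrawal also removes cookies already set. The cookie names, category names, the in-memory Map used as a cookie jar and the `simulateVisit` walkthrough are all assumptions made for the example; the 'opt-out' mode exists only so the difference can be seen side by side.

```javascript
'use strict';

// Cookie categories as the Decision distinguishes them: only "necessary" is
// strictly necessary; the other three are the "not strictly necessary" kinds
// named by the Authority. The names themselves are assumptions for this example.
const CATEGORIES = Object.freeze({
  necessary:   { strictlyNecessary: true },
  functional:  { strictlyNecessary: false },
  performance: { strictlyNecessary: false },
  advertising: { strictlyNecessary: false },
});

function checkCategory(category) {
  if (!Object.prototype.hasOwnProperty.call(CATEGORIES, category)) {
    throw new Error(`unknown cookie category: ${category}`);
  }
}

// The gate sits between the application and the cookie jar. `mode` is
// 'opt-in' (the Authority's requirement: no recorded consent means no consent)
// or 'opt-out' (the practice the Decision rejects: everything runs until the
// visitor objects). Both are implemented only so the difference is visible.
class ConsentGate {
  constructor(jar, mode = 'opt-in') {
    if (mode !== 'opt-in' && mode !== 'opt-out') throw new Error(`unknown mode: ${mode}`);
    this.jar = jar;          // a Map of cookieName -> { value, category } (assumed jar)
    this.mode = mode;
    this.granted = null;     // null until the visitor takes an affirmative action
    this.recordedAt = null;  // when that action happened, for the controller's records
  }

  // Must be called only from an explicit user action, e.g. a banner button click.
  // A pre-ticked box or continued browsing is not an affirmative action and must
  // not reach this method.
  recordChoice(choices, now = new Date()) {
    const granted = new Set(['necessary']);
    for (const [category, on] of Object.entries(choices)) {
      checkCategory(category);
      if (on === true) granted.add(category);
    }
    this.granted = granted;
    this.recordedAt = now.toISOString();
    // Refusal or withdrawal also removes cookies already placed in that category.
    for (const [name, meta] of [...this.jar.entries()]) {
      if (!granted.has(meta.category)) this.jar.delete(name);
    }
  }

  allowed(category) {
    checkCategory(category);
    if (CATEGORIES[category].strictlyNecessary) return true;   // no consent needed
    if (this.granted === null) return this.mode === 'opt-out'; // opt-in: default deny
    return this.granted.has(category);
  }

  // Returns true if the cookie was placed, false if the gate refused it.
  setCookie(name, value, category) {
    if (!this.allowed(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }
}

// Walks one visit through the gate and reports which cookies are in the jar
// before and after the visitor acts. Cookie names and values are constructed.
function simulateVisit(mode) {
  const jar = new Map();
  const gate = new ConsentGate(jar, mode);
  // Page load, before any user action: the site tries to place three cookies.
  gate.setCookie('session_id', 'constructed-session', 'necessary');
  gate.setCookie('_perf', 'constructed-analytics', 'performance');
  gate.setCookie('_ads', 'constructed-advertising', 'advertising');
  const beforeChoice = [...jar.keys()].sort();
  // The visitor clicks "accept performance cookies only" on the banner.
  gate.recordChoice({ performance: true, advertising: false, functional: false });
  gate.setCookie('_perf', 'constructed-analytics', 'performance');
  gate.setCookie('_ads', 'constructed-advertising', 'advertising');
  const afterChoice = [...jar.keys()].sort();
  return { beforeChoice, afterChoice, recordedAt: gate.recordedAt };
}

for (const mode of ['opt-in', 'opt-out']) {
  console.log(mode, JSON.stringify(simulateVisit(mode)));
}
```

In 'opt-in' mode only `session_id` exists before the click; in 'opt-out' mode all three cookies are already in the jar at page load, which is exactly the state the Authority found unlawful. The timestamped `recordedAt` value is what a controller would keep to show, for each visitor, that the affirmative action preceded the non-essential cookies.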

Obligation to inform on the usage of cookies and cookie policy

In its Decision, the Authority underlines that if data controllers process personal data via cookies, they must fulfil their obligation to inform on the usage of cookies as well.

In this specific case, the Authority determined that the data controller referred to its cookie policy to inform data subjects about the use of cookies; however, the notice text contained no link leading to that policy, so the obligation to inform was not fulfilled.

Conclusion

In conclusion, the Authority imposed a monetary fine of TRY 800,000 (approx. EUR 45,000) on the data controller because it did not take adequate technical and administrative measures to ensure personal data security and did not fulfil its legal obligations under the DP Law.

Follow this link (in Turkish only) for the full text of the Decision.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.