INSIGHTS
In The Know.

  • Home
  • Insights
  • Turkish Personal Data Protection Authority establishes the “strictly necessary” exemption on the use of cookies

Search by

Turkish Personal Data Protection Authority establishes the “strictly necessary” exemption on the use of cookies

May 2022 – On 23 May 2022, the Turkish Personal Data Protection Authority (“Authority”) issued a decision (“Decision”) on “cookies” used on websites and/or mobile apps by a data controller with a business in the e-commerce sector.

In its Decision, the Authority examined a complaint on cookies used by a data controller and decided to impose a monetary fine of TRY 800,000 (approx. EUR 45,000) due to unlawful data processing activity through cookies.

In summary, the Authority underlined the following points:

  • The legal grounds for personal data processing via cookies differ depending on the type of cookie, i.e, whether it is a “strictly necessary cookie” or not.
  • If a data controller uses a strictly necessary cookie, the data controller does not need to obtain explicit consent to processes personal data via such a cookie.
  • If a data controller uses cookies other than strictly necessary cookies, the data controller must obtain the explicit consent of the relevant data subjects.
  • At the stage of obtaining explicit consent, data controllers must use an opt-in mechanism rather than an opt-out mechanism.
  • Data controllers are obliged to fulfil their obligation to inform on the usage of cookies, regardless of the types of cookies used.

The Authority classifies cookies

In its Decision, while evaluating the cookie practices on the website/mobile app of the data controller, the Authority made a distinction between strictly necessary cookies and not strictly necessary cookies.

  • Strictly Necessary Cookies: cookies that are essential and necessary for directly operating a website and/or mobile app are classified as strictly necessary.
  • Not Strictly Necessary Cookies: cookies that are not necessary for operating a web-site/mobile app, such as 'functional cookies', 'performance-analytical cookies' and 'advertising/marketing cookies' are classified as not strictly necessary cookies.

What are the legal grounds for data controllers using cookies?

The Authority states that legal grounds may vary depending on the type of cookie used. Accordingly, we summarise in the table below the cases where data controllers must obtain the explicit consent of data subjects to use cookies:

 

Is Explicit Consent Necessary?

Strictly Necessary Cookies

  • Data controllers do not need to obtain the explicit consent of data subjects for processing this type of cookie.
  • Data controllers may process personal data via this type of cookie based on other legal reasons regulated under Turkish Personal Data Protection Law (“DP Law”), apart from the explicit consent of the data subject.

Not Strictly Necessary Cookies

  • Data controllers must obtain the explicit consent of data subjects if there are no other legal grounds regulated under DP Law to process their personal data via this type of cookies.
  • The Authority also stated that the data controller in question cannot use this type of cookie based on its legitimate interest.
  • Data controllers can process personal data via cookies for advertising, marketing, or performance analytics by obtaining the explicit consent of data subjects.

 

In this specific case, the Authority determined that the data controller uses not strictly necessary cookies. In this respect, the data controller is obliged to obtain the explicit consent of data subjects to process their personal data via such types of cookies. Accordingly:

  • before using not strictly necessary cookies, users visiting the website/mobile apps are required to approve the operation with an active affirmative action at the time of accessing the website/mobile application;
  • data controllers need to obtain the explicit consent of data subjects by using an "opt-in" mechanism that by default ensures that cookies do not work if data subjects do not provide their consent.

Obligation to inform on the usage of cookies and cookie policy

In its Decision, the Authority underlines that if data controllers process personal data via cookies, they must fulfil their obligation to inform on the usage of cookies as well.

In this specific case, the Authority determined that the data controller refers to its cookie policy to inform data subjects on the use of cookies; however, there is no link in the text that leads to the relevant policy.

Conclusion

In conclusion, the Authority imposed a monetary fine of TRY 800,000 (approx. EUR 45,000) on the data controller as it did not take adequate technical and administrative measures to ensure personal data security and did not fulfil its legal obligation.

Follow this link (in Turkish only) for the full text of the Decision.

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Hatice Nur Arslan, Legal Intern, at narslan@gentemizerozer.com