Turkish Data Protection Regulation and Cookie

On 24 March 2016, Personal Data Protection Law No. 6698 was accepted in the Grand National Assembly of Turkey. The law was published in the Official Gazette dated April 7, 2016 and came into force on the date of its publication.

Throughout the following years, the Personal Data Protection Board Authority adopted numerous by-laws and directives to further regulate the field of personal data. Furthermore, the Authority released several guidelines on data protection. Some of them are: the guideline on personal data security (technical and organizational measures) and the guideline on erasure, destruction or anonymization of personal data.

Cookie Policies, According to the Turkish Data Protection Authority

In January 2022, the Turkish Data Protection Authority published its Draft Guidelines on Cookie Applications.

Amazon Decision

On 27/02/2020, before the publication of the draft guideline, the Authority ruled on a case involving Amazon, which became a landmark decision on cookie policies. According to the ruling:

  • Data protection legislation, although it makes no direct reference to cookies or related technologies in its wording, is still applicable to cookies.
  • A user’s access to the website does not constitute informed consent.
  • Blanket consents do not fulfill the obligation to receive informed consent. As such, broad statements about consent are also not considered compliant with the Turkish Data Protection Law.
  • Data processing concerning commercial electronic correspondence is covered by different legislation. That being said, the acquisition of personal data, no matter to what end, is still covered by the Turkish Data Protection Law and thus has to be compliant with it.
  • Although Amazon received permission to transfer personal data abroad after this incident, it had transferred personal data abroad without the informed consent of the users before receiving that permission.

As a result, Amazon was fined 1.100.000 Turkish Liras and was ordered to bring its services into compliance with the law.

Draft Guideline on Cookie Applications

According to the opening statement of the draft Guideline: “With this guideline, it is aimed to create a guiding document as practical advice for all data controllers who operate a web page. Explanations presented within the framework of good practices set forth in the guide; helps data controllers in terms of processing data based on correct legal reasons, providing information in accordance with the Law, and obtaining explicit consent in accordance with the law.” As such, this guideline is meant to provide advice for companies providing web-based services to Turkey and to set out the Authority’s outlook on cookie technologies.

Wording Of the Cookie Policy.

According to the preamble part of the guideline, technologies such as Facebook Pixel, local storage, beacon etc. are not covered in the guideline. The guideline only applies to cookies.

Classification of the Cookies

According to the guideline, cookies are divided into three different classes, with three subclasses. These are:

  • Cookies Related to their Duration
  • First Party/Third Party Cookies
  • Cookies Related to their Purpose
      • Statistics Cookies
      • Marketing-Tracking Cookies
      • Technical Or Functional Cookies

According to the guideline, the legal basis (as per Art. 5(2)) and the purpose of data processing for every cookie classification have to be explained in the cookie policy text.

Advertising and Marketing cookies are used by our business partners to profile your interests and to show you relevant advertisements. Your personal data collected through these cookies are processed by obtaining your explicit consent within the scope of paragraph (1) of Article 5 of the Law.

(figure 1: Translation of the Example in the Guideline)

The guideline also differentiates between first-party and third-party cookies. Therefore, first-party and third-party cookies should be defined under a separate heading that indicates the differences between them.

First-Party and Third-Party Cookies: Whether the cookie is first-party or third-party varies according to the cookie placed by the website or domain. First-party cookies are directly related to the website that the user visits by the URL (example.com.tr) shown in the browser’s address bar. Third-party cookies are placed by a different domain than the domain the user is visiting.

(figure 2: Translation of the Example in the Guideline)

Rights of Data Subject

Even though the rights stated in Article 11 of the Turkish data legislation are in line with the GDPR, such terms should be localized. According to the Authority, any reference made to the GDPR shall not be considered compliant with Turkish Data Protection legislation.

 

Rights of Data Subject

ARTICLE 11 – (1) Everyone, in connection with herself/himself, has the right to;

a) Learn whether or not her/his personal data have been processed;

b) Request information as to processing if her/his data have been processed;

c) Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose;

ç) Know the third parties in the country or abroad to whom personal data have been transferred;

d) Request rectification in case personal data are processed incompletely or inaccurately;

e) Request deletion or destruction of personal data within the framework of the conditions set forth under article 7;

f) Request notification of the operations made as per indents (d) and (e) to third parties to whom personal data have been transferred;

g) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems;

ğ) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data

by applying to the data controller

 

(figure 3: Translation of the Article 11)

It should be noted that the wording of the Rights of Data Subject is very similar to 46/95/EC Directive, the predecessor of the GDPR.

User Interface of the Cookie Privacy Plugin

According to the aforementioned Amazon decision, a data subject’s access to the website does not constitute informed consent. Therefore, the lack of pop-ups with information on data processing that begins with the user’s access infringes the data subject’s rights under Article 11. The guideline goes into detail on how the plugin should appear. As stated in the guideline, the cookie preference has to be opt-in; this is in contrast to what the CCPA and LGPD uphold.

(figure 4: UI Example Provided by the Authority)

In addition, the pop-up banner has to be easily accessible within the screen even after the user has determined their cookie preference.

Third Party Cookies

As mentioned before, the guideline differentiates between first-party and third-party cookies. Furthermore, it provides “scenarios” that explore which cookie usage requires informed consent. According to the guideline that was published by the Authority, the processor has to receive informed consent for third-party cookies that fall into the categories of Social Media Tracking Cookies and Online Behavioral Advertising Cookies. Multimedia Player Session Cookies (such as Video Player Cookies), Load Balancing Session Cookies, Social Media Buttons and Cookies Used for the Open Consent Management Platform do not require informed consent from the users.

That being said, URL addresses for the privacy policies of the third-party cookie providers (including social media buttons and video player APIs/plugins/UI) should be provided under a separate heading in the policy.

Other Data Privacy Issues for Service Providers

For the purpose of collection of personal data, the use of third-party services such as WordPress, Facebook, Google Analytics etc. is considered to be extraterritorial data transfer due to the location of their servers. Since the list of approved countries for data transfer is yet to be announced by the Authority, informed consent should be obtained from the data subjects for cookies related to foreign service providers.

According to the checklist within the guideline, cookies have to be retained for the duration specified in the policy. Furthermore, records of the informed consent on cookies have to be accessible to the data subjects.

Conclusion

Together with the Amazon decision, the draft guidelines published by the Authority showcase appropriate cookie practices. It is very important for companies providing web services in the Turkish market to adhere to these regulations.
