Brief on Personal Data Protection Authority’s Decision Dated 10.03.2022 Regarding Cookies Used in Website/Mobile Applications

Data processing activities are encountered in new and various fields every day. The Personal Data Protection Board (“Board”) puts these areas under strict scrutiny within the scope of the Personal Data Protection Law No. 6698 (“KVKK”). Even minor practices in online environments that can easily be overlooked are significant to the Board in establishing compliance with personal data law. In online environments, cookies are at the top of the issues concerning personal data law.

Within the framework of the Board’s decision dated 10.03.2022 and numbered 2022/229, the terms of use of online cookies and the transfer of information obtained through these cookies have been evaluated within the scope of KVKK. You can reach the concerned decision here.

Complaint On the Obligation to Inform and Transfer of Data Abroad Regarding the Cookies Used On the Website

It was stated in the complaint submitted to the Board that: (i) the obligation to inform regarding the use of cookies is not fulfilled, (ii) no explicit consent has been obtained for the use of cookies and, in addition, this information has been transferred abroad, (iii) the cookie policy presented on the concerned website does not reflect the truth, and (iv) the data processed by using analytical cookies on the website is transferred abroad illegally.

In their defense, the data controller stated that:

  • it is accepted that the data in question does not have the status of "strictly necessary cookies", which are necessary for the operation of the website and mandatory for the fulfillment of the service requested by users, but falls within the scope of data that should be processed for the data controller's legitimate interests,
  • cookies that are not “strictly necessary cookies” are also necessary for the data controller company,
  • cookies are not presented as a prerequisite for the service provided,
  • negotiations have started with companies that offer technical solutions for obtaining explicit consent for the use of cookies,
  • the use of cookies will improve the customer experience, whereas the alternative would deeply harm the company’s own activities and push the company out of competition, and therefore there is no doubt that the company has a legitimate interest in the use of cookies, and
  • "tracking wall" applications, which prevent a visitor from accessing the content of the website unless they approve the use of all cookies, are not in practice, and the use of the website continues effectively if cookies are disabled.

The Board's Evaluations On Usage of Cookies

Considering this information, the Board ruled that the use of cookies other than "strictly necessary cookies" is subject to the explicit consent of the data subject where they do not meet one of the conditions stipulated in the KVKK. In light of the evaluations made, although the data controller claimed they had a "legitimate interest", which is one of the conditions provided in the law, it is stated that it is not possible to rely on this condition for the processing activity carried out, and the explicit consent of the data subject should be acquired.

At the same time, it has been understood that the cookie policy on the data controller's website lists advertising/promotional cookies and that third-party cookies are used for advertising and retargeting; therefore, personal data has been processed by the data controller via the advertising/marketing cookies. Nevertheless, it has been established that visitors of the data controller's website have only been informed with a pop-up, but their explicit consent has not been acquired.

Also, it has been observed that instructions are provided within the cookie policy regarding how to turn off the notifications and cookies. However, where no condition for processing personal data exists (other than explicit consent) with respect to functional cookies, performance-analytical cookies and advertising/marketing cookies, which are out of the scope of "strictly necessary cookies" (which ensure the proper operation of the website), the use of these cookies is subject to the voluntary active action of the visitors at the entry to the website.

Regarding data transfer, it has been determined that the transfer of personal data abroad can only be carried out based on explicit consent, and in this context, the operations carried out by the data controller by transferring personal data abroad through cookies are not in accordance with the law.

In light of the inspections, it was stated that information regarding cookies is provided in the Privacy and Personal Data Protection Policy of the data controller; however, it should be updated to include a link which will direct the data subject to the cookie policy. It has been underlined that the data controller also created a Cookie Policy apart from the Privacy and Personal Data Protection Policy, and that the information the data controller presented about cookies in the Privacy Policy should also be included in the Cookie Policy. In addition, it was emphasized that the policy in question should comply with the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform (“Communiqué”).

Conclusion

In this context, upon evaluation of the Cookie Policy, it has been observed that:

  • no accurate information has been provided regarding the numerous rights that a person has in accordance with Article 4 of the Communiqué and Article 11 of the KVKK, and
  • there is no detailed information on which data processing activity corresponds to which processing purpose, and the table displaying the purposes of each type of cookie is not clear enough to be understood by the data subject; consequently, it has been determined that the relevant policy is incomplete in terms of Article 5 of the Communiqué.

In the light of all the evaluations, it was decided to impose an administrative fine of 800,000 TRY on the data controller and to make the necessary arrangements in line with the evaluations made above.

Minor and overlooked issues such as cookie practices in online activities should be brought into compliance with the obligations of the KVKK. One of the most remarkable aspects of this decision is the Board’s evaluation of the processing of personal data without explicit consent and the transfer of this data abroad. When the decision is examined, it is clear that these issues are a point of emphasis for the Board, and with this decision an important gap in the jurisprudence has been filled with a detailed evaluation. Consequently, this has become another aspect of KVKK compliance to which companies should pay attention in their websites or mobile applications.

You can reach our İzmir Personal Data Lawyers to get expert legal support on the protection of your personal data or your company's personal data law compliance.
