Turkey: Article 29 Working Party's Updated Opinion on Consent under the General Data Protection Regulation

The Working Party on the Protection of Individuals with regard to the Processing of Personal Data ("Working Party") updated their opinion on consent under the General Data Protection Regulation ("GDPR"), which developed the concept of consent by providing further clarification and specification regarding the requirements and obligations for obtaining and demonstrating valid consent.

The GDPR, which will be effective as of May 28, 2018, defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."^[1]

The Working Party, in their opinion, stated that consent will not be considered as "free" if the data subject is unable to refuse his or her consent, and also mentioned that the power imbalance between the data subject and the data controller is also taken into consideration by the GDPR.

According to Article 7(4) of the GDPR, when assessing whether or not consent is freely given, "utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." By regulating this provision, the GDPR aims to narrow the scope of the term "the performance of a contract." According to the Working party, there needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract.

The Working Party mentions the term "granularity" while determining the existence of freely given consent. This means that, if personal data is processed for more than one purpose, the data subject should be free to choose which purpose he/she accepts, rather than having to consent to a bundle of processing purposes. Therefore, the data controller may have to obtain several consents for each purpose. In other words, when the data processing has multiple purposes, free consent should be sought and given for all of these purposes.

The GDPR also states that the data controller needs to demonstrate that the data subject is free to refuse or withdraw consent without detriment (i.e., that withdrawing consent does not lead to any costs), and it should also prove that the data subject has a free choice with regard to giving consent.

According to the Working Party, the data controller must apply the following rules to comply with the element of "specific," which is included in the definition of "consent" under the GDPR:

(i) The data controller needs to obtain a new and separate consent from the data subject for the new processing purpose.

(ii) The data controller should provide a separate opt-in for each purpose, in order to allow users to give specific consent for specific purposes.

(iii) The data controller should provide specific information regarding each separate consent request about the data in order to inform the data subjects and make them aware of the impact of the different choices that they have.

The Working Party also listed the minimum information required to be provided to data subjects for obtaining valid informed consent in terms of the GDPR. These are as follows:

(i) the identity of the data controller,

(ii) the purpose of each of the processing operations for which consent is sought,

(iii) the type of data that will be collected and used by the data controller,

(iv) the existence of the right to withdraw consent,

(v) information about the use of the data for decisions based solely on automated processing, including profiling,

(vi) if the consent relates to data transfers, information about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards, where applicable.

It is important to note that the existence of the right to withdraw consent is a new criterion brought by the GDPR. This requirement was not included in the earlier EU Directive.

Even though the GDPR does not require this information to be conveyed to the data subjects in a specific form or shape, it brings higher standards with respect to the clarity and accessibility of the information. Accordingly, the Working Party stated that the information must be concise and easily accessible, and that the data controller should use clear and plain language which can be easily understood by an average person.

According to the Working Party, when consent is requested as part of a contract, the request for consent for data processing activities should be clearly distinguishable and separated from information about other matters. Furthermore, if consent is requested by electronic means, the consent request has to be separate and distinct from other material imparted by the same electronic communication. If the consent request for data processing is indistinguishable from information about other matters and incorporated into an agreement along with many other provisions, then the data subject cannot give consent freely and separately, since he or she is compelled to sign the agreement as a whole.

The EU Directive described consent as an "indication of wishes by which the data subject signifies his agreement to personal data relating to him being processed."^[2] The GDPR expands this definition, by clarifying that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action, which means that the data subject must have taken a deliberate action to consent to the particular data processing. Furthermore, in the Working Party's opinion, unambiguous means that it must be "obvious" that individuals have consented to the processing.

The GDPR also sets forth various new requirements for data controllers regarding the explicit consent they obtain from data subjects. For instance, according to Article 7 of the GDPR, the data controller is obliged to be able to demonstrate that the data subject has consented to the processing of his or her data. The same provision also states that the data controller must ensure that consent can be withdrawn by the data subject as easily as it can be given and that it can be withdrawn at any time.

The Working Party's updated opinion for the GDPR might also be considered as a guide for Turkish businesses in terms of structuring their data processing processes. For instance, according to the GDPR, the data controller must demonstrate that valid consent was obtained from the data subject and the data controller must also provide information on how to withdraw consent. The Law No. 6698 also imposes similar obligations on data controllers.

Although the Law No. 6698 is a separate and independent local regulation that is not directly subject to the GDPR, it is likely that the Turkish Data Protection Board, which is the main national authority on data-protection-related matters, would take the opinion of the Working Party into account when evaluating the validity of consent, as the Law No. 6698 is mainly based on the EU legislation and the implementation in the EU is currently the primary source of guidance. According to the Turkish Data Protection Board, umbrella consents (to a bundle of data processing purposes or as part of an overall agreement involving other matters) will be deemed invalid, which is in parallel with the "specific consent" principle and the granularity requirement in the EU. We expect that the opinion of the Turkish Data Protection Board will also take into account the implementation in the EU and will be shaped and developed further in time, as new cases arise. Data controllers may also benefit from the Working Party's updated opinion for clarity on the requirements of explicit consent and assess whether their current workflow for seeking and obtaining informed consent needs to be updated.

This article was first published in Legal Insights Quarterly by ELIG, Attorneys-at-Law in March 2018. A link to the full Legal Insight Quarterly may be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.