To print this article, all you need is to be registered or login on Mondaq.com.
Legal analysis of Turkish Data Protection
Authority's decision on Amazon Turkey
Turkish Data Protection Authority
("DPA") fined Amazon's Turkish
subsidiary ("Amazon Turkey") for
TRY 1.2 million.
DPA's decision on the fine, which was published DPA's
website on 7 May 2020 ("Decision"),
gives insights on DPA's view on some important matters.
This Decision is particularly important as it is the first
decision that DPA has fined a data controller on "data
transfer abroad" and
We share our analysis below:
|A. Commercial electronic
||DPA states in the Decision that:
- Although, Ministry of Commerce is authorized to regulate and
supervise commercial electronic messages under the commercial
messages legislation, DPA is also authorized to regulate and
supervise personal data processing activities relating to
commercial messages. However, Amazon Turkey based its defence that
DPA is not authorised to impose a fine on commercial electronic
- Amazon Turkey is required to obtain "explicit
consent" to send commercial electronic messages for marketing
purposes but it does not.
- The function to uncheck the already checked boxes for not
receiving commercial electronic messages (opt-out) after
registering with the website does not meet the "explicit
consent" criteria. The function must be designed to check the
unchecked boxes to receive commercial electronic messages
- DPA also noted that when customers register with the website
they are deemed to approve "Privacy Notice". According to
DPA using this method means that (i) obligation to inform is
performed together with obtaining explicit consent and (ii)
explicit consent is obtained for processing activities that do not
require explicit consent. Also the Privacy Notice is a general
informative text on data processing (in other words, does not meet
the privacy notice criteria). DPA found all these to be against the
Turkish Data Protection Law
- Unlike GDPR and E-privacy Directive, under Turkish law, save
for very limited exemptions, sending commercial electronic messages
for marketing purposes is subject to the recipient's
"explicit consent" (i.e. there is no soft opt-in
- Hence Amazon Turkey must have used "opt-in" method
for getting consent for sending these messages. This is also an
established practice in Turkey.
- In this regard, the Decision includes no surprise on the
conclusion on breach to Turkish law with respect to commercial
electronic messages while division of powers between Ministry of
Commerce and DPA remains uncertain.
|B. Rule of Honesty and
||DPA found that:
- the below expressions in the Privacy Notice are against
DPL's general principles of "legality and honesty"
- "You can choose not to provide certain information, but
then you might not be able to take advantage of many of our Amazon
- "If you block or otherwise reject our cookies, you will
not be able to add items to your Shopping Cart, proceed to
Checkout, or use any Services that require you to Sign
- Amazon Turkey's collection and processing of
"friends' and other people's e-mail addresses"
breaches DPL as such data is collected and processed without the
explicit consents of those data subjects.
- Amazon Turkey's collection and processing of "credit
history information, status details, corporate and financial
information" are against the principle that processing must be
"connected to the purpose, limited and
- We are of the view that some sentences in the Privacy Notice
are indeed not clear but it is disputable to directly conclude that
having these sentences in the Privacy Notice qualifies Amazon
Turkey's related data processing activities to be against
- For instance, if one's friend's e-mail address is
processed to send a gift to such friend, then explicit consent
should not be required, this processing should be carried out based
on the "legitimate interest".
- In anyway, it is fair to say that DPA expects data controllers
to (i) match the collected data with the data processing purposes
and (ii) use a plain, simple and understandable language in their
privacy notices. Otherwise, facing fines may be inevitable.
|C. Data Transfer
- Based on the following expression "Other than as set out
above, you will receive notice when personal information about you
will be shared with third parties, and you will have an opportunity
to choose not to share the information." DPA concluded that
such data processing activity is based on explicit consent.
- However, explicit consent must be obtained before commencing
data processing activity at the latest. Hence obtaining consent
after sharing data would be against the DPL.
- Allowing the withdrawal of consent after transfer would not be
compliant with the DPL, and the consequences of withdrawal is
- It is concluded that the transfer is in breach of DPL due to
ambiguous statements on transfer.
- In Amazon's Privacy Notice, legitimate reasons for transfer
and the recipients of data are listed. Then there is the below
statement, which is found to be against the DPL by DPA:
- "Other than as set out above, you will receive notice when
personal information about you "will be" shared with
third parties, and you will have an opportunity to choose not to
share the information."
- When we look at Amazon website serving to the USA, we
understand that this expression is simply caused from a translation
- The English language version of Privacy Notice is as follows:
"Other than as set out above, you will receive notice when
personal information about you "might be" shared with
third parties, and you will have an opportunity to choose not
to share the information."
- We are of the view that if it had been translated correctly,
DPA may not find major breach of the DPL.
- It is really notable that a global e-commerce giant is fined
-among other reasons- due to a "translation error".
|D. Data transfer abroad
Method for obtaining consent
- For the purpose of obtaining permission for data transfer
abroad, Amazon Turkey has submitted to DPA the standard
undertakings executed with non-Turkish recipients of personal data.
However, as DPA has not yet granted a permission on such transfer
and as DPA has not yet announced the list of safe countries, DPA
stated in the Decision that the transfer could only be based on
- Amazon's defence that consent is obtained with the
following statements "By creating an account, you hereby
accept the practices stated in this Privacy Notice", and
"by placing an order, you accept Amazon.com.tr Privacy Notice, Terms
of Use and Sale and Cookie Notice" was not accepted and DPA
stated in the Decision that the consent cannot be obtained by
- Also, consents, which are not limited to a specific subject and
necessities of the relevant processes are considered as
"blanket consents" and deemed invalid. In this context,
DPA concluded that the approval of all "data processing
activities" (tracking with cookies, transfer, sharing, storage
etc.) with a single consent statement by the approval of the
"Privacy Notice" would not be compliant with DPL.
- Under Turkish law, personal data may be transferred abroad
based on "explicit consent".
- For data transfer abroad based on legal reasons other than
explicit consent the following methods are applicable: (i) transfer
to safe countries (to be announced by DPA), (ii) executing a
standard form undertakings and obtaining permission from DPA or
(iii) obtaining approval from DPA for Binding Corporate Rules (for
transfer between group companies).
- DPA has not yet announced the safe countries. As per DPL, one
of the criteria that DPA must consider for determining the safe
countries is "reciprocity". In fact, this condition ties
DPA's hands. For this particular reason, even the EU countries,
from which Turkey had derived its data protection legislation,
cannot be considered as safe countries.
- DPA does not accept the argument that data may be transferred
on the basis of the Convention No. 108, which facilitates data
transfers among the signatory countries (Turkey is a party to such
- The other option, "obtaining permission from DPA by
signing the standard undertakings published on DPA's
website" is not practical. As far as we are aware, there is
not a data controller who has convinced major data processor such
as Microsoft, Google etc. to execute an undertaking.
- DPA was aware of this problem in the market and was
"tolerating" transfers to foreign countries; and had not
yet impose a fine on this matter.
- This Decision is very important as it is the first time of
imposing a fine for data transfer abroad. It is particularly
striking that the fine was imposed when the undertaking executed by
Amazon Turkey was in review for permission by DPA. We are of the
view that this Decision is a message to the players in the market,
most of which transfers data abroad.
- It is stated that the data processing activity related to
cookies starts upon entry to the site.
- Consequently, it is concluded that, if a website visitor does
not shop or create account, merely visiting the site would not mean
acceptance of processing data through cookies.
- In this framework, it is seen that there is no information
notice on collection of personal data through cookies (e.g. pop-up
messages) and there is no request of permission for the processing
(e.g. "You should approve the cookie notice to continue
visiting our site").
- Consequently, it is concluded that neither information nor
explicit consent requirements related to cookies are being complied
- Unlike the EU, there is no specific legislation on
"cookies" under Turkish law.
- However, "cookie data" is listed as one of the
marketing data in DPA's guidelines.
- Due to lack of legislation, data controllers in Turkey has
found the solution by "imitating" the cookie policies
used in the EU.
- Data controllers was expecting a guidance, a legislation from
DPA on cookies.
- However, with this Decision, DPA made it clear that it
the meaning of DPL, and that a cookie notice must be provided and
an explicit consent must be obtained, if required.
- The cookies that require consent must be
"marketing/tracking" cookies, and that the
"mandatory/functionally cookies" can be used based on
"legitimate interest" legal basis.
- Due to lack of specific legislation on cookies, the content of
cookie notice still remains uncertain; but in any case, after this
Decision, it would be wise to add to the websites serving Turkish
market the cookie policies (in line with the privacy notice
principles under the DPL, to the extent possible) and to obtain
explicit consents for "marketing/tracking cookies".
- In light of the above, due to breach to rules on commercial
messages, General Principles, Data Transfer and Data Transfer
Abroad, DPA decided to fine Amazon Turkey for TRY 1,100,000 for not
taking the necessary technical and administrative measures under
- to fine for TRY 100,000 as the Privacy Notice contains many
information, and is a general information on processing of data
(i.e does not meet the criteria to be a privacy notice under DPL),
and does not fulfil the information obligation related to
- to instruct Amazon Turkey to update the "Privacy
Notice" and publish on Amazon Turkey website.
- It is no surprise that DPA found that Amazon Turkey's
activities relating to commercial messages are in breach of rules
on commercial messages while division of powers between Ministry of
Commerce and DPA remains uncertain.
- We are of the view that the Privacy Notice contains some
sentences that are not very clear; but this should not directly
mean that Amazon Turkey carries out illegal data processing
- The violation about "transfer of data" is caused by a
- It is surprising that Amazon Turkey is fined for the data
transfer abroad while Amazon Turkey's application for
permission to data transfer abroad is pending before DPA.
- It is also surprising that cookies are subject to fine while
there is no specific legislation on cookies under Turkish law.
- Our experience shows that DPA is open to dialog and to
listening the problems of the sector. On the other hand, maybe
Amazon Turkey didn't have the opportunity to communicate with
DPA its position on the matters that are subject to the fine in
You can reach the Turkish language version of the decision via
the following link: https://kvkk.gov.tr/Icerik/6739/2020-173
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from Turkey