1. Introduction

In Turkey, the general legislation regulating processing of personal data is the Law on Protection of Personal Data No. 6698 ("Law"). Articles 5 and 6 of the Law describe the legal bases applicable for processing of personal data and sensitive personal data, while article 10 of the Law stipulates a general obligation to inform the data subject regarding purposes and methods of processing, irrespective of the legal basis of processing. On the other hand, the Law does not explicitly regulate processing of personal data through cookies1 which is a very popular method for most of the websites today. 

There is another law, the Law on Electronic Communication No. 5809 ("Law No. 5809"), entailing provisions on use of information within terminal equipment of the users. According to article 51 of the Law No. 5809, use of information within terminal equipment of the users for purposes other than establishing electronic communication by the electronic communication operators, is subject to explicit and informed consent of the users.

While article 51 of the Law No. 5809 gives a certain idea on the condition of using cookies (which is a type of information within terminal equipment) under Turkish law, the scope of this article is limited with electronic communication providers. In other words, article 51 of the Law No. 5809 is lex specialis to the Law, and there is no general and explicit regulation of cookies under Turkish law.

  1. The Approach of the Turkish Data Protection Authority

The Turkish Data Protection Authority ("DPA") has touched upon the issue in its decision no. 2020/173 on Amazon. In its decision, the DPA stated that although the data controller in question starts to process personal data of the users through the cookies as soon as the users open the website, the data controller has failed to obtain the explicit consent of the users and inform them in accordance with article 10 of the Law. The DPA further highlighted that since the data controller starts to process personal data of the users before entering into an agreement with them, it should perform its liability to obtain an active and explicit consent from the users as well as its liability to inform them as per article 10 of the Law, at the moment the user starts to use the website, without waiting for the moment where an agreement is executed between them.

The above stated decision provided some kind of guidance for data controllers processing personal data by using cookies; however, it did not entail further clarity on the following questions: Do all the cookies require the consent of the data subject? Are there any cases where cookies can be used without the consent? What is the best way to obtain the consent of the data subject for use cookies? Is a separate cookie policy needed or is it sufficient to have a privacy policy?

  1. The Draft Guideline on Cookies Published by the DPA

Finally, the DPA has announced a draft guideline on cookies ("Guideline") on January 11, 2022.2  The guideline is still in the form of a draft and the DPA expects opinions from the stakeholders on this draft. Even so, the Guideline includes important suggestions for the data controller processing personal data through cookies. This is a significant step for the DPA as the cookies have been a blurry area ever since the Law has entered into force.

The Guideline's perspective is very much in line with the relevant European guidelines.3 This is not surprising as the Law has been drafted by modeling the Data Protection Directive 95/46/EC, that is now replaced by the General Data Protection Regulation 2016/679.

Some of the important statements in the Guideline are as follows:

  • The Guideline makes a distinction between the cookies requiring data subject's explicit consent under the Law (i.e. social plugin tracking cookies and online behavioral advertising cookies) and the cookies not requiring such consent under the Law (e.g. user input cookies, authentication cookies, load balancing session cookies).

    In cases where consent is required, such consent must be an informed and active consent, in accordance with the principles of the Law. For example; using a mechanism where the data subject may either accept or decline use of cookies is deemed good practice, while bundling the explicit consent statement in terms and conditions of use (or a similar document) is not deemed good practice.
  • The Guideline also mentions the liability to inform the data subjects in accordance with article 10 of the Law. This liability to inform is irrespective of the liability to obtain explicit consent. In other words, even if the processing does not require explicit consent, the data controller must inform the data subject in accordance with article 10 of the Law. The draft guideline states that if a data controller processes personal data through the cookies, then it should mention the types of cookies, purposes of use and duration of use in the privacy policy prepared in accordance with article 10 of the Law.

In this respect, although the Guideline does not require a separate cookie policy, it recommends the data controllers to include information on cookies in their privacy policy. On the other hand, we are of the opinion that having a separate cookie policy would work as well, as long as both privacy policy and cookie policy are presented to the data subject when they visit the website. 

  1. Conclusion

In summary, although the Guideline may be subsequently changed, we expect that the DPA continues to follows the footprints of the European data protection authorities, as it mostly does in its decisions. Additionally, even if the Guideline is not formal yet, it is advisable for the data controllers processing personal data through the cookies to adapt their practices in line with the suggestions in the Guideline.

Footnotes

1 Cookies are small blocks of data created by a web server while a user is browsing a website and placed on the user's terminal equipment by the user's web browser.

2 Full text can be accessed through https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/1336263f-22bb-4da3-a1b9-aabc0e0e8bff.pdf .

3 Article 29 Working Party Working Document, 02/2013 providing guidance on obtaining consent for Cookies; Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.