In the present case complaints have been filed against AMAZON as "data controller" before the Turkish Personal Data Protection Authority (hereinafter referred to as the "Authority") for breach of the Law on Personal Data Protection (no. 6698) (hereinafter referred to as the "Law") and before the Ministry of Commerce for breach of the Law on the Regulation of Electronic Trading (no. 6563), respectively.

Both complaints have been filed on the following grounds:

  • No explicit consent has been obtained for the purpose of sending electronic trading communications such as publicity, promotions, sales, whether when setting up the "user account" or when "shopping".
  • No explanation/information has been provided for processing data without explicit consent.

AMAZON asserted that:

  • The claims put forward are baseless as they have been made upon assumptions and probabilities and lack any documentary evidence to support them.
  • The complaint has been inappropriately filed with the Authority as the communications regarding electronic trading are subject to Law no. 6563 on the Regulation of Electronic Trading and thereby within the remit of the Ministry of Commerce.
  • For transparency and information purposes AMAZON provides its clients the texts "Terms of Use" and "Privacy Notice".
  • Only after the "user account" is set up does AMAZON communicate electronically with its clients regarding its products and services.
  • When setting up the "user account" by clicking on the tab "create your AMAZON account", the client accepts the "Privacy Notice".
  • Likewise, when shopping, the client is reminded of the "Privacy Notice". By accepting it, the client also accepts the "Terms of Use and Sale" and the "Cookies Statement".
  • Additionally, AMAZON provides its clients the opportunity and means for easily selecting, limiting the fields/subjects about which they wish to receive commercial electronic messages or to refuse to receive commercial electronic messages at any time.
  • The clients of AMAZON not only are informed of the transfer of their data to foreign countries but have also given their consent for such transfer by accepting the "Privacy Notice".
  • AMAZON has filed with the Authority its written undertaking/affirmative covenant for the transfer of personal data out of the country and that it continues to correspond with the Authority on the subject.
  • The claims that AMAZON is unlawfully transferring personal data out of the country and is in breach of Law no. 6563 on the Regulation of Electronic Trading are unfounded and based on assumptions.

On the admissibility of the complaint filed before the Authority for breach of the Law

The Regulation on Commercial Communication and Commercial Electronic Messages rules under:

  • Art. 5/1 the receiver's prior consent is to be obtained before sending commercial electronic communications for purposes such as marketing the service provider's goods and services, promoting its firm or for increasing its visibility or renown.
  • Art. 7/1 the receiver's consent is to contain:
    • the explicit affirmative consent in that the receiver accepts to receive electronic communications,
    • the receiver's name and surname, and
    • the receiver's electronic communication address.
  • Art. 12/2 the prior consent of the concerned person must be secured for sharing her/his personal data with 3rd persons, for processing them or for using them for other purposes.

Art. 5 of the Law requires that "explicit consent" for processing personal communication data be secured before sending out electronic communications for trading purposes or, at the latest, at the time when sending the electronic message.

The Authority's (Legal) Principle Decision no. 2018/119 of 16.10.2018 rules that

  1. without first securing the receiver's "explicit consent" or
  2. in the absence of the processing conditions mentioned under Art. 5/2,

the acts of a data controller sending out electronic communications to the receiver's e-mail addresses or telephone numbers will be subject to prosecution pursuant to Art. 18 of the Law.

To motivate its decision on the admissibility of the complaint the Authority states that:

  • Even though a separate body of legislation exists for commercial electronic communications, storing data such as telephone numbers, e-mail addresses in a database and sending electronic communications for commercial purposes to the individuals constitutes a data processing activity and thereby is also subject to and must comply with the Law.
  • The Authority's above referred (Legal) Principle Decision is not about sending of commercial electronic communications but about processing/handling of personal data. 
  • The complaint filed, also, before the Ministry of Trade has been transmitted from the Ministry to the Authority with a request for assessment in respect of the Law.

The Decision on Admissibility - On the basis of the above mentioned grounds and motivations the Authority has deemed the complaint admissible and thereby decided, ex officio, to investigate and rule on the case, as it is empowered to do so according to Art. 15/1 of the Law.

The takeaway on the admissibility of the complaint filed before the Authority is:

  • The application of the Law on the Regulation of Electronic Trading no. 6563 does not exclude the application of the Law to the extent the case involves processing personal data.
  • It is within the remit of the Authority to assess and to decide on the case in the matter of processing personal data.

On "explicit consent" and "automatic consent"

The Authority considers that no "explicit consent" has been obtained for processing personal data for the purpose of sending communications of commercial nature because:

  • At the initial phase of setting up the "user profile", when entering the personal data to become a member, no such consent has been secured.
  • Likewise, after the membership phase is completed, no such consent has been obtained while setting up the "user account" either: under the tab "communication preferences" in the "General Settings" the notice "e-mails are currently sent to the e-mail address..." appears; clicking the tab "Promotion e-mails" brings up the notice "choose all the categories of communications you wish to be informed about", followed by the headings of 10 categories as previously clicked, and the screen ends with the notice "please stop sending me marketing e-mails".

The Law requires under the heading Definitions in Art. 3/1-a that "explicit consent" should concern "a specific subject" and be "freely-given" on the basis of the "information provided". In other words, "explicit consent" should be informed, specific and freely given, which taken together imply "intended consent". Within the meaning of the law "automatic consents" are not acceptable.

In the present case for securing consent the "opt-out" system has been used whereby the person is deemed to give her/his consent "automatically" to the processing of her/his data and in which the system does not allow withdrawing the consent.

Instead, the "opt-in" system must have been used to enable the person to give her/his consent knowingly to the processing of her/his data. 

In this regard the assertion of AMAZON that, by confirming and approving the "Privacy Notice", the person acknowledges and accepts the processing of her/his data cannot be accepted for the following reasons:

  • No "explicit consent" has been obtained at the initial phase of setting up membership.
  • Even though the "Privacy Notice" gives the impression that "explicit consent" has been duly secured, in fact this is not so because: 
    • where there are grounds for processing personal data without "explicit consent", soliciting such consent is deemed an act against the rules of bona fides (fairness).
    • where "explicit consent" is required, providing information and securing consent together is not admitted as it constitutes a breach of the Law. The "Communiqué on Principles and Procedures to Be Followed in Fulfillment of The Obligation to Inform" expressly provides under Art. 5/1-f that the duty of information and securing consent must be performed separately.

The Authority considers that the information contained in the "Privacy Notice" is of "general nature" which, even though provides information regarding many aspects of processing of personal data, is not deemed appropriate for the purpose of securing "explicit consent" for processing personal data.

The decision of the Authority on "explicit consent" is that:

  • No "explicit consent" has been obtained for processing personal data for the purpose of sending out communications of commercial nature. 
  • "Automatic consent" is not admitted as it does not meet the legal requirements.
  • There are no other grounds for processing personal data other than "explicit consent".
  • As data protector, AMAZON is in breach of Art. 12 of the Law for failing to fulfill its obligation to take the necessary "technical and administrative measures" to provide the appropriate level of security in order to prevent unlawful processing of personal data.

The takeaway on "explicit consent" is:

  • At the initial phase of setting up the membership profile and user account no "explicit consent" is obtained. 
  • Obtaining "automatic consent" is not admitted.
  • The "Privacy Notice", considered to be of "general nature" and various notices appearing under said initial phase of setting up the membership profile and the user account are deemed inappropriate to secure "explicit consent". 
  • The "opt-out" system used for securing consent cannot be admitted as it does not meet the legal requirements. The "opt-in" system must be used in its place.

On the duty of information for the purpose to secure "explicit consent"

Against the data controller's assertion that "Privacy Notice" aims and serves the dual purpose of seeking "explicit consent" while it provides information for such purpose, the Authority considers that this is not so since providing information and securing consent together is not legally admitted and need to be performed independently and separately. For personal data processing requiring "explicit consent", providing information for such purpose and obtaining "explicit consent" together does not comply with Art. 5/1-f of the "Communiqué on Principles and Procedures to Be Followed in Fulfillment of The Obligation to Inform."

In assessing this point the Authority further considered that, in cases where there are grounds for processing personal data other than "explicit consent", soliciting such consent would be deemed "deceitful and misleading thereby abusive use of right" and would constitute an act against the rules of bona fides (fairness), implying that in such cases the "Privacy Notice" may be in breach of the Law.

Furthermore, the Authority considers that the data controller's "Privacy Notice", while providing a lot of information of general nature about data processing, does not provide appropriate information to fulfill the obligation to inform data subjects on processing of their personal data for the purpose to obtain their "explicit consent".

The takeaway on fulfilling the obligation to inform and obtaining "explicit consent" independently and separately is:

  • In cases where personal data is processed on the basis of "explicit consent", procedures relating to the obligation to inform and to obtaining "explicit consent" should be performed independently and separately.

On imposing "explicit consent" as a condition of membership or provision of service

In accordance with Article 4/2 of the Law, the following principles shall be complied with for processing personal data:

  • processing shall be lawful and in conformity with rules of bona fides (fairness)
  • processing purposes are to be specific, explicit and legitimate 
  • processing is to be relevant with, limited to and proportionate to the purpose.

In "Privacy Notice", the data controller states that "You may choose not to provide certain information, but in this case you will not be able to use most of the Amazon Services." or "If you block or refuse our cookies, you cannot add products to your shopping cart, go to purchasing stage or use any Amazon service that requires you to sign in". 

The decision of the Authority is that imposing "explicit consent" as a condition of membership or provision of service harms "explicit consent", thereby is contrary to the principle of lawfulness and to the rules of bona fides (fairness) for not being relevant with, limited to and proportionate to the purpose for processing personal data.

The takeaway on imposing "explicit consent" as a condition of membership or binding it to the provision of service is:

  • Such practice and conditions are not admitted for they are considered to harm "explicit consent" thereby to be unlawful and against the rules of bona fides (fairness) for not being relevant with, limited to and proportionate to the purposes for processing personal data.

On the relevancy, proportionality and limitedness of data processing

The data controller declares to collect the following: "name, address, phone number, payment information; age; location information; persons to whom purchases have been sent; contacts listed in 1-Click settings (including addresses and phone numbers); e-mail addresses of friends and others; the content of the evaluations and emails sent to the data controller; personal information and photos in the profile; pictures and videos stored in connection with Amazon services, identity and status information and documents; corporate and financial data; credit history information; VAT numbers."

Regarding the personal data of data subject's friends and other acquaintances the Authority has deemed that:

  • "Credit history information, status information, corporate and financial information" data of the concerned individual are not relevant with, proportionate and limited to the purpose, as the processing of such data should, at least, be predictable by the data subject or the concerned individual.
  • The information on the friends or other acquaintances of the data subject being personal data belonging to these individuals their data and e-mail addresses are processed without their "express consent."

The Authority ruled that AMAZON as the data controller has acted contrary to the legal requirements according to which processing of personal data is to be relevant with, limited to and proportionate to the purposes for which they are processed.

The takeaway on the relevancy, proportionality and limitedness of data processing is:

  • The data controller can only process personal data, which is relevant with, limited to and proportionate to the purposes for which they are processed.
  • The data controller shall seek the consent of every data subject whose personal data it is collecting.

On the transfer of personal data to third persons

In "Privacy Notice" of the data controller, it is stated that "Except as provided above, when personal data about you is shared with third parties, you will receive a notification and you will have the option to choose not to share this data".

The Authority has noted that the data controller obtains consent of the data subject after the data is transferred whereas "explicit consent" needs to be obtained prior to the transfer or, at least, at the moment when the transfer takes place. The Authority considers that such practice of the data controller is a reverse interpretation of the Law.

As per Art. 8/2 and 8/3 of the Law, personal data may be transferred without seeking "explicit consent" of data subject:

  1. Upon the existence of one of the conditions provided in Art. 5/2 provided that adequate measures are taken,
  2. Upon the existence of one of the conditions provided in Art. 6/3, and
  3. Where the provisions of other laws allow transfer of personal data without "explicit consent"

Since personal data can be transferred without "explicit consent" of the data subject in above listed cases, it is considered that the data subject will not have the choice not to share his/her data in such cases. Additionally, it is uncertain what will happen to the transferred personal data if the data subject withdraws her/his consent after the transfer is realized.

The takeaway on transfer of the personal data is that:

  • "Explicit consent" must be obtained prior to the transfer or, at least, at the moment when the transfer takes place. 

On the transfer of personal data abroad and "blanket consent"

As per Art. 9/2 of the Law, personal data may be transferred abroad without "explicit consent" of the data subject provided that one of the conditions set forth in the second paragraph of Article 5 and the third paragraph of Article 6 exists to the extent

  1. sufficient protection is provided in the foreign country where the data is to be transferred, 
  2. where sufficient protection is not provided, the data controllers in Turkey and in the related foreign country guarantee sufficient protection in writing and the Board authorizes such transfer.

The data controller claims that the consent of the data subject is obtained when the data subject creates the user account by accepting the practices specified in the "Privacy Notice"; likewise, when a registered customer places an order via the website, he is reminded that the "Privacy Notice, Conditions of Use and Sale and Cookies Statement" have been accepted.

Against the assertion of AMAZON, as data protector, that consent has been obtained, the Authority rules that implied consent based on the "Privacy Notice" and other statements cannot be accepted as "explicit consent" within the meaning of the Law. The assumption that the issues in the "Privacy Notice" were accepted by using the services cannot be qualified and retained as "explicit consent". Within the meaning of the Law "explicit consent" is about giving consent to the processing of personal data, knowingly, with his own free-will or upon the request from the other party. "Explicit consent" shall enable the data subject to determine the limits, scope, duration for allowing processing her/his data. "Explicit consents" of general nature that are not specified or not limited to a specific processing are regarded as "blanket consent" and are deemed legally invalid.

Approval of all actions that fall within the scope of "data processing" (monitoring, transfer, share, storage, etc. with cookies) with a single statement of consent is considered to be unlawful.

The takeaway on transfer of personal data abroad is:

  • The data controller must obtain the "explicit consent" of the data subject on the transfer of personal data abroad.
  • "Explicit consents" of general nature, the so-called "blanket consents" are legally invalid. 
  • "Explicit consent" should be limited to specific processing activity. 
  • "Explicit consent" cannot be implied and assumed as of the "Privacy Notice" or other statements in the website.  

On data controller's duty of information

The Authority notes, as it is understood from the "Cookies Statement", that the data processing starts simultaneously with the visit of data controller's website. At the access to its website AMAZON, as data controller, does not provide any information (e.g. pop-up messages) about the processing of personal data with different tools (e.g. cookies) and also does not request consent to such processing (e.g. "to continue browsing our site, you must approve our cookie notice").

In order to start data processing with the website visit, the obligation to inform must firstly be fulfilled, at the moment, when the website is accessed.

The Authority deems that by visiting the website, the data subject cannot be considered to have formed and declared "explicit consent" to the processing of his/her personal data since it is still uncertain whether a person who visits the website for the first time would enter into a contractual relationship with the data controller, or whether he/she will come to form an "explicit consent" to the processing of his/her personal data.

This situation is in breach of both the requirement of "explicit consent" in the processing of personal data and of the obligation to inform for such purpose.

The takeaway regarding data controller's duty to inform is:

  • The data controller shall inform the data subject of the data processing of his/her data with a view to secure her/his "explicit consent" prior to commencing the processing.

The points to take away from the Decision of the Authority

Taken together, the following points to take away from the Decision may have far reaching effects for firms operating on the internet such as social media, shopping, trading etc. to the extent their operational model shows similarities with that of AMAZON, as data controller.

In the present case the Authority retains that the operational model of AMAZON, as data controller, is wanting and does not meet the requirements of the Law on critical points such as "obligation to adequately inform the data subject", "absence of explicit consent" for "processing personal data", for "transferring personal data to third persons", for "transferring personal data out of the country". The Authority retains that whether in the initial phase of setting up the membership profile and the user account or at the subsequent stage of "shopping" the legal requirements of providing adequate information and of obtaining "explicit consent" have not been met. As a result, the Authority ordered AMAZON to review and bring its operational model in line with the Law.

  • The application of the Law on the Regulation of Electronic Trading no. 6563 does not exclude the application of the Law to the extent the case involves processing personal data.
  • It is within the remit of the Authority to assess and to decide on the case in the matter of processing personal data.
  • At the initial phase of setting up the membership profile and user account no "explicit consent" is obtained. 
  • The data subject should be able to choose the type of personal data he/she allows the data controller to process with an informed act. 
  • "Automatic consent" in which the types of personal data are opted-out, automatically, does not fulfill the conditions of "explicit consent" ("informed", "freely-given", "specific" otherwise meaning "intended consent").
  • The "Privacy Notice", considered to be of "general nature" and various notices appearing under said initial phase of setting up the membership profile and the user account are deemed inappropriate to secure "explicit consent". 
  • The "opt-out" system used for securing consent cannot be admitted as it does not meet the legal requirements. The "opt-in" system must be used in its place.
  • In cases where personal data is processed on the basis of "explicit consent", procedures relating to the obligation to inform and to obtaining "explicit consent" should be performed independently and separately.
  • Imposing "explicit consent" as a condition of membership or provision of service harms "explicit consent" and is thereby unlawful and against the rules of bona fides for not being relevant with, limited to and proportionate to the purposes for processing personal data.
  • The data controller can only process personal data, which is relevant with, limited to and proportionate to the purposes for which they are processed.
  • The data controller shall seek the consent of every data subject whose personal data it is collecting. 
  • "Explicit consent" must be obtained prior to the data transfer or, at least, at the moment when the transfer takes place. 
  • The data controller must obtain the "explicit consent" of the data subject for the transfer of personal data abroad.
  • "Explicit consents" of general nature, the so-called "blanket consents" are legally invalid. 
  • "Explicit consent" should be limited to specific processing activity.
  • "Explicit consent" cannot be implied and assumed as of the "Privacy Notice" or other statements in the website. 
  • The data controller shall inform the data subject of the data processing of his/her data with a view to secure her/his "explicit consent" prior to commencing the processing.

On the basis of the above grounds, the Authority 

  1. fined AMAZON with a total of TL 1,200,000 and 
  2. ordered AMAZON to review/change its website and practices to comply with the Law by reviewing/changing the personal data processing processes and the texts and various notices destined to the clients' attention/approval such as "Privacy Notice", "Conditions of Use and Sale", and "Cookies Statement".
