In the last ten years, e-commerce has become the most important platform for today’s consumer habits and a major competitor to both retailers and their suppliers. As a result, many giant retailers are now directing their investments towards e-commerce activities.
Since e-commerce is rapidly becoming widespread in Turkey (as it is around the world), understanding the relationship between data privacy regulations and the e-commerce sector has become more important than ever in recent years.
Turkey’s Personal Data Protection Law (Law No. 6698, or the “Law”), which is similar to the GDPR, contains the framework for processing personal data in Turkey. And pursuant to the Law, the Data Protection Authority (the “Authority”) has started ex officio examinations of companies in various sectors.
Main Responsibilities of e-Commerce Companies Under The Data Privacy Law
Obtaining personal data clearly requires “explicit consent,” and under the Law, this explicit consent should be: (i) related to a specific topic, (ii) based on informative clarifications, and (iii) given freely. There is no specific requirement about how to obtain explicit consent, however; it can be given either as a statement or by a clear affirmative action. It is hoped that the Authority will clarify the rules about valid methods of obtaining this consent soon.
Companies engaged in e-commerce activities are responsible for complying with all obligations regulated under the Law. Under the Law, all companies must register with the Data Controller’s Registry System (VERBIS) before starting to process personal data. Companies which fail to do so may face severe sanctions.
The meaning of “explicit consent” in e-commerce remains under debate: e-commerce companies generally require their customers’ personal data before they render services to them, and it is unclear whether this practice satisfies the GDPR’s requirement that consent be given “freely.”
Sanctions that Companies Will Face If They Do Not Fulfill The Data Privacy Obligations
As mentioned above, the Authority carries out ex officio data protection examinations of e-commerce companies, and companies that do not fulfill their obligations may face penalties of up to TRY 1 million under Article 18 and Article 19 of the Law. Indeed, one of the most famous decisions by the Authority is the administrative fine of TRY 1.1 million it levied upon Facebook for failing to take the necessary administrative and technical measures to prevent a data breach and failing to comply with the data security obligations, and an additional administrative fine of TRY 550,000 for its failure to make necessary notifications following the data breach.
The obligations of companies regarding the protection and processing of personal data are changing and increasing within the scope of both the GDPR and Turkey’s Law No. 6698. Increasing personal data breaches and cybercrimes are forcing the Authority to take control of e-commerce companies which obtain personal data and process it for profit or share it with third parties without the explicit consent of the data subjects.
By Nazli Sezer, Executive Partner, and Kaya Kayaoglu, Senior Associate, Sezer & Utkaner
This Article was originally published in Issue 6.8 of the CEE Legal Matters Magazine.