Wed, Feb
44 New Articles

Storing and Processing Personal Data for E-Commerce Companies Under Turkish Law

Storing and Processing Personal Data for E-Commerce Companies Under Turkish Law

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In the last ten years, e-commerce has become the most important platform of today’s consumer habits, becoming a major competitor to both retailers and their suppliers. As a result, many giant retailers are now directing their investments towards e-commerce activities.

Since e-commerce is rapidly becoming widespread in Turkey (as it is around the world), it is more important than ever to understand the relationship between data privacy regulations and the e-commerce sector in recent years.

Turkey’s Personal Data Protection Law (Law No. 6698, or the “Law”), which is similar to the GDPR, contains the framework for processing personal data in Turkey. And pursuant to the Law, the Data Protection Authority (the “Authority”) has started ex officio examinations of companies in various sectors. 

Main Responsibilities of e-Commerce Companies Under The Data Privacy Law

Obtaining personal data clearly requires “explicit consent,” and under the Law, this explicit consent should be: (i) related to a specific topic, (ii) based on informative clarifications, and (iii) given freely. There is no specific requirement about how to obtain explicit consent, however; it can be given either as a statement or by a clear affirmative action. It is hoped that the Authority will clarify the rules about valid methods of obtaining this consent soon.

Companies engaged in e-commerce activities are responsible for complying with all obligations regulated under the Law. Under the Law, all companies must register with the Data Controller’s Registry System (VERBIS) before starting to process personal data. Companies which fail to do so may face severe sanctions.

E-commerce companies must also obtain explicit consent from data subjects before processing their personal data. If they are unable to obtain this explicit consent, the data subjects’ personal information should be immediately anonymized or erased from the system completely. In addition, e-commerce companies that conduct online sales in the absence of a signed membership contract must, at the ordering stage, obtain explicit consent from the data subject with respect to the storing and processing of the customer’s personal data, except where storing the personal data is necessary for the e-commerce company in order to comply with the terms of the sale contract. Finally, even for the general use of the site, it will be necessary to inform users about and obtain their explicit consent for the use of cookies and the processing of personal data. 

The meaning of “explicit consent” in e-commerce remains in debate, as e-commerce companies generally require their customers’ personal data before they render services to them, but it is unclear whether this practice satisfies the GDPR’s requirement that consent be given “freely.”

Sanctions that Companies Will Face If They Do Not Fulfill The Data Privacy Obligations

As mentioned above, the Authority carries out ex officio data protection examinations of e-commerce companies, and companies that do not fulfill their obligations may face penalties of up to TRY 1 million under Article 18 and Article 19 of the Law. Indeed, one of the most famous decisions by the Authority is the administrative fine of TRY 1.1 million it levied upon Facebook for its failing to take the necessary administrative and technical measures to prevent a data breach and failing to comply with the data security obligations, and an additional administrative fine of TRY 550,000 for its failure to make necessary notifications following the data breach. 


The obligations of companies regarding the protection and processing of personal data are changing and increasing within the scope of both the GDPR and Turkey’s Law No. 6698. Increasing personal data breaches and cybercrimes are forcing the Authority to take control of e-commerce companies which obtain personal data and process it for profit or share it with third parties without the explicit consent of the data subjects

By Nazli Sezer, Executive Partner, and Kaya Kayaoglu, Senior Associate, Sezer & Utkaner

This Article was originally published in Issue 6.8 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Our Latest Issue