Sun, Sep
66 New Articles

Turkish Data Protection Authority’s Draft Guidelines on Cookies

Turkish Data Protection Authority’s Draft Guidelines on Cookies

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Turkish Data Protection Authority (“DPA”) has published Draft Guidelines on Cookies (“the Draft Guidelines”) on January 11, 2022, providing explanations on cookies and practical advices for data controllers who process personal data through the use of cookies.

The Draft Guidelines mainly provides an introductory note on the definition of cookies and provides information as to the types of cookies. Upon providing a general definition of cookies, it categorizes cookies based on (i) timeframe (i.e. session cookies, permanent cookies), (ii) purpose (i.e. mandatory cookies, functional cookies, performance–analytical cookies, ad/marketing cookies), (iii) parties (i.e. first party cookies, third party cookies.) 

DPA further assesses the legal basis on the application of the Law No. 6698 on Protection of Personal Data (“DPL”) for processing of personal data through the use of cookies. Even though cookies are not explicitly regulated under the DPL, DPA concludes that Article 51 (3) of Law No. 5809 on Electronic Communications (“Electronic Communications Law”) applies to data controller operators, but does not explicitly apply to “information society services” (which are explicitly regulated in Article 5 (3) of the 2002/58/EC of the European Parliament (“Directive 2002/58/EC”). Therefore, DPA deduces that as Electronic Communications Law does not regulate information society services, DPL applies to processing of personal data through the use of cookies.

In the fourth section of the Draft Guidelines, the DPA elaborates on the conditions that need to be taken into consideration regarding cookies. Draft Guidelines state that personal data may be processed by the use of cookies if, (i) explicit consent is obtained, or (ii) if one of the conditions set forth in Article 5 or Article 6 of the DPL exists. It also recommends that a balancing test should be performed if “legitimate interest of data controller” is the sole basis for data processing, and that when performing such test, the two-fold European Union Criteria are recommended to be taken into account.

In the following sections, the DPA gives some use cases that do and do not require explicit consent. Accordingly, the Draft Guidelines lists the following types of cookies as the ones which do not require explicit consent: (i) cookies created as a result of users signing in and creating submission forms (i.e. when picking items to fill out an online-shopping basket), (ii) cookies that form as a result of identification verification tools, (iii) cookies created by the user’s security preferences, (iv) multimedia player session cookies, (v) cookies that help with network load balancing, (vi) cookies created by user interface personalization, (vii) add-on content for social networking such as liking, sharing, commenting on posts, (viii) cookies used for managing the explicit consent platform, (ix) first-party analytical cookies, and (ix) cookies used for security of the website.

The scenarios which do require explicit consent are listed as (i) social tracing add-ons (such as those used for marketing and behavioral or analytical research tools); (ii) online behavioral advertising cookies.

Furthermore, the Draft Guidelines elucidates the elements that must exist in lawfully obtained consent. Accordingly, a lawful consent must be (i) related to a definite subject; (ii) based on being informed; (iii) expressed with free will.  

Moreover, the Draft Guidelines mentions parties’ liability and notes that some websites may utilize “Cookie Walls” (i.e. if the user does not accept the collection of all cookies, the user is prevented from using the website). The Draft Guidelines concludes that a case-by-case evaluation must be made to determine whether such cookie-walls hinder explicit consent; however use of alternative options to cookie walls would be recommendable.

In the eighth section, the Draft Guidelines sets out how obligation to inform should be duly fulfilled before personal data is processed by cookies. By referencing Article 5 of the Communique on Procedures and Principles on Providing Explicit Consent and Article 10 of the DPL, it states that information notice should be clear, plain and easily accessible, and the methods that make it difficult for the data subjects to access it should not be used. Draft Guidelines also states that when a person visits a website for the first time, an information notice on cookies should be provided (e.g. through pop-up messages). It also recommends that the name and purpose of cookies along with the usage period of cookies and information on whether there is a first or third party exists should be included in the information notice.

In the ninth section, the Draft Guidelines cites the decision dated February 27, 2020 with number 2020/173 of the DPA, as an example of how DPA has previously decided in a case which involved the collection of cookies by a website.

Finally, the Appendix section of the Draft Guidelines includes documents for practical use such as “Check List for Use of Cookies”, good and bad examples regarding cookies, and a sample information notice.

As a side note, DPA makes it clear that the Guidelines on Cookies are published as a “draft” version, and welcomes opinions and evaluations from relevant parties in writing or by e-mail messages (çThis email address is being protected from spambots. You need JavaScript enabled to view it.) until February 10, 2022. 

By Gonenc Gurkaynak, Partner, Ceren Yildiz, Partner, Noyan Utkan, Associate, and Gamze Yalcin, Associate, ELIG Gürkaynak Attorneys-at-Law

Turkey Knowledge Partner

NAZALI offers a broad range of services in the fields of Tax, Audit, Corporate and Commercial Law, Mergers & Acquisitions, Corporate Finance, Banking, Finance and Capital Markets, Protective Legal Services and Dispute Resolution, Personal Data Protection and Privacy, Social Security and Labor Law, Occupational Health and Safety, Competition Law, Intellectual Property Law and R&D, Compliance and White-Collar Crimes, Administrative Law, Real Estate Law, Customs and Foreign Trade, Accounting and Payroll, Financial Incentives and Advisory Services and Public Administration and Compliance through its partners, associates and consultants of different seniorities who have both public and private sector experience.

What sets NAZALI apart from others is that NAZALI offers a truly comprehensive service to its clients with experts from different disciplines working collaboratively as a team under one roof enabling us to evaluate all dimensions of legal matters together with financial and technical matters.

The services that NAZALI provides to its clients include the most appropriate solution with the support of technical departments specialized in their fields. In this context, NAZALI associates are supported by NAZALI technical team and work alongside the experts in the fields of finance, social security and customs matters. NAZALI has set out with the aim of providing the most efficient and comprehensive solution for its clients by adapting to the developing conditions and happily gained the trust of its clients by never compromising the quality of service.

As conditions continuously evolve, NAZALI always aims to further itself remaining true to its motto “GROW WITH KNOWLEDGE” and has set out with the aim of providing the most efficient and comprehensive solution for its clients by adapting to the developing conditions and happily gained the trust of its clients by never compromising the quality of service.

Firm's website: http://www.nazali.com

Our Latest Issue