The Decision of the Personal Data Protection Board Regarding the Cookies
Because the Law on Protection of Personal Data No. 6698 (“Law”) contains no specific provision on the processing of personal data through cookies, the question arises of how this processing activity is to be carried out.
Recently, the Guideline on Cookie Practices published on the website of the Personal Data Protection Board (“Board”) clarified the processing of personal data through cookies for website operators. In addition, the Board's decisions have set out some principles on cookie processing policies. In this article, we examine the most recent decision of the Board regarding data processing activities carried out through cookies.
The following issues were briefly mentioned in the complaint petition which is the subject of the Board’s decision dated 10.03.2022 and numbered 2022/229, regarding the unlawful processing of personal data through cookies used on the website/mobile applications by the data controller company operating in the e-commerce sector:
In this regard, the Board was requested to take necessary action.
In the letter sent by the data controller to the Board upon the complaint of the data subject, the following issues were addressed:
As a result of its investigation, the Board emphasized that explicit consent of the data subject is not required for cookies needed for the proper functioning of a website, whereas the use of cookies for advertising, marketing, and performance purposes is subject to the explicit consent of the data subject. The Board further emphasized that cookies necessary for the proper functioning of the website are strictly necessary cookies, and that personal data may be processed through them on the basis of one of the data processing conditions in the Law without explicit consent; where personal data is processed through cookies that are not strictly necessary, explicit consent is required.
The Board stated that when the website is accessed, the data subject is directed to the Privacy and Personal Data Protection Policy and the Cookie Policy by a pop-up that appears in the corner of the page. However, it pointed out that there is no indication that the explicit consent of the data subject was obtained for cookies that are not strictly necessary. The Board therefore ordered the data controller to take the necessary technical and administrative measures and not to operate cookies other than strictly necessary cookies, namely functional cookies, performance-analytical cookies, and advertising/marketing cookies, without obtaining the explicit consent of the data subject. Additionally, the Board gave the data controller 30 days to establish the required system for obtaining explicit consent according to the ‘opt-in’ mechanism, and to update the Cookie Policy text on the website.
Authors: Bilge Derinbay, Hande Ülker Pehlivan