Guide Yourself to Explicit Consent: Article 29 Working Party’s Updated Opinion

I. Introduction

The Working Party on the Protection of Individuals with regard to the Processing of Personal Data ("Working Party"), which is established as per Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 ("EU Directive"), updated its opinion on consent under the General Data Protection Regulation ("GDPR"), which will be effective on May 28, 2018.

The GDPR evolved the concept of consent under the EU Directive and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector ("E-privacy Directive") by providing further clarification and specification of the requirements for obtaining and demonstrating valid consent. The Working Party's opinion of November 28, 2017 mainly focuses on this evolution and sheds more light on the EU Directive - GDPR - Turkish Data Protection Law ("Law No. 6698") triangle. Law No. 6698 is based on the EU Directive, whereas its consent-related provision for processing personal data is adopted from the GDPR. Hence, the updated opinion answers most of the questions raised by Turkish companies during their compliance processes.

II. Elements of Valid Consent

Article 4(11) of the GDPR defines consent as: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

According to this provision, the consent of the data subject means any (i) freely given, (ii) specific, (iii) informed and (iv) unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

(i) The Consent Must be Freely Given

The Working Party stated in its opinion that consent will not be considered "free" if the data subject is unable to refuse his or her consent, and that it can only be valid if the data subject is able to exercise a real choice. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. The Working Party also mentioned that the imbalance between the data subject and the controller (which mostly occurs where the data controller is a public authority or where the data subject is an employee) is also taken into consideration by the GDPR.

Article 7(4) of the GDPR plays an important role in determining whether consent is freely given or not. According to this article, when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. With this provision, the GDPR aims to narrow the term "the performance of a contract". The Working Party states that there needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract (e.g. processing the address of the data subject in order to deliver the goods which were purchased online).

The Working Party also mentions the term "granularity" when determining the existence of freely given consent. In cases where a service involves multiple processing operations for more than one purpose, the data subjects should be free to choose which purpose they accept. Therefore, several consents may be warranted for each purpose. In other words, consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of these purposes.

For example, a company asks its customers to give their consent to receive its campaigns and promotions by e-mail and, at the same time, to share their personal data with other companies within its group. According to the GDPR, this consent cannot be considered granular since there are no separate consents for these two separate purposes. Therefore, the consent will not be valid.

According to the GDPR, the data controller also needs to demonstrate that the data subject is free to refuse or withdraw consent without detriment and it should be able to prove that the data subject has a free or genuine choice on giving consent.

(ii) The Consent Must be Specific:

According to the Working Party, to comply with the element "specific" which is stated in the definition of "consent" under the GDPR, the data controller must apply the following:

a. If a data controller processes data based on consent and intends to process the data for a new purpose, the data controller needs to obtain a new consent from the data subject for the new processing purpose. The original consent will not legitimize new purposes for processing.

b. If the data controller seeks consent for various different purposes, it should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.

c. The data controllers should provide specific information regarding each separate consent request about the data in order to make data subjects aware of the impact of the different choices that they have.

(iii) The Data Subject Must be Informed:

According to the Working Party, it is essential to provide information to data subjects before obtaining their consent since it will enable them to make informed decisions, understand what they are giving consent to, and exercise their rights regarding their consent. The Working Party listed the minimum information required for obtaining valid consent in terms of GDPR. These are:

a. the identity of the data controller,

b. the purpose of each of the processing operations for which consent is sought,

c. the type of data which will be collected and used by the data controller,

d. the existence of the right to withdraw consent,

e. information about the use of the data for decisions based solely on automated processing,

f. if the consent relates to data transfers, information about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.

Even though most of the information listed above was also included in the EU Directive, the GDPR expands the information that should be provided to the data subject by stating that the data controller should also inform the data subject that he/she can withdraw his/her consent. This requirement was not included in the EU Directive.

Similar to the EU Directive, the GDPR also does not require a certain form or shape of such information. Hence, the valid information may be provided in various ways (e.g. in writing, orally, via audio or video messages). However, the GDPR also brings higher standards for the clarity and accessibility of the information. Accordingly, the Working Party stated that the data controller should use clear and plain language which can be easily understood by an average person. The Working Party does not allow long illegible privacy policies or statements full of legal jargon.

(iv) Unambiguous Indication of the Data Subject's Wishes

The Working Party exemplifies Article 7(2) of the GDPR, which addresses pre-formulated written declarations of consent. According to the Working Party, when consent is requested as part of a contract, the request for consent should be clearly distinguishable from the other matters. Also, if consent is requested by electronic means, the consent request has to be separate and distinct; it cannot simply be a paragraph within terms and conditions. This is especially important for e-commerce websites, along with many other online platforms and other real and legal persons processing personal data. That means no more incorporating data protection clauses into Terms & Conditions or into employment contracts. The principle of being "clearly distinguishable" is also linked with being "freely given". For instance, if consent is indistinguishable and incorporated into an agreement along with many other provisions, the data subject cannot consent freely and separately but can only sign the agreement as a whole.

The EU Directive described consent as an "indication of wishes by which the data subject signifies his agreement to personal data relating to him being processed". The GDPR expands this definition by clarifying that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action, which means that the data subject must have taken a deliberate action to consent to the particular processing.

The GDPR also brings new requirements for the data controllers regarding the explicit consent they obtain. According to Article 7 of the GDPR, the data controller is obliged to demonstrate the data subject's consent. The same provision also states that the data controller must ensure that consent can be withdrawn by the data subject as easily as it was given and at any given time.

III. Reflections of Article 29 Working Party's Updated Opinion to Turkish Personal Data Legislation

Law No. 6698 is based on the EU Directive which is currently in force. The obligations of data controllers and the rights of the data subjects set forth under Law No. 6698 are basically in line with the provisions under the EU Directive. Having said that, Law No. 6698 requires "explicit consent" of the data subjects for any kind of personal data processing, not only for sensitive personal data, which is in line with the GDPR. Accordingly, the Working Party's updated opinion for the GDPR may also guide Turkish businesses in terms of structuring their processes.

For instance, according to the GDPR, the data controller must be able to demonstrate that valid consent was obtained. Also, mechanisms for data subjects to withdraw their consent must be available and easy to apply, and the data controller must provide information on how to withdraw consent. Law No. 6698 also brings similar obligations to the data controllers.

Law No. 6698 is a separate and independent local regulation. However, it is likely that the Turkish Data Protection Board, which is the main authority on data protection related matters, would take the opinion of the Working Party as a basis while evaluating the convenience of the consent, as Law No. 6698 is mainly based on the EU legislation and the implementation in the EU is currently the primary source. The Turkish Data Protection Board has already published its guideline document on consents, and stated that umbrella consents will be invalid, which is in parallel with the "specific consent" principle in the EU. We expect that the opinion of the Turkish Data Protection Board will take shape in time by also taking into account the implementation in the EU. Data controllers may benefit from the Working Party's updated opinion for clarity on explicit consent and assess whether their current flow for consent needs updates.

Authors: Gönenç Gürkaynak, Esq., İlay Yılmaz and Noyan Utkan, ELIG, Attorneys-at-law

(First published by Mondaq on January 16, 2018)