Reading Mode

Turkish Personal Data Protection Board Fines Amazon Turkey

13 May, 2020

Turkish Personal Data Protection Board’s (“Board”), in its decision numbered 2020/173 dated February 27, 2020 (“Decision 2020/173”), imposed fines on Amazon Turkey due to Amazon Turkey’s bundled privacy policy, opt-out system, and international data transfers procedures which are not in compliance with the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”). Some significant points such as the jurisdiction of the Board on regulations of electronic commercial communications in Turkey or international data transfer issues were handled in this decision.

Opt-out Methods Are Inadmissible

Despite Amazon Turkey’s claims stating that all users accept the website’s terms and privacy policy indicating that they consent for direct marketing as they sign up to the website, thus they are entitled to opt-out from commercial messages, the Board stated that opportunity to opt-out of the processing is incompatible with the definition of explicit consent as stipulated under the Article 3 of the Law No. 6698. Consequently, data controllers are required to provide opt-in systems that enables data subjects to consent via their active actions.

Breach of International Data Transfer Rules

Since the Law No. 6698 came into force, there has been many disputes and challenges regarding the Law No. 6698 and its international data transfer rules. As mentioned in our previous posts regarding international data transfer rules of the Law No. 6698 (http://herdem.av.tr/turkeys-data-protection-authority-ruled-on-using-googles-g-mail-services), there was a dead-end which was resulting explicit consent of data subject to be only functional legal basis that can lawfully provide an international data transfer. By virtue of some other remedies provided by the Board such as data exporter-importer commitments (http://herdem.av.tr/turkish-data-protection-authority-highlights-crucial-points-regarding-turkish-standard-contractual-clauses-for-international-data-transfers) or binding corporate rules (http://herdem.av.tr/binding-corporate-rules-for-international-transfer-of-data), there are other alternatives to the explicit consent currently, yet, their functionality is questionable.

In light of such conflicts, no fines had been imposed by the Board for not complying with the international data transfer rules of the Law No. 6698 until the Decision 2020/173. The Board penalized Amazon Turkey for not complying with the international data transfer rules, hence such transfer was not based on duly obtained explicit consent, or adequate level of protection for transfer was not provided.

What’s Significant Regarding Electronic Commercial Communication?

In its previous decisions, the Board has contended that the existence of a specific legislation regulating the electronic commercial communication shall not be construed as if electronic commercial communications are exempted from the Law No. 6698.

In the Decision 2020/173, the Board underlines and maintains its approach on electronic commercial communications that even though there is a separate legislation for e-commerce in Turkey, electronic commercial communications include data processing by their natures, therefore, such communications have to be in compliance with the Law No. 6698. With such perspective, the Board states that it has authority to decide on and penalize regarding electronic commercial communications without any legal basis under the Law No. 6698. In this regard, the Board fined Amazon Turkey due to its electronic commercial communication activities without a legal basis under the Law No. 6698.

Background of Electronic Commercial Communication and Data Protection Conflicts

Electronic commercial communication regulations are regulated under the Regulation of Electronic Commerce Law dated November 5, 2014 numbered 6563 (“Law No. 6563”) with the Regulation on Commercial Communication and Electronic Commercial Messages dated July 15, 2017 (“Regulation on Commercial Communication”).

The Regulation on Commercial Communication stipulates that service providers have to obtain the individuals’ permissions to send them electronic commercial messages. Such permission has to be obtained and retained in line with the rules of the Regulation on Commercial Communication and the Ministry of Trade is entitled to implement the requirements of such legislation. Where a service provider does not obtain the permission to send electronic commercial messages duly, it shall be penalized under such regulations. On the other hand, the Board also considers such unsolicited commercial messages as an unlawful data processing, unless the explicit consent of the data subject is obtained, or any other legal basis is applicable.

In this respect, as stated in the Decision 2020/173 Amazon Turkey claimed that the Ministry of Trade has jurisdiction to conclude such complaints on electronic commercial messages, not the Board. However, the Board stated that this complaint was directed from the Ministry of Trade to the Board for an assessment regarding data protection regulations.

Other Neglected Rules of Obligation to Inform

Pursuant to the Communique on Principles and Procedures to be followed in Fulfillment of the Obligation to Inform, in cases where the data processing is based on the data subject’s explicit consent, data controllers are required to provide necessary information and explicit consent forms to data subjects separately.  However, such regulation is generally neglected by data controllers in Turkey.

Accordingly, Amazon Turkey have bundled its so-called explicit consent statement and privacy notice which contains abroad scale of personal data together. The Board underlined that consent forms and privacy notices are to be provided separately.

Moreover, the Board also stated that personal data provided in Amazon Turkey’s privacy notice is not foreseeable for the user and not in compliance with the principle of processing personal data which is relevant with, limited to, and proportionality.

As stated in the Decision 2020/173, Amazon Turkey’s privacy notice was also misleading regarding the legal basis of the data processing which is necessary for entering into or performance of a contract. Despite of the fact that such processing shall be made without the explicit consent of data subjects pursuant to the Article 5(2)(c) of the Law No. 6698, Amazon Turkey’s privacy notice was stating that all data processing was based on the user’s explicit consent misleadingly.

Lastly, the Board stated that information and consent options regarding cookies which process personal data regarding the website visits has to be provided to data subjects when they enter the website with pop-up platforms. Yet, the Board did not argue any issues regarding different types of cookies.

Author: Aslı Naz Ünlü

Recent Articles & Updates

Significant Impediment in Telecommunication: Recent decision of the General Court of the European Union

04 June, 2020 yesterday

Government Controlled Public Companies Exempted from Several Merger Regulations in Turkey

02 June, 2020 3 days ago

Personalized Medical Devices: Custom-made Medical Devices under Turkish Law

01 June, 2020 4 days ago

Government Aids for Airlines from IATA’s Standpoint: Liability or Relief ?

01 June, 2020 4 days ago

Special Report on Aviation: The Effect of the COVID-19 on Aviation Industry, Special Focus on Turkey

01 June, 2020 4 days ago

Data Transfer and COVID-19: Applicable Derogations

31 May, 2020 5 days ago

Legal Aspects of 3D Printing Intellectual Property Domains

31 May, 2020 5 days ago

Classified or Confidential Information: Entering into a Contract with State-Owned Enterprises and Turkish Armed Forces Foundation Companies

29 May, 2020 7 days ago

Non-Price Element Application in Negotiated Electronic Tendering Procedure

27 May, 2020 a week ago

E-Call and Automotive Industry: General Safety Regulations 2019/2144 of EU and Turkey

27 May, 2020 a week ago