Turkish Personal Data Protection Board Fines Amazon Turkey13 May, 2020
Opt-out Methods Are Inadmissible
Breach of International Data Transfer Rules
Since the Law No. 6698 came into force, there has been many disputes and challenges regarding the Law No. 6698 and its international data transfer rules. As mentioned in our previous posts regarding international data transfer rules of the Law No. 6698 (http://herdem.av.tr/turkeys-data-protection-authority-ruled-on-using-googles-g-mail-services), there was a dead-end which was resulting explicit consent of data subject to be only functional legal basis that can lawfully provide an international data transfer. By virtue of some other remedies provided by the Board such as data exporter-importer commitments (http://herdem.av.tr/turkish-data-protection-authority-highlights-crucial-points-regarding-turkish-standard-contractual-clauses-for-international-data-transfers) or binding corporate rules (http://herdem.av.tr/binding-corporate-rules-for-international-transfer-of-data), there are other alternatives to the explicit consent currently, yet, their functionality is questionable.
In light of such conflicts, no fines had been imposed by the Board for not complying with the international data transfer rules of the Law No. 6698 until the Decision 2020/173. The Board penalized Amazon Turkey for not complying with the international data transfer rules, hence such transfer was not based on duly obtained explicit consent, or adequate level of protection for transfer was not provided.
What’s Significant Regarding Electronic Commercial Communication?
In its previous decisions, the Board has contended that the existence of a specific legislation regulating the electronic commercial communication shall not be construed as if electronic commercial communications are exempted from the Law No. 6698.
In the Decision 2020/173, the Board underlines and maintains its approach on electronic commercial communications that even though there is a separate legislation for e-commerce in Turkey, electronic commercial communications include data processing by their natures, therefore, such communications have to be in compliance with the Law No. 6698. With such perspective, the Board states that it has authority to decide on and penalize regarding electronic commercial communications without any legal basis under the Law No. 6698. In this regard, the Board fined Amazon Turkey due to its electronic commercial communication activities without a legal basis under the Law No. 6698.
Background of Electronic Commercial Communication and Data Protection Conflicts
Electronic commercial communication regulations are regulated under the Regulation of Electronic Commerce Law dated November 5, 2014 numbered 6563 (“Law No. 6563”) with the Regulation on Commercial Communication and Electronic Commercial Messages dated July 15, 2017 (“Regulation on Commercial Communication”).
The Regulation on Commercial Communication stipulates that service providers have to obtain the individuals’ permissions to send them electronic commercial messages. Such permission has to be obtained and retained in line with the rules of the Regulation on Commercial Communication and the Ministry of Trade is entitled to implement the requirements of such legislation. Where a service provider does not obtain the permission to send electronic commercial messages duly, it shall be penalized under such regulations. On the other hand, the Board also considers such unsolicited commercial messages as an unlawful data processing, unless the explicit consent of the data subject is obtained, or any other legal basis is applicable.
In this respect, as stated in the Decision 2020/173 Amazon Turkey claimed that the Ministry of Trade has jurisdiction to conclude such complaints on electronic commercial messages, not the Board. However, the Board stated that this complaint was directed from the Ministry of Trade to the Board for an assessment regarding data protection regulations.
Other Neglected Rules of Obligation to Inform
Pursuant to the Communique on Principles and Procedures to be followed in Fulfillment of the Obligation to Inform, in cases where the data processing is based on the data subject’s explicit consent, data controllers are required to provide necessary information and explicit consent forms to data subjects separately. However, such regulation is generally neglected by data controllers in Turkey.
Accordingly, Amazon Turkey have bundled its so-called explicit consent statement and privacy notice which contains abroad scale of personal data together. The Board underlined that consent forms and privacy notices are to be provided separately.
Moreover, the Board also stated that personal data provided in Amazon Turkey’s privacy notice is not foreseeable for the user and not in compliance with the principle of processing personal data which is relevant with, limited to, and proportionality.
As stated in the Decision 2020/173, Amazon Turkey’s privacy notice was also misleading regarding the legal basis of the data processing which is necessary for entering into or performance of a contract. Despite of the fact that such processing shall be made without the explicit consent of data subjects pursuant to the Article 5(2)(c) of the Law No. 6698, Amazon Turkey’s privacy notice was stating that all data processing was based on the user’s explicit consent misleadingly.
Lastly, the Board stated that information and consent options regarding cookies which process personal data regarding the website visits has to be provided to data subjects when they enter the website with pop-up platforms. Yet, the Board did not argue any issues regarding different types of cookies.
Author: Aslı Naz Ünlü