The Board states that there are several mistakes and deficiencies regarding obligation to inform repeated commonly by data controllers in Turkey. First of all, many privacy statements/notices do not include all basic information to be provided to data subjects within the scope of obligation to inform. Pursuant to the Article 10 of the Law No. 6698 “the identity of the data controller and its representative, the purposes for which personal data will be processed, to whom processed personal data may be transferred (the group or groups of recipients) and the purposes of such transfer, legal basis and method of the collection, and the right of data subjects” must be provided to the data subjects at the time of collection of the personal data. Yet, as confirmed by the Board many statements/notices lack such basic information and are not provided at the time of collection of the personal data or not provided at all.
When it comes to specifying purposes and legal basis of processing, merely addressing purposes or legal basis of processing does not fulfil the obligation to inform. However, the Board states that data controllers tend to use such terms in the same sense. Moreover, many statements/notices also do not cover the group or groups of recipients efficiently according to the Board. Data controllers have to identify to whom processed personal data may be transferred and provide such information under “the groups of recipients and the purposes of such transfer” section of their statements/notices to data subjects.
According to the Communique on Principles and Procedures to Be Followed in Fulfillment of the Obligation to Inform (“Communique”), if legal basis of processing is the explicit consent of data subject, fulfilment of the obligation to inform and obtaining explicit consent shall be performed separately. On contrary to such rule, many data controllers tend to fulfill their obligation to inform and obtain explicit consent by forcing data subjects to give their consents under a mandatory click box to proceed in relevant transactions. Such forced click boxes usually include general confirmation terms such as “I have been informed by the data controller and I give my consent to processing activities”. Even though such forced click boxes and statements are unlawful and problematic in many ways, they are very common among data controllers, especially the ones operate in the sector of e-commerce. In this respect, in the Announcement the Board reminds such rule and encourages data controllers to fulfill their obligation to inform and request explicit consent separately. Moreover, the Board underlines that such forced click boxes are unlawful.
Time of Informing and Accessibility
Pursuant to the Law No. 6698 and the Communique, data controllers have to fulfil their obligation to inform at the time of collection of personal data. Time of informing is also linked to the accessibility of statements/notices. Nowadays personal data is collected generally by electronic platforms provided in websites, apps, or other internet-based channels. Yet, privacy statements/notices are hidden in such platforms in a way that is not easily accessible for users and not provided at the time of collection of the personal data.
Regarding this issue the Board states that statements/notices should be easily accessible and noticeable in a way that does not complicate data subjects’ access to such texts. Moreover, data controllers should fulfil their obligation at the time of collection of personal data.
In regard to the accessibility, the WP 29 recommends that privacy statement/notices should be made available through a direct link to them which is clearly visible on each page of the website. Moreover, in regard to mobile applications, privacy statement/notices should be made available for users both before (through the online store in which such application is presented to users) and after (within such application in easily accessible form which is never more than “two taps away”) such application is downloaded (Article 29 Working Party, Guidelines on Transparency under Regulation 2016/679, wp260rev.01, April 11 2018, p. 8).
Data Have Not Been Obtained from Data Subject
Obligation to inform gets more complex and ignored when the data have not been obtained from the data subject. According to the Communique, in cases where the data have not been obtained from the data subject, data controllers have to fulfill their obligation within a reasonable time following the collection of the personal data. Especially, such obligation has to be fulfilled at first communication if personal data is to be used to communicate with the data subject and at the latest at the time of the first transfer if personal data is to be transferred. In the Announcement the Board reminds such obligations regarding the cases where the data have not been obtained from the data subject.
Similarly, the Regulation (EU) 2016/679 (“GDPR”) also regulates obligation to inform in cases where the data have not been obtained from the data subject, yet, it sets a definite time limit in which the information have to be provided in its Article 14. Under the GDPR, obligation to inform have to be fulfilled at the latest within one month. Accordingly, the WP 29 states that one month is the maximum time limit to provide necessary information in any cases (Article 29 Working Party, Ibid., p. 15).
In the Turkish Personal Data Protection Authority’s guideline on implementation of the obligation to inform, layered informing is defined as providing some basic information related to the data processing as the first layer prior to directing data subjects to the second layer which is the main statement/policy that covers all necessary information to be provided to data subjects as per the Article 10 of the Law No. 6698.
In the Announcement the Board states that if the obligation to inform will be fulfilled by layered informing, data controllers have to provide basic information (such as the identity of data controller and purposes of processing) through the first layer and ensure that the information provided in the second layer is merely limited to the subject data processing activity.
In this respect, the WP 29 recommends that the first layer should include the details of the purposes of processing, the identity of controller and a description of the data subject’s rights. Furthermore, the WP 29 underlines that first and second layer should be consistent and should not contradict with each other (Article 29 Working Party, Ibid., p. 19).
Vague and General Statements
According to the Communique, the purposes of processing to be provided to data subjects have to be specified, explicit and legitimate. Furthermore, expressions that are general, ambiguous or that may lead data subjects to form an opinion that their data may be further processed for possible purposes other than the ones provided should be avoided. Additionally, data controllers have to perform their informing activities by using intelligible, clear and plain language.
The Board states in the Announcement that clear and plain language should be used in statements/notices and data controllers especially should avoid general, vague, incomplete, and misleading terms. In the same sense, data controllers have to refer their specified, clear, legitimate purposes limited to the processing activity. In this respect, the WP 29 recommends that language qualifiers such as “may”, “might”, “some”, “often” and “possible” should be avoided by data controllers (Article 29 Working Party, Ibid., p. 9).
One for All Privacy Policies Do Not Fulfill the Obligation to Inform
Aslı Naz Ünlü