News
The Guidelines on Use of Cookies in Turkey
The Guidelines on Use of Cookies (the “Guidelines”) was published by the Personal Data Protection Authority (the “Authority”) on June 20, 2022 which outlines good practice examples to guide data controllers. The Guidelines explain principles on use of cookies for data controllers to process data on legal grounds, use appropriate privacy notices and obtain explicit consent from data subject legally if and when required.
Cookie Types
Cookies are defined as low-sized, rich-format texts that allow certain information about users to be stored on users' terminal devices when a website is visited.
In the Guidelines, types of cookies are divided into three categories according to their duration, intended purpose and parties.
i. Cookies according to their duration
a. Session Cookies:
Session cookies are called temporary cookies. When a user closes the internet browser, session cookies are deleted.
b. Persistent Cookies:
Persistent cookies are called tracking cookies. These cookies are not deleted when the user closes the internet browser. They are automatically deleted on a certain date. The processed data of user is transmitted to the server each time when the user visits a website.
ii. Cookies according to their intended purpose
a. Compulsory Cookies:
Compulsory cookies are mandatory not only for the website to work but also for fulfilling the information society services. Filling out forms and remembering privacy preferences and log-in to information society services can be given as examples.
b. Functional Cookies:
The purpose of functional cookies is to increase the function of use on the website.
c. Performance Cookies:
Performance cookies analyze the behavior of the users. Statistical measurement is figured out as a result of analysis. These metrics measure the impact of advertisements on relevant people.
d. Advertising/ Marketing Cookies:
Advertising cookies follow users’ online movements on the internet. Their target is to offer the advertisements to users based on their interests. Behavioral advertising is the most important type of advertising for the advertiser because it allows profiling of the target people.
iii. Cookies according to the parties
These cookies are determined by whether being placed by the URL or not.
Personal Data Protection Law numbered 6698 (“PDPL”) applies to Cookies
Although cookies are not explicitly regulated within the scope of PDPL, it is clear that PDPL applies for information society services, and analysis were made regarding cookies first with the Board decision dated 27.02.2020 and numbered 2020/173 (Amazon Turkey decision).
Legal Grounds for Cookies
The Guidelines announced by the Turkish Data Protection Authority outlines certain criteria that data controllers must consider while processing data within the scope of PDPL shed a light on the use of cookies in Turkey. There are two main criteria envisaged under the Guidelines:
Criteria A: The use of cookies is for providing communication over the electronic communication network.
Criteria B: The use of cookies is strictly necessary for the information society services that the user explicitly requests to receive the service.
General principles of Articles 5 and 6 of the PDPL apply while processing personal data when cookies are used.
The scope of Criteria A and B must also be taken into consideration when the processing condition is based on "legitimate interest" within the scope of Article 5/2/f of PDPL. A balance test should be applied by comparing the fundamental rights and freedoms with the legitimate interest of the data controller and the existence of a legitimate interest must be evaluated.
Use of Cookies Without Explicit Consent
User Input Cookies (Criteria B): These cookies track users' inputs and transmit them to the service provider. These cookies are first-party cookies and expire when the session ends. Typically, these cookies track the user as they fill the shopping cart and keep records of the products the user selects by clicking the button.
Authentication Cookies (Criteria B): These cookies are used to identify the user and created to prevent users from re-entering their names and passwords on every page request when they log into their accounts.
User Centric Security Cookies (Criteria B): Criteria B may be applied to cookies used to increase the security of a service explicitly requested by the user. User security cookies are expected to have a longer lifetime than log-in cookies which expire at session expiration to fulfill security purposes.
Multimedia Player Session Cookies (Criteria B): These cookies, which are also known as flash cookies, store the technical data needed to replay video or audio content until the session ends. When the user wants to access video or text content, they are considered within the scope of Criteria B since the user explicitly requests the service.
User Interface Personalization Cookies (Criteria B): These cookies are placed to remember service preferences with the explicit request of the user. The aim of these cookies is personalization, and their validity may change according to their purpose. For instance, on a multilingual website, a language preference cookie is used to remember which language option has been selected by the user.
Social Plug-in Content Sharing (like, share, comment) Cookies (Criteria B): Social plug-in modules allow social network users to share their favorite content and comments with their friends. When members of the social networks interact with the plugins, cookies are stored for the identification of the members of the social network. Criteria B does not apply to non-members of the social network or members of the social network that have logged out of their account. These cookies have to be session cookies and are recommended to expire with session.
Cookies Used for the Explicit Consent Management Platform (Criteria B): It is thought that the cookies used to remember the explicit consent for the preferences subject to explicit consent for a certain period of time on the web pages entered by the relevant people does not require an explicit consent.
First-Party Analytics Cookies (Criteria B): These cookies are required to provide the service. Considering that the use of website or application for the operation and daily management is related to the requested service, it is thought that first-party analytics can be considered within the scope of Criteria B. However, the use of these cookies for cross-tracking between different websites or applications for profiling will not comply with the principle of being relevant, limited and proportional to the purpose for which the data is processed.
Cookies Used for the Security of the Website (Criteria B): Cookies used for the security of the website are definitely necessary for the service requested by the user. For example, if firewalls are intended to limit the number of user requests per session by identifying the user, it may be considered a strictly necessary cookie for the service requested by the user under Criteria B. Other data processing conditions excluding explicit consent may also be in question for cookies serving this purpose.
Cookies Use Examples with Explicit Consent
Social Plug-in Tracking Cookies: Social networks offer social plug-in modules that can be integrated into websites to provide certain services that may be considered "explicitly requested" by their members. However, these modules can enable tracking of members/non-members for purposes such as behavioral advertising, analytics or market research.
Online Behavioral Advertising Cookies: Cookies used for behavioral advertising require explicit consent of the data subject. Since none of the advertising purposes fall within the scope of the information society services explicitly requested by the user, the explicit consent requirement contains the relevant cookies used for advertising purposes.
Explicit Consent Elements
Explicit consent must be related to a specific matter. Open-ended and indefinite consent cannot be accepted as explicit consent. The relevant person must be informed in advance. In addition, the consent must be given with an active affirmative action, therefore it is not accepted that the relevant person gives explicit consent to cookies by only accessing the website. Consent must be freely given. In addition, the explicit consent given in terms of cookies must be revocable.
Another important point is not to create consent fatigué, meaning that periodic reminders can be placed instead of obtaining the consent of the relevant person continuously.
In addition, while obtaining explicit consent within the scope of data processing through cookies, it is stated as a good practice example that a cookie management panel appears as soon as the website is entered and the "accept", "reject" and "preferences" buttons that are equal in terms of color, size and font are presented on the panel. Data processing activities that are not directly related to the performance of the basic service subject to the processing of personal data should not be based on the agreement that is made with the user. In the use of online advertising cookies, explicit consent should not be attached to documents such as "Terms of Use and Agreement" or "Privacy Statement".
Privacy Notice Elements
According to Article 10 of the PDPL and the provisions of “Communique on Principles and Procedures to Be Followed in Fulfillment of the Obligation to Inform” appropriate informing must be provided to the relevant data subjects for the use of cookies.
In all cases where personal data is obtained, the obligation to inform must be fulfilled by the data controller at the latest when the data is obtained. The proof of fulfillment of this responsibility lies with the data controller.
When third-party cookies are placed on the website, both the website owner and the third party must ensure that the users are clearly informed about the cookies before obtaining their explicit consent.
Information should be placed at the first entrance to the relevant website or platform for users visiting websites. Otherwise, there will be a violation of the obligation to inform since there is no informing in accordance with the law. Especially, the submission of privacy statements providing information on many other subjects does not mean that the obligation to inform is fulfilled.
Attention should be taken to ensure that the information texts for cookies are easily accessible and noticeable, and methods that make it difficult for the relevant people to access the information must be avoided.
Quick Take-Aways
It is recommended that the name of the cookies, the purpose of use, and the duration of use and whether the cookie is first, or third party should be clearly included in the informing text.
If the obligation to inform is related to a service for children, the informing should be provided with a clear and understandable informing text which is supported by visuals if necessary and at a level that children can understand.
While processing personal data through cookies; explicit consent within the scope of the conclusion or performance of an agreement cannot be imposed on the relevant person as a precondition of the agreement.
In this context, systems (opt-out) that allow later withdrawal of consents of people by assuming that individuals automatically consent to the processing of personal data without prior consent of them should not be used. Instead, systems (opt-in) must be used in which the individual will give prior consent to the processing of his or her personal data with his or her conscious action.
The rules for data transfer abroad must be complied if data transfer abroad is carried out with the use of cookies. Explicit consent is required for the transfer for the time being considering the PDPL. In addition, the data can be transferred abroad if there is a commitment for adequate protection in the relevant country and the Authority grants authorization stating that the data can be transferred abroad without obtaining explicit consent.
Article provided by INPLP member: Begüm Okumuş (Gün + Partners, Turkey)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Dezember 2024
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010