Two-Minute Recap Of Recent Developments In Turkish Personal Data Protection Law – June 2022

In June 2022, the Turkish Personal Data Protection Authority (the "Authority") published guidelines on the use of online cookies, opened draft guidelines on loyalty programs for public opinion, and announced five data breach notifications.

The Authority cooks guidelines on cookies

On 20 June 2022, the Authority published guidelines (the "Guidelines") on the use of cookies to collect personal data and the use of personal data in online environments such as websites, mobile applications, smartphones, and tablets.

In summary, the Guidelines evaluate the use of cookies and provide information on:

• the different types of cookies;
• the rules for processing personal data through cookies;
• cookies that may be implemented without obtaining the explicit consent of data subjects;
• cookies that may be implemented based on the explicit consent of data subjects;
• the elements of valid explicit consent;
• cross-border data flows via cookies;
• the obligation to inform before cookie implementation.

The Guidelines classify cookies under three fundamental groups: (i) cookies by their duration, (ii) cookies by their usage purposes; and (iii) cookies by parties. The Guidelines also define the types of cookies and the legal requirements to use them. In this respect, data controllers need to determine the types of cookies in use and ensure that the use of such cookies is in compliance with Turkish DP Law. For detailed information, please see our article here.

How are loyalty programs loyal to data privacy rules?

On 16 June 2022, the Authority published draft guidelines on the processing of personal data via loyalty programs (the "Draft Guidelines") and announced that the Draft Guidelines will be available for public opinion until 16 July 2022.

The Draft Guidelines state that loyalty program operators are considered as data controllers, and customers who are beneficiaries of such programs are considered as data subjects.

In addition, the Draft Guidelines classify personal data processed through loyalty programs as follows:

1. data that is actively and voluntarily provided by customers;
2. data that is passively provided by customers; and
3. data that is obtained from other sources.

The Draft Guidelines also touch on fundamental matters of Turkish data protection law: explicit consent and data controllers' obligation to inform. Accordingly:

• requesting explicit consent to carry out a loyalty program from a customer before providing a service shall not be deemed as implementing explicit consent as a pre-condition of services;
• if a customer does not give explicit consent, such service may be offered without additional benefits. However, in such a case, advantages to be provided under the loyalty program must not (i) cause a significant disadvantage and (ii) affect the will of the data subject;
• the obligation to inform must be fulfilled in compliance with Turkish DP Law and secondary legislation.

You can access the draft guideline here (available only in Turkish).

The Board announced the following data breach notifications in June

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.