The Institution also notes that the applicant’s application to the Ministry of Commerce, concerning non-compliance with electronic commerce and personal data rules, was forwarded by the Ministry to the Institution with a request that the matter be considered within the scope of the protection of personal data.
In the examination made by the Institution, the following issues have been determined:
I. In accordance with Article 5 of the Law on Personal Data Protection and Article 5 of the Regulation on Commercial Communication and Commercial Electronic Messages (Regulation):
A. Article 5 of the Law on Personal Data Protection provides that personal data cannot be processed without the explicit consent of the data subject; the second paragraph of the article regulates the cases where personal data can be processed without explicit consent.
B. According to Article 5 of the Regulation, the approval of the recipient is required in order to send commercial electronic messages, and the approval given remains valid until the right to refuse is used. According to Article 7 of the Regulation, approval may be obtained in writing or by any kind of electronic communication means. The approval should include the name and electronic contact address of the person who agrees to receive electronic messages. According to Article 12 of the Regulation, the approval of the person is required for sharing personal data with third parties, processing personal data and using it for other purposes. A processing approval obtained before electronic messages are sent for marketing purposes, or at the latest when the approval for sending electronic messages is obtained, can be counted as explicit consent under Article 5 of the Law on Personal Data Protection.
C. Although there is separate legislation on commercial electronic messages, commercial messages are sent to people by storing information such as phone numbers and e-mail addresses in a data system, and the communication means used to transmit these messages are personal data. The processes of sending commercial electronic messages should therefore also comply with the personal data protection legislation.
- The examination made by the Board states: “…It is seen that there is no explicit consent given at the time of providing the necessary information for membership, that under the “General Settings” title in the “Communication Preferences” section on the “My Account” tab entered after the membership process is completed, the description “e-mails are currently being sent to …. e-mail address” is included and when the “Promotional Emails” title is clicked, the expression “select all the communication categories you want to be informed about” is included; however, it is seen that 10 titles appear on the screen as clicked/chosen beforehand and at the bottom of this section, it is seen that there is a “please do not send me marketing e-mails anymore” box.”
- In its decision, the Board stated that explicit consent should be obtained through a system in which individuals can consciously give their consent to the processing of their personal data (opt-in), not through a system in which consent is automatically granted in advance and individuals are left to remove their approval (opt-out).
- In this context, contrary to Amazon's claim, the Board determined that no explicit consent was received at any stage of creating the membership.
D. Where there are processing grounds other than explicit consent, the data controller's obtaining explicit consent is considered contrary to good faith.
E. In addition, where a transaction requires explicit consent, fulfilling the obligation to inform and obtaining explicit consent at the same time is considered contrary to the legislation.
- The Board stated that although the Privacy Statement shared by the data controller contains a lot of information, it is general information about data processing and therefore does not mean that the persons were duly informed and that explicit consent was received for processing their data.
II. In accordance with Article 4 of the Law on Personal Data Protection:
a. Article 4/2 of Law on Personal Data Protection regulates the obligation to comply with the principles of “lawfulness and fairness”, “being processed for specified, explicit and legitimate purposes” and “being relevant, limited and proportionate to the purposes for which they are processed”.
b. The Board states in its decisions that, when personal data belonging to the parties to a contract are processed, obtaining explicit consent separately and imposing explicit consent as a condition of membership and service, or obtaining explicit consent while other personal data processing conditions are present, misleads the data subject and is a misuse of the right by the data controller. It also states that making the service subject to an explicit consent condition invalidates the explicit consent.
- In the case subject to the decision, it is seen that the data controller ties the processing of personal data to the terms of service. The Board assessed that this situation contravenes Article 4 of the Law on Personal Data Protection.
- Amazon has stated that the following information has been collected: “name, address, phone number, payment information; age; location information; persons to whom purchases have been sent; 1-contacts listed in clicking settings (including addresses and phone numbers); e-mail addresses of friends and others; the content of the evaluations and e-mails sent to the data controller; personal information and photos in the profile; pictures and video stored in connection with Amazon services, ID and documents related to identity and situation; corporate and financial information; credit history information; VAT numbers.”
- In this context, it is seen that, on the basis of the performance of a contract between the member and Amazon.com.tr or of the member's explicit consent, the e-mail addresses of the member's contact persons are also processed without relying on those persons' explicit consent.
- Regarding credit history information, situation information, and corporate and financial information, the Board stated that these data are not proportionate and limited. It also stated that the data processed should at least be predictable by the individuals.
III. In accordance with Article 8 of the Law on Personal Data Protection:
a) Article 8 of the Law on Personal Data Protection provides that the transfer of personal data is subject to the explicit consent of the data subject and sets out the situations in which data can be transferred without explicit consent.
b) Explicit consent must be obtained, at the latest, when the transfer is carried out. Explicit consent obtained after that will not comply with the legislation.
- The Amazon Privacy Statement contains the following expression: “Except the ones stated above, when personal information about you is shared with third parties, you will receive a notification and you will have the option to choose not to share this information.” The Board states in its decision that, for there to be a right to choose not to share as described in the statement, the data processing must be subject to explicit consent. It also states that explicit consent of the data subject is not sought for data transfer operations under Article 8/2 and 3 of the Law on Personal Data Protection, and that in such cases individuals will not be able to choose not to share the data.
- The Board also stated that the issue of what to do with the data after the consent is reinstated is a separate topic of discussion. It assessed that ambiguous statements give the impression that an illegal action has been taken.
IV. In accordance with Article 9 of the Law on Personal Data Protection:
1) Article 9 of the Law on Personal Data Protection provides that personal data may be transferred abroad with explicit consent. It also provides that the data may be transferred without explicit consent if one of the conditions stipulated under Article 5/2 and Article 6/3 of the Law on Personal Data Protection exists and either there is adequate protection in the country to which the data will be transferred or, where there is not adequate protection, the data controllers in Turkey and in the foreign country undertake adequate protection and the Board gives permission. [On 07.05.2020, the Institution shared an announcement regarding the issues to be considered in the commitments to be prepared for transferring data abroad.]
2) The Institution has not yet shared an announcement about which countries will be considered safe.
- In this context, considering that the Board has not yet made a decision on the Data Controller's applications regarding the undertakings and that the safe countries have not been announced, it is stated that the only possible way of transferring data abroad is explicit consent.
3) The Institution has stated that consent obtained in this way is invalid, in the following terms: “Explicit consent also enables the data subject to determine the limits, scope and duration of the data that the person permits to be processed. Explicit consents of general nature that are not limited to a specific subject and are not limited to the relevant transaction are considered as “blanket consent” and are considered legally invalid. In this context, it is considered that it is not lawful to approve all actions (monitoring, transfer, sharing, storage, etc.) that fall within the scope of “data processing” with a single consent declaration, by informing that the “Privacy Statement” has been approved.”
V. In accordance with Article 10 of the Law on Personal Data Protection:
A) Article 10 of the Law on Personal Data Protection provides: “… while personal data is being obtained, the data controller or the person authorised by the data controller is obliged to inform the data subjects about the identity of the data controller and of its representative, if any, the purpose of processing of personal data; to whom and for which purposes the processed personal data may be transferred, the method and legal basis of collection of personal data, other rights stated under the Article 11.”
B) The decision states that, for data processing to start upon a visit to the website, the obligation to inform should be fulfilled at the entrance to the website.
- In the case subject to the decision, the Board stated that the processing by Amazon started when the website was visited; that it is not certain whether a person visiting the website for the first time has entered into a contractual relationship with the data controller or has given explicit consent to the processing of their personal data; and that a person cannot be said to have given explicit consent to these matters simply by entering the website.
- In this context, the Board concluded that the obligation to inform was not fulfilled and explicit consent was not obtained. It imposed an administrative fine of 1.200.000,00 TRY on Amazon and decided that the website be brought into compliance with the legislation and that the decision be published on their website.