The applicant claimed in the petition subject to decision that; the activities conducted on Amazon.com.tr which is the service provider/intermediary service provider in accordance with the Law No. 6563 on the Regulation of Electronic Commerce violate the legislation on the protection of personal data, that no explicit consent is given by the relevant parties for send electronic commercial messages for advertising, campaigns, promotion purposes while creating a membership account or shopping online, that the reason for processing personal data is not specified, that there were statements such as “when you visit Amazon.com (website) or shop here, when you use Amazon products or services, when you use mobile Amazon apps or services provided by Amazon in connection with the above (collectively “Amazon Services”); (“Amazon”) it provides you website features and other products and services. Please review our Privacy Statement and Cookies Statement to understand how your personal information is collected and processed through Amazon Services. and “When you use any Amazon Service or send us emails, SMS or other communications from your desktop or mobile device, you communicate with us electronically. We will communicate with you electronically in various ways, for example e-mail, SMS, in-app instant communications or by sending or posting e-mail messages or communications on the website or through other Amazon Services such as our Message Center. For contractual purposes, you give consent to receive communications electronically from us and you acknowledge that all contracts, notices, disclosures and other communications we provide to you electronically comply with all legal requirements for the written communications, unless the applicable law provides a different form of communication.”, that with these statements, even people who only visit the website accepted the relevant provisions and they approved electronic communication by only visiting, that deeming as approval given will not be counted as a reason for compliance with the law within the scope of the Article 5/2 of the Law No. 6698, that accepting the terms of use and sale and consenting to electronic communication by creating a mandatory member account for shopping cannot be accepted as giving explicit consent with free will, that it has been stated in Board decisions that binding the explicit consent to the terms of service would disable explicit consent and although it was stated on Amazon website that the data can be transferred abroad, there is no explicit consent received in this regard and in the absence of the Board’s permission, there is a violation in terms of Article 9 of Law on The Personal Data Protection (LPDP) numbered 6698.
Data controller Amazon has claimed in its response given upon the request of the Institution that, the application should be rejected by stating that the procedures and principles regarding electronic messages were regulated by a separate legislation, that the Terms of Use and Privacy Statement have been submitted to ensure transparency in order to process personal data in accordance with the legislation, that electronic communication was established only with registered customers, that the Privacy Notice was accepted by these people while creating their accounts and that this issue was reminded them while ordering, that customers can choose, limit the fields they want to receive commercial electronic messages and they can reject electronic messages, that transfers to be made abroad are accepted with the text of the Privacy Statement, that the correspondence with the Institution regarding the transfer undertakings abroad continues, that the allegations made were ungrounded and they were based on assumptions.
It is also seen by the Institution that the applicant’s application to the Ministry of Commerce about contradiction to electronic commerce and personal data has been sent by the Ministry to the Institution with the request of this matter to be considered within the scope of the protection of personal data.
In the examination made by the Institution, the following issues have been determined:
I. In accordance with the Article 5 of Law on Personal Data Protection and the Article 5 of Regulation on Commercial Communication and
Commercial Electronic Messages (Regulation):
A. The Article 5 of the Law on Personal Data Protection is about the fact that personal data cannot be processed without the explicit consent of the data subject and in the second paragraph of the article, the cases where personal data can be processed without explicit consent are regulated.
B. According to Article 5 of the Regulation, the approval of the recipient is required in order to send commercial electronic messages and the approval given shall be valid until the right to refuse is used. According to the Article 7 of the Regulation, it is possible to get approval in written or any with kind of electronic communication means. The approval should include the name, electronic contract address of the person who agrees to receive electronic messages. According to Article 12 of the Regulation, the approval of the person is required for sharing personal data with third parties, processing personal data and using it for other purposes. Processing approval to be received before sending electronic messages for marketing purposes or when the approval for sending electronic messages received at latest can be counted within the scope of explicit consent according to the Article 5 of Law on Personal Data Protection.
C. While there is a separate legislation regarding commercial electronic message, considering that the commercial messages are sent to people by storing the information such as phone number, e-mail address in a data system, since the communication means used to transmit these messages are personal data, the processes of sending commercial electronic messages should also comply with the personal data protection legislation.
- It is stated in the examination made by the Board that; “…It is seen that there is no explicit consent given at the time of providing the necessary information for membership, that under the “General Settings” title in the “Communication Preferences” section on “My Account” tab entered after the membership process is completed, the description “e-mails are currently being sent to …. e-mail address” is included and when it is clicked on the “Promotional Emails” title, the expression of “select all the communication categories you want to be informed about” is included, however, it is seen that 10 titles appear on the screen as clicked/chosen beforehand and at the bottom of this section, it is seen that there is “please do not send me marketing e-mails anymore” box.”
- In the decision made, it is stated by the Board that the explicit consent should be received according to the system where individuals can consciously give their consent for processing of their personal data (opt-in), not according to the system in which the individual has been granted with automatic consent in advance and allows individuals to remove approval (op-out).
- In this context, as contrary to the claim of Amazon, it has been determined by the Board that no explicit consent was received at any stage while creating membership.
D. In case there are processing reasons other than explicit consent, receiving explicit consent by the data controller is considered as contradiction to the good faith.
E. In addition, in case there is a transaction requiring explicit consent, fulfilling the obligation of informing and obtaining explicit consent at the same time is considered to be contrary to the legislation.
- The Board has stated that although the Privacy Statement shared by the data controller contains a lot of information, it is a general information about data processing and therefore that does not mean that the persons were duly informed and explicit consent was received for processing the data of these persons.
II. In accordance with the Article 4 of Law on Personal Data Protection :
a. Article 4/2 of Law on Personal Data Protection regulates the obligation to comply with the principles of “lawfulness and fairness”, “being processed for specified, explicit and legitimate purposes” and “being relevant, limited and proportionate to the purposes for which they are processed”.
b. The Board states in its decisions that; in case of processing personal data belonging to the parties of the contract, obtaining explicit consent separately and imposing explicit consent as a condition of membership and service; obtaining explicit consent while the other personal data processing conditions are present, the right would be misused by the data controller due to the misleading the data subject and also states that the fact that the service is subject to the explicit consent condition would disable explicit consent.
- In the case subject to the decision, it is seen that the data controller attributes the processing of personal data to the terms of service. In this context, the Board assessed that this situation constitutes a contradiction to Article 4 of Law on Personal Data Protection.
- Amazon has stated that following information has been collected: “name, address, phone number, payment information; age; location information; persons to whom purchases have been sent; 1-contacts listed in clicking settings (including addresses and phone numbers); e-mail addresses of friends and others; the content of the evaluations and e-mails sent to the data controller; personal information and photos in the profile; pictures and video stored in connection with Amazon services, ID and documents related to identity and situation; corporate and financial information; credit history information; VAT numbers.”
- It is seen in this context that; within the scope of the execution of a contract between the member and Amazon.com.tr or the explicit consent of the member, the e-mail addresses of the contact persons of the member are also processed without relying on their explicit consent.
- The Board has stated about credit history information, situation information, and corporate and financial information that these data are not proportionate and limited. It is also stated that the processed data should be at least predictable by the individuals.
III. In accordance with the Article 8 of Law on Personal Data Protection :
a) Article 8 of Law on Personal Data Protection regulates that the transfer of personal data is subject to the explicit consent of the data subject and situations that the data can be transferred without explicit consent.
b) Explicit consent must be obtained while transferring is carried out at the latest. The explicit consent to be obtained after that will not comply with the legislation.
- In the Amazon Privacy Statement text, following expression is present: “Except the ones stated above, when personal information about you is shared with third parties, you will receive a notification and you will have the option to choose not to share this information.” The Board states in its decision that data processing should be subject to explicit consent in order to be able to talk about the right to not to choose to share as stated in the statement and also states in this context that, explicit consent of the data subject will not be sought for data transfer operations under the Article 8/2 and 3 of Law on Personal Data Protection and in such cases, the individuals will not be able to choose to not to share the data.
- The Board has also stated that issue of what to do with the data after the consent is reinstated is a separate discussion topic. It is evaluated that ambiguous statements evoke an opinion that an illegal action has been taken.
IV. In accordance with the Article 9 of Law on Personal Data Protection :
1)Article 9 of Law on Personal Data Protection regulates that transfer of personal data abroad is possible with explicit consent, that in case one of the conditions stipulated under the Article 5/2 and Article 6/3 of Law on Personal Data Protection exists and there is adequate protection in the country to be transferred to, if there is not adequate protection in Turkey and the data controllers in foreign country undertakes adequate protection and if the Board gives the permission, the data may be transferred without the explicit consent. [On 07.05.2020, the Institution has shared the announcement regarding the issues to be considered in the commitments to be prepared for transferring data abroad.[1]]
2) The Institution has not yet shared an announcement about which countries will be considered safe.
- In this context, considering that the Board has not yet made a decision about the applications of the Data Controller regarding the undertakings and that the safe countries have not been announced; it is stated that the only possible way of transferring abroad is explicit consent.
3) The institution has stated that consent obtained in this way is invalid with the following statements: “Explicit consent also enables the subject data to determine the limits, scope and duration of the data that the person permits to be processed. Explicit consents of general nature that are not limited to a specific subject and are not limited to the relevant transaction are considered as “blanket consent” and are considered legally invalid. In this context, it is considered that it is not lawful to approve all actions (monitoring, transfer, sharing, storage, etc.) that fall within the scope of “data processing” with a single consent declaration, by informing that the “Privacy Statement” has been approved.”
V. In accordance with the Article 10 of Law on Personal Data Protection :
A) Article 10 of Law on Personal Data Protection is regulated as “… while personal data is being obtained, the data controller or the person authorised by the data controller is obliged to inform the data subjects about the identity of the data controller and of its representative, if any, the purpose of processing of personal data; to whom and for which purposes the processed personal data may be transferred, the method and legal basis of collection of personal data, other rights stated under the Article 11.”
B) It is stated in the decision that; in order to start data processing by visiting website, the obligation of informing should be fulfilled at the entrance to the website.
- In the case subject to the decision, the Board has stated that the processing by Amazon started when the website was visited, that it is not certain whether a person who visited the website for the first time has yet to enter into a contractual relationship with the data controller or whether he has a clear consent to the processing of his personal data or not, that it cannot be said that the person directly entered the website and gave explicit consent to these issues.
- In this context, the Board has concluded that; in this case, the obligation of informing was not fulfilled and explicit consent was not obtained and has decided to make the website in compliance with the legislation and to publish the decision on their website by deciding on 1.200.000,00 TRY of administrative fine for Amazon.
[1] https://kvkk.gov.tr/Icerik/6741/YURT-DISINA-KISISEL-VERI-AKTARIMINDA-HAZIRLANACAK-TAAHHUTNAMELERDE-DIKKAT-EDILMESI-GEREKEN-HUSUSLARA-ILISKIN-DUYURU