Sometimes 2min is plenty, even for law
Sometimes 2 min is plenty,
even for law.
  • Two-minute recap of recent developments in Turkish Data Protection Law

June ’22

  • Turkish Data Protection Law
Reading time: 76 seconds

In June 2022, the Turkish Personal Data Protection Authority (the “Authority”) published guidelines on the use of online cookies, opened draft guidelines on loyalty programs for public opinion, and announced five data breach notifications.

The Authority cooks guidelines on cookies

On 20 June 2022, the Authority published guidelines (the “Guidelines”) on the use of cookies to collect personal data and the use of personal data in online environments such as websites, mobile applications, smartphones, and tablets.

In summary, the Guidelines evaluate the use of cookies and provide information on:

  • the different types of cookies;
  • the rules for processing personal data through cookies;
  • cookies that may be implemented without obtaining the explicit consent of data subjects;
  • cookies that may be implemented based on the explicit consent of data subjects;
  • the elements of valid explicit consent;
  • cross-border data flows via cookies;
  • the obligation to inform before cookie implementation.

The Guidelines classify cookies under three fundamental groups: (i) cookies by their duration, (ii) cookies by their usage purposes; and (iii) cookies by parties. The Guidelines also define the types of cookies and the legal requirements to use them. In this respect, data controllers need to determine the types of cookies in use and ensure that the use of such cookies is in compliance with Turkish DP Law. For detailed information, please see our article here.

How are loyalty programs loyal to data privacy rules?

On 16 June 2022, the Authority published draft guidelines on the processing of personal data via loyalty programs (the “Draft Guidelines”) and announced that the Draft Guidelines will be available for public opinion until 16 July 2022.

The Draft Guidelines state that loyalty program operators are considered as data controllers, and customers who are beneficiaries of such programs are considered as data subjects.

In addition, the Draft Guidelines classify personal data processed through loyalty programs as follows:

  1. data that is actively and voluntarily provided by customers;
  2. data that is passively provided by customers; and
  3. data that is obtained from other sources.

The Draft Guidelines also touch on fundamental matters of Turkish data protection law: explicit consent and data controllers’ obligation to inform. Accordingly:

  • requesting explicit consent to carry out a loyalty program from a customer before providing a service shall not be deemed as implementing explicit consent as a pre-condition of services;
  • if a customer does not give explicit consent, such service may be offered without additional benefits. However, in such a case, advantages to be provided under the loyalty program must not (i) cause a significant disadvantage and (ii) affect the will of the data subject;
  • the obligation to inform must be fulfilled in compliance with Turkish DP Law and secondary legislation.

You can access the draft guideline here (available only in Turkish).

The Board announced the following data breach notifications in June
Data Controller Affected Data Subjects Affected Personal Data Number of Data Subjects
MBtech Mühendislik ve Danışmanlık Ltd. Şti. Employees, Users, Customers and Potential Customers Identity, Communication Information, Location, Information on Consumer Transaction, Personnel Information, Finance, Information on Professional Experience, Audio and Visual Records 500
Pegasus Hava Taşımacılığı Anonim Şirketi Employees Identity, Communication Information and Visual Records N/A
Barçın Spor Malzemeleri Ticaret ve Sanayi Anonim Şirketi Users, Customers and Potential Customers Identity, Communication Information, Information on Customer Transaction and Other (Membership Date) 187,930
Tofisa Tekstil Sanayi ve Ticaret Limited Şirketi Customers and Potential Customers Identity and Communication Information 42,373
ARG Denizcilik İnşaat Otomotiv Sanayi ve Ticaret Ltd. Şti,

İstek Gemi İnşa Bakım İnşaat Hırdavat Sanayi ve Ticaret Ltd. Şti, and

Safter Ulubay

 Employees Identity, Communication Information and Personnel Information Approx. 2,000

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Hatice Nur Arslan, Legal Intern, at narslan@gentemizerozer.com.

  • All Turkish Data Protection Law

September 15, 2023

August ’23

August 13, 2023

July ’23

July 13, 2023

June ’23

June 13, 2023

May ’23

May 10, 2023

April ’23

April 12, 2023

March ’23

March 8, 2023

January & February ’23

January 8, 2023

December ’22

December 13, 2022

November ’22

November 12, 2022

October ’22

October 12, 2022

September ’22

September 8, 2022

August ’22

August 5, 2022

July ’22

July 5, 2022

June ’22

June 5, 2022

May ’22

May 5, 2022

April ’22

April 5, 2022

March ’22

March 3, 2022

February ’22

February 3, 2022

January ’22

January 3, 2022

December ’21

December 3, 2021

November ’21

November 3, 2021

October ’21

October 3, 2021

September ’21

September 3, 2021

August ’21

August 2, 2021

July 21′

July 3, 2021

June ’21

June 13, 2021

May ’21

May 3, 2021

April ’21

April 3, 2021

March ’21

March 2, 2021

February ’21

February 2, 2021

January ’21

Found this interesting? Subscribe to our monthly Turkish Data Protection Law newsletter to get the latest news delivered to your inbox.

For detailed information on how we processes your personal data, please see the Clarification Text here.

© 2022 2minrecap.com | All rights reserved.

developed by mare.design