With evolving technology, cookies have become one of the most important methods of personal data gathering. In many countries, institutions and/or legislators have embraced this update in our lives and adopted new rules. One of these countries is Turkey and recently, a guideline about the cookies that are used on websites and various mobile applications has been published by the Turkish Personal Data Protection Authority (“Authority”). In accordance with this guideline, the Authority has stated that personal data processing can also be carried out through cookies and underlined the necessity of fulfilling the obligations arising from the Personal Data Protection Law (Law) within the framework of these data processing activities.
Nowadays, desktop and mobile websites or applications used by many companies may have comprised an essential part of personal data processing activity, even though it had been not noticed before. The automatic filling of the contact form on a website with previously entered personal data, the “remember me” or “keep login” options in user logins if any, and referrals to social networks or sales sites through the websites are just a few examples of personal data processing activities carried out through cookies.
There are various types of cookies as you may see below. In this context, it is important to thoroughly analyze each cookie in cooperation with the information technologies units lawyers of the companies and to determine the path to be followed in accordance with the Law.
WHAT TYPES OF COOKIES ARE THERE?
WHAT TO DO?
In accordance with the guidance published by the Authority which is binding for all data controllers, it is recommended that the following steps are delicately followed.
- Find out!
–Which desktop and mobile websites or web applications are in use?
-Which cookies exist on the online platforms used? - Analyze!
-For which processes the cookies are used for,
-The necessity of the used cookies for company operations,
-The cookies’ expiration date,
-The connection of cookies with personal data transfer abroad - Compliance with the law
–Remove unnecessary cookies
-Include cookies in the personal data inventory
-Fulfill the appropriate information obligation for cookies
-Provide cookie usage options for online users
-When necessary, obtain explicit consent or fulfill other obligations
If cookies are thought to enable the processing of personal data in line with the analyses made, each data controller has to include the information about these cookies in their personal data inventory and fulfill the information obligation for cookies on the online platforms. In addition, depending on the types of cookies and the nature of the online platforms, it may be necessary to obtain explicit consent, give an option for choosing the usage of cookies for users and fulfill similar obligations.
Also, we would like to state that one of the highest administrative fines imposed by the Authority so far has been given due to the failure to provide accurate information on the personal data processed through cookies and the failure to justify appropriate legal grounds in this regard.
If any further assistance is required, please do not hesitate to contact our Office.
ATT. SİNEM İLİKLİ
TARLAN LAW OFFICE
ATT. AYLİN TARLAN
Tarlan Avukatlık Bürosu Bloğu 