İş Kuleleri, Kule 3, Kat:2, 34330,
Levent / Istanbul, Turkey


T: +90 (212) 249 29 39

The Guideline on Cookie Practices (“The Guideline”), which closely concerns website operators that process personal data through cookies, has been published. The guideline published by the Personal Data Protection Authority (“DPA”) in June 2022 contains the DPA’s recommendations on the purposes for processing personal data.

What Topics Does the Guideline Cover?

The guideline covers the rules for data controllers operating websites, which process personal data. It is recommended for website owners to consider these rules with regard to the cookies they use. The guideline also regulates the scenarios of data collection through cookies covering situations where explicit consent is and isn’t required. In cases where explicit consent is required when processing personal data on websites, the elements of the explicit consent and how to make appropriate disclosure, and the issue of transferring data abroad are among the most important issues covered in this guideline.

Definition and Types of Cookies

Cookies are defined as low-dimensional rich text formats that provide certain information about users to be stored on users’ devices when a website is visited. Cookies have various types according to their due/period, the purpose of use, and their parties. Therefore, cookies could be classified as strictly necessary cookies (mandatory cookies), functional cookies, performance-analytical cookies, and advertising-marketing cookies.

Strictly necessary cookies are essential cookies for the operation of a website. If these cookies are blocked, some parts of the website may not work.

Functionality cookies are mostly used for customization and preferences used in websites or applications.

Performance & Analytics cookies are used to analyze the behavior of visitors on the website (estimation of the number of unique visitors, monitoring the browsing status of the website, etc.) This cookie type is a useful instrument to improve the relevant website.

Targeting and advertising cookies are used to follow users’ online actions in the internet environment. Thus, these cookies determine users’ personal interests and show advertisements to users according to their interests on the internet site.

Personal Data Processing Conditions for Cookies within the Scope of the Personal Data Protection Law (“PDP Law”)

To process personal data through cookies, the data controller should obtain the data subject’s explicit consent. In cases where one or more of the personal data processing conditions in the PDP Law are present, the explicit consent of the user is no longer required.

In cases where none of the personal data processing conditions in the relevant articles of the PDP Law are met, the data controller must obtain explicit consent from the data subject within the scope of the data processing activity. For instance, when the data subject purchase something on the e-commerce site owned by the data controller, the data controller may process the personal data without seeking explicit consent on the condition provided in the PDP Law stating that the “processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract”.

The Guideline also states that if cookies are used to provide communication over the electronic communication network, personal data could be processed without obtaining explicit consent. Data controllers who are “operators” from this exception under Electronic Communications Law No. 5809, with the scope of “providing communication”.

Obtaining Explicit Consent from the Data Subject

In order to obtain explicit consent from the data subject, the data controller must comply with some rules.

Firstly, explicit consent should be related to a specific matter. For this reason, the DPA recommends obtaining separate consent for each processing purpose when obtaining explicit consent. Also, the data controller should state the purposes (e.g., customization, analytics, or advertising), parties (first and/or third), and period of the cookies. Since explicit consent is requested for various purposes. In addition to the above, the DPA suggests a “Configure Preferences” button in order to obtain explicit consent separately and according to its purposes.

The data subject’s statement “I agree to the processing of my personal data”, which expresses general consent, cannot be assessed as explicit consent because it is deemed as open-ended and ambiguous.

Secondly, explicit consent obligation must be ultimately carried out by the data controller. Explicit consent must be included in all information concerning the data subject and relating to all data processing. Other than this, the privacy statement and cookie management panel must be separated. Moreover, the obligation to inform must be fulfilled by the data controller in every case where the personal data is obtained,  and at the time the data is obtained at the latest.

Thirdly, explicit consent must be expressed freely. An “explicit consent form” should be provided so that the data subject could withdraw their consent whenever they like. Additionally, in order not to affect the free will of the data subject, explicit consent should not be obtained at each entrance to the website. The data controller could obtain consent periodically in proportion to the lifetime of the cookies. The guideline advises data controllers to obtain explicit consent through tools such as pop-ups or banners and with “accept/decline” and “preferences” buttons. Once again, it is suggested that the cookies should be presented to the users in a way that it does not affect their free will (i.e., equal size, same color, etc.)

The data controller should avoid using a system that provides explicit consent automatically without obtaining the data subject’s consent in advance. It is necessary to use an opt-in system where the individual gives consent to the processing of their personal data with their own free will.

Transferring Personal Data Abroad

In cases where websites operating in Turkey use cookies through some companies located abroad and perform data transfer activities abroad, the transfer must be made in accordance with the provisions of the PDP Law. Apart from the explicit consent requirement, the Guideline states what to do if there is sufficient protection or if there is not enough protection, provided that the personal data processing conditions are present. The data controllers in Turkey and the relevant foreign country may transfer the personal data of the data subject abroad if they undertake (in writing) to provide adequate protection and if the DPA has provided permission to do so.

Who does the Guideline Concern?

The guideline closely concerns data controllers and website users whose personal data is processed, as well as data controllers who operate their websites and process personal data through cookies on these websites. 

Cookies that are not used in the processing of personal data are outside the scope of this guideline.

To Sum Up

The Guideline presents practical advice to all data controllers operating websites. With these recommendations, guidance is provided for data controllers to process data based on the correct legal ground and their obligation to inform and obtain explicit consent in accordance with the PDP Law.