Introduction
There are seven legal grounds for the processing of personal data provided in the Turkish Code on the Protection of Personal Data (“Code”). Data controllers must always ensure that these processing activities are based on one of these legal grounds. However, it may not be always clear which legal ground is the most appropriate for a given processing activity. For that reason, data controllers often tend to use “consent of the data subject” as a fit-for-all ground for most of their processing activities. But the chosen ground for processing also determines the rights of data subjects, as well as the obligations and the responsibilities of data controllers. If consent is not the most appropriate ground for processing, this may compromise the lawfulness of the processing. So it is important for data controllers to carefully assess the implications of using consent as a legal ground.
1. Consent as a Ground for Processing
Under the Code, consent must always be “explicit”. This requirement differs from the rules in the European Union, where there is a distinction between consent and explicit consent for different levels of processing activities. Explicit means that, for the consent to be valid, the data subject must give a clear statement or approve a consent text with an affirmative action, such as ticking a box or clicking an accept button. However, apart from being explicit, consent must also meet the other conditions provided in the Code.
According to the Code, explicit consent must be:
► Informed,
► Relating to a specific matter, and
► Freely given.
1.1. Informed
As mentioned above, the legal ground for the processing determines the rights of the data subject and if it is based on consent, this means that the data subject must be in control. To be able to exercise this control, the data subject must be well informed about the data processing, which means that data subjects must be aware of exactly what they are consenting to and how their personal data will be processed. Information to be given to data subjects is also outlined in the Art. 10 of the Code. As per the Article, data controllers must inform data subjects on:
► The identity of the data controller,
► The purposes of processing,
► The identity of the third parties to whom data may be transferred and for what purposes,
► The means of collection of personal data and its legal basis,
► The rights of the data subject provided in the Art. 11 of the Code.
The purpose of an informed consent is that data subjects can foresee the consequences of the processing and make informed decisions on matters which directly affect themselves, as consent implies that data subject is in control of the processing. Data controllers often tend to make too complicated consent forms which may be incomprehensible for data subjects. However, it is also argued that the technical aspects of certain processing activities in some fields such as cloud computing or big data analytics may never be expected to be understood by users. Nevertheless, data controllers have the obligation to make data subjects comprehend how the processing may affect them, which is why consent forms must be as concise, simple and to the point as possible. Overcomplicated consent forms may render the consent invalid.
1.2. Relating to a specific matter
Relating to a specific matter condition requires the consent to be granular, which means that each consent must in principle be given for a certain processing activity. The counter example of this is “blanket consent”, a term which refers to consent forms that embody a bundled consent for many unrelated processing activities in a single document. This sort of consent forms are illegal as they are deceiving in nature and limit the options of data subjects in opting-in for the processing. However, if more than one processing activities are interdependent and serve the same purpose, it is appropriate to obtain consent with a single consent form.
For consent to be specific, it also needs to be intelligible and refer clearly to the scope and the consequences of processing activities for the data subject. In many cases where data is processed based on consent, the purposes and the means of processing can change in time, and sometimes, these changes may not be foreseen from the beginning, such as the case in big data analytics. As these changes occur, it is important for data controllers to update their consent forms and keep their data subjects informed of these changes. A blanket consent which covers all possible future scenarios would not be specific and therefore, would be unlawful.
1.3. Freely given
For the consent to be freely given, the data subject must first of all be given a real choice whether his data should be processed or not. Consent can only be valid if there is no risk of deception, intimidation, coercion or significant negative consequences if the data subject does not consent.
Especially in contractual relationships where one party is in a much stronger position than the other, it may be very difficult to talk about a freely given consent for the processing of personal data. For example, in employment relationships, if the employer is holding consent as a requisite for employment, this may not be interpreted as a valid consent. In this case, the employer must process personal data of his employees on the grounds of his legal obligations, rather than consent. And for processing activities not essential to the employment relationship, the employer must be able to prove that there has been no coercion or intimidation in obtaining consent.
Another example may be the use of internet based services and their user agreements. As some of these services became almost a basic need for most people, not making use of them may not be an option for many. Although processing personal data to an extent may be essential for the use of these services, if the processing that is not essential to these services is also made a precondition for the use of services, this would be unlawful, as the data subject may feel like he does not have a choice. In this case, consent for the processing that is not strictly necessary for the use of services must be obtained with separate and independent consent forms from data subjects. It is a useful method to offer users to opt-in using pop-ups, or have an easily accessible privacy dashboard in the website.
A right to withdraw consent is also provided in the Code for data subjects. As consent must be freely given, it also should be easily withdrawn by the data subject. If the data subject cannot withdraw his consent without detriment, consent may not be deemed lawful. Making the withdrawal of consent difficult may also harm the rights of data subjects; if data subjects are unable to withdraw, consent would be unlawful. Data controllers have the obligation to make withdrawal as accessible as giving consent.
2. Relation with the Other Grounds
In practice it is quite common for data controllers to use consent for processing personal data even where it is not necessary and where they can rely on other grounds, such as “requirement by the law”, “necessity for the performance of a contract” or for the “legitimate interests of the data controller”. Especially big companies have this tendency because they make many contracts with their data subjects and they can insert clauses on the processing of the personal data and obtain consent as an integral part of the contract. However, as explained in the section above, if the processing is not strictly necessary for the performance of the contract, it may be deemed unlawful.
Where data controller can rely on other grounds, asking for consent is deemed illusory and inherently inappropriate, as the ground for processing affects the rights of individuals. Consent may be a useful instrument for certain processing activities, such as automated decision-making or overseas transfers of data to third countries in the absence of adequate level of protection, but if the data controller would still process personal data relying on other grounds without consent, it is misleading and deceiving to ask for consent and therefore unlawful. For example in online shopping, personal information such as address and billing information is necessary for the performance of a contract and therefore does not require the consent of the data subject. If the data controller still asks for consent for processing these personal data to use for other purposes, this would be unlawful.
Relying on consent gives data subjects stronger rights, such as right to erasure or right to withdraw consent. Withdrawing consent means the end of the processing and entails erasure of the personal data, hence the end of the relationship between the data controller and the data subject. If processing is also necessary for an extended period of time for the performance of a contract or required by the law, then the data controller may face a dilemma in case of withdrawal. For that reason, it is important to determine the lawful basis that most clearly reflects the nature of the relationship with the data subjects from the beginning, rather than only relying on consent.
3. Duration of consent
It is provided in the Art. 4 on the general principals on the processing that data shall be retained no longer than it is necessary for the purposes. However, there is no clear provision in the Code on how long consent for the processing lasts; the context in which consent is given will determine its duration.
For example, if a company obtained consent from its customers to give them promotions for only a certain season or a limited time, the consent will expire after such time ends. However, if a user of an online shopping website has opted-in to receive ad messages, these can be sent to the user until opting-out.
As processing operations or their purposes change and evolve, consents must be updated accordingly, as they may no longer be specific or informed anymore. As it is unlawful to ask for consent for unspecified processing activities that may happen in the future, broad interpretation of consent for further processing activities is also not legal.
4. Exception for the Use of Cookies
Cookies are small files sent to and stored in the terminal device (user’s computer, cell phone etc.) which automatically send information to the website. By recording users’ activities and data such as passwords, addresses, names, log-in information etc. they facilitate the use of web.
Although consent is required unless data controller does not have any of the other grounds to rely on, obtaining consent is not always very easy and practical, as the processing of personal data with the use of cookies is so entrenched and indispensable with the functioning of websites. Most websites start collecting personal data from its users from the moment of entering the website. For that reason in Europe, the E-Privacy Directive and the Article 29 Working Party have brought an exception for cookies.
Instead of directly asking users of a website to consent to the use of cookies by opting in, it is acceptable to give them an option to “opt-out” of the use of cookies. However, website owner must inform its users of the use of cookies and make them accessible the means to opt out if they do not wish to consent. Also, website owner must direct the users to take an affirmative action on their acceptance of cookies. To realize this, many websites use cookie banners in a visible location on the web page which do not go away until closing, providing users a link to their privacy policy pages where they provide information about the use of cookies.
Not all cookies require consent, as they are necessary for the functioning of the website; though information to be given to data subjects in accordance with the Art. 10 of the Code must still be found in the privacy policies. Cookies containing log-in information or shopping cart information can be given examples to these cookies. However, cookies which fall outside the scope of this exception still require consent; so again, as being the data controller, website owners must give their users to opt-out of the use of these cookies.
