Following its recent announcement on Binding Corporate Rules for intra-group cross-border data transfers, the Turkish Data Protection Board (the “Board”) has made two other significant publications impacting the conditions under which personal data collected in Turkey can be transferred abroad. The first is an announcement on the matters to be addressed in the written undertaking executed for cross-border data transfers, and the second is a summary of the Amazon Turkey decision, in which the Board imposed a sizeable administrative fine.

Under the announcement, four years after the entry into force of Law No. 6698 on the Protection of Personal Data (the “Law”), the Board determined the procedures and principles applicable to the undertaking mechanism used for the transfer of personal data from Turkey to countries that are not recognized to provide an adequate level of data protection. The Amazon Turkey decision, on the other hand, bears significance not only as the first case in which an administrative fine was imposed for the transfer of personal data abroad, but also to the extent it provides guidance to data controllers on the conditions for cross-border data transfers, the validity of consent, the information obligation, and the processing of personal data in the context of commercial electronic messages.

The Board has taken a strict approach to a number of key issues relevant to companies which transfer data abroad. These companies should carefully consider the potential implications of the recent publications on their own data processing activities.

  1. Announcement

Below is a summary of the principles set forth by the Board’s announcement with respect to the undertaking mechanism used for cross-border data transfers:

Formal requirements:

  • Applications for international data transfers should be made by the authorized signatories of the data controller, and should include documents evidencing the signature authorities of the parties to the undertaking. The signature circular of the data controller in Turkey, and the original or a certified copy of apostilled documents evidencing the signature authorities of the data importer, should be attached to the application.
  • While preparing the undertaking, the minimum contents of the undertaking templates published on the Board’s website should be reflected without making any modifications. Any additional provision should be included under the title “Additional provisions”. Sentences that contain an undertaking should be in the future tense.

Contents of the undertaking:

  • The relationship between the transferring parties should be correctly identified and the corresponding undertaking template form (controller to controller or controller to processor) should be used, depending on the legal status of the data importer. Detailed information on the parties’ legal status should be provided and any documents supporting such relationship (e.g. agreement) should be attached to the application.
  • Transfers of data abroad that are carried out on the basis of explicit consent will not be subject to the undertaking.
  • Among the headings of Annex-1 to the undertaking, the data subject groups, data categories, the purpose of processing, and the legal grounds for the transfer should be clearly set forth in sufficient detail, including the relationship between them, and the basic principles set out under the Law should be complied with. Where the transfer of data is based on a legitimate interest of the data controller, the balancing test mentioned under Board decision no. 2019/78 dated 23 March 2019 should be conducted, and the outcome of such assessment should be set forth in detail, along with the underlying reasoning.
  • The Board made it clear that the heading “recipients and recipient groups” indicated under Annex-1 of the undertaking refers to the controller or the processor located in the country where the data importer resides in onward data transfers. The Board further indicated that the data controllers to whom the data importer transfers personal data in onward data transfers should be the authorized institutions and organizations within the scope of the data importer’s legal obligations, and that onward data transfers to any other data controller or data processor cannot be realized by relying on the same undertaking. For these, a separate undertaking should be executed with the relevant data controller or data processor, or the same undertaking can be executed to the extent the purpose and nature of the data transfer permit.
  • While determining the technical and administrative measures to be taken by the data importer, the relevant guidelines and decisions of the Board should be taken into consideration, and any document evidencing such measures should be attached to the application.
  • Data retention periods should be set out together with the rationale used to determine these periods. If a retention period is determined based on a legal provision, the underlying legislation should be specified.

  2. Amazon Turkey decision

A claimant had applied to the Board, alleging that (i) Amazon sends electronic commercial messages without obtaining explicit consent, and (ii) even though Amazon’s Privacy Notice stipulates that the data is being transferred abroad, no explicit consent is obtained regarding such data transfer. Following this application, the Board initiated an ex officio investigation against Amazon and examined the claims submitted through the application under the headings set out below.

Consent for electronic commercial messages: Amazon argued that allegations regarding unlawful electronic commercial messages should be submitted to the Ministry of Trade, that the customer approves the Privacy Notice while creating an Amazon account, and that registered customers can easily select and limit the areas for which they want to receive electronic commercial messages, or reject the same, at any time. The Board held that while there is separate legislation for electronic commercial messages, sending electronic commercial messages by storing personal data (phone number, e-mail address) in a data registry system constitutes a data processing activity, which must be carried out in accordance with the Law. The Board determined that no explicit consent was obtained during the account creation process, that some items appeared as pre-ticked boxes in the “Contact Preferences” heading of the user account following completion of the membership process, and that a box stating “please do not send me marketing e-mails” was at the bottom of this section. Regarding this practice, the Board indicated that consent must be obtained through a system in which the person takes a positive action (opt-in) rather than automatically giving consent through a pre-ticked box (opt-out). The Board further noted that there are statements in the Privacy Notice indicating that the user approves the Privacy Notice merely by visiting amazon.com.tr, which gives the impression that the data subject’s explicit consent is obtained while fulfilling the information obligation. Emphasizing that the information and explicit consent processes should be carried out separately, the Board held that the information obligation had not been duly carried out and that explicit consent had not been legally obtained, on the grounds that the Privacy Notice includes a large amount of information and is thus of a general nature. 
The Board decided that Amazon had failed to comply with its data security obligations, as it had not obtained explicit consent for sending electronic commercial messages.

Cross-border data transfer: On the transfer of data abroad, Amazon indicated that (i) customers were not only aware of their data being transferred abroad, but also consented to such processing by accepting the Privacy Notice, and (ii) the approval process for its written undertakings relating to cross-border data transfers was still pending before the Board. The Board noted that to the extent it had not yet taken a decision with regard to Amazon’s application for the approval of cross-border transfers, and the list of countries with an adequate level of protection had not been published yet, the only method for the transfer of personal data abroad was explicit consent. The Board did not accept Amazon’s argument that consent was obtained through the Privacy Notice, since this amounted to implied consent. The Board also held that obtaining explicit consent for all data processing activities (monitoring through cookies, transfer, storage, etc.) through a single consent form would be considered as “blanket consent”, and thus ruled that the explicit consent was not obtained in accordance with the Law. The Board further noted that the data transfer section of the Privacy Notice includes the following statement: “Save for the foregoing, you will receive a notification when your data is being shared with third parties and will be allowed to choose not to share this information”. The Board considered this sentence to constitute a breach of the law in several respects, and concluded that Amazon had also failed to comply with the provisions on the transfer of data to third parties.

Validity of consent: Upon examination of certain statements in Amazon’s Privacy Notice (“You may choose to not share certain information but in that case you may not benefit from most of Amazon Services.” or “If you block or refuse our cookies you may not add products to your shopping cart, be directed to the purchase process or use any Amazon service that requires you to log in.”), the Board determined that the provision of service was conditioned on the processing of personal data. In line with its precedents, the Board held that conditioning an agreement upon explicit consent violates the requirement that the processing be carried out in compliance with the law and good faith principles, and that it be relevant, limited and proportionate to what is necessary for the processing purposes.

Proportionality principle: Upon the review of the categories of data processed by Amazon, the Board indicated that the processing of credit history information, status information, and corporate and financial information was not proportionate and limited to the purpose of processing, and that the data processed should at least be predictable for the data subjects. The decision also indicates that the personal data of data subjects’ friends is considered as personal data for the concerned person, and that processing the e-mails of a member’s contacts without their explicit consent breaches the principle that the data processing must be relevant, limited and proportionate.

Information obligation: Lastly, the Board examined the data processing activities of Amazon in terms of the information obligation. Upon review of the “Conditions of Use and Sale”, the Board noted that data processing activities conducted through cookies commence at the time when a user first visits the website, and that at this stage, it would not yet be determined whether the user will enter into a contractual relationship or give consent to the processing. Accordingly, the Board indicated that even though the relevant texts published on the website provide information on such processing, the information obligation was not fulfilled upon the initial visit to the website (e.g., through pop-ups) and that no system was put in place to obtain consent for this processing. The Board concluded that this was a violation of both the information obligation and the explicit consent requirement.

In light of these considerations, the Board imposed an administrative fine of TRY 1,200,000 (approx. EUR 160,000) on Amazon, on the grounds that:

– Amazon had failed to duly obtain the data subjects’ consent to receive commercial electronic messages, and to comply with the basic principles set out under the Law and the obligations regarding domestic and international transfers of personal data (TRY 1,100,000, approx. EUR 146,600); and

– The Privacy Notice includes a large amount of information and is thus of a general nature, and Amazon failed to duly fulfil its information obligation relating to cookies (TRY 100,000, approx. EUR 13,300).

The Board further instructed Amazon to bring its website and practices in compliance with the Law, to revise its data processing activities and update the Privacy Notice, Conditions of Use and Sale, and Cookie Notice, and to inform the Board of the outcome.


Legal Information

This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.