The Turkish Personal Data Protection Code no. 6698 (“Code”) entered into force on April 7th, 2016, and the Data Protection Authority (“Authority”) was established at the end of 2016 as an independent authority to fulfil the requirements under the Code.
According to the Code, processing of data is defined as any operation performed on personal data, whether or not by automatic means, such as collection, recording, retrieving, retaining, and/or transmission, erasure or destruction. The Code also regulates the legal grounds for processing personal data, and explicit consent is introduced as one of the eight legal grounds. Despite the general impression that explicit consent is superior to the other legal grounds and a safer way of processing, it is merely one of the eight legal grounds for processing personal data under the Code, and obtaining it involves many hurdles.
Pursuant to the Code, explicit consent is defined as “freely given, specific and informed consent”. The General Data Protection Regulation (“GDPR”) of the EU, by contrast, provides a comprehensive definition of explicit consent and states that “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. That being said, in order to obtain an admissible and valid consent under the Code and the GDPR, the consent must be:
(i) restricted to a specific subject
(ii) based on information, and
(iii) expressed with free will
First of all, consent must be restricted to a specific subject and cannot be open-ended. Generic consents such as “all kinds of commercial transactions, banking transactions and data processing activities” are considered “blanket consents” and deemed invalid. For instance, employers usually obtain a generic, blanket consent from employees at the beginning of the employment relationship, comprising consent for all processing activities without indicating the real purpose. Although employers usually believe that obtaining explicit consent is a safer way of processing data, such blanket consent would likely be inadmissible because it is not related to a specific subject. Instead, in similar circumstances, employers should make a detailed assessment of whether other legal grounds could be the basis of the data processing and obtain explicit consent only where necessary.
Secondly, consent must be based on proper information. In other words, for a data subject to give explicit consent, the data subject must be fully informed about what they are consenting to and about their right to withdraw the consent at any time. The data subject should be informed not only about the reasons and purposes of processing the data but also about the consequences of the consent. Moreover, the information should be drafted so that it is easy to understand, without complex legal terminology and in a font size that is easy to read.
Finally, the consent must be expressed by the free will of the data subject. This element is the most problematic one and is usually difficult to achieve in practice, particularly if there is no balance in the powers of the parties. For instance, in an employee-employer or bank-customer relationship, it is usually impossible to accept that the consent is given by free will. The reason is that the powerful party to the relationship, i.e. the bank or the employer, includes more than one purpose for processing the data, and the data subject, as the less powerful side, would not be able to freely choose the purposes to which they want to consent and refuse the others. Furthermore, consent should not be bundled with other conditions and offered as a precondition for providing certain services. For instance, if the data subject is required to provide a fingerprint to sign a membership contract with a sports club, it would be considered a precondition for providing services and would not be a freely given consent.
Methods of Obtaining Explicit Consent
There is no specific reference in the Code to the method of obtaining explicit consent. However, since the data controller is obliged to prove that the explicit consent of the data subject has been obtained, it is advisable to obtain explicit consent in written form. Further, it is also valid and acceptable to obtain the consent via electronic signature, e-mail, by ticking boxes on a website or in any other electronic form. Although it may seem simple to obtain consent by ticking a box on a website, the GDPR requires electronic consents to be verifiable. Therefore, the GDPR adopted a double opt-in system under which a verification email is sent to data subjects so that they confirm their registration or subscription and then tick the box to consent to the data processing. In addition, silence and pre-ticked boxes are not considered valid consent.
Although double opt-in is not yet a requirement under the Code, in Turkey it would be safer and easier to prove consent if it is obtained via double opt-in.
Consents Obtained Before the Code
Another question arising from the Code is what will happen to personal data obtained before the publication date of the Code. The Code indicates that duly obtained consents received before the publication of the Code shall be deemed admissible unless the data subject indicates the contrary within one year after the enactment of the Code.
After the enactment of the Code, a lot of complaints were submitted to the Authority in relation to advertisement notifications that retailers, service providers or banks send via text messages or e-mails (or even via calls to the data subjects). The Authority has decided that the processing activities should be stopped immediately if the data controllers or processors are sending the advertisements without the explicit consent of the individuals. In that context, only the data controllers who obtained legally valid consents before the enactment of the Code may continue to send advertisements, unless the data subjects use their right to withdraw the consent within one year after the enactment of the Code.
To summarize, obtaining explicit consent is an important issue under the Code, and obtaining a valid and admissible consent requires serious effort. Contrary to the general impression that explicit consent is a safer way of processing data, it could be riskier if not obtained properly. Therefore, before setting up their procedures for obtaining explicit consent from data subjects, data controllers and processors should evaluate in detail whether explicit consent is in fact required, and should rely on the other legal grounds if the conditions are met.