
Guidelines Published On The Use Of Online Cookies In Turkey – Data Protection



July 2022 – On 20 June 2022, the Turkish
Personal Data Protection Authority (the
“Authority”) published guidelines (the
“Guidelines”) on the use of cookies to
collect personal data and the use of personal data in online
environments such as websites, mobile applications, smartphones,
and tablets (hereinafter referred to as the

Below we summarise the main issues covered in the

Types of cookies

Cookies are typically files, generated by the Website during a
user’s visit, that record information on the user’s website
visits. The Guidelines classify cookies into three
fundamental groups, as follows:

1. Cookies by their durations

Session Cookies (Temporary Cookies) –
which are implemented to ensure the continuity of the user’s
session on the website and are deleted after the user’s session
is over.

Persistent Cookies (Tracking Cookies) –
which are not deleted when users close their internet browser, but
which are automatically deleted after a certain period.

2. Cookies by their usage purposes

Strictly Necessary Cookies – which are
necessary for the Website to work properly.

Functionality Cookies (Preference Cookies) –
which are used for personalisation by remembering
the preferences of users and providing functionality on the
Website, apart from strictly necessary cookies.

Analytical/Performance Cookies (Statistic Cookies) –
which are used to analyse the behaviour of users
and to make statistical measurements on the Website.

Advertising/Marketing Cookies –
which are used to track the online
movements of users on the Website, determine their personal
interests, and present advertisements to users related to their

3. Cookies by parties

First-Party Cookies – which are placed
directly by the Website visited by the user.

Third-Party Cookies – which are not
placed by the Website visited by the user but by a different, third

Rules for processing personal data through cookies

According to the Guidelines, data controllers need to consider
the following rules when processing personal data using

1. Data controllers must have a legal basis for data
processing. Accordingly:

  1. If there is a legal basis to process personal data other than
    obtaining the explicit consent of data subjects, the implementation
    of cookies based on this legal basis is legally permissible.

  2. If there is no legal basis other than obtaining the explicit
    consent of data subjects, cookies may only be implemented by
    obtaining the explicit consent of the data subject (i.e. Website

2. Data controllers need to consider Criterion A and
Criterion B:

  1. Criterion A: relates to the implementation of cookies solely
    for the purpose of providing communication over an electronic
    communication network.

  2. Criterion B: relates to when the use of cookies is strictly
    necessary for information services (i.e. log-in, completing a form,
    ordering a product, etc.) that the user explicitly requests to

Cookies that may be implemented without obtaining the explicit
consent of data subjects

Data controllers need to classify cookies as Criterion A and B
in order to implement cookies without obtaining the explicit
consent of users. Accordingly, the Guidelines define such types of
cookies as follows:

Type of Cookies

  • User Input Cookies: Cookies that keep track of the user’s choices
    on the Website (e.g., selected product, ticked box, etc.).

  • Authentication Cookies: Implemented to identify and remember the
    user when they log into a website, e.g., cookies implemented to
    visit a website or access content (e.g., money transferring).

  • User-Centric Security Cookies: Implemented to increase the security
    of the Website in order to provide a service that the user
    explicitly requests.

  • Multimedia Content Player Cookies: Implemented to store data in
    case of playing a video or accessing text or audio content.

  • User Interface Customisation Cookies: Implemented to store a
    user’s preferences regarding a service on the Website.

  • Social Plugin Content-Sharing Cookies: Located on the Website,
    integrated with social network platforms, and implemented through
    social plugin modules.

  • Cookies Implemented for Explicit Consent: Implemented to remember
    user preferences regarding the consents provided for the cookies
    that can be implemented in the presence of explicit consent.

  • First-Party Analytics Cookies: Used to measure the target audience
    of the site for the traffic and/or performance statistics necessary
    for the proper functioning of the Website.

  • Cookies Used for Website Security: Implemented to ensure and
    protect Website security.

  • Load-Balancing Cookies: Used to ensure that all requests from a
    particular user are always directed to the same server in the same
    pool to provide consistency during transactions.

Cookies that may be implemented based on the explicit consent
of data subjects

Data controllers are required to obtain a user’s explicit
consent for cookies (i) that may not be considered under the scope
of Criterion A and B or (ii) that will be implemented in a way that
exceeds the scope of these criteria. In this context:

  1. Social Plugin Tracking Cookies: Implemented for behavioural
    advertising, analytics, or market research purposes beyond the
    scope of Criterion B – explicit consent of the data subject
    is required.

  2. Online Behavioural Advertising Cookies: Implemented for
    research and market analysis, advertising, financial
    record-keeping, fraud detection, product development, etc. –
    explicit consent of data subject

How do data controllers obtain valid explicit consent of data

According to the Guidelines, data controllers must comply with
Turkish DP Law when implementing cookies based on the explicit
consent of data subjects. Accordingly:

Data subjects’ explicit consent:

  • must be obtained by taking their active affirmative will, not
    by using an opt-out mechanism;

  • must be relevant to a specific issue, and the purpose of the
    cookie, its duration, and whether it is a first- or third-party
    cookie should be specified;

  • needs to be periodically, but not constantly, requested, as
    frequent intervals may cause “consent fatigue” and may
    injure the free will of the data subject;

  • must not be imposed as a condition to provide a service;

  • must not be obtained by using cookie tools that prevent data
    subjects from accessing the Website’s contents.

User visits to a website do not constitute approval of
explicit consent to run the cookies on the Website.

The cookie management tool needs to be located in a way

  • data subjects may withdraw their explicit consent whenever they
    want, and

  • preference options for the use of cookies are displayed to the
    user with equal font and size.

Cross-border data flows via cookies

The Guidelines also highlight cross-border data flows through
the use of cookies. Accordingly, if a website operator transfers
users’ personal data by implementing cookies abroad through
companies or servers located outside of Turkey, such activity must
comply with Turkish DP Law and the decisions of the Authority
regulating cross-border data flows.

Obligation to inform in cookie implementation

Data controllers must fulfil their obligation to inform data
subjects about the processing of personal data via cookies
regardless of whether the data processing activity is based on the
explicit consent of the data subject or other legal bases. In this

  • in case of privacy notices on a Website that contain
    information on many subjects collectively, the obligation to inform
    shall not be considered fulfilled;

  • failure to provide information (e.g., by showing pop-up
    messages) to a user at the first moment of the implementation of
    cookies constitutes a violation of the obligation to inform;

  • the name, purpose, duration, and type of the cookie must be
    included in the information;

  • in cases where third-party cookies are used, both the website
    owner and the third party are mutually responsible for providing
    information to the users or obtaining explicit consent in
    accordance with the law.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
