July 2022 – On 20 June 2022, the Turkish
Personal Data Protection Authority (the
“Authority”) published guidelines (the
collect personal data and the use of personal data on online
environments such as websites, mobile applications, smartphones,
and tablets (hereinafter referred to as the
Below we summarise the main issues covered in the
Types of cookies
Cookies are typically files, generated by the Website during a
user’s visit, that record information on the user’s website visits.
The Guidelines classify cookies under three
fundamental groups, as follows:
1. Cookies by their durations
Session Cookies (Temporary Cookies) –
which are implemented to ensure the continuity of the user’s
session on the website and are deleted after the user’s session
Persistent Cookies (Tracking Cookies) –
which are not deleted when users close their internet browser, but
which are automatically deleted after a certain period.
2. Cookies by their usage purposes
Strictly Necessary Cookies – which are
necessary for the Website to work properly.
Functionality Cookies (Preference Cookies)
– which are used for personalisation by remembering
the preferences of users and providing functionality on the
Website, apart from strictly necessary cookies.
Analytical/Performance Cookies (Statistic Cookies)
– which are used to analyse the behaviour of users
and to make statistical measurements on the Website.
– which are used to track the online
movements of users on the Website, determine their personal
interests, and present advertisements to users related to their
3. Cookies by parties
First-Party Cookies – which are placed
directly by the Website visited by the user.
Third-Party Cookies – which are not
placed by the Website visited by the user but by a different, third
Rules for processing personal data through cookies
According to the Guidelines, data controllers need to consider
the following rules when processing personal data using
1. Data controllers must have a legal basis for data
- If there is a legal basis to process personal data other than
obtaining the explicit consent of data subjects, the implementation
of cookies based on this legal basis is legally permissible.
- If there is no legal basis other than obtaining the explicit
consent of data subjects, cookies may only be implemented by
obtaining the explicit consent of the data subject (i.e. Website
2. Data controllers need to consider Criterion A and
- Criterion A: relates to the implementation of cookies solely
for the purpose of providing communication over an electronic
necessary for information services (i.e. log-in, completing a form,
ordering a product, etc.) that the user explicitly requests to
Cookies that may be implemented without obtaining the explicit
consent of data subjects
Data controllers need to classify cookies as Criterion A and B
in order to implement cookies without obtaining the explicit
consent of users. Accordingly, the Guidelines define such types of
cookies as follows:
|Type of Cookies|
|User Input Cookies:|Cookies that keep track of the user’s choices on the Website (e.g., selected product, ticked box, etc.).|
|Authentication Cookies:|Implemented to identify and remember the user when they log into a website, e.g., cookies implemented to visit a website or access content (e.g., money transferring).|
|User-Centric Security Cookies:|Implemented to increase the security of the Website in order to provide a service that the user explicitly requests.|
|Multimedia Content Player Cookies:|Implemented to store data in case of playing a video or accessing text or audio content.|
|User Interface Customisation Cookies:|Implemented to store a user’s preferences regarding a service on the Website.|
|Social Plugin Content-Sharing Cookies:|Located on the Website, integrated with social network platforms, and implemented through social plugin modules.|
|Cookies Implemented for Explicit Consent|Implemented to remember user preferences regarding the consents provided for the cookies that can be implemented in the presence of|
|First-Party Analytics Cookies:|Used to measure the target audience of the site for the traffic and/or performance statistics necessary for the proper functioning of the Website.|
|Cookies Used for Website Security|Implemented to ensure and protect Website security.|
|Load-Balancing Cookies|Used to ensure that all requests from a particular user are always directed to the same server in the same pool to provide consistency during transactions.|
Cookies that may be implemented based on the explicit consent
of data subjects
Data controllers are required to obtain a user’s explicit
consent for cookies (i) that may not be considered under the scope
of Criterion A and B or (ii) will be implemented in a way that
exceeds the scope of these criteria. In this context:
- Social Plugin Tracking Cookies: Implemented for behavioural
advertising, analytics, or market research purposes beyond the
scope of Criterion B – explicit consent of the data subject
- Online Behavioural Advertising Cookies: Implemented for
research and market analysis, advertising, financial
record-keeping, fraud detection, product development, etc. –
explicit consent of data subject
How do data controllers obtain valid explicit consent of data
According to the Guidelines, data controllers must comply with
Turkish DP Law when implementing cookies based on the explicit
consent of data subjects. Accordingly:
Data subjects’ explicit consent:
- must be obtained by taking their active affirmative will, not
by using an opt-out mechanism;
- must be relevant to a specific issue, and the purpose of the
cookie, its duration, and whether it is a first- or third-party
cookie should be specified;
- needs to be periodically, but not constantly, requested, as
frequent intervals may cause “consent fatigue” and may
injure the free will of the data subject;
- must not be imposed as a condition to provide a service;
- must not be obtained by using cookie tools that prevent data
subjects from accessing the Website’s contents.
User visits to a website do not constitute approval of
explicit consent to run the cookies on the Website.
The cookie management tool needs to be located in a way
- data subjects may withdraw their explicit consent whenever they
user with equal font and size.
Cross-border data flows via cookies
The Guidelines also highlight cross-border data flows through
users’ personal data by implementing cookies abroad through
companies or servers located outside of Turkey, such activity must
comply with Turkish DP Law and the decisions of the Authority
regulating cross-border data flows.
Obligation to inform in cookie implementation
Data controllers must fulfil their obligation to inform data
subjects about the processing of personal data via cookies
regardless of whether the data processing activity is based on the
explicit consent of the data subject or other legal bases. In this
- in case of privacy notices on a Website that contain
information on many subjects collectively, the obligation to inform
shall not be considered fulfilled;
- failure to provide information (e.g., by showing pop-up
messages) to a user at the first moment of the implementation of
cookies constitutes a violation of the obligation to inform;
- the name, purpose, duration, and type of the cookie must be
included in the information;
- in cases where third-party cookies are used, both the website
owner and the third party are mutually responsible for providing
information to the users or obtaining explicit consent in
accordance with the law.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.