DECISION OF TURKISH PERSONAL DATA PROTECTION BOARD RELATED TO “AMAZON TURKEY”
By its decision dated 27.02.2020 and numbered 2020/173, the Personal Data Protection Board (“Board”) imposed an administrative fine of 1.100.000 TL in total on Amazon Turkey Retail Services Limited Company (“Amazon”) on the grounds that it violated some obligations stated in the Law on the Protection of Personal Data (“Data Protection Law”). This decision was announced to the public on 7 May 2020.
Since the KVKK came into force, there has been discussion of some uncertainties in the rules regarding the transfer of personal data abroad. Until this Board decision numbered 2020/173, no penalty had been imposed on the grounds that the provisions of the KVKK regarding the transfer of personal data abroad were not complied with.
This decision is important for the protection of personal data not only because of the administrative fines imposed on Amazon, but also because it includes detailed clarifications on many issues, such as the obligation to inform, the explicit consent of the data subject, the transfer of personal data abroad, and the Board’s expectations in this regard. In this respect, it is a guide that will affect the data processing conditions of other electronic commerce companies.
According to the said decision, the Board has imposed:
- a) an administrative fine of 1,100,000 TL within the scope of Article 18/1-b of the Law, since the obligations regarding data security stated in Article 12/1 of the Law were not fulfilled by the data controller, and
- b) an administrative fine of 100,000 TL in accordance with Article 18/1-a of the Law, for failure to fulfil the obligation to inform regulated in Article 10 of the Law.
The obligations, which are considered to have been violated by Amazon in this Board decision, can be evaluated under four headings as follows:
- a) Not obtaining explicit consent in compliance with the legislation:
The first violation of the law stated in the decision is that Amazon did not obtain explicit consent from the data subjects regarding the processing of their personal data. In the examination made by the Board, it was determined that membership is accomplished by entering the required information on the Amazon website, and that, without any explicit consent, the members were automatically registered with the approval of the auto message when the account settings were checked after completing the membership process. The Board considered this situation contrary to the principle of “explicit consent”. According to the Board, it is necessary to use a system that allows individuals to give consent to the processing of their personal data through their conscious and active action.
A general clarification related to data processing (for example, the presentation of a text entitled “Privacy Statement”) does not imply explicit consent for transactions requiring explicit consent.
According to the Board decision, another point related to explicit consent is that the processing of personal data was made a condition of providing the service. The data controller stated in the text of the “Privacy Statement” that “You may choose not to provide certain information, but in this case you will not be able to use most of the Amazon Services.” and “If you block or refuse our cookies, you cannot add products to your shopping cart, go to the purchase stage or use any Amazon service that requires you to sign in.”, and thereby linked the processing of personal data to the terms of service. According to the Board decision, this contradicts the principles of “lawfulness and conformity with rules of bona fides” and “Being relevant with, limited to and proportionate to the purposes for which they are processed”, which are among the principles for the processing of personal data listed in Article 4 of the Data Protection Law. The decision states that if the service is made subject to the explicit consent condition, this invalidates the explicit consent.
In its examination of the types of personal data Amazon collected, the Board concluded that data such as “users’ credit history, corporate and financial information”, which were not necessary to be processed, were collected. Additionally, according to the Board decision, the e-mail addresses of the contact persons of the person concerned were processed without obtaining their explicit consent. In this regard, the Board concluded in the decision that Amazon did not act in accordance with the rules of law and the rules of bona fides, or with the principle of being relevant with, limited to and proportionate to the purposes for which the personal data are processed.
- b) Violation of the obligation to inform:
According to the Board decision, the violation of the obligation to inform occurred in the processing of cookies. The data of the people visiting the Amazon website were processed without any service. In the examination made by the Board, it was determined that, although this information was included in some texts, a person had to access those texts in order to see it, and that the information in question was not otherwise presented to the person by means of pop-up messages. Therefore, it was concluded that the data processing carried out by Amazon in this respect was not accompanied by information provided in accordance with the law, and that the provisions of the Communiqué on the Principles and Procedures to be Followed in Fulfilment of the Obligation to Inform were violated.
- c) Transfer of the personal data:
In the examination of the Board, it was determined that data transfer processes are explained under the title of “Does Amazon Share Your Personal Information?” and herein an expression was included, “Other than as set out above, you will receive a notice when personal information about you shared with third parties, and you will have the opportunity to choose not to share the information.”
According to the decision in question, explicit consent must be obtained at the latest when the personal data transfer takes place. Merely stating that consent can be withdrawn after the personal data transfer does not substitute for explicit consent in accordance with the Data Protection Law. Therefore, according to the Board’s decision, it is an unlawful practice to send a notice that the assumed consent can be withdrawn after the personal data has been transferred.
In a situation requiring explicit consent (for example, processing contact information for the purpose of sending marketing messages), explicit consent must be obtained prior to processing the personal data in question, and this must be done through a system that makes possible the conscious and active action of the individual regarding the processing of his personal data. Being able to leave later, that is, providing an opt-out opportunity, does not mean that explicit consent was obtained in accordance with the law.
- d) Transfer of the personal data abroad unlawfully:
The most important aspect of the Board’s decision is its finding of a violation regarding the transfer of personal data abroad, because the large sum of the fines was imposed for this violation.
According to the Board, although Amazon is under an obligation to obtain explicit consent in order to transfer personal data abroad, it did not obtain explicit consent in compliance with the law. Assuming that the matters in the privacy statement have been accepted through the use of Amazon services, and deeming this to be consent, is contrary to Article 12 of the Data Protection Law.
Since the list of countries with an adequate level of protection had not been published by the Board, Amazon had two options for transferring personal data abroad: providing a guarantee of sufficient protection or obtaining the explicit consent of the data subject.
In the current case, Amazon has given an undertaking of sufficient protection in order to transfer personal data abroad without explicit consent, in accordance with Article 9 of the KVKK; however, this undertaking is still under evaluation by the Board and the evaluation has not been concluded. Therefore, according to the Board decision, at this stage Amazon had to obtain the explicit consent of those concerned in accordance with the relevant legislation. However, in the examination made by the Board, it was determined that Amazon did not obtain explicit consent in accordance with the relevant legislation.
In the light of the comprehensive decision outlined above, in the coming days, other e-commerce companies will need to update their personal data processing methods in compliance with this decision.