FIVE IMPORTANT OBLIGATIONS OF E-COMMERCE COMPANIES WITHIN THE SCOPE OF TURKISH DATA PROTECTION LAW
1- What is e-commerce?
Changes in information technologies, globalization, and the worldwide tendency to liberalize trade have brought electronic commerce (e-commerce) onto the agenda as a new concept beyond traditional trade practices. Under the Law on the Regulation of Electronic Commerce No. 6563, e-commerce is defined as “all kinds of online economic and commercial activities carried out electronically without the parties physically coming face to face”.
Through e-commerce, trade has moved away from traditional structures and procedures and into the electronic environment, and new principles, procedures, and possibilities have emerged in the field of trade. Purchase and sale transactions have accelerated and geographical obstacles between the parties to a transaction have disappeared. E-commerce has become an important area for the retail sector in Turkey, and many online stores now operate in our country. The main goal of companies entering e-commerce is to increase sales volume by delivering more products to more consumers at the lowest cost.
With the widespread use of e-commerce, many regulations have been adopted to protect consumers’ trust in the platforms on which e-commerce is carried out. These legal arrangements include secure electronic payment systems, various security measures, consumer law, and regulations in the field of personal data protection.
2- What is an e-commerce company and which personal data does it process?
To engage in e-commerce activities, which allow transactions 24/7 without being dependent on working hours or geographical borders, it is mandatory to establish an e-commerce company. This company may be a private company or a corporation.
E-commerce companies carry out their activities through the website hosting the relevant online store. The e-commerce site is internet-based software that allows the products belonging to the e-commerce company and displayed on the site to be purchased through payment infrastructures. E-commerce companies can either use their own e-commerce environment or use the e-commerce environment of a service provider acting as an intermediary. E-commerce companies receive certain personal data of users via the e-commerce site, through a membership mechanism or sometimes without membership. In this context, information such as the user’s name, surname, address, telephone number, ID number, payment details, and interests can be requested directly during shopping or during membership creation on the site.
3- Which legislation are e-commerce companies subject to within the scope of personal data protection?
a) Law on Regulation of Electronic Commerce
The most important regulation regarding e-commerce in our country is the Law on the Regulation of Electronic Commerce No. 6563 dated 23.10.2014, “regulating the principles and procedures regarding electronic commerce”.
Under the Law, e-commerce is defined as “all kinds of online economic and commercial activities”. As can be understood from this definition, the scope of the e-commerce concept is quite wide. Therefore, all kinds of economic activities concerning goods, services, intellectual property, and industrial rights can be the subject of e-commerce.
Under the Law, the service provider is defined as “a natural or legal person engaged in electronic commerce activities”. Based on this definition, the “service provider” is the person or institution directly engaged in e-commerce activities, and this includes e-commerce companies.
According to Article 10 of the Law, the service provider:
– is responsible for the storage and security of the personal data it has obtained through the transactions it has carried out under this Law;
– cannot transmit personal data to third parties or use it for other purposes without the consent of the person concerned.
Through this regulation, the lawmaker aims to establish trust in e-commerce and make it more widespread. In this context, the e-commerce company is held responsible, within the framework of an objective duty of care, for the storage and security of the data obtained during the stages of e-commerce. In addition, the e-commerce company may transfer the personal data it obtains through the transactions and services it provides under this Law to third parties, or use it for other purposes, only with the data subject’s prior approval.
It follows that e-commerce companies are responsible for the security of the personal data they collect and for keeping it closed to unauthorized access. In addition, personal data may not be transferred to third parties or used for other purposes without the consent of the data subject. “Other purposes” is measured against the intended use declared at the time the data subject gives approval: the personal data of the data subject will not be used for any purpose other than the purpose declared and approved by the data subject.
b) Law on the Protection of Personal Data
The Law on the Protection of Personal Data (“Data Protection Law”) No. 6698 dated 24.03.2016 (“KVKK”), which came into force after Law No. 6563, regulates the procedures and principles that natural and legal persons who process personal data must comply with, as well as the principles the data controller must follow when processing personal data.
The Data Protection Law establishes a wider area of responsibility than Article 10 of Law No. 6563. Within the framework of the Data Protection Law, e-commerce companies have specific obligations regarding the processing, erasure, destruction, anonymization, and transfer of personal data.
4- Who is the data controller in terms of e-commerce according to the Data Protection Law?
Under Article 3 of the Data Protection Law, the data controller is defined as “the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system”. Within this framework, the service provider e-commerce company operating in electronic commerce is the data controller within the scope of the Data Protection Law.
According to the Data Protection Law, “all the information relating to an identified or identifiable natural person” is considered personal data, and e-commerce companies are considered data controllers. As a data controller, an e-commerce company may perform operations such as collecting, recording, storing, retaining, altering, and transferring users’ personal data through the e-commerce site.
E-commerce companies collect information such as users’ identity, address, and contact details, analyse it, and use it for marketing and advertising activities according to user/consumer behaviour.
5- What are the obligations of e-commerce companies within the scope of the Data Protection Law and other legislation?
To protect the rights of the data subject and to prevent unlawful processing of personal data, the Data Protection Law imposes certain obligations on data controllers. Where these obligations are violated, the administration has been granted wide discretion over the sanctions to be applied to the relevant data controllers, and administrative fines have been envisaged, with the minimum and maximum amounts of the sanctions stated in the Law.
Ensuring that personal data is processed in accordance with the law, used only for its declared purpose, protected, not used without the data subject’s consent and not transferred to third parties gives society and consumers a form of assurance that their personal data will be protected and kept safe from unauthorized access during e-commerce.
The obligations of data controller e-commerce companies within the scope of the Data Protection Law can be listed as follows:
a) Obligations regarding data security
Pursuant to Article 12 of the Data Protection Law, controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to:
– prevent unlawful processing of personal data,
– prevent unlawful access to personal data,
– ensure the safe keeping of personal data.
In this framework, the e-commerce company is obliged to establish all the administrative and technical infrastructure needed to ensure the security of the data obtained on the e-commerce platform. In addition, under paragraph 5 of the same article, if the processed personal data are obtained by other parties through unlawful means, the data controller must notify the data subjects concerned and the Personal Data Protection Board as soon as possible. Where necessary, the Board may announce such a breach on its official website or through other methods it deems appropriate.
b) Obligation to inform
One of the primary obligations of the data controller is the obligation to inform, regulated in Article 10 of the Data Protection Law, the procedures and principles of which are set out in the Communiqué on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform (“Communiqué”). For the obligation to inform to be fulfilled, the persons whose personal data are processed should at least be informed about the elements listed in Article 10 of the Data Protection Law. Accordingly, the data controller is obliged to inform data subjects about the following:
i) the identity of the controller and of its representative, if any;
ii) the purpose of data processing;
iii) to whom and for what purposes the processed data may be transferred;
iv) the method and legal basis for the collection of personal data;
v) the other rights referred to in Article 11.
The Data Protection Law does not subject the obligation to inform of companies with the title of data controller to any form requirement. Under Article 5 of the Communiqué, this obligation can be fulfilled through physical or electronic means “such as verbally, in writing, by voice recording or via a call centre”. On the other hand, Article 5 of the Communiqué clearly states that the burden of proving that the obligation to inform has been fulfilled belongs to the data controller. Therefore, the liable party may fulfil the obligation to inform in written or oral form, but fulfilment will be easier to prove if it is in writing.
Another important point regarding the obligation to inform is to obtain, through an approval mechanism, a statement from the user that they have been informed. For example, a checkbox that the user clicks or marks, with a confirmation statement such as “yes” or “I have read”, indicating that the user has been informed, should be presented.
c) Obligation to obtain the explicit consent of data subject
Obtaining the explicit consent of the data subject is among the primary obligations of the data controller under the Data Protection Law. However, in the cases exhaustively listed in Article 5/2 of the Data Protection Law, no explicit consent of the person is required.
In this framework, a separate assessment is required: whether the e-commerce company has concluded a contract with the user in the process of providing products/services through the e-commerce site should be evaluated, and explicit consent need not be sought when such a contract exists, because in that case one of the exceptions to explicit consent provided for in Article 5/2 of the Data Protection Law has been met.
In the absence of such an exception, however, the explicit consent of the consumer must be obtained. Explicit consent may be obtained through a click or marking with a confirmation statement such as “Yes” or “I agree”, which enables the user to express their will clearly, or through other methods.
It should be noted that the approvals regarding the fulfilment of the obligation to inform and the obtaining of explicit consent must be collected separately. This follows from Article 5/1-f of the Communiqué, which stipulates that “If the personal data processing activity is performed based on the explicit consent condition, the obligation to inform and the obligation to obtain explicit consent must be performed separately.”
On the other hand, data processing activities falling within the scope of the exceptions do not eliminate the responsibilities of the data controller. The data controller e-commerce company is required to fulfil its obligation to inform even where such an exception applies.
The data obtained during the creation of membership is information that can directly identify the person within the framework of the personal data definition in the Law. Through cookies, however, information such as how the consumer uses the site, IP addresses, location information, and the times of visiting the site is obtained, and it is also possible to identify people through this information. In terms of the data collected through cookies, data subjects should be informed and their consent should be obtained.
Therefore, e-commerce companies are required to disclose the cookies they use in their privacy policies and to obtain a confirming statement from data subjects, such as “yes” or “I agree”, through a method such as a click or marking. Otherwise, e-commerce companies would be processing, without consent, information that they may process only with the consumer’s consent.
E-commerce companies may present their privacy and cookie policies on their websites in different ways. In this context, cookie policies can be included in the clarification text, or all policies can be combined in a single common text.
e) Obligation to Register to Data Controllers’ Registry
Pursuant to Article 16 of the Data Protection Law, which regulates the data controllers’ registry, the registry of data controllers is a register kept under the supervision of the Personal Data Protection Board, in which data controllers are obliged to register before starting to process personal data. E-commerce companies that are data controllers are obliged to register with the Data Controllers’ Registry (VERBIS), provided that they do not fall within the exceptions determined by the Board in accordance with Article 16 of the Data Protection Law. The data controller e-commerce company applies to the Data Controllers’ Registry with a notification that includes:
– the identity and address of the controller and of its representative, if any,
– the purposes for which the personal data will be processed,
– explanations about the group(s) of data subjects and the data categories belonging to these persons,
– the recipients or groups of recipients to whom the personal data may be transferred,
– the personal data envisaged to be transferred abroad,
– the measures taken for the security of personal data,
– the maximum period required for the processing of personal data.
E-commerce, which has developed very rapidly since the 1990s, is at the centre of attention for businesses of all sizes. In this context, e-commerce companies have legal obligations regarding the processing of the personal data of many users/consumers.
Consequently, e-commerce companies must fulfil the obligations outlined in the Data Protection Law and other legislation, and summarized above, to avoid sanctions regarding the processing of personal data.
You can contact us via email@example.com for more information about the obligations of e-commerce companies within the scope of the Data Protection Law and their alignment with the Law.