Data Protection and Privacy 2025

TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal

sors’ accountability to the controller should be reinforced through data protection agreements that clearly define the processors’ roles, responsibilities, and obligations, with particular emphasis on penalties and indemnity clauses for non-compliance.

3.4 Regulators and Enforcement

As Türkiye currently lacks comprehensive data regulations beyond those pertaining to personal data protection, there is no specific regulatory body solely tasked with enforcement in this area. However, when relevant parties – such as IOT service providers, data holders, and data processing service providers – process personal data, the DPA will be responsible for overseeing compliance with the DP Law. That being said, sector-specific regulations may grant authority to certain regulatory bodies over specific data-related matters.

4. Sectoral Issues

4.1 Use of Cookies

Under Turkish law, there is no legislation explicitly governing the use of cookies, with the only exception being the Electronic Communications Law (ECL), which includes limited provisions that apply only to electronic communications service providers. According to the ECL, service providers can use cookies only for the purpose of ensuring communication or if subscribers/users are informed about the processing of their data and have provided explicit consent.

To address this gap, in June 2022, the DPA issued its Guidelines on Cookie Applications (“Cookie Guidelines”), which includes recommendations on cookie practices for all controllers. Annexes of the guidelines include a compliance checklist with examples of best practices, such as banner usage and cookie preference management platforms, as well as a sample cookie policy.

Privacy Notices for Cookies

Controllers must meet the requirements for privacy notices when fulfilling the obligation to inform data subjects about cookies. Therefore, privacy notices regarding cookies should, at least, include the following, per the Communique on Obligation to Inform:

• identity of the controller and its representative (if any);
• purposes for which personal data will be processed;
• persons to whom personal data will be transferred and the purpose of such transfer;
• method and legal basis of the collection of personal data;
• data subject’s rights.

Moreover, the Cookie Guidelines recommend that cookie privacy notices include information on the name, purpose, duration of the cookies, and whether the cookie is first-party or third-party. The Cookie Guidelines also emphasise that when third-party cookies are used, both the website owner and the third party are responsible for ensuring that users are informed about the cookies and obtaining their consent if required.

Legal Bases for Processing

When processing personal data, controllers must satisfy one of the following legal bases as provided by Article 5 of the DP Law:

• explicit consent of the data subject is obtained;
