TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal
• it is expressly provided for by law; • it is necessary for the protection of the life or physical integrity of the person (or of any other person who is unable to explain their consent due to physical disability or whose consent is not deemed legally valid); • processing of personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or perfor - mance of the contract; • it is necessary for compliance with a legal obligation to which the controller is subject; • personal data has been made public by the data subject themselves; • data processing is necessary for the estab - lishment, exercise, or protection of any right; and/or • processing of data is necessary for the legitimate interests pursued by the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject. The Cookie, Guidelines also refer to the ECL and provide two criteria for processing activi - ties where controllers rely on legitimate interest. Controllers are advised to perform a balancing test, weighing the individual’s rights and free - doms against the controller’s legitimate inter - ests, taking into account whether: • cookies are essential for communication via electronic communication networks; or • cookies are strictly necessary for information society services explicitly requested by the user. The Cookie, Guidelines also provide examples of the legal bases controllers may rely on for differ - ent types of cookies.
If the use of cookies involves the processing of special categories of personal data, the legal bases provided in Article 6 of the DP Law must be considered (see 4.3. Employment Privacy Law ). Moreover, the Cookie, Guidelines include several recommendations for cases where controllers obtain data subjects’ explicit consent for using cookies. For instance, using consent manage - ment platforms that allow data subjects to man - age their preferences is cited as a good practice. On the other hand, since frequent requests may cause “consent fatigue,” consent reminders are advised to align with the cookie’s lifespan. Furthermore, consent obtained through cookie, walls – where users must consent to access a website – is considered invalid, as consent must be freely given. In cases where cookies involve transferring data abroad, controllers should also consider the requirements outlined in the DP Law (see 5.1 Restrictions on International Data Transfers ). Special Considerations for Analytics Cookies The Cookie, Guidelines also categorise cookies based on the criteria outlined below. • Duration – session cookies and persistent cookies. • Purpose – essential cookies, functional cookies, performance/analytics cookies, and advertising/marketing cookies. • Parties – first-party cookies (placed by the visited domain) and third-party cookies (placed by external domains). While these categorisations align with EU prac - tices, there is a key distinction regarding perfor - mance/analytics cookies. Unlike the EU, explicit
484 CHAMBERS.COM
Powered by FlippingBook