A Recent Board Decision on E-Commerce Platforms

31.01.2024 Sevgi Ünsal Özden

Introduction

In today's world, we can purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various reasons such as order placement, management and delivery, post-order notification, advertising and marketing. However, with the advancement of technology and the widespread use of electronic commerce, the volume of consumers' personal data, which is obtained only to a limited extent in traditional shopping, has increased significantly. This situation has brought with it risks of interference with security and personal rights. As a natural consequence, legislative bodies have had to enact legal regulations in several different areas in line with the objectives of protecting consumers and increasing trust in e-commerce platforms. One of the primary focal points of these regulations is undoubtedly the protection of personal data. Recently, personal data protection authorities have also attached great importance to this issue in relation to e-commerce platforms.

In this article, the legal nature and basic data protection obligations of e-commerce platforms, which have become an inseparable part of our daily lives, will be discussed, followed by a recent decision of the Personal Data Protection Board ("Board") addressing the personal data processing activities regarding the applications frequently used by these platforms.


E-Commerce Platforms and Personal Data

What is an Electronic Commerce Platform?

Under Art. 2 (a) of Law No. 6563 on the Regulation of Electronic Commerce ("E-Commerce Law"), electronic commerce refers to all kinds of economic and commercial activities carried out online without the parties physically meeting each other.

In 2022, within the scope of the amendment[1] made to the E-Commerce Law, the concepts of "electronic commerce intermediary service provider", "electronic commerce service provider", "electronic commerce environment" and "electronic commerce marketplace" were introduced into our regulatory landscape. While websites or mobile applications where electronic commerce activities are carried out are defined as e-commerce environments, the environments where intermediary services are provided are called e-commerce marketplaces.

An e-commerce intermediary service provider is defined as an intermediary service provider that enables the contracting or placing of orders for the supply of goods or services of other e-commerce service providers, regardless of whether the e-commerce service provider itself sells on the e-commerce marketplace. E-commerce service providers, on the other hand, include sector actors that make contracts or take orders for the supply of their own goods or services in the e-commerce marketplace or in their own e-commerce environment. These classifications and definitions are important in determining the scope of responsibilities of e-commerce actors.

Platforms such as Trendyol, Hepsiburada, Getir, n11, or Amazon are the most concrete examples that come to mind when considering these definitions.

Personal Data and Processing Activities of E-Commerce Platforms

Personal data, as defined in Law No. 6698 on the Protection of Personal Data ("KVKK"), refers to any information relating to an identified or identifiable natural person. Based on this definition, the name, surname, identity and passport numbers, address, shopping history, and products and services purchased by real persons are all personal data.

A data controller is a natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. E-commerce service and intermediary service providers, which are undoubtedly acknowledged as data controllers under the scope of the KVKK, have the authority to collect, record, store, and transfer certain personal data of consumers, whether through the establishment of a user account or through non-member shopping transactions. Therefore, e-commerce platforms and companies selling products or services through these platforms are subject to the KVKK in terms of the personal data they process.

E-commerce platforms have various methods to obtain personal data. Examples of personal data obtained and processed by e-commerce platforms include consumers' names, surnames, address information, account details, email addresses, messages and comments, photos, shopping history, and internet cookies. However, it is essential to emphasize that the data processed during e-commerce is not confined to these examples. Any data that identifies or has the potential to identify a real person will fall within the scope of the KVKK.

For instance, identity data is processed for transactions such as creating a membership or order record and issuing invoices. At the same time, contact data such as e-mail address, telephone number, and address are among the personal data required for the establishment of a sales contract and product delivery. Given that the payment for goods and services occurs over the internet, payment data such as credit cards, debit cards, and account information also fall within the scope of data that can be obtained by these platforms.

One of the most functional categories of data used by e-commerce platforms is the data collected through cookies. Cookies, which can be defined as small blocks of data placed on the computers, smartphones, or tablets of website visitors, can be used to obtain data ranging from the consumer's product choices to their shopping habits and how long they spend examining each product. This enables e-commerce platforms to discern consumer habits, shape the profile of the individual, and highlight services or products associated with this profile using various algorithms. Therefore, personal data collected by e-commerce platforms through cookies are actively used and even form the basis of marketing and advertising strategies.

Fundamental KVKK Obligations of E-Commerce Platforms

In e-commerce, data controllers should design their e-commerce environment and marketplaces in compliance with the fundamental principles of the KVKK and take appropriate actions to maintain compliance with these principles at every stage of their processing activities. During the processing of each personal data obtained, it should be ensured that at least one of the processing conditions outlined in Articles 5 and 6 of the KVKK is met.

Undoubtedly, one of the most fundamental obligations outlined by the KVKK is the obligation to inform. E-commerce platforms must inform the data subjects whose personal data they obtain and must request explicit consent for personal data processing activities that require explicit consent (such as sending commercial electronic messages). The responsibility to provide evidence of fulfilling the obligation to inform rests with the data controller.

In addition to the briefly mentioned obligations, e-commerce platforms have several significant responsibilities arising from the KVKK. These include ensuring data security, entering into a letter of undertaking with data processors, facilitating the exercise of data subject rights, and fulfilling the obligation to register with the Data Controllers Registry Information System (VERBIS).

The Board's Approach to E-Commerce Platforms

Among the recent decision summaries published by the Board, several decisions focusing on the personal data processing procedures of e-commerce platforms are noteworthy.

In the recently released Board decision dated 11.04.2023 and numbered 2023/567[2], it was alleged that, during the shopping process on the e-commerce website, users were prompted to save card information with the "add credit/debit card" button on the payment screen. Furthermore, it was asserted that saving this information was deemed mandatory to complete the shopping transaction. According to the response provided by the e-commerce website, it was stated that the request for payment information aimed to facilitate receiving payments for customer orders. Additionally, it was emphasized that individuals who added payment information had the flexibility to remove or modify their card details at any time through their account settings, putting the customer in control of this process.

As a result of the Board's investigation, in line with the complaint, it was determined that the shopping process could not be finalized without storing the card information in the system. Additionally, it was observed that even after the completion of the shopping, the card information remained stored in the wallet section. The Board first referred to the "Recommendation No. 02/2021 on Data Processing Requirements for the Processing of Credit Card Data Only to Facilitate Subsequent Online Purchases" adopted by the European Data Protection Authority on 19.05.2021[3] and emphasized that the only processing condition that can be relied upon for the continued processing of card information to facilitate subsequent purchases is explicit consent.

In the subsequent section of the decision, the principles of "being relevant, limited and proportionate to the purpose" and "processing for specific, explicit and legitimate purposes" in Article 4 of the KVKK are emphasized and it is underscored that completing the shopping and storing the card information in the membership account after shopping are different data processing procedures serving different purposes. Pursuant to the Board's opinion, each data processing procedure should be considered on a purpose-specific basis and the appropriate data processing condition should be determined. In this context, in terms of requesting card information for the completion of the shopping, various data processing conditions such as "establishment or performance of the contract", "fulfillment of the legal obligation" and/or "legitimate interest" stated in Article 5/2 of the KVKK may be relied upon and card information may be processed without seeking consent. However, storing card information in the consumer's membership account to facilitate subsequent purchases constitutes a change in purpose and may only be possible with consent.

Despite the e-commerce site's argument that card information can be deleted later, with the customer remaining in control, the Board determined that this system misled consumers. Consequently, it was deemed contrary to the principle of "lawfulness and fairness" set out in Article 4 of the KVKK.

Considering the summarized grounds, the Board concluded that the fundamental principles of the KVKK were breached, and explicit consent was not obtained in accordance with the legislation, resulting in a violation of obligations related to data security. Consequently, the Board decided to impose an administrative fine of TRY 500,000 on the e-commerce website. Additionally, the data controller was instructed to form a new system for recording card information and to reorganize the information notices in a manner that incorporates the explicit consent processing condition.
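As an added illustration (not part of the article or of the decision it summarizes), the following Python sketch models the distinction the Board draws: charging the card to complete the order and retaining it in the wallet for later purchases are separate processing activities, and the second proceeds only on a recorded, affirmative opt-in that the controller can later evidence. The names `Purpose`, `CustomerAccount`, `checkout_purpose_separated` and `audit_wallet` are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(Enum):
    # Two distinct processing activities, each needing its own lawful basis.
    COMPLETE_PURCHASE = "complete_purchase"        # contract performance, no consent needed
    SAVE_CARD_FOR_LATER = "save_card_for_later"    # new purpose: explicit consent only


@dataclass
class ConsentRecord:
    purpose: Purpose
    granted: bool
    notice_version: str          # which information notice the customer was shown
    recorded_at: datetime        # evidence the controller must be able to produce


@dataclass
class CustomerAccount:
    account_id: str
    consents: list = field(default_factory=list)
    wallet: list = field(default_factory=list)   # stored card tokens (never raw card numbers)

    def record_consent(self, purpose, granted, notice_version="checkout-notice-v1"):
        self.consents.append(ConsentRecord(purpose, granted, notice_version,
                                           datetime.now(timezone.utc)))

    def has_explicit_consent(self, purpose):
        # Only the most recent affirmative record counts; no record means no consent.
        records = [c for c in self.consents if c.purpose == purpose]
        return bool(records) and records[-1].granted


def checkout_mandatory_save(account, card_token):
    """The pattern the Board sanctioned: the card is stored as a side effect of paying."""
    account.wallet.append(card_token)              # purchase cannot finish without this
    return {"status": "charged", "card_saved": True}


def checkout_purpose_separated(account, card_token):
    """Compliant flow: paying and saving are decided independently."""
    result = {"status": "charged", "card_saved": False}   # purpose 1 done on contract basis
    if account.has_explicit_consent(Purpose.SAVE_CARD_FOR_LATER):   # purpose 2, opt-in only
        account.wallet.append(card_token)
        result["card_saved"] = True
    return result


def audit_wallet(account):
    """Return stored tokens that lack a supporting consent record (should be empty)."""
    if account.has_explicit_consent(Purpose.SAVE_CARD_FOR_LATER):
        return []
    return list(account.wallet)
```

Running `audit_wallet` over existing accounts is the check a controller would use to find wallet entries created by the old mandatory-save flow.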

Conclusion

Failure of e-commerce platforms to fulfill their obligations under the KVKK or non-compliance with the fundamental principles is evaluated in connection with data security and the Board may impose substantial administrative fines. The Board's sensitivity to this issue is understandable when considering the extensive volume of personal data handled by e-commerce platforms. The potential for large-scale violations underscores the importance of implementing appropriate measures to safeguard user data.

Therefore, it is essential for e-commerce platforms to prioritize the protection of personal data, and to design e-commerce environments and marketplaces in compliance with basic data protection principles from the design stage. Moreover, handling disclosure and consent processes separately for each processing activity is crucial to mitigate potential negative consequences, including substantial administrative fines or data breaches.

