With the publication of the Decision of the Personal Data Protection Authority (“Authority”), dated 10/03/2022 and numbered 2022/229 regarding “Unlawful processing of personal data through cookies used on the website/mobile applications by the data controller company operating in the e-commerce sector” (“The Decision”), on the website of the Authority on 23.05.2022, the discussions about cookies in the context of the Protection of Personal Data has come to the fore again. The Decision clarifies the procedures and principles to be followed by data controllers regarding personal data processed through cookies used in websites and mobile applications.
Within the scope of the evaluation of The Decision, it would be useful to first refer the definition and importance of cookies.
Small pieces of data files in which information about users/visitors are stored by websites visited on the internet are called “Cookies”. Cookies are divided into various types depending on their purpose of use, storage time and sources. When we look at the cookies in the most general sense of division; while Strictly Necessary (Mandatory) Cookies are cookies on the website/mobile application that enable the site/application to function properly, Functional Cookies enable the site to be shaped according to the preferences of the visitors, Analytical/Performance Cookies keep the information of how long the visitors use the site, in order to improve the site, whereas the Advertising/Marketing Cookies, provide personalized opportunities and advertisements according to visitor’s interests. 
The first of these points is the use of the cookies other than “Mandatory Cookies”. The Authority states that; since the data processing conditions stated in Articles 5/2 and 6/3 of the PDPL are not met when processing personal data through cookies other than mandatory cookies, explicit consent should be relied upon and that this explicit consent should be obtained from visitors at the time of entering the website/mobile application and the consent should be given with the conscious action (opt-in) of the individuals.
Another important point in the decision is related to the transfer of personal data collected through cookies to abroad. Considering that the data controller company has not submitted a commitment to the Authority and that the countries where there is adequate level of protection have not been determined by the Authority, the activities carried out by the data controller by transferring personal data abroad through cookies shall be governed by Article 9 of the PDPL, which regulates the transfer of personal data abroad. The Authority has determined that it is contrary to the Article 9 and has instructed the data controller to comply with Article 9 of PDPL in its activities carried out through cookies. The defense of the data controller company, which was subject to sanctions, that “since there is no domestic provider offering cookie service, all websites using cookies on the internet transmit data abroad” was also not accepted by the Authority.
The Authority had previously published the “Draft Guidelines on Cookie Applications” on 11.01.2022 to public comments and also made evaluations regarding cookies with its decision numbered 2021/85 and dated 03/02/2021. The Authority also imposed an administrative fine of 1,100,000 TL on Amazon Turkey, stating that it failed to fulfill its data security and disclosure obligations due to the fact that it had violated both the explicit consent requirement and the obligation to inform while processing personal data through cookies, with the decision dated 27/02/2020 and numbered 2020/173.
With this latest decision numbered 2022/229, the Authority has decided to impose an administrative fine of 800,000 TL on the data controller who operates in the e-commerce. The justification of this decision was that the data controller company did not establish an active consent mechanism although it was required to when one of the conditions regarding the processing of personal data listed in the PDPL does not exist and also that it transferred the data abroad inconsistent with PDPL.
Although there is no written regulation regarding cookies in Turkish Law yet, the Authority can impose sanctions on non-compliances in the processing of personal data through cookies, based on the secondary legislation it has issued and the general articles in the PDPL. In this context, the Decision dated 10/03/2022 and numbered 2022/229 published by the Authority has once again revealed the importance of the necessity of acting within the framework of the personal data protection legislation and the practices of the Authority for the protection of personal data by persons and institutions engaged in the processing of personal data with cookies through the website/mobile applications.
Although this Decision is consistent with the legislation, it raises question marks for data controllers due to reasons such as the fact that the list of adequate countries has not yet been announced by the Authority regarding the transfer of personal data abroad and there are no local providers offering cookie services in Turkey.