Wed, Aug
52 New Articles

Storing and Processing Personal Data for E-Commerce Companies Under Turkish Law

Storing and Processing Personal Data for E-Commerce Companies Under Turkish Law

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In the last ten years, e-commerce has become the most important platform of today’s consumer habits, becoming a major competitor to both retailers and their suppliers. As a result, many giant retailers are now directing their investments towards e-commerce activities.

Since e-commerce is rapidly becoming widespread in Turkey (as it is around the world), it is more important than ever to understand the relationship between data privacy regulations and the e-commerce sector in recent years.

Turkey’s Personal Data Protection Law (Law No. 6698, or the “Law”), which is similar to the GDPR, contains the framework for processing personal data in Turkey. And pursuant to the Law, the Data Protection Authority (the “Authority”) has started ex officio examinations of companies in various sectors. 

Main Responsibilities of e-Commerce Companies Under The Data Privacy Law

Obtaining personal data clearly requires “explicit consent,” and under the Law, this explicit consent should be: (i) related to a specific topic, (ii) based on informative clarifications, and (iii) given freely. There is no specific requirement about how to obtain explicit consent, however; it can be given either as a statement or by a clear affirmative action. It is hoped that the Authority will clarify the rules about valid methods of obtaining this consent soon.

Companies engaged in e-commerce activities are responsible for complying with all obligations regulated under the Law. Under the Law, all companies must register with the Data Controller’s Registry System (VERBIS) before starting to process personal data. Companies which fail to do so may face severe sanctions.

E-commerce companies must also obtain explicit consent from data subjects before processing their personal data. If they are unable to obtain this explicit consent, the data subjects’ personal information should be immediately anonymized or erased from the system completely. In addition, e-commerce companies that conduct online sales in the absence of a signed membership contract must, at the ordering stage, obtain explicit consent from the data subject with respect to the storing and processing of the customer’s personal data, except where storing the personal data is necessary for the e-commerce company in order to comply with the terms of the sale contract. Finally, even for the general use of the site, it will be necessary to inform users about and obtain their explicit consent for the use of cookies and the processing of personal data. 

The meaning of “explicit consent” in e-commerce remains in debate, as e-commerce companies generally require their customers’ personal data before they render services to them, but it is unclear whether this practice satisfies the GDPR’s requirement that consent be given “freely.”

Sanctions that Companies Will Face If They Do Not Fulfill The Data Privacy Obligations

As mentioned above, the Authority carries out ex officio data protection examinations of e-commerce companies, and companies that do not fulfill their obligations may face penalties of up to TRY 1 million under Article 18 and Article 19 of the Law. Indeed, one of the most famous decisions by the Authority is the administrative fine of TRY 1.1 million it levied upon Facebook for its failing to take the necessary administrative and technical measures to prevent a data breach and failing to comply with the data security obligations, and an additional administrative fine of TRY 550,000 for its failure to make necessary notifications following the data breach. 


The obligations of companies regarding the protection and processing of personal data are changing and increasing within the scope of both the GDPR and Turkey’s Law No. 6698. Increasing personal data breaches and cybercrimes are forcing the Authority to take control of e-commerce companies which obtain personal data and process it for profit or share it with third parties without the explicit consent of the data subjects

By Nazli Sezer, Executive Partner, and Kaya Kayaoglu, Senior Associate, Sezer & Utkaner

This Article was originally published in Issue 6.8 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Turkey Knowledge Partner

NAZALI offers a broad range of services in the fields of Tax, Audit, Corporate and Commercial Law, Mergers & Acquisitions, Corporate Finance, Banking, Finance and Capital Markets, Protective Legal Services and Dispute Resolution, Personal Data Protection and Privacy, Social Security and Labor Law, Occupational Health and Safety, Competition Law, Intellectual Property Law and R&D, Compliance and White-Collar Crimes, Administrative Law, Real Estate Law, Customs and Foreign Trade, Accounting and Payroll, Financial Incentives and Advisory Services and Public Administration and Compliance through its partners, associates and consultants of different seniorities who have both public and private sector experience.

What sets NAZALI apart from others is that NAZALI offers a truly comprehensive service to its clients with experts from different disciplines working collaboratively as a team under one roof enabling us to evaluate all dimensions of legal matters together with financial and technical matters.

The services that NAZALI provides to its clients include the most appropriate solution with the support of technical departments specialized in their fields. In this context, NAZALI associates are supported by NAZALI technical team and work alongside the experts in the fields of finance, social security and customs matters. NAZALI has set out with the aim of providing the most efficient and comprehensive solution for its clients by adapting to the developing conditions and happily gained the trust of its clients by never compromising the quality of service.

As conditions continuously evolve, NAZALI always aims to further itself remaining true to its motto “GROW WITH KNOWLEDGE” and has set out with the aim of providing the most efficient and comprehensive solution for its clients by adapting to the developing conditions and happily gained the trust of its clients by never compromising the quality of service.

Firm's website: http://www.nazali.com

Our Latest Issue