Personal Data Protection in E-Commerce
Electronic Commerce (“E-Commerce”) is rapidly becoming the platform where consumer habits are most concentrated. In line with rapid developments in technology, devices and online platforms are getting to know their users more closely. Under the Law on the Regulation of Electronic Commerce (the “E-Commerce Law”), which entered into force last year, e-commerce actors were expected to add extra tabs and transactions, such as providing extensive information to users, explaining the services provided and their conditions, and setting out a procedural guide to follow during online shopping. In addition to these, a framework for the processing of users' personal data has been established with a brief article.
“Are liable for the preservation and protection of personal data obtained through transactions within the scope of the law.
Relevant personal data cannot be transmitted or used for any purpose without the consent of the data subject.”
In addition to the obligations that have to be fulfilled in relation to the regulation of e-commerce, this provision, which was introduced through additions to confidentiality policies, has gained currency with the Law on the Protection of Personal Data no. 6698 (“Data Protection Law”). In that law, personal data is defined as any information relating to an identified or identifiable natural person. Once personal data collection begins, the electronic commerce site is regarded as the data controller.
Which data are processed by electronic commerce sites?
It is impossible not to leave a trace while surfing the online world. The number of pages that users view during their visits to e-commerce sites, the length of the visit, site navigation habits, location, IP address, time information and similar data that may be related to the users are collected via cookies, even if the users do not shop or carry out any transaction. Even when the page is closed, the browser keeps the cookies. In addition, information such as name, surname, address, phone number, Turkish Republic identity number, payment information and interests is requested directly from the user during online shopping or when creating a membership.
The Data Protection Law regulates in detail the subject of “sharing personal data with third parties”, a crucial subject in terms of both marketing activities and overall workflow. This subject has also been regulated under the “Regulation on Service Providers and Intermediary Service Providers of Electronic Commerce”. Apart from the exceptions regulated under the Data Protection Law, data transfer explicitly hinges on the “express consent” of the related individual. Data sharing will be examined frequently during various inspections and examinations in order to ease the “Is my personal data being sold?” apprehension in citizens' minds. Consequently, it is vital to define, on a legal basis, the roles and responsibilities of the parties at the receiving end of the data transfer.
Liabilities of E-Commerce Sites
The binding principles of personal data processing are set out in the Data Protection Law. Each of these principles imposes various liabilities on real and legal persons.
In principle, personal data cannot be processed without obtaining the express consent of the data owner. However, in certain numerus clausus situations, obtaining express consent is not obligatory. In any case, the liabilities remain the same and as binding as before, even while conducting the data processing activities listed as “exceptional” under the Data Protection Law. For example, e-commerce websites are obliged to collect a number of personal data from their customers in order to establish and perform particular agreements, but even this necessity does not remove their obligation to inform the data subject.
Although the E-Commerce Law has encouraged electronic commerce sites to revise their user and privacy agreements, the matter is not limited to that. A transformation awaits electronic commerce sites, as it does many other companies that process personal data. Within this transformation, it is necessary to establish the mechanisms through which data subjects may exercise their rights enumerated in the Data Protection Law, to bring transparency to the foreground, to create clear informative texts and policies, and to fulfill the obligations related to data security.
In order not to be exposed to sanctions, it is very important for companies to establish a mechanism of their own covering personal data processing, storage, destruction, data security, registration and the fulfillment of data subjects' requests, and to act in accordance with the systematic approach to data classification prescribed in the Data Protection Law throughout personal data processing, starting from the data collection phase.
How much time is left?
The Data Protection Law entered into force upon publication in the Official Gazette dated 07 April 2016. Some transitional provisions are envisaged for the compliance of those subject to the Data Protection Law. According to Provisional Article 1, the deadline is 7 April 2018 for bringing personal data processed before the publication date of the Data Protection Law into line with its provisions. Although no time limit was set for the harmonization of personal data collected as of the publication date of the Data Protection Law, a period of 6 months was granted as a transitional period for the provisions on obligations and sanctions. However, this period also ended on 7 October 2016.
Even though the regulations that were planned to enter into force within 1 year are late, the drafts shared with the public show that the government is working on this issue.
The Data Protection Law, whose scope of application will be further shaped by the audits and decisions of the Board of Personal Data Protection (“Board”), provides for investigations triggered by citizens' complaints as well as reviews by the Board on its own motion. In particular, considering the public interest, a complaint process started by the users of an e-commerce site may turn into a major audit that leads to the inspection of all of a company's processes.
In conclusion, beginning from 2018, e-commerce platforms are undergoing a major harmonization, compliance, transformation and control process. Undoubtedly, the market players who adapt to this process swiftly will have a competitive advantage over their competitors.
 Law on the Regulation of Electronic Commerce, No. 6563, Date of ratification: 23/10/2014, Article 10.
Vefa Reşat Moral, Managing Partner
İpek Aşıkoğlu, Jr. Associate.