The Personal Data Protection Board examines the applications of the data subjects on the violation of their personal data and evaluates the applications for data processing within the scope of the Personal Data Protection Code No. 6698 and shares the summaries of the decisions on the website. In this context, the Board's decision dated 27/02/2020 and numbered 2020/173 published on May 7, 2020 has a special significance both in terms of the points of contact and the amount of administrative fines applied as a result of the decision. As a matter of fact, the fact that Amazon Turkey Retail Services Limited Company, which is the subject matter of the decision, is one of the leading companies in the e-commerce sector in the world, is another reason for qualify the decision as a precedent.

In the decision, it is seen that, the petition dated 27.06.2019 claims Amazon processed personal data against the law and that Amazon offered its defense against the claims in the application. It was alleged in the petition that Amazon violated the provisions of explicit consent and data transfer abroad. Corresponding to these claims by Amazon, It is stated that the issue is within the scope of electronic commerce legislation and the petition should be directed to the Ministry of Commerce. Also, Amazon stated that Privacy Notice and Terms of Use presented on the website ensures transparentcy in accordance with the Law and that correspondence continues with the Authority regarding letter of undertaking on data transfer abroad.

In this decision, a detailed examination of Amazon's data processing applications has been made and points contrary to Code No. 6698 are specified, and the data processing applications of Amazon, which the Board touches upon in the decision, and its evaluations regarding these applications are listed below:

  1. Taking explicit consent of the data subject to send electronic messages for marketing purposes

The data subject accepts the applications included in Amazon's "Privacy Statement" by only entering the www.amazon.com.tr page. Therefore, data processing is started without the knowledge of the person only by visiting the website. No explicit consent of the person regarding the processing of contact information to send messages for marketing purposes is also obtained during the entry of information required to create membership on the website. Moreover, it is seen that the e-mail address to which messages will be sent and the categories to be e-mailed are already selected in the account of the person after the membership process.

The Board evaluated this issue with the Code No. 6698 within the framework of the Regulation on Commercial Communication and Commercial Electronic Messages. In order to send commercial electronic messages to the person, the law requires explicit consent and the regulation requires approval. In the present case, it was decided by the Board that Amazon did not take the necessary measures to ensure data security, since no approval / explicit consent was received from the data subject  when creating the membership. In addition, this issue was clarified by stating that commercial electronic messaging channels and sending process are also within the scope of personal data protection legislation.

  1.  Abuse of right and violation of the principles of being relevant, limited and proportionate to the purposes of processing data

The second determination in the decision is in the Privacy Statement text, "You may choose not to provide certain information, but in this case you will not be able to use most of the Amazon Services." or "If you block or refuse our cookies, you cannot add products to your shopping cart, go to the purchase stage or use any Amazon service that requires you to sign in." It is stated that contingent of explicit consent will mislead the data subject. The Board described this as the abuse of the data controller's right.

In addition, Amazon mentioned that the name, address, phone number, payment information of the data subject by Amazon; age; Location information; persons to whom purchases have been sent; Contacts listed in 1-Click settings (including addresses and phone numbers); e-mail addresses of friends and others; the content of the evaluations and emails sent to the data controller; personal information and photos in the profile; Pictures and video, identity and status information and documents stored in connection with Amazon services; corporate and financial information; credit history information; The collection of VAT numbers are collected by the Amazon but the Authority did not find it proportionate to gather the person's credit history, corporate and financial information as well as the collection of personal data belonging to their friends. For this reason, it has been decided that the data controller Amazon acts against the principles of being relevant, limited and proportionate to the purposes of processing data

  1.  Sharing personal data with third parties

   In the Privacy Statement, the mentioned article  "When the personal information about you is shared with third parties, except for those mentioned above, you will receive a notification and you will have the option to choose not to share it." As it is understood from the expression, the only possibility of choosing not to share the data of the data subject is possible after the data is shared. Regarding this, the Board stated that “the explicit consent must be obtained at the latest when the transfer activity takes place, the explicit consent to be obtained after that cannot be accepted in accordance with the legislation.” Was accepted acting against the provisions of the Code.

  1.  Transfer of personal data abroad

Another issue in the decision concerns the violation of the provisions of transferring data abroad. Although the letters of undertaking for data transfer abroad by Amazon are submitted to the Board, the only way to transfer the data is that the relevant person has explicit consent since the Board has not yet made a decision regarding this application of Amazon and the list of countries with sufficient protection has not been published by the Authority. The Board states, "By creating an account, you accept the practices specified in this Privacy Statement." and "When you place an order, you agree to Amazon.com's Privacy Notice, Terms of Use and Sales and Cookie Notice." stated that his statements would not mean that the explicit consent of the person concerned had been obtained. It was declared that general consent that are not limited to a specific subject and transaction are accepted as "blanket consent" and are legally invalid, and it is decided that Amazon has not fulfilled its data security obligations.

  1.  Starting the data processing activity by visiting the website without any warning

In the text prepared about the cookies on the website, “to know the browsers or device of the visitors of the site, to have more information about their interests; For providing the necessary features, services and additional purposes including the ones listed below, the expression “using cookies, pixels and other technologies (hereinafter referred to as“ cookies ”) is included. An evaluation has been made by the Board that data processing starts with visiting the website and the obigation to inform is not fulfilled in this regard. As a matter of fact, since there is no warning or a pop-up message saying “approve cookie notices” informing the data subject when entering the website, this situation has been qualified as both against explicit consent and obligation to inform.

Due to the above-mentioned reasons, 1.100.000 TL due to violation of  Paragraph 1 of Article 12 named Data Security Obligations of  Personal Data Protection Code, and 100,000 TL, due to violation of the obligation to inform regulated in Article 10,  and total 1.200.000 TL administrative fine was imposed. In addition, it has been decided that Amazon will be instructed to update its data processing policy and make it lawful.

As a result, the Board's decision dated 27/02/2020 and numbered 2020/173 is important in terms of examining the issues in detail and clarifying issues such as transferring data abroad and sending commercial electronic messages for marketing purposes. It is also a precedent for violations in the data processing policies of websites and e-commerce sites that are frequently used in daily life.