1. Introduction
One of the most important elements in the protection of personal data is explicit consent. The concept is defined in personal data protection legislation; the European General Data Protection Regulation[1] ("GDPR") defines it as follows:
"consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"[2]
Article 3 of the Personal Data Protection Law[3] in Turkey ("KVKK") defines explicit consent as follows:
"Explicit Consent: Freely given specific and informed consent"
The elements of consent are similar in both laws. One of the conditions of validity for explicit consent is that the consent can be withdrawn. For an explicit consent to be valid, it must be possible to withdraw it in the same way it was given. The withdrawal of explicit consent is not regulated in the KVKK, but it has a wide range of applications in the GDPR, where it is regulated under Article 7.
The WP29[4] opinions on the provisions and recitals of the GDPR codify this situation according to the current interpretation.[5] The explicit consent guide published by the European Data Protection Board ("EDPB")[6] comments on the matter on the basis that explicit consent as introduced by the GDPR carries harsh sanctions imposed by the EU[7].
The controller should allow consent that has been given to be withdrawn. The most important point is that the data subject can withdraw her/his consent at any time and as easily as she/he gave it. It is the controller's responsibility to provide this convenience: the data subject must be able to withdraw her/his consent in the same way she/he gave it, and the controller must have a system in place that makes all of this possible.
Another important point is that the data subject should be able to withdraw without detriment. Obtaining and withdrawing explicit consent should not turn into an imposition by the controller. For example, if the data subject has given explicit consent to the processing of location information in order to use a mobile photo application, but can no longer take advantage of the features of the photo application when she/he wishes to withdraw this consent, one cannot speak of a proper explicit consent or of a real possibility of withdrawing it. If the data subject gives consent by pressing a single button while using the application, she/he should be able to withdraw her/his consent by pressing a single button. The controller should not make it difficult for the data subject to withdraw her/his consent.
Likewise, if the data subject gives explicit consent to the processing of data for the service she/he will receive and giving that consent is not subject to any time limitation, no time limitation should apply to withdrawing it either. In the example given in the guide published by the EDPB[8], a company selling tickets online for a music festival is available 24/7, and data is processed with online clicks 24/7. However, the data subject can withdraw the explicit consent she/he has given only during business hours on weekdays and only by calling the box office. This is a clearly unlawful practice. Explicit consent should be withdrawable however, whenever and in whatever way the controller obtained it. Otherwise, it will not be possible to speak of a proper consent.
To assess the validity of explicit consent, it is also important to look at the withdrawal methods, because if withdrawing consent puts the data subject in difficulty, as in the examples above, the consent cannot be considered valid in the first place. Under the "informed" element of the GDPR definition of consent, the controller should explain the right to withdraw to the data subject at the outset, when informing her/him about the processing of personal data. In this way, the GDPR and the EDPB both aim to maintain transparency.
The GDPR guidance of the Information Commissioner's Office ("ICO")[9] on the withdrawal of consent and on the legal basis for the transaction was also examined. According to it, the controller should be clear and plain when obtaining consent from the data subject; should state that the consent can be withdrawn; should use clear language; should ensure, where consent is obtained electronically or on a digital platform, that boxes do not appear pre-ticked; should provide an opt-out option in e-mails; should immediately destroy the data of a data subject who withdraws consent; and, finally, should not punish data subjects who withdraw their consent.[10]
The consent of the data subject should be a positive action. If the data subject is silent, continues with a pre-checked box or remains inactive, there is no consent. For this reason, there is no consent to withdraw in such cases.
The aim of the GDPR and related legislation is that explicit consent is given by the data subject's own will and after the data subject has been genuinely informed by the controller. The data subject should always be able to withdraw explicit consent without any sanction and in the same way the consent was given.
For an explicit consent to be valid, apart from the elements in the legislation, it is necessary to check whether the consent can be withdrawn as described above. Otherwise, it is not possible to speak of a lawful explicit consent. It should be remembered that where personal data can be processed on a basis provided by law, there is no explicit consent, and so there is no withdrawal of explicit consent to speak of. In cases where only explicit consent is required, the institution of withdrawing explicit consent will come into play.
Footnotes
1. EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
2. GDPR Article 4(11), definition of consent
3. Law on the Protection of Personal Data No. 6698 dated 24/03/2016
4. Working Party, the old name of the EDPB
5. EDPB Guidelines 05/2020 on consent under Regulation 2016/679 Version 1.0 Adopted on 4 May 2020
6. On 25 May 2018, the EDPB replaced the Article 29 Working Party.
7. European Union
8. EDPB Guidelines on consent, para. 115
9. The UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.