The Concept of Explicit Consent in Personal Data Protection Law - Av. Lider Tanrıkulu

What is Explicit Consent?

The right to protect personal data is regulated as a fundamental right and freedom both internationally by Article 8 of the European Convention on Human Rights and nationally by Article 20 of the Constitution of the Republic of Turkey. The right to freely dispose of one’s own data and to determine the future of this data also derives its source from this fundamental right status. As a reflection of this, in both international and national regulations, the consent of the person concerned in activities such as the processing, storage and transfer of personal data is accepted as a reason for the legality of the action.

Law No. 6698 on the Protection of Personal Data, the principal regulation on personal data protection in our country, provides for explicit consent as a ground of lawfulness for the processing of personal data (Art. 5), the processing of special categories of personal data (Art. 6), and the transfer of personal data domestically (Art. 7) and abroad (Art. 8). (1)

With the exception of the data processing activities listed in paragraph 2 of Article 5 of the Law and where there is a superior private or public interest, the general rule is to obtain the explicit consent of the data subject for the data processing activity to be carried out in accordance with the law.

Definitions of “Consent” under KVKK and GDPR

In Turkish law, consent is regulated as a ground of lawfulness in various pieces of legislation. Unlike these regulations, the KVKK uses the concept of “explicit consent” and accepts that the action will be lawful with the explicit consent of the data subject, except for the exceptional circumstances listed in the law. The GDPR, the principal regulation in EU law, regulates “consent” as a ground of lawfulness for the processing and transfer of personal data, while stating that “explicit consent” will be sought only in the processing of special categories of personal data. Although this difference creates a perception that personal data processing activities can be carried out with a more flexible and general consent within the scope of the European Union regulations, in fact, the consent defined in the GDPR is a more comprehensive regulation that includes the explicit consent specified in the KVKK.

Law No. 6698 specifies the elements of explicit consent by listing its conditions: the consent must relate to a specific subject, be based on information, and be given with free will. Consent within the scope of the GDPR is defined as a freely given, subject-specific, informed and precise indication of the wishes of the data subject, which reveals that the data subject agrees to the processing of personal data concerning him/her, with a statement or explicit affirmative action. Recital 32 of the GDPR stipulates that freely given, specific, informed and unambiguous consent may be given in writing, electronically or orally, and the same provision states that it is the responsibility of the data controller to prove the existence of consent. Within the scope of the GDPR, it is regulated that consent cannot be given impliedly and that it must be put forward and proven in the form of a positive declaration of will, so the definition it adopts already includes “explicit consent”.

What are the Conditions of Explicit Consent?

Since the law clearly states the elements of explicit consent, the lawfulness of a data processing activity, except for the exceptional cases listed in the law, depends on the existence of an explicit consent that satisfies these elements. Accordingly, the existence of the elements listed in the law, as well as when and how the consent was obtained, should be evaluated.

3.1. What are the Elements of Explicit Consent?

3.1.1. Consent Relating to a Specific Subject

Article 3 of the KVKK and Article 5/1-b of the GDPR jointly regulate that explicit consent must be obtained for a specific subject matter. By adopting the principle of “limited purpose”, both regulations aim to create a safeguard against the gradual expansion of the purpose for which consent is given over time. (2)

Explicit consent must relate to, and be limited to, the specific subject for which it is given.

The data controller/data processor must obtain explicit consent for each element such as which personal data will be processed, for what purposes, for how long, and what the rights of the data subject are, based on information and in relation to the subject matter in which the data will be used. This is especially important for data controllers who process personal data for more than one purpose. Multiple processing activities may be carried out for more than one purpose in the provision of a good or service. In such cases, data subjects should be free to choose which purpose to consent to, rather than having to consent to a number of processing purposes. In this case, consent-seeking actions that require the data subject to consent to processing other than the minimum data processing activities necessary for the data subject to receive the relevant service will be unlawful.

If the subject or purposes of the consent given change, in order for a lawful data processing activity to exist, the data subject will need to be informed about the new current situation and explicit consent will need to be obtained again.

It does not seem possible to recognize the validity of unrestricted, open-ended, future-oriented, all-encompassing and general consents called “umbrella consent” or “blanket consent”, where the person consents to all kinds of data processing activities without specifying a specific subject and purpose, as they do not meet the element of certainty.

For example, checking the “I agree” option under a statement such as “Your phone number so that SMS can be sent to you for the advertisement and promotion of our products and services so that you can be informed about our campaigns, and your name, surname, phone number and e-mail information will be transferred to our business partners located abroad for the supply of products and services within the scope of your explicit consent.” will not mean that the explicit consent has been obtained in accordance with the Law. (3)

Data controllers should act in accordance with the data subject’s requests as far as possible, in particular where the consent of the data subject constitutes the legal basis for the processing.

3.1.2. Obtaining Consent Based on Information

In order for consent to be informed, the person giving consent must be informed about which personal data will be processed, for what purposes, for how long, his/her legal rights, the responsibilities of the data processor and how the data will be protected. Firstly, the individual is informed about how the data will be processed, and then he/she is provided with a choice as to whether or not to accept the data processing. (4)

In order to be able to say that the data subject has been informed, the following issues can be taken as criteria:

(a) Is the data subject an adult with the competence to understand what to consent to, or if not, does he/she have a legal representative?

(b) Is the consent obtained in writing?

(c) Is the consent reasonable and credible?

(d) Is the consent the product of an independent decision-making process?

(e) Is the consent up to date?

(f) Is it clearly stated what data will be collected, used and shared?

(g) Is the data collected to fulfill a specific purpose?

(h) Is it clearly stated what measures will be taken to protect the data?

(i) Are the persons who process the data and are responsible for processing the data identified?

(j) Is it clear how the rights granted to the data subject will be exercised?

(k) Has the data subject been provided with specific and detailed information?

(l) Is the information provided to the data subject understandable, accessible and accurate? (5)

In practice, the obligation to inform is generally realized by providing the data subject with texts containing the above-mentioned elements in the form of “Clarification Text” and “Privacy Policy”. These texts must be clear, unambiguous, written in a way that the average person can read and understand, free of complex terminology, and placed in a place that is easily visible and accessible to the data subject. (6)

At the same time, since consent is a right that is firmly attached to the person and allows the person to dispose of his/her own data, the person concerned should be informed about the conditions under which and the methods by which he/she can withdraw it.

3.1.3. Consent Based on Free Will

Since the right to protection of personal data is a fundamental right, the data subject must be able to exercise this right freely and must have the freedom to choose whether or not the data is processed. Where the data subject would face consequences such as discrimination, maltreatment or any harm for not giving consent, consent based on free will cannot be said to exist. While the KVKK merely states that consent must be “freely given”, in the GDPR this issue is regulated by Recital 42 as “consent shall not be considered as freely given if the data subject has no real or free choice or is unable to refuse or withdraw consent without suffering harm”.

According to the decisions of the Authority and the Court of Justice, where there is a hierarchy between the parties, for example an employee-employer relationship, the fact that the employee faces the risk of losing his job if he does not consent to the processing of his personal data means that the consent is not freely given, and the data processing activity should be considered unlawful.

At the same time, the decisions of the institution have established that making the provision of basic goods or services conditional on explicit consent will also be considered unlawful. For example, where the processing of personal data is imposed on the person in the membership agreement offered by a service provider, the institution has decided that tying the basic service to the condition of explicit consent vitiates the explicit consent, that this will be considered an abuse of right by the data controller, and that administrative sanctions should be imposed in accordance with Article 18 of the law. With the GDPR, this issue is regulated in a much clearer and more precise manner. Accordingly, it is regulated that non-negotiable bundled consents within the terms and conditions of the contract cannot be accepted. (7) In the dispute before the Court of Justice, the user was forced to check the box to participate in the lottery. By ticking this box, the user consents to the use of cookies. Article 7(4) of the GDPR prohibits such rushed forms of consent in order to benefit from the actual service.

3.2. When Should Explicit Consent be Obtained?

Although neither the LPPD nor the general provisions contain an explicit provision on when consent should be obtained, it is stated that explicit consent must be obtained before the data processing activity, since consent, as a general ground of lawfulness, must exist before the intervention.

Likewise, the consent obtained after the start of the personal data processing activity, although it is a technical consent, will not be sufficient to make the data processing activity lawful from the beginning, but will only make it lawful from the moment the consent is given. In this case, there will be an unlawful data processing activity in the process between the start of processing personal data without consent and the moment of consent. (8)

In the decision dated 27/02/2020 given by the Personal Data Protection Authority on Amazon Turkey Retail Services Limited Company, it was revealed that cookies are collected only when users log in to the site, in this case, obtaining consent after the processing of personal data would not be in accordance with the law and this situation is considered as an unlawful data processing activity.

3.3. In What Form Should Explicit Consent be Obtained?

There is a regulation in both the LPPD and the GDPR regarding how to obtain explicit consent. In this case, as a general rule, it can be accepted that there is freedom of form between the parties in accordance with TCO.12. However, both the Personal Data Protection Authority and the GDPR regulate that the proof of consent belongs to the data controller. In this case, although there is no legal obstacle in giving consent verbally, there may be difficulties for the data controller to prove the existence of this consent and its compliance with the elements. For this reason, data controllers are required to obtain consent in writing or by other recorded methods that can be proved later. Explicit consents such as SMS, e-mail, explicit consent text, filling out the consent form, which can be proved later and which contain the affirmative declaration of will of the data subject will be in accordance with the law.

Although there is no clear regulation in the KVKK regarding the form of explicit consent, the GDPR states that this issue should be stated in the form of “declaration or active action”. In this case, data processing activities cannot be carried out based on the implied or presumed consent of the person.

In practice, providers of goods and services often offer the data subject an option along the lines of “click the box below if you agree to the processing of your personal data”, and the data subject shows his/her consent in this way. In these cases, it should be noted that the absence of consent is assumed and the person is offered a choice. Starting from the absence of consent, a person who does consent should be made to express it through an active action amounting to a positive declaration of will, by checking the box indicating that he/she has given consent. Consents obtained in this way are considered lawful as “opt-in” consent. However, if the person’s consent is presumed through pre-marked boxes and an action must be taken to indicate the absence of consent, this is “opt-out” consent. In these cases, it will not be possible to talk about a consent in accordance with the law, since the action is taken not to show a positive will but to show a negative one.

In the decision of the Personal Data Protection Authority dated 27/02/2020 on Amazon Retail Services Limited Company, it was stated that the goods and service provider did not obtain any explicit consent regarding promotional e-mails in the membership form, 10 boxes were automatically checked as promotional e-mails in the membership settings, the explicit consent of the individuals was not obtained but assumed and such a processing activity was unlawful, and the necessity of using a system in which the individual will consent to the processing of personal data with his conscious action was emphasized.

3.3.1. What is an Explicit Consent Text?

A frequently encountered method of obtaining consent in practice is the “Explicit Consent Text”. With this text, the consent of the person who is informed with the privacy policy or disclosure text regarding the processing of personal data is recorded. An explicit consent text must contain a statement that the data subject has been informed that he/she can withdraw his/her consent at any time, that he/she has been informed about which data, for what purposes and how they will be processed or transferred abroad, and that he/she consents to the data processing activity with his/her free will based on this information.

Atty. İrem MUTLU / Antalya Bar Association

Translated by: Hasan ASGAROV

Bibliography 

1. Anı, Nevzat Ali. Kişisel Verilerin İşlenmesi ve Açık Rıza. Master's thesis, İstanbul Üniversitesi Sosyal Bilimler Enstitüsü, Özel Hukuk Anabilim Dalı. İstanbul : s.n., 2018. p. 128.

2. Article 29 Working Party Guidelines on consent under Regulation 2016/679. [Online] [Accessed: 19 01 2023.] p. 12. https://ec.europa.eu/newsroom/article29/items/623051/en.

3. Decision of the Personal Data Protection Board dated 26/07/2018 and numbered 2018/90. Personal Data Protection Authority. [Online] [Accessed: 19 01 2023.] https://kvkk.gov.tr/Icerik/5420/2018-90.

4. GENEL VERİ KORUMA TÜZÜĞÜ IŞIĞINDA KİŞİSEL VERİLERİN İŞLENMESİNDE RIZA AÇIKLAMASI. SELEK, Res. Asst. Ozan. 2, s.l. : Dokuz Eylül Üniversitesi Hukuk Fakültesi Dergisi, 2019, Vol. 21, p. 924.

5. Custers, Bart, et al. Informed Consent in Social Media Use: The Gap between User Expectations and EU Personal Data Protection Law. Script-ed: A Journal of Law and Technology. 2013, Vol. 10, 4, p. 438.

6. ARTICLE 29 DATA PROTECTION WORKING PARTY. Opinion 15/2011 on the definition of consent. [Online] [Accessed: 19 01 2023.] p. 20. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp187_en.pdf.

7. Article 29 Working Party Guidelines on consent under Regulation 2016/679. ARTICLE 29 DATA PROTECTION WORKING PARTY. [Online] 28 11 2017. [Accessed: 25 12 2022.] p. 5. http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358&tpa_id=6936.

8. KİŞİSEL VERİLERİN İŞLENMESİNDE, AÇIK RIZA HUKUKA UYGUNLUK NEDENİNİN, 95/46 SAYILI DİREKTİF VE GDPR’LA KARŞILAŞTIRMALI OLARAK İNCELENMESİ. ÇELİKEL, Serdar. 17, s.l. : Uyuşmazlık Mahkemesi Dergisi, June 2021, Vol. 9, pp. 172, 173.

9. ARTICLE 29 DATA PROTECTION WORKING PARTY. Justice and Consumers Article 29 Newsroom. [Online] [Accessed: 19 1 2023.] https://ec.europa.eu/newsroom/article29/items/623051/en.

© 2020 Av. Lider TANRIKULU
