In the application made to the Board, it was claimed that when accessing the website of a gaming platform, users were not informed about the cookie processing processes and express consent was not obtained for non-essential cookies.

As a result of the examination, the Board determined that personal data was processed by the data controller through non-obligatory cookies such as advertising and marketing purposes on the website without any conditions, and concluded that this situation constitutes a violation of the obligations regarding data security in the Personal Data Protection Law.

The Board imposed an administrative fine of 300 thousand lira on the game platform, which did not provide information about “cookies” and did not fulfill the explicit consent requirement, on the grounds that it did not fulfill its obligations regarding data security.


from the decision

In the decision, it was stated that in the Law on the Protection of Personal Data, the situations in which express consent can be obtained in the processing of personal data are regulated.

In the decision, where it was pointed out that the Law also includes provisions regarding the “Information Obligation of the Data Controller”, also, within the scope of the Law, all kinds of technical and administrative procedures necessary to ensure the appropriate level of security in order to prevent the illegal processing and access of personal data of the data controller and to ensure the preservation of personal data. It was stressed that he had a duty to take action.

In the decision, it was noted that there are many cookies on the complained site, there is no clarification in this framework, and the data controller does not seek explicit consent for cookies that are not mandatory and track user movements for purposes such as advertising or statistics.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *