In its decision dated June 15, 2023 and numbered 2023/1041, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint against a service provider selling medical devices online, alleging that it failed to provide proper notice of its data processing activities to data subjects and forced data subjects to provide explicit consent as a prerequisite of sale.

In summary, the consumer (“Data Subject”) argued that, in order to purchase medical devices, the service provider (“Data Controller”) requires data subjects (i) to provide personal data for commercial and marketing purposes and (ii) to provide explicit consent for cross-border data transfers.

In its response, on the other hand, the Data Controller stated that providing a national identity number is optional, that customers’ health data are not requested under any circumstances, and that customers are only required to provide:

  • name, surname and address information, for the purpose of issuing an invoice in line with the provisions of the Tax Procedure Law No. 213,
  • e-mail address, for the purpose of creating an account for customers to track shipment,
  • phone number, to be provided to the cargo company, for the delivery of the medical device.

Moreover, the Data Controller emphasized that customers are provided with two checkboxes in an opt-in format, that the checkbox for commercial communication is optional, and that even if customers have consented, they can withdraw their explicit consent at any time and without the need for any justification. The Data Controller further highlighted that providing consent does not constitute an obstacle to shopping on the website and is not a prerequisite for sales.

Additionally, the Data Controller mentioned that, as a subsidiary of a global group company, it is obliged to participate in international systems and therefore needs to obtain explicit consent for cross-border data transfers in line with the provisions of the DPL. However, the Data Controller explained that, although customers are required to provide their explicit consent for cross-border data transfers to make purchases through the website, customers who do not want to provide their explicit consent can obtain the products from a sales channel other than the website by contacting customer services, without additional costs.

Regarding the claim that the Data Controller uses the Data Subject’s health data for commercial and marketing activities, the Board decided that, as it cannot be assumed that the purchaser has diabetes, it cannot be concluded that the requested information is personal data within the meaning of the DPL or that the purchasers’ health data are processed. Considering that the purchase and membership mechanisms function without providing consent to personal data processing for commercial or marketing purposes, the Board evaluated that the Data Controller’s practices are in compliance with the DPL.

Moreover, the Board evaluated the practice of the Data Controller obtaining explicit consent for cross-border data transfers for sales made through the website and concluded that, for customers who do not give explicit consent to the transfer of their personal data abroad, there is an alternative sales channel available through customer services and this channel offers shopping opportunities to customers without any additional cost. In this context, the Board stated that as the Data Subject is able to obtain the product without any loss and without being forced to allow the transfer of their personal data abroad, the service cannot be deemed to be conditioned on explicit consent. However, the Board instructed the Data Controller to clearly and understandably show the alternative sales channel on the membership and sales screens, in order to ensure transparent information.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya