Suzan Melisa Erdem



Digital Transformation in Trade

DIGITAL TRANSFORMATION IN TRADE: What are the legal aspects of digitalization in trade in terms of PDPL?

With the spread of the internet, trade, like many other things in our world, has undergone a transformation and become digitalized. Undoubtedly, this change has had legal consequences that affect our daily lives and has come with some regulations for the protection of the consumer. 


Electronic commerce or e-commerce is a type of shopping in which we purchase goods or services from the internet and conclude a sales contract electronically in this way. Although this shopping usually takes place from the company to the end consumer, it can also take place between companies or from the end consumer to the company with the spread of the internet and social media. The area where the problems related to consumer rights are most common and the regulations in this direction are concentrated is the sales made from the company to the consumer.

The most important problems of virtual sales are related to security and data privacy. In distance sales contracts, it is important to notify the consumer of the seller's name, title, full address, telephone information, the price and characteristics of the product, the form of performance, and the use of the right of withdrawal. The fact that this information is shared by the seller increases the reliability of the seller and the legal security of the consumer.


We often use the websites of companies in internet shopping. Membership to these sites may be required, as well as shopping without a member. In both cases, personal data of the consumer such as name, surname, address, telephone, TR ID number, payment information, interests, location information, ethnicity, gender, biometric data, religious beliefs, web cookies and political opinions etc. are processed on these sites. 

Cookies, which are frequently encountered during our visits to websites, are saved by that commercial enterprise for reasons such as improving the experience of users, seeing the preferences of visitors, and personalizing advertisements. Therefore, although cookies cannot be considered as personal data on their own, they are considered personal data when combined with other data.


Personal Data Protection Law (PDPL) is a law that entered into force in 2016 within the scope of European Union harmonization laws for the purpose of data protection and aims to protect fundamental rights and freedoms and protects consumers against personal data breaches. E-commerce site owners are considered as "data controllers" within the scope of this law and in accordance with Article 12 of the PDPL, the data controller is obliged to ensure the processing and protection of personal data in accordance with the law and to take the necessary security measures to prevent unlawful access. 


In accordance with Article 5 of the PDPL, explicit consent must be obtained for the processing of personal data. Explicit consent should not be vague or open-ended. However, according to the law, some situations eliminate the obligation to obtain explicit consent, some of these situations are as follows; 

1. Provided that it is directly related to the establishment or performance of a contract, the processing of personal data of the parties to the contract is necessary: Personal data requested for membership on websites does not require explicit consent, provided that they comply with Article 4 of the Law. Accordingly, it is considered legitimate to request data such as the name, surname, telephone, e-mail address of the consumer. 

2. Explicit consent is also not required if it is explicitly included in the law or if it is mandatory for the data controller to fulfill its legal obligation. 

3. In cases where the data subject has been made public by himself/herself, for example, the profile photos or user name-surname information we have uploaded to the website are also such and do not require explicit consent for processing. 



The data controller, that is, the company, has an obligation to inform the consumer that personal data is processed on the websites where we shop online. The obligation of disclosure means informing the relevant person about the purposes for which personal data will be used and with whom it will be shared. 

Pursuant to Article 10 of the PDPL, the data controller is obliged to inform the consumer about the identity of the data controller and, if any, its representative, the purpose for which the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for personal data collection. Although this obligation means the obligation of clarification, it is important to write it in a clear and understandable language. 



Personal data 3. The data controller is obliged to report the situation to the Board immediately, even if it can be accessed by individuals, that is, if there is a data breach. In order to prevent such access, data controllers are obliged to take the necessary measures, otherwise criminal sanctions may be imposed. 

In a Board decision, "In the event that the person is directed to the account of another user while logging in to the website of the car rental company with the username and e-mail address registered in the system, that a third person accesses their personal data such as address, phone number, TR ID number and driver's license information as a result of incorrect redirection, that making personal data available is a personal data processing activity, and that the personal data of four people becomes available to other users due to the incorrect operation of the algorithm used to update the customer information in the data recording system of the data controller, the data controller does not fulfill its obligation to protect the data in Article 12 of the PDPL.

Accordingly, in another decision, an administrative fine was decided for the airline company in the event that a person who entered their PNR and surname for the check-in process on the airline company website accessed the flight information and other personal data of 4 different people they did not know, and even accessed many transaction rights such as cancellation and change of tickets.



It is seen that the clarification text, explicit consent text and cookie text are mandatory texts to be presented to consumers on websites. E-commerce sites should ensure that their algorithms work correctly and that websites are secured against other malicious accesses in order to protect consumers' data. In order to protect the rights of consumers, that is, all of us, and to ensure the security of our data, all e-commerce companies must process and maintain our data in accordance with the PDPL, otherwise large criminal sanctions may be imposed on data controllers (e-commerce site owners). 

Sektörden Diğer Yayınları