Bengü Bellek

Managing Attorney

04.10.2022

Explicit Consent Within The Scope Of Personal Data Protection

Personal data is described as "all kinds of information about an identified or identifiable natural person" in Article 3/1 (d) of the Personal Data Protection Law No. 6698 (PDPL). As can be seen from the definition given in the relevant legislation, the concept of personal data has a fairly broad meaning. Although personal data and its protection have emerged as an issue only in the recent past, it is natural for a person to want to keep certain information about themselves confidential.

With the development of technology, the importance of personal data has increased and access to it has become easier. The inability of the law to keep up with the speed of technology has made the rules of law insufficient in this area, and the need to protect personal data has emerged. In this context, many legal regulations have been made. However, within the scope of this study, the European Union's General Data Protection Regulation (GDPR) and the decisions of the Court of Justice of the European Union (CJEU), which are also the inspiration for the PDPL in force in our country, will be examined to the extent that they explain the regulation.

Personal data is also defined in the GDPR as "any information relating to an identified or identifiable natural person", and no change was made to the definition while adapting the Regulation to our law. When the expression "identifiable" in the legal regulations is examined, we can understand that the definition covers not only data that enables the precise determination of the data owner, such as the person's name, surname and date of birth, but also data such as the physical, family and economic characteristics of the person. In the justification of the GDPR, it is stated that even data that has been anonymized through a number of transactions will qualify as personal data if it can be attributed to a person through additional information. In the justification of the relevant article of the PDPL, all data that does not qualify as personal data on its own, but enables the identification of the person when associated with any record about the person, is included in the definition of personal data in the law. In the Patrick Breyer v Bundesrepublik Deutschland decision given by the CJEU on this point in 2016, it was stated that storing the IP addresses of the people entering a website means storing personal data, since the data owner can be determined by the information to be added to the existing data. However, it is stated that if access to the additional information is prohibited by law or technically requires a lot of effort and time, it is difficult to reveal the identity of the person, so there is no identifiable person in the sense of the GDPR.

The processing of personal data, which is defined quite broadly in the legal regulation and is easy to access, is subject to certain conditions. According to Article 6/1 of the GDPR:

“Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.”

It is emphasized that, for the processing of personal data to be in accordance with the law, the processing must be based on consent given by the data owner in accordance with the GDPR or another legal regulation. The important issue here is how the consent is obtained, because consent that was not obtained in accordance with the law will not be valid, and this will result in the unlawful processing of personal data. According to the GDPR justification, consent to the processing of personal data about the data owner must be given freely and on an informed basis, in writing (including by electronic means) or orally, and through a clear confirmatory act specific to that processing. For example, checking the consent box that appears when visiting a website is a clear confirmatory act in this sense. Therefore, the data owner remaining silent, or being asked for consent through a previously checked box, does not mean that the person has given consent.

In the PDPL, the processing of personal data has been made conditional on explicit consent by the provision in Article 5/1: "Personal data cannot be processed without the explicit consent of the person concerned." However, the personal data mentioned here are general personal data. In the article, similar to the GDPR, it is stated that explicit consent will not be sought if certain conditions are present. In parallel with the definition of consent in the GDPR, explicit consent is defined in the Law as "Consent related to a specific issue, based on being informed and explained with free will".

Although personal data are divided into general qualified data and special qualified data in the PDPL, as mentioned above, the processing of all kinds of data, regardless of this distinction, is made subject to the explicit consent of the data owner. In the GDPR, consent is one of the reasons that make the processing of personal data lawful. However, the processing of personal data about people's ethnic origins, political opinions, philosophical beliefs, religion or other beliefs, way of clothing, association or trade union memberships, health, sexual life, criminal convictions and security measures, and of biometric and genetic data, has been made conditional on explicit consent. In order for the explicit consent given by the data owner to be valid, it must first be given in relation to a specific subject. A general and open-ended statement such as "I consent to the processing of my personal data" does not meet the requirement of explicit consent within the meaning of the law.

In addition, explicit consent must be obtained as a result of informing the data owner in detail about the subject. According to Article 5 of the GDPR, transparency is one of the principles that are important in the processing of personal data. For this reason, it is necessary to obtain the data owner's consent after informing them about the identity of the person who will process the data, the purpose of processing the data, the kind of data that will be processed, and the way to revoke the consent. Additionally, when requesting consent from the data owner, it is necessary to communicate the request clearly to the other party. If consent is requested in a language that only someone with legal knowledge is able to understand, the consent received will not be valid, because that way of speaking may not be understood by the average person. The data owner is required to make this choice of their own free will while giving consent. If the data owner gives their consent without a chance to choose or a chance to withdraw it, that consent will not be valid. For example, if a photo editing application on the phone forces the user to share their location in order to personalize the experience as a condition of using the application, this will invalidate the user's consent, because it is not necessary to process such data in order to use a photo editing app.

If there is a power imbalance between the data owner and the data processors, the given consent is also controversial, because the data owner will not have much choice but to give consent in this case. Data processing by public institutions, or obtaining consent from an employee on certain issues within the scope of an employment contract, can be given as examples of this situation. However, this does not mean that employers cannot rely on consent as a legal basis for data processing activities. The consent obtained from the data owner should not be subject to any conditions. Article 7 of the GDPR, which regulates the conditions for consent, stipulates that, when determining whether consent is given freely, if the processing of personal data is not necessary for the validity of the contract, the contract cannot be made conditional on giving consent for data processing.

The GDPR contains no provision on the way consent is given. However, a very detailed guide on consent has been prepared by an independent working group called "Article 29 Working Party" established in 2011 under the EU. Accordingly, the word "explicit" refers to the way the data owner expresses consent. Therefore, in order to clearly understand that explicit consent has been received, it is necessary to obtain consent in writing. In some cases, the data processor will also be able to obtain the signature of the data owner in order to eliminate possible suspicions and risks that may arise in the future. However, this is not the only way to obtain the explicit consent of the data owner. For example, in digital and online environments, the data owner will also be able to give their explicit consent by different methods, such as filling out an electronic form, sending an e-mail, or scanning and sending a signed document.

In Case C-673/17 Planet49, finalized in 2019, the CJEU ruled that processing an internet user's data on the basis of consent obtained through a pre-marked box is contrary to the GDPR. In that case, an online competition was organized by Planet49 and various data were requested from users for participation in the competition. However, the consent request was presented to the user with a pre-marked check box. In its decision, the CJEU emphasized that the consent given by the data owner must have been given through an active act and stated that a pre-marked box does not meet this requirement.

The increasing importance of personal data along with developing technology has led to the need to adapt legal regulations to today's needs. However, as this is a newer field compared to other fundamental rights and freedoms, it is also clear that it needs to be developed through case law in order for the legal regulations to be applied soundly.

When the concept of consent is examined under the PDPL and the GDPR together, it is seen that while the GDPR provides for both consent and explicit consent, only the concept of explicit consent is used in the PDPL. Although explicit consent is regulated only as a condition for the processing of private personal data in the GDPR, the existence of explicit consent is sought regardless of the type of data in the PDPL. However, when the justification for the PDPL and the guidelines published by the Personal Data Protection Authority are examined, it can be said that the concept of explicit consent used in the PDPL corresponds to the concept of consent contained in the GDPR.