In its decision dated September 28, 2023 and numbered 2023/1645, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a local distributor of a massively multiplayer online game due to its unlawful processing of personal data.
In summary, the complainant (“Data Subject”) argued that the distributor of an online game (“Data Controller”), who is the sole authorized person responsible for making all transactions on behalf of the owner of the game and generates commercial revenues in Turkey, failed to provide a comprehensive response to their information request within the scope of the Turkish Personal Data Protection Law No. 6698 (“DPL”). Moreover, the Data Controller allegedly stated to the Data Subject that their personal data is not transferred to third parties, neither in Turkey nor abroad. However, the Data Subject claimed that pursuant to Data Controller’s privacy policy and cookie policy, the personal data collected from the players are transferred abroad. Additionally, the Data Subject stated that the Data Controller is using a third-party software to prevent cheating and fraud, which runs during each login to the game and scans all files and software on the computer and continues to run as long as the game remains open. The Data Subject further stated that their personal data was illegally obtained and transferred abroad through this third-party software.
On the other hand, in its defense, the Data Controller stated that the gaming sector is built upon the digital game contracts of which the parties are based abroad and thus, cross-border transfers are obligatory in terms of business processes. However, all servers used within the scope of gaming services are kept in Turkey. Moreover, the Data Controller underlined that the only personal data processed are e-mail address, IP address and if secure login application is selected by the data subjects, mobile phone number data and the processing is based on (i) the necessity due to compliance with a legal obligation to which the Data Controller is subject and (ii) necessity due to the legitimate interests pursued by the Data Controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subjects within the scope of DPL. The Data Controller further emphasized that the personal data of data subjects are not shared with anyone, except for the purpose of fulfilling legal obligations and sharing personal data with judicial authorities pursuant to DPL.
Regarding the claims of third-party software, the Data Controller stated that such software does not scan all files on the players’ computer nor access the camera and microphone. Additionally, the personal data of the players are not transferred abroad through the software.
Last of all, the Data Controller set forth that only necessary cookies are used, and the cookie policy is displayed on the screen as a "pop-up" when the website is visited. On the other hand, as the privacy policy has been prepared prior to the entry of the DPL into force, a new compliance process has been initiated to update the privacy policy to make it compatible with the current data processing activities.
Subsequently, the Board evaluated the claims of both parties and decided to carry out an on-site inspection by visiting the office of the Data Controller and the headquarters of another company from which it receives services, as the Board could not reach a definitive conclusion as to whether the personal data of the Data Subject are transferred abroad by the Data Controller. As a result, the Board concluded that the personal data of players are not transferred abroad.
In this regard, the Board reached the following conclusions concerning the claims of the parties:
Unlawful processing of personal data through surveillance software: The Board determined that the surveillance software used by the Data Controller tries (i) to determine whether the player is using a bot software by analyzing the executable files opened in the computer at the moment the game is launched and (ii) to distinguish the type of executable files are open on the computer. Accordingly, the Board decided that the Data Controller only uses the special software to determine whether the players resort to cheating and fraud, and that there is no unlawful personal data processing activity by accessing the personal data on the players' computers during this use.
Data Controller’s Obligation to Inform: The Board determined that the privacy policy of the Data Controller is not compliant with the provisions of the DPL and underlined that it should be updated as soon as possible.
Cross-Border Data Transfers: As a result of the on-site inspection, the Board concluded that the game servers are kept domestically by the Data controller and the personal data of the Data Subject is not transferred abroad, as the Data Controller (i) purchased game servers to keep personal data domestically, (ii) concluded an agreement with a company for services related to servers, such as security and hosting services, and (iii) backed up the information within the scope of online games, such as game level, items used in the game, on a cloud computing platform, except for the players’ personal data.
Personal Data Processing Carried Out Through Cookies: The Board determined that the Data Controller’s processing of personal data through cookies is not incompliance with the provisions of the DPL, since:
The Data Controller uses necessary cookies, functional cookies, analysis/performance cookies and targeting/advertising cookies but only provides two options to the players, i.e. "use only necessary cookies" and "allow all cookies" and thus, obtainscollective explicit consent and data subjects are not given the opportunity to choose.
In line with the Cookie Policy of the Data Controller, various cookies are used by third party cookie providers abroad in the category of necessary cookies and thus, the Data Controller failed to obtain the explicit consent of the data subjects, contrary to the Guidelines on Cookie Practices.
In the light of the above explained, the Board decided to impose an administrative fine of TRY 750,000 (approx. EUR 22,946) on the Data Controller due to its failure to (i) obtain separate explicit consents for different types of cookies and (ii) obtain the explicit consent of the data subjects for cross-border data transfers via cookies.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya