In its decision dated September 28, 2023 and numbered 2023/1645, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a local distributor of a massively multiplayer online game due to its unlawful processing of personal data.
On the other hand, in its defense, the Data Controller stated that the gaming sector is built upon digital game contracts whose parties are based abroad and that cross-border transfers are therefore obligatory in terms of business processes. However, all servers used within the scope of gaming services are kept in Turkey. Moreover, the Data Controller underlined that the only personal data processed are the e-mail address, the IP address and, if the secure login application is selected by the data subjects, the mobile phone number, and that the processing is based on (i) necessity due to compliance with a legal obligation to which the Data Controller is subject and (ii) necessity due to the legitimate interests pursued by the Data Controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subjects within the scope of DPL. The Data Controller further emphasized that the personal data of data subjects are not shared with anyone, except for the purpose of fulfilling legal obligations and sharing personal data with judicial authorities pursuant to DPL.
Regarding the claims concerning third-party software, the Data Controller stated that such software neither scans all files on the players’ computers nor accesses the camera and microphone. Additionally, the personal data of the players are not transferred abroad through the software.
Subsequently, the Board evaluated the claims of both parties and decided to carry out an on-site inspection by visiting the office of the Data Controller and the headquarters of another company from which it receives services, as the Board could not reach a definitive conclusion as to whether the personal data of the Data Subject are transferred abroad by the Data Controller. As a result, the Board concluded that the personal data of players are not transferred abroad.
In this regard, the Board reached the following conclusions concerning the claims of the parties:
Unlawful processing of personal data through surveillance software: The Board determined that the surveillance software used by the Data Controller tries (i) to determine whether the player is using bot software by analyzing the executable files open on the computer at the moment the game is launched and (ii) to distinguish which types of executable files are open on the computer. Accordingly, the Board decided that the Data Controller only uses the special software to determine whether the players resort to cheating and fraud, and that there is no unlawful personal data processing activity by accessing the personal data on the players' computers during this use.
Cross-Border Data Transfers: As a result of the on-site inspection, the Board concluded that the game servers are kept domestically by the Data Controller and the personal data of the Data Subject are not transferred abroad, as the Data Controller (i) purchased game servers to keep personal data domestically, (ii) concluded an agreement with a company for services related to servers, such as security and hosting services, and (iii) backed up the information within the scope of online games, such as game level and items used in the game, on a cloud computing platform, except for the players’ personal data.
Personal Data Processing Carried Out Through Cookies: The Board determined that the Data Controller’s processing of personal data through cookies is not in compliance with the provisions of the DPL, since:
The Data Controller uses necessary cookies, functional cookies, analysis/performance cookies and targeting/advertising cookies but provides only two options to the players, i.e. "use only necessary cookies" and "allow all cookies"; it thus obtains collective explicit consent, and data subjects are not given the opportunity to choose.
In light of the above, the Board decided to impose an administrative fine of TRY 750,000 (approx. EUR 22,946) on the Data Controller due to its failure to (i) obtain separate explicit consents for different types of cookies and (ii) obtain the explicit consent of the data subjects for cross-border data transfers via cookies.
Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya