The Obligation of E-Commerce Websites To Protect Personal Data

The purpose of Law No. 6698 on Protection of Personal Data (“KVKK”) dated 24.03.2016, within the scope of general provisions, is to protect the fundamental rights and freedoms of individuals, particularly the privacy of private life, in the processing of personal data, and to determine the obligations of data processor regarding the processing of personal data. Furthermore, it is explicitly stated within the scope of Law No. 6563 on Regulation of Electronic Commerce (“Law No. 6563”) that the service provider and intermediary service provider are responsible for the storage and security of personal data.

The obligations introduced for the protection of personal data in the field of e-commerce are of great importance. Regulations related to secure electronic payment systems, consumer law, and the protection of personal data have established a trust environment for consumers and accelerated the development of e-commerce websites. In light of the importance of preserving and securing the confidentiality of personal data that is accessed, our article will address the responsibilities of e-commerce websites regarding the protection of personal data.

What Personal Data is Used in E-Commerce Websites?

Companies operating in the e-commerce sector collect various data, including but not limited to, name, surname, identification information, population and residence information, IP addresses, as well as data processed during the shopping process such as personal interests, behaviors, website visits, and shopping habits through cookie policies.

Due to the significant importance of the nature of the collected data, service providers and intermediary service providers operating in the e-commerce sector are subject to specific regulations regarding data security and data storage responsibilities. Failure to fulfill legal obligations can result in e-commerce websites facing severe penalties, including fines and imprisonment.

Under Law No. 6563, the responsibility for data protection is not exclusively assigned to e-commerce websites. By incorporating the terms “service providers” and “intermediary service providers,” a company conducting sales through an e-commerce website is classified as a “service provider.”

What are the Obligations of E-Commerce Websites Under The Personal Data Protection Law?

Obligations Regarding Data Security:

Pursuant to Article 12 of the KVKK (Personal Data Protection Law), the data controller is required to take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent unlawful processing of personal data, unauthorized access to personal data, and to ensure the protection and preservation of personal data.In order to prevent the copying of data by other website owners, technical measures are taken through methods such as Digital Certificates, SSL (Secure Sockets Layer) security layer, and Firewalls. Despite the measures taken, if personal data is obtained by another party, the data controller has an obligation to promptly notify the affected individual and the Personal Data Protection Authority.

Obligation of Informing:

Under Article 10 of the KVKK (Personal Data Protection Law), the data controller is obligated to provide clear information to the data subjects regarding the identity of the data controller, the purposes for which their personal data will be processed, and the legal basis for such processing.

When fulfilling the obligation of informing, at least the following points should be provided:

  • The identity of the data controller and, if any, the representative.
  • The purpose for which personal data will be processed.
  • To whom and for what purpose personal data may be transferred.
  • The method and legal basis of personal data collection.
  • Other rights of the data subject as listed in Article 11 of the KVKK.

Moreover, in order to avoid penalties, e-commerce websites are required to publish a “Privacy Notice” on their websites that includes the aforementioned information regarding the obligation of informing.

The Obligation to Obtain Explicit Consent:

Article 5 of the KVKK (Personal Data Protection Law) states that personal data cannot be processed without obtaining explicit consent from the data subject. Explicit consent must be specific to a particular matter, based on being informed, and given freely and voluntarily. The KVKK (Personal Data Protection Law) states that obtaining explicit consent through electronic means and channels such as call centers is possible. In e-commerce websites, it is possible to obtain explicit consent by providing necessary information and adding a button such as “I agree” or “I confirm” to indicate consent. The instances where explicit consent is not required are limited to those listed in the second paragraph of the relevant article.

Obligation of Privacy and Cookie Policy:

Companies engaged in e-commerce use cookies to collect, store, and share data about activities on their websites. In addition to the cookies actively provided by the data subjects through creating active memberships, passive cookies are also collected. Data subjects need to be informed and their consent needs to be obtained regarding cookie policies and privacy policies. The data controller is required to inform users about the cookie methods used in their privacy policies and obtain consent through statements such as “Yes, I agree” by clicking on them.

Obligation to Register with the Data Controllers’ Registry:

According to Article 16 of the KVKK (Personal Data Protection Law), natural and legal persons who process personal data are obligated to register with the Data Controllers’ Registry (“VERBİS”) before commencing data processing activities. The registration application is made through a notification that includes the information specified in the relevant provision. The data controller is required to promptly notify any changes to the provided information.


The purpose of the Personal Data Protection Law No. 6698 and other related legislation is to enhance trust in the e-commerce sector and promote its expansion. Therefore, ensuring compliance with the KVKK (Personal Data Protection Law) in e-commerce companies is of great importance to avoid penalties and to achieve the objectives set forth by the regulations.

Please click to download bulletin for the PDF format