GDPR • EUROPEAN UNION

Complete Guide to GDPR Cookie Consent for the EU Market

GDPR + ePrivacy Directive compliance for Turkish companies selling in the EU, CNIL/AEPD decision examples, and Schrems II data transfer rules. This page is not legal advice; working with a qualified legal advisor is recommended.

Updated June 8, 2026
Scope All companies offering services in the EU
Max. Fine 20M€ or 4% of turnover

What Is GDPR?

The General Data Protection Regulation (Regulation 2016/679) is the European Union's core legal framework for personal data processing and privacy. It has applied directly in all EU member states since May 25, 2018, with no need for transposition into national law.

The most critical feature of GDPR is its extraterritorial scope. Under Article 3, a company does not need a physical presence in the EU: any organization that offers goods or services to the EU market or monitors the behavior of EU citizens falls within the scope of GDPR. Examples such as Trendyol Europe, Hepsiglobal, and Getir UK fall into this group.

Practical takeaway for Turkish companies: if you offer e-commerce, SaaS, mobile app, or digital content services in the EU, GDPR compliance is required. For activities aimed solely at the Turkish domestic market, KVKK is sufficient.
Article 5

The 7 Core Principles of GDPR

These principles apply at every step of data processing; cookie management is subject to this framework as well.

Lawfulness, Fairness, and Transparency

Data may only be processed where there is a legal basis (consent, legitimate interest, etc.); the user must be informed.

Purpose Limitation

Collected data may only be used for the stated purpose; processing beyond that purpose is prohibited.

Data Minimization

Only data that is strictly necessary for the operation should be collected; loading unnecessary cookies violates this principle.

Accuracy

Processed data must be current and accurate; incorrect data must be deleted or corrected.

Storage Limitation

Data may not be stored longer than the purpose requires. Cookie retention periods must be proportionate to the purpose.

Integrity and Confidentiality

Data must be protected against unauthorized access, loss, or destruction through technical and organizational measures.

Accountability

The data controller must document and be able to demonstrate compliance. Appointing a DPO, concluding DPAs, and keeping processing records fall within this scope.

GDPR and the ePrivacy Directive: Which One Regulates Cookies?

A common confusion: cookie consent rules do not come directly from GDPR but from Article 5(3) of the ePrivacy Directive (2002/58/EC). GDPR, in turn, defines the quality of consent (Articles 4(11) and 7).

ePrivacy Directive

The "obtain consent before loading cookies" rule comes from here (Article 5(3)). Explicit consent is required for all cookies except essential ones.

  • Legal basis: 2002/58/EC
  • Subject: Electronic communications + cookies
  • Rule: Prior consent required

GDPR

It requires consent to be "freely given, specific, informed, and unambiguous" (Articles 4(11) and 7). It sets the quality standard.

  • Legal basis: 2016/679
  • Subject: General personal data processing
  • Rule: Consent quality + withdrawability

Read together, the conclusion is this: consent must be obtained before loading cookies under the ePrivacy rule, and that consent must meet the GDPR quality standard.

Articles 12-22

Data Subject Rights

GDPR grants users eight fundamental rights. Withdrawing consent is among these rights.

Right to Be Informed

How, why, and for how long data is processed must be communicated transparently (Art. 13-14).

Right of Access

The user can request which of their data is being processed (Art. 15).

Right to Rectification

Incorrect or incomplete data must be corrected or completed (Art. 16).

Right to Erasure

Also known as the "right to be forgotten"; under certain conditions, erasure of data can be requested (Art. 17).

Restriction of Processing

The user can request that the processing of their data be restricted (Art. 18).

Right to Data Portability

Data must be delivered to the user in a machine-readable format or transferred to another platform (Art. 20).

Right to Object

Processing based on legitimate interest or public interest can be objected to (Art. 21).

Withdrawal of Consent

Consent must always be as easy to withdraw as it was to give (Art. 7(3)). This makes a "Withdraw" option in the banner mandatory.

Cookie Obligations Under GDPR

When the GDPR consent legal basis (Art. 6(1)(a)) is chosen, the banner design must meet the following requirements:

  1. Granular consent: the user must be able to accept or reject each cookie category (analytics, advertising, social media) separately. "Accept All" alone is not sufficient.
  2. Equally easy rejection: the "Reject" button must be presented with the same visibility and ease as the "Accept" button. The CNIL 2022 decisions are decisive on this point.
  3. Prior consent required: no analytics or marketing cookie should be loaded before consent is obtained.
  4. Information quality: the name, provider, and retention period of each cookie must be stated.
  5. Consent record: every consent given and rejected must be logged with a timestamp (burden of proof).
  6. Ease of withdrawal: the user must be able to withdraw previously given consent at any time.

ePrivacy Regulation: the ePrivacy Regulation, the updated version of the ePrivacy Directive, is, as of 2026, still under negotiation in the Council of the EU. Its entry into force remains uncertain.
Supervisory authorities

Consent Interpretations Across EU Countries

Each member state's supervisory authority applies interpretations of varying strictness.

Country     | Authority               | Strictness  | Special Rule
------------|-------------------------|-------------|----------------------------------------------------------------
Germany     | BfDI + State authorities | Very Strict | TTDSG (2021) extra layer, "Cookie wall" banned
France      | CNIL                    | Very Strict | Reject button = as prominent as Accept button (mandatory)
Italy       | Garante                 | Strict      | Scroll = not consent (2022 ruling)
Spain       | AEPD                    | Moderate    | Flexibility exists, but penalties for violations are large
Netherlands | AP                      | Strict      | "Cookie wall" permitted with restrictions (except paywall)
Ireland     | DPC                     | Moderate    | Headquarters country for Big Tech, decisions are relatively slow
Austria     | DSB                     | Strict      | The most comprehensive enforcement on Schrems II
Poland      | UODO                    | Flexible    | Flexible in practice, penalties are rare

Decision Examples from Major EU Authorities

Decisions as reported in official public sources. For the full text, please review cnil.fr and edpb.europa.eu.

PENALTY: €150,000,000 (January 2022)

Google LLC + Google Ireland

CNIL (France)

There was no "Reject" button, only "Accept" and "Manage All" options were offered. CNIL: "Accept and reject must be offered with the same ease."

PENALTY: €60,000,000 (January 2022)

Meta Platforms (Facebook)

CNIL (France)

The same missing "reject button" issue. Announced on the same day as Google.

PENALTY: €35,000,000 (December 2020)

Amazon Europe Core

CNIL (France)

Insufficient disclosure, and consent was not obtained before cookies were loaded.

IAB TCF v2.3: Current Status

IAB TCF v2.3 is the consent standard for the programmatic advertising ecosystem. v2.3 has been in effect since February 2026. cerez.io has IAB TCF v2.3 support (certification in progress).

Note for publishers: IAB TCF v2.3 certification is targeted for Q3 2026. Currently, Google Consent Mode v2 (5 signals) and 3rd-party script blocking (the data-cb-category attribute) are offered. For large publishers where TCF is mandatory for the programmatic vendor ecosystem, cerez.io is currently not suitable.

Our current solution works with Google AdSense and Ad Manager via Google Consent Mode v2; it is sufficient for small and medium-sized publishers.

cerez.io

GDPR Compliance with cerez.io

Which steps does our platform automate, and which remain your responsibility?

Automatic Cookie Scanning

Your site's cookies are detected and categorized using 217+ cookie definitions and a breadth-first (BFS) crawl of the site. This meets the GDPR's disclosure obligation.

Automatic

Granular Consent Banner

Category-based toggles, equally visible accept/reject buttons, support for 3 languages (TR/EN/DE), and a consent withdrawal widget.

Automatic

Timestamped Consent Log

Every consent decision (accept/reject/category) is recorded with a timestamp and user identifier. This meets the GDPR's burden of proof.

Automatic

DPO Appointment and DPA

Appointing a DPO and preparing a Data Processing Agreement (DPA) is a legal advisory process; cerez.io does not automate these processes.

Legal advisor

Privacy Policy Text

Legal advice is required for GDPR-compliant cookie policy content. cerez.io offers policy template suggestions; legal approval remains your responsibility.

Partially supported

Google Consent Mode v2

5 signals (ad_storage, analytics_storage, functionality_storage, ad_user_data, ad_personalization) are transmitted automatically. GA4 and Ads compatibility is ensured.

Automatic
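The five Consent Mode v2 signals above and the data-cb-category script blocking mentioned in the IAB TCF section, shown together as an added example; this is illustrative code, not cerez.io's implementation. It assumes four categories (necessary, analytics, advertising, functionality), a category-to-signal mapping of my own choosing, and that blocked scripts are embedded with type="text/plain" and a data-cb-category attribute.

```javascript
// Added example, not cerez.io's code: map granular cookie categories to the
// five Google Consent Mode v2 signals and gate category-tagged scripts.
// Assumed categories: "necessary", "analytics", "advertising", "functionality".
// Assumed markup: <script type="text/plain" data-cb-category="analytics" src=...>
// so the browser does not run the script until its category is consented.
const SIGNALS = ["ad_storage", "analytics_storage", "functionality_storage",
                 "ad_user_data", "ad_personalization"];

// The category whose consent turns each signal to "granted" (my assumption).
const SIGNAL_CATEGORY = {
  ad_storage: "advertising",
  ad_user_data: "advertising",
  ad_personalization: "advertising",
  analytics_storage: "analytics",
  functionality_storage: "functionality",
};

// Minimal gtag shim so the block runs outside a browser; real gtag.js reads
// the same pushed arguments from window.dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Prior consent: every signal starts "denied" before the user decides.
function consentDefault() {
  const state = Object.fromEntries(SIGNALS.map((s) => [s, "denied"]));
  gtag("consent", "default", { ...state, wait_for_update: 500 });
  return state;
}

// Translate the user's per-category choice into the five signals.
function consentStateFor(acceptedCategories) {
  const accepted = new Set(acceptedCategories);
  return Object.fromEntries(SIGNALS.map((s) =>
    [s, accepted.has(SIGNAL_CATEGORY[s]) ? "granted" : "denied"]));
}

// Called on every banner decision (accept all, reject all, or per category).
function applyConsent(acceptedCategories) {
  const state = consentStateFor(acceptedCategories);
  gtag("consent", "update", state);
  return state;
}

// Which blocked scripts may now run. `scripts` are plain records of the tag
// attributes; in a browser, collect them with querySelectorAll and re-insert
// each allowed one with type="text/javascript" so it executes.
function scriptsToActivate(scripts, acceptedCategories) {
  const accepted = new Set(["necessary", ...acceptedCategories]);
  return scripts.filter((s) => accepted.has(s.category)).map((s) => s.src);
}
```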

Frequently Asked Questions

Short answer: Yes. All Turkish companies that offer goods/services to the EU market or process EU citizens' data fall within scope under GDPR Article 3 (extraterritorial scope). Trendyol Europe, Hepsiglobal, and Getir UK fall into this group. If you operate solely for the Turkish domestic market, KVKK is sufficient.

Short answer: The GDPR governs general data protection law (2018), while the ePrivacy Directive (2002/58/EC) governs specific rules on electronic communications and cookies. Cookie consent rules come directly from ePrivacy; the GDPR only governs the quality of consent (freely given, informed, explicit, withdrawable). The ePrivacy Regulation is still awaiting approval by the EU Council.

Short answer: Google 150M€ (January 2022), Meta 60M€ (January 2022), and Amazon EU 35M€ (December 2020). Most of the penalties stem from the violation that the "reject button was not as prominent as the accept button." For the official decision texts, please review cnil.fr and edpb.europa.eu.

Short answer: Not currently available. IAB TCF v2.3 certification for publishers is targeted for Q3 2026. Currently, Google Consent Mode v2 (5 signals) and 3rd-party script blocking are offered. It is not currently suitable for large publishers where TCF is mandatory for the programmatic vendor ecosystem.

Short answer: Schrems II (July 2020) tightened EU-US data transfers. Additional safeguards (SCC + TIA) are required for US-based services such as Google Analytics 4, Meta Pixel, and HubSpot. The Austrian DSB and France's CNIL assessed Google Analytics as a Schrems II violation. The cerez.io consent banner provides disclosure about these transfers.

Short answer: Granular consent means the user can accept or reject cookie categories (analytics, advertising, social media) separately. It is mandatory under GDPR Article 7(2) and EDPB guidance. An "Accept All" button alone is not sufficient. cerez.io offers 4 categories by default (Necessary, Analytics, Advertising, Functionality) and records separate consent for each category.

Short answer: The GDPR does not specify a clear duration; EDPB guidance recommends between 6 and 12 months. cerez.io defaults to 365 days and can be configured per domain between 90 and 365 days. Consent must also be re-collected when a substantial change is made to the cookie policy.
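The timestamped consent log required as evidence (item 5 of the cookie obligations), the withdrawal requirement (item 6), and the re-consent rules in this answer, worked through as an added example; this is illustrative code of my own, not cerez.io's logging implementation. It assumes an in-memory log, an opaque pseudonymous user identifier, and a 365-day default validity.

```javascript
// Added example, not cerez.io's code: an append-only consent log plus the
// checks that decide when consent must be collected again. Assumptions: the
// log is an in-memory array (persisted server-side in production), userId is
// an opaque pseudonymous identifier, and validity defaults to 365 days.
const DEFAULT_MAX_AGE_DAYS = 365;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Every decision is appended, never edited: the log itself is the evidence.
function recordDecision(log, userId, action, categories, policyVersion, now) {
  const entry = {
    userId,
    action,                       // "accept", "reject" or "withdraw"
    categories: [...categories],  // categories allowed after this decision
    policyVersion,                // cookie policy version shown to the user
    timestamp: new Date(now).toISOString(),
  };
  log.push(entry);
  return entry;
}

// Withdrawal is just another decision that leaves only the necessary category.
function withdrawConsent(log, userId, policyVersion, now) {
  return recordDecision(log, userId, "withdraw", ["necessary"], policyVersion, now);
}

// Most recent decision for a user, or null if none was ever recorded.
function latestDecision(log, userId) {
  const entries = log.filter((e) => e.userId === userId);
  return entries.length ? entries[entries.length - 1] : null;
}

// Consent must be (re)collected when there is no record, the record is older
// than maxAgeDays, or the cookie policy changed since it was given.
function needsReconsent(log, userId, currentPolicyVersion, now,
                        maxAgeDays = DEFAULT_MAX_AGE_DAYS) {
  const last = latestDecision(log, userId);
  if (!last) return true;
  const ageDays = (now - Date.parse(last.timestamp)) / MS_PER_DAY;
  if (ageDays > maxAgeDays) return true;
  return last.policyVersion !== currentPolicyVersion;
}

// Categories a site may currently use for this user; only "necessary" until
// a valid record exists.
function allowedCategories(log, userId, currentPolicyVersion, now) {
  if (needsReconsent(log, userId, currentPolicyVersion, now)) return ["necessary"];
  return latestDecision(log, userId).categories;
}
```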

EU market + Turkey = One platform

Dual GDPR + KVKK compliance, Google Consent Mode v2, automatic cookie scanning. Set up in 5 minutes.
