INSIGHTS
In The Know.

  • Home
  • Insights
  • Turkish Personal Data Protection Board has imposed its largest ever fine on WhatsApp

Search by

Turkish Personal Data Protection Board has imposed its largest ever fine on WhatsApp

September 2021 – A day after the Irish Data Protection Commission (on 2 September 2021) imposed a record fine of EUR 225 million against the Facebook subsidiary WhatsApp, the Turkish Personal Data Protection Board (the “Board”) announced on 3 September 2021 that it had imposed an administrative fine of TRL 1,950,000 (approximately EUR 198,000) on the company. 

In early 2021 the Board initiated an ex officio investigation after WhatsApp updated its Terms of Service and Privacy Policy to include the explicit consent of users regarding the processing of personal data and the transfer of personal data abroad. WhatsApp informed its users that without providing explicit consent, they would not be able to use the application and that their accounts would be deleted. 

Although WhatsApp subsequently withdrew the update to its Terms of Services and Privacy Policy, the Board conducted an examination and concluded as follows:

  • Blanket consent: Once a user approves the user agreement, it is deemed that he provides consent for the processing and transfer of personal data abroad with a single consent. Accordingly, the company’s explicit consent requirement did not meet the condition of "free will";
  • Free-will: By incorporating the consent for the processing of personal data into the agreement, the condition of "free will" was again violated.
  • Lawfulness and fairness: In order to use the application, users have to provide explicit consent. Accordingly, this situation is a violation of the principle of “lawfulness and fairness".
  • Purpose limitation: WhatsApp requires explicit consent to transfer all personal data, yet it is unclear what data will be transferred and for what purpose. Accordingly, this is a violation of the principle of “purpose limitation”;
  • Cross-border data flows: No explicit consent was obtained for the transfer of data abroad, nor was an application made to the Board regarding a letter of undertaking for cross-border data flows; and
  • Cookie policies: Explicit consent was not obtained from users regarding the personal data processing activity to be carried out through cookies for profiling purposes.

Along with the imposition of an administrative fine of TRL 1,950,000, the Board also instructed WhatsApp to ensure within three months that the texts of its Terms of Service and Privacy Policy comply with Turkish Data Protection Law and to fulfil its obligation to inform users in accordance with the Law.

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Osman Tuğberk Çakırca, Legal Trainee, at ocakirca@gentemizerozer.com