September 2021 – A day after the Irish Data Protection Commission (on 2 September 2021) imposed a record fine of EUR 225 million against the Facebook subsidiary WhatsApp, the Turkish Personal Data Protection Board (the “Board”) announced on 3 September 2021 that it had imposed an administrative fine of TRL 1,950,000 (approximately EUR 198,000) on the company.
- Blanket consent: Once a user approves the user agreement, it is deemed that he provides consent for the processing and transfer of personal data abroad with a single consent. Accordingly, the company’s explicit consent requirement did not meet the condition of "free will";
- Free-will: By incorporating the consent for the processing of personal data into the agreement, the condition of "free will" was again violated.
- Lawfulness and fairness: In order to use the application, users have to provide explicit consent. Accordingly, this situation is a violation of the principle of “lawfulness and fairness".
- Purpose limitation: WhatsApp requires explicit consent to transfer all personal data, yet it is unclear what data will be transferred and for what purpose. Accordingly, this is a violation of the principle of “purpose limitation”;
- Cross-border data flows: No explicit consent was obtained for the transfer of data abroad, nor was an application made to the Board regarding a letter of undertaking for cross-border data flows; and
- Cookie policies: Explicit consent was not obtained from users regarding the personal data processing activity to be carried out through cookies for profiling purposes.
For more information please contact Ceren Ceyhan, Associate, at firstname.lastname@example.org, and Osman Tuğberk Çakırca, Legal Trainee, at email@example.com.