The Personal Data Protection Board Announced Its Decision Regarding the WhatsApp Investigation Initiated Ex-Officio
The Personal Data Protection Board (“Board”) ex-officio initiated an investigation against WhatsApp LLC. (“WhatsApp”) with its decision dated 12.01.2021 and numbered 2021/28, as announced with our Client Alert dated 13.01.2021. The Board announced the Decision dated 03.09.2021 and numbered 2021/891 regarding the investigation. Within the scope of the Decision, the Board includes its findings and assessments on the WhatsApp Terms of Service and Privacy Policy with respect to transferring personal data abroad, obliging users’ consent to receive services and compliance with general principles.
The Board established and assessed that:
- The “declaration with free will” component of the explicit consent was violated, as only single explicit consent was obtained from the WhatsApp users without offering alternative right to process personal data and transfer to third parties residing abroad, to present the processing and transferring activities to the data subject in a single text inseparably, and imposing it as a condition to the service,
- The principle of “conforming with law and good faith” under Article 4 of the Law on the Protection of Personal Data (“PPDL”) was violated on the grounds that certain expressions regarding transfer under the WhatsApp Terms of Service and Privacy Policy were non-negotiable, and users are forced to give consent to the transfer as a whole, and the use of the application is conditioned to transfer,
- The principles of “processing for specific, explicit and legitimate purposes” and “being related, limited and proportional” were violated on the grounds that explicit consent for the transfer of all processed data was requested and there was no clear information regarding which data will be transferred for what purposes,
- Any processing activity performed on personal data obtained from persons in Turkey means the transfer of personal data abroad as long as the servers are not located in Turkey, however, WhatsApp did not obtain explicit consent for cross-border transfer activities or did not apply for a commitment to the Board, therefore, the rules regarding cross-border data transfers were not acted upon,
- Explicit consent for processing personal data through cookies for profiling purposes was not obtained,
and imposed TRY 1,950,000 administrative fine pursuant to Article 18/1-b of the PPDL.
Finally, the Board decided to instruct WhatsApp to bring the Terms of Service and Privacy Policy that is used instead of the clarification text, in conformity with the PDDL and its secondary legislation.
You may find the full text of the announcement regarding the Decision here. (Turkish).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
With the decision of the Personal Data Protection Board (Board) dated 06.07.2023 and numbered 2023/1154, the “annual financial balance sheet total” adopted by the Board as an exception criteria to the obligation to register to the Data Controllers’ Registry has been increased from 25 million Turkish Liras to...
The decision by the Irish Data Protection Authority (Authority) dated 12.05.2023 on Meta Platforms Ireland Limited (Meta Ireland) (Decision) has been announced on 22.05.2023. Pursuant to the Decision, an administrative fine of 1.200.000.000 Euros was imposed on Meta Ireland...
The Regulation on the Collection, Storage and Sharing of Insurance Data (Regulation) entered into force through publication in the Official Gazette dated 18.10.2022 and numbered 31987. Some of the important provisions introduced by the Regulation are summarized...
On 05.08.2022, the Personal Data Protection Authority (“Authority”), published Guideline on Banking Sector Good Practices Regarding the Personal Data Protection (“Guideline”). The purpose of the Guideline is guiding data controller banks regarding the personal data processing activities carried out...
On 14.07.2022, the European Parliament Research Service published a briefing (“Briefing”) for the impact assessment (“IA”) of the regulation of the European Parliament and the European Council on harmonised rules on fair access to and use of data (“Data Act”), submitted on 23.02.2022...
The Regulation on Processing of Land Registry and Cadastre Data and Transactions Held in Electronic Environment regulating the procedure and principles regarding the process of the data in the Central Database of the General Directorate of Land Registry and the transactions held in electronic...
The Regulation on Process and Protection of Personal Data by the Social Security Institution (“Regulation”) entered into force through its publication in the Official Gazette dated 19.02.2022 and numbered 31755.
Regulation on Processing of Personal Data and Protection of Confidentiality in the Electronic Communications Sector was Published
The Personal Data Protection Board Ex-Officio Initiated An Investigation against WhatsApp
The Personal Data Protection Authority’s New Resolution
The Board’s Decision Regarding Registration Obligation of Commercial Enterprises Affiliated to Associations, Foundations and Unions to the VERBIS has been Published