Decision of the Turkish Personal Data Protection Board About Whatsapp
WhatsApp Inc., which has made an overwhelming impression, has recently been the subject of various investigations of data protection boards. In the previous days, the Irish Data Protection Commission (DPC) has announced that it has completed its investigation and the relevant data controller company has been charged with 225 Million Euro administrative fine on the grounds that it does not comply with the transparency, disclosure and information obligations in its data processing activities. This investigation was conducted in a very technical way and focused on how WhatsApp processes its user’s data and whether their privacy policies are clear enough. The fine imposed as a result of this investigation is the largest to date and the second highest fine according to GDPR rules.
As a result of the investigation carried out in this context; the Board published an announcement and decision on the WhatsApp application on September 3, 2021. In this decision, the Board announced that the investigation was completed and as a result of this examining, it was decided to impose an administrative fine of 1.950.000 TL on WhatsApp.
According to the decision, the Board states briefly as follows:
The Terms of Service are in the nature of a contract between WhatsApp and the user, with the approval of this contract, express consent to the processing of personal data and transfer it to third parties abroad is obtained without giving any optional rights to the user. It is not possible to accept that the processing and transfer are approved if a provision is made in the contract stating that the transfer will be made abroad and the user approves this contract. In this case, it is stated that the element of “Disclosure with Free Will” of express consent was infringed.
Explicit consent is requested from the users regarding the transfer of all personal data processed, but these data are not proportional and limited information for the purpose for which they are processed, and it is not clearly stated in the texts that which data will be transferred for what purpose, and in this regard, it is stated that the principles of “Being Processed for Specific, Explicit and Legitimate Purposes” and “Being Relevant with, Limited to and Proportionate to the Purposes for Which They Are Processed” in the Article 4 of the Law were violated.
All kinds of processing activities such as saving, storing, changing, transferring the personal data obtained by the data controller from the relevant persons in Turkey after obtaining this data mean the transfer of personal data abroad as long as the servers are not located in Turkey, therefore, it is obligatory for the said transfer to be made in accordance with Article 9 of the Law titled “Transfer of Personal Data Abroad”. However, it has been declared by the data controller that no express consent is applied for transferring, additionally, considering that the data controller did not apply for a letter of undertaking to the Board, it did not act in accordance with the Article 9 of the Law.
It is stated that the data controller did not obtain explicit consent from the relevant persons regarding the personal data processing activity to be carried out through cookies for profiling purposes, and that the personal data processing carried out within this scope is not in accordance with the Law.
As a result of all these evaluations, the Board decided to impose a fine of 1.950.000 TL on the grounds that WhatsApp did not take the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data in accordance with Article 12/1 of the KVKK.