On September 3, 2021, following the Irish Data Protection Commission’s decision to fine Whatsapp EUR 225,000,000, the Turkish Personal Data Protection Board (“Board”) published a summary of its review of the Whatsapp application, in which the Board fined the company TRY 1,950,000 for failing to take necessary technical and administrative measures to ensure data security in violation of Article 12(1) of the Law on Personal Data Protection No. 6698 (“Law”).
The Board stated that Whatsapp had previously updated its Terms of Service and Privacy Policy to include explicit consent to the processing of personal data of users who want to use the Whatsapp application and transfer of their data to third parties abroad, that the application requests Turkish users to accept the new Terms of Service to continue using the service, and that it started an ex officio investigation against Whatsapp following the mentioned changes.
First, the Board explained that Whatsapp states that different data processing conditions are used in terms of various personal data processing activities within the scope of the application in question and that the explicit consent requirement for personal data processing is an exception. However, since Whatsapp's Terms of Service defines itself as a contract with the user, it has been determined that the explicit consent of the relevant persons is obtained when the contract is approved. In its evaluation, the Board also took into account that a single explicit consent was obtained from users without providing an option on whether to consent to the processing of personal data and the transfer of data to third parties residing abroad by Whatsapp, and that the processing and transfer activities were presented to the data subject inseparably in a single text, by placing a provision regarding the transfer in the contract. As a result of this evaluation, the Board decided that the element of “free will” of explicit consent was damaged. Further, the ruling emphasized that explicit consent was not obtained from users regarding the personal data processing activity to be carried out through cookies for profiling purposes.
In addition, the Board evaluated that the statements regarding the transfer of data in the Terms of Service and Privacy Policy by Whatsapp were presented in a non-negotiable manner and that the relevant persons were forced to give consent to the contract (Whatsapp's Terms of Service) as a whole, thus trying to exclude explicit consent, and that in this context the use of the application was dependent on the acceptance of the personal data transfer condition. Accordingly, the Board decided that this application of Whatsapp constitutes a violation of the principle of "lawfulness and fairness" as stipulated under Article 4 of the Law, considering that Whatsapp acts without considering the interests and reasonable expectations of the data subjects concerned.
Additionally, the Board stated that explicit consent is requested for the transfer of all personal data processed by Whatsapp; however, this data is not proportional and limited to the purpose for which it is processed, and it is not clearly stated in the aforementioned Terms of Service and Privacy Policy which data will be transferred for what purpose. In this context, it has been evaluated by the Board that Whatsapp violates the principles of "personal data being processed for specified, explicit, and legitimate purposes" and "personal data processing being relevant, limited, and proportionate to the purposes for which they are processed" under Article 4 of the Law.
Moreover, the Board evaluated that because the servers are not in Turkey, all processing operations performed on personal data (such as recording, storing, and transferring) after collecting such data from data subjects in Turkey result in the personal data being transferred abroad. As a result, such a transfer must comply with Article 9 of the Law, which governs the conditions for the transfer of personal data abroad. In this context, considering that Whatsapp has declared to the Board that it does not resort to explicit consent in any way for data transfer activities and that the necessary undertakings for data transfer abroad are non-existent, the Board decided that Whatsapp has not acted in accordance with Article 9 of the Law.
In conclusion, the Board decided to impose an administrative fine of TRY 1,950,000 on Whatsapp, which it determined did not take all kinds of necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data.
Following the imposition of the administrative fine, the Board instructed Whatsapp to comply with the Law within 3 months with respect to its Terms of Service and Privacy Policy in order to accurately inform data subjects.
Finally, the Board also instructed Whatsapp to make a disclosure in accordance with the provisions of Article 10 of the Law and the Communique on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform, since it was understood that the Privacy Policy was used as mentioned above, instead of a proper and valid text to fulfill the obligation to inform in terms of Turkish data protection legislation.
Simge Kılıç, Esra Temur