In Decision no. 2021/891 dated 3 September 2021, the Turkish Data Protection Board (the “Board”) imposed an administrative fine in the amount of TRY 1,950,000 (approx. USD 235,000) on WhatsApp LLC (“WhatsApp”) for its failure, as a data controller, to obtain valid consent from its users to the processing and transfer of their personal data.
This decision takes a rather tough stance towards application providers, and touches upon quite a number of important principles for companies to comply with when it comes to consent-based processing and cross- border data transfers.
The Board held that, when obtaining explicit consent from the users of its application, WhatsApp had failed to comply with (i) the principle that consent should be freely given, (ii) the principle of good faith, and (iii) the principle that the processing of personal data should be relevant, limited and proportionate to the purpose for which the data is processed.
The Board also considered that all data processing activities conducted by WhatsApp after collecting personal data from users in Turkey should be deemed a cross-border data transfer, since the servers of WhatsApp are located outside Turkey, and should thus be subject either to specific consent from users or a prior approval of the Board. It further criticised the absence of specific consent to the use of cookies for profiling purposes.
The Board finally held that WhatsApp’s Terms of Service and Privacy Policy were insufficient to constitute a valid privacy notice under Turkish law, and ordered that the document be revised within three months to comply with the obligation to inform.
Freely given consent
The Board decided that the explicit consent obtained by WhatsApp could not be considered as freely given by its users, since (i) it was obtained through a provision in a service contract, and (ii) it was used as consent both to the processing of personal data and to the transfer of data outside Turkey, without providing any other option.
Although WhatsApp claimed to be processing personal data on the basis of legal exceptions to consent, the Board considered that the process of agreeing to the contract by nature amounted to obtaining explicit consent. Because such consent was incorporated into a service contract and imposed as a condition of service, the Board found that it lacked the element of free will and was thus invalid.
Good faith principle
According to the Board, the fact that the “data transfer” provisions were presented in a non-negotiable manner in the service contract, thus forcing users to approve the contract as a whole, meant that explicit consent was not validly obtained for the purpose of data transfers.
In addition, the fact that consent to the transfer of data was made a condition to the use of the application, without considering the interests and reasonable expectations of the users, was considered by the Board as a breach of the principle of good faith.
Obligation for the processing to be relevant, limited and proportionate to its purpose
The Board noted that WhatsApp requested consent to the transfer of all collected personal data, and determined that such data transfer was not proportionate and limited to the purpose for which the data is processed. Moreover, WhatsApp’s legal notices did not clearly identify which data would be transferred and for what purpose.
Data processing activities through servers located outside Turkey
In its decision, the Board held that all processing activities conducted after personal data was collected from users in Turkey, such as saving, storing, modifying and transferring the data, must be considered a transfer of personal data abroad to the extent WhatsApp servers are not located in Turkey. Therefore, such data transfers should comply with the rules applicable to international data transfers under Law No. 6698 on the Protection of Personal Data (the “Law”).
Since WhatsApp did not either obtain valid explicit consent for such data transfers, or enter into a written undertaking to protect the data and apply for prior approval of the Board to the cross-border data transfer, the Board concluded that the data transfers were not performed in compliance with the Law.
Use of cookies for profiling purposes
The Board finally determined that no explicit consent had been obtained from WhatsApp users regarding the processing of their personal data through cookies for profiling purposes, and that such data processing activity was not therefore compliant with the Law.
As result of its findings, the Board imposed an administrative fine in the amount of TRY 1,950,000 (approx. USD 235,000) on WhatsApp on the basis of Article 12 of the Law (failure to take the necessary technical and organisational measures to ensure data security).
The Board also ordered that WhatsApp’s Terms of Service and Privacy Policy be revised in accordance with the Law within three months. It further held that the Privacy Policy was intended to function as a privacy notice, but did not contain the mandatory elements to constitute a valid privacy notice under the Law, and should be thus be revised in accordance with Article 10 of the Law and the Communiqué on the Principles and Procedures to be Followed to Comply with the Obligation to Inform.
Share
Related persons
You can contact us for detailed information.
Legal Information
This briefing is for information purposes; it is not legal advice. If you have questions, please call us. All rights reserved.
You May Be Interested In
25 October 2024
Regulation on the Withdrawal of Human Medicinal Products and Foods for Special Medical Purposes
The Regulation introduces provisions regulating withdrawal processes in a specific and detailed way and aligning such processes with modern…
30 September 2024
Prohibition on Cash Payments, Order Procedures, and Advertising for Crypto Platforms
In the bulletin dated September 19, 2024, a new principle decision numbered 1484 was published, establishing certain principles and…
24 September 2024
Recent Developments in Healthcare Legislation – 2024 Summer Edition
We would like to share with you our information note where we have summarised the latest developments in the healthcare legislation…
10 September 2024
Turkish Data Protection Authority and Turkish Ministry of Trade sign cooperation protocol on targeted advertising and dark patterns
The Turkish Personal Data Protection Authority and the Turkish Ministry of Trade General Directorate of Consumer Protection and Market…
16 August 2024
Turkish Competition Law Newsletter – 2024 Summer Issue
We are pleased to share our quarterly newsletter on recent developments under Turkish Competition Law.