Turkish Personal Data Protection Board has imposed its largest ever fine on WhatsApp
September 2021 – A day after the Irish Data Protection Commission (on 2 September 2021) imposed a record fine of EUR 225 million against the Facebook subsidiary WhatsApp, the Turkish Personal Data Protection Board (the “Board”) announced on 3 September 2021 that it had imposed an administrative fine of TRL 1,950,000 (approximately EUR 198,000) on the company.
- Blanket consent: Once a user approves the user agreement, it is deemed that he provides consent for the processing and transfer of personal data abroad with a single consent. Accordingly, the company’s explicit consent requirement did not meet the condition of “free will”;
- Free-will: By incorporating the consent for the processing of personal data into the agreement, the condition of “free will” was again violated.
- Lawfulness and fairness: In order to use the application, users have to provide explicit consent. Accordingly, this situation is a violation of the principle of “lawfulness and fairness”.
- Purpose limitation: WhatsApp requires explicit consent to transfer all personal data, yet it is unclear what data will be transferred and for what purpose. Accordingly, this is a violation of the principle of “purpose limitation”;
- Cross-border data flows: No explicit consent was obtained for the transfer of data abroad, nor was an application made to the Board regarding a letter of undertaking for cross-border data flows; and
- Cookie policies: Explicit consent was not obtained from users regarding the personal data processing activity to be carried out through cookies for profiling purposes.