İş Kuleleri, Kule 3, Kat:2, 34330,
Levent / Istanbul, Turkey


T: +90 (212) 249 29 39

With its public announcement dated 03.09.2021, The Personal Data Protection Authority (“Authority”) has decided to impose an administrative fine to the WhatsApp application and to instruct the provision of information to the Personal Data Protection Board (“Board”).

With its Decision dated 12.01.2021 and numbered 2021/28, and within the framework of its Decision dated 09.02.2021 and numbered 2021/120, the Authority initiated an ex officio investigation in scope of the Law on Protection of Personal Data No. 6698 (“PDP Law”) on WhatsApp, especially on the issues of data transfer abroad, the condition of the service being subject to explicit consent and compliance with general principles..

Accordingly, as a result of the examination of both the defense letters received from Data Controller WhatsApp and the WhatsApp "Terms of Service" and "Privacy Policy" the Authority has found that;

  • The Terms of Service are defined as a contract with the user, the explicit consent of the relevant persons is obtained by giving approval to this contract,
  • In this context, a single explicit consent has been obtained from the users, without any optional right, regarding the processing of their personal data and their transfer to third parties abroad,
  • By including a provision regarding transfer in the Terms of Service, the component of "free will" of the explicit consent is damaged, since the processing and transfer activities are presented to the person concerned in an inseparable single text,
  • The terms regarding "transfer" in the Terms of Service and the Privacy Policy are presented as non-negotiable, and the data subjects are forced to give consent to the contract as a whole, and thus, explicit consent is tried to be eliminated,
  • The use of the application is subject to the transfer condition, and that acting without considering the interests and reasonable expectations of the data subjects constitutes a violation of the principle of “compliance with the law and good faith”,
  • Explicit consent is requested for the transfer of all personal data processed, however this data is not proportional and limited to the purpose for which they are processed. In addition, it is not clearly stated which data will be transferred and for what purpose,
  • The processing of personal data has been made a part of the contract and therefore the data subjects are asked to give their consent to the contract. However, since this process is in the nature of obtaining explicit consent in the processing of personal data, by adding it to the contract and imposing it as a condition of the service damages the element of “free will”,
  • All kinds of processing activities of personal data obtained from data subjects in Turkey, means the transfer of personal data abroad as long as its servers are not located in Turkey, however, since it was stated that no explicit consent was applied for the transfer activities by Data Controller WhatsApp for the said transfer and that no commitment application was made to the Board, the Data Controller WhatsApp has not acted in accordance with Article 9 of the PDP Law,
  • The data controller does not obtain explicit consent from the data subjects regarding the personal data processing activity to be carried out through cookies for profiling purposes, therefore the personal data processing activity carried out within this scope is not in accordance with the law.

    In this direction, it has been announced to the public that the Board has decided to impose an administrative fine of TL 1,950,000 on WhatsApp, the Data Controller.

    In accordance, it has been decided that the WhatsApp Terms of Service and Privacy Policy dated 04.01.2021, which have not been implemented yet but are currently presented to users as valid versions, should be revised to comply with the PDP Law within three months in order to inform the data subjects correctly.

    Finally, it has been determined by the Board that the Privacy Policy has been used as an “Information Statement” that did not contain the components of a valid information statement (in accordance with the PDP Law), therefore it has been instructed for the Data Controller WhatsApp to provide an appropriate information statement to inform the data subjects.