Turkish DPA’s WhatsApp Decision
Updated: Oct 12, 2021
Authors: Burak Özdagıstanli, Sümeyye Uçar, Bensu Özdemir
On 03.09.2021 the Turkish Data Protection Authority (“DPA”) made a public announcement regarding the ex officio investigation of WhatsApp LLC (“Controller”) and published an important decision discussing the data processing and data transfer operations of the Controller. The Turkish Personal Data Protection Board’s (“Board”) decision no. 2021/891 dated 03.09.2021 is very important and must be reviewed in detail since it shows the approach of the Board to international transfers and direct collection of personal data from Turkey by controllers that are not established in Turkey (“Foreign Controllers”).
As a result of such attention given to the updates of WhatsApp by the public, the DPA and the Competition Authority initiated ex officio investigations against WhatsApp in January 2021.
Announcement by DPA and Board’s Decision
In the announcement by the DPA, the DPA stated that an ex officio investigation on WhatsApp within the scope of paragraph 1 of Article 15 of the Law on the Protection of Personal Data numbered 6698 (“DPL”) was started to investigate the issues of data transfer abroad, the explicit consent presented as a pre-condition of service, compliance with general principles of the DPL and others.
· Although it is stated by the Controller that the data processing is based on several statutory legal bases in the DPL and that explicit consent is only used in exceptional cases, because the Terms are defined as an agreement that is entered into with the user by requesting the approval of the user to the Terms, this means that the Controller relies on the explicit consent obtained through the Terms. This explicit consent, on the other hand, is not in line with the DPL since a single explicit consent is obtained from the users for the processing of their personal data and the transfer of their personal data abroad to third parties, without providing any option. The processing and transfer activities are presented to the data subject in a single text, which damages the required free will element of the explicit consent.
· Explicit consent is requested for all processed personal data; however, such data are not relevant, limited and proportionate to the purposes for which they are processed, and the purposes for the transfer of such data are not disclosed transparently in the relevant texts. In this respect, the Controller’s acts are contrary to the principles of “being processed for specified, explicit and legitimate purposes” and “being relevant, limited and proportionate to the purposes for which they are processed”.
· The element of "free will" of the explicit consent has been damaged since the processing of personal data is indicated as a part of the contract and is presented as a pre-condition of the service.
· All processing activities executed on personal data (such as recording, storing, transferring) after obtaining such data from data subjects in Turkey mean that the personal data are being transferred abroad, since the servers are not located in Turkey. Therefore, such transfer must be in compliance with Article 9 of the DPL, which regulates the conditions for the transfer of personal data.
· The Controller did not obtain explicit consent from the data subjects regarding the personal data processing activity to be carried out through cookies for profiling purposes, and the personal data processing activity carried out within this scope is also not in accordance with the DPL.
In this regard, pursuant to Article 12/1 of the DPL, the Board decided that an administrative fine of TRY 1.950.000 (approx. USD 216.298,29), which is the highest possible administrative fine under the DPL, shall be imposed on the data controller for failing to take the necessary technical and administrative measures to prevent the unlawful processing of personal data.
Additionally, the Board instructed the Controller to:
· Inform the Board regarding stated processes.
WhatsApp has the right to object against the decision before a court of law in Turkey.
Important Lessons to be learned from the WhatsApp Decision
1- DPA’s approach on direct collection and subsequent processing by foreign controllers: Any subsequent processing operation (such as storing, transfer, etc.) on personal data collected from Turkey, if performed on servers located outside Turkey, is an international transfer of personal data and is subject to Art. 9 of the DPL.
Pursuant to Art. 9 of the DPL, personal data can be transferred from Turkey abroad if:
- Explicit consent of the data subject is obtained
- An undertaking signed by Data Exporter and Data Importer that is subject to DPA’s approval is obtained
- Transfer to a country that is listed in the DPA’s safe countries list (The DPA is authorized to publish this list but has not done so).
- BCR – subject to DPA’s approval (The DPA did not approve any BCRs to this date)
Therefore, foreign controllers must comply with Art. 9 of the DPL prior to any subsequent processing.
Therefore we recommend that instead of using revised/edited Privacy Policies prepared under the GDPR or other legislation, a specific privacy notice should be prepared and used for Turkey.
3- Explicit Consent: The Board once again points out that explicit consent must be specific; it should not be bundled, and a blanket explicit consent must not be obtained (i.e. explicit consent for transfer to third parties and explicit consent to process personal data must be separate).
Further, explicit consent must be based on the free will of the data subject. Explicit consent must not be a pre-condition of provision of the service.