Public Announcement on Ex Officio Examination on WhatsApp

It has been ascertained that WhatsApp LLC (WhatsApp/data controller) has updated its Terms of Service and Privacy Policy in a way to include explicit consent of the users to the processing and transfer of personal data to third parties established outside of Türkiye, and it announced that users who do not give explicit consent in this scope would not be able to use the application and would have their accounts deleted.

With the Personal Data Protection Board Decision No. 2021/28 dated 12.01.2021 and Decision No. 2021/120 dated 09.02.2021, it has been decided to initiate an ex officio examination on WhatsApp within the scope of Article 15(1) of Personal Data Protection Law No 6698, with regard to and particularly on transfer of personal data abroad, subjecting the services to the precondition of explicit consent, and compliance with general principles. In this regard, as a result of the examination of the defence statement received from WhatsApp together with the WhatsApp “Terms of Service and Privacy Policy” texts, it has been determined that the Terms of Service offered to the users by the data controller had been basically defined as a contract with the user; furthermore the Privacy Policy, as a text to ensure transparency, indicating which data would be processed for what purposes, was essentially displayed as a part of the Terms of Service, and that the contract would not enter into force without the approval of the Terms of Service.

Within this scope; Personal Data Protection Board Decision No 2021/891, dated 03.09.2021 states that:

  • The data controller has declared that each personal data processing activity is carried out based on different processing conditions, and that the explicit consent requirement for personal data processing is used in exceptional cases; however, the explicit consent of the data subjects is obtained upon their approval of the contract owing to the fact that the Terms of Service is defined as a contract with the user. In this context, a single explicit consent is obtained from the users, without giving a right of option, to process their data and transfer it to third parties established abroad; and processing and transfer activities are presented to the data subject inseparably in a single text by including a provision concerning the transfer in the contract, which damages the element of “freely given explicit consent”,
  • The statements regarding the “transfer” in the Terms of Service and Privacy Policy are presented in a non-negotiable manner by the data controller, where the data subjects are compelled to give their consent to the contract as a whole, thereby attempting to exclude explicit consent, which resulted in subjecting the use of the application to precondition of transfer of personal data. Furthermore, the data controller’s acting without considering the interests and reasonable expectations of the data subjects constitutes violation of the principle of “lawfulness and fairness” set out in Article 4 of the Law,
  • Explicit consent is requested for the transfer of all personal data processed; however, this data is not proportional and limited to the purpose for which they are processed, and additionally, the texts in question do not clearly state which data will be transferred for what purposes; in this regard, the data controller acts in violation of the principles of “processing for specified, explicit and legitimate purposes” and “being relevant, limited and proportionate to the purposes for which they are processed” in Article 4 of the Law,
  • Data subjects are asked to accept the contract by means of making the processing of personal data a part of the contract, after which it is declared that personal data are processed on the basis of the conditions for processing personal data, particularly the provision of “Processing of personal data of the parties of a contract is necessary provided that it is directly related to the establishment or performance of the contract”. However, although this activity appears to be giving consent to the contract, the actual activity amounts to giving consent for the processing of personal data in nature, and in this respect, including explicit consent in a contract as a condition for a service damages the element of “freely given consent”,
  • All kinds of processing activities such as recording, storage, alteration, transfer of the personal data obtained by the data controller from the data subjects residing in Türkiye are deemed to be the transfer of personal data abroad if the servers are not located in Türkiye. Therefore, such transfers shall be made in compliance with Article 9 of the Law, titled “Transfer of Personal Data Abroad”. However, as declared by the data controller, no explicit consent is obtained for the transfer activities; furthermore, the data controller has not applied for the commitment (regarding the transfer of personal data abroad) to our Authority, acting contrary to Article 9 of the Law,
  • No explicit consent is obtained from the data subjects regarding the personal data processing activity to be conducted through cookies for profiling purposes, and the personal data processing activity carried out in this context is contrary to law.

On the basis of the foregoing, it has been decided to impose an administrative fine of TRY 1.950.000 pursuant to Article 18(1)(b) of the Law on the data controller for the failure to take all necessary technical and organizational measures to prevent the unlawful processing of personal data as set out in Article 12(1) of the Law.

In the relevant Decision, it has also been decided that;

  • The Terms of Service and Privacy Policy texts dated 04.01.2021, which were said not to have been put into effect by the data controller, are currently presented to the users as the application’s current version. In this respect, the texts in question must be brought into compliance with the Law within three months to provide clear and correct information to data subjects,
  • The Privacy Policy text is used as a substitute for privacy notice and does not satisfy the requirements of obligation to inform. Accordingly, the data controller must fulfil its obligation to inform in accordance with Article 10 of the Law and provisions of the “Communique on Principles And Procedures To Be Followed In Fulfilment Of The Obligation To Inform”.

Furthermore, the data controller must inform the Board regarding the results of the above-mentioned procedures.

Respectfully announced to the public.