On 3 September 2021 the Turkish Data Protection Authority (DPA) made a public announcement regarding its ex officio investigation of WhatsApp LLC (the controller) and published an important decision discussing WhatsApp's data processing and data transfer operations. The Turkish Personal Data Protection Board's (the Board's) decision(1) is important and must be reviewed in detail since it demonstrates the Board's approach to international transfers and the direct collection of personal data from Turkey by controllers that are not established in Turkey (foreign controllers).
The updates consisted of WhatsApp sharing data with other companies in the same group. The updates were widely discussed by the general public in Turkey, criticised by legal professionals and even featured on TV news shows. As a result of this attention, the DPA and the Competition Authority initiated ex officio investigations against WhatsApp in January 2021.
In its announcement, the DPA stated that an ex officio investigation against WhatsApp within the scope of article 15(1) of the Law on the Protection of Personal Data (Law No. 6698) (DPL) had been initiated to look into the following issues, among others:
- data transfers abroad;
- explicit consent presented as a precondition of service; and
- compliance with the general principles of the DPL.
The Board examined:
- WhatsApp's response and defence letters; and
As a result, the Board held as follows:
- The controller had stated that the data processing was based on several statutory legal bases in the DPL and that explicit consent had been used only in exceptional cases. However, the terms had been defined as an agreement that the user had entered into and the user's approval of the terms had been requested, which meant that the controller had relied on the explicit consent obtained through the terms. This explicit consent, however, was not in line with the DPL, since a single explicit consent had been obtained from users for both the processing of their personal data and its transfer abroad to third parties, without providing any options. The processing and transfer activities had been presented to the data subjects as a single text, which damaged the required free-will element of the explicit consent.
- Explicit consent had been requested for all processed personal data; however, such data was not relevant, limited or proportionate to the purposes for which it had been processed, and the purposes for the transfer of such data had not been disclosed transparently in the relevant texts. In this respect, the controller's acts were contrary to the principles of "being processed for specified, explicit and legitimate purposes" and "being relevant, limited and proportionate to the purposes for which they are processed".
- The free-will element of the explicit consent had been damaged since it had been indicated that the processing of the personal data was part of the contract and it had been presented as a precondition of the service.
- All of the processing activities that the controller had executed on the personal data (eg, recording, storing and transferring it) after obtaining such data from data subjects in Turkey constituted transferring the data abroad since the servers were not located in Turkey. Therefore, such transfers had to comply with article 9 of the DPL, which regulates the conditions for transfers of personal data.
- The controller had failed to obtain explicit consent from the data subjects regarding the personal data processing activities to be carried out through cookies for profiling purposes. Further, the personal data processing activities carried out within this scope were not in accordance with the DPL.
In this regard, pursuant to article 12(1) of the DPL, the Board decided that an administrative fine of 1,950,000 lire (approximately $216,298.29) – the highest possible administrative fine under the DPL – would be imposed on the data controller for failing to take the necessary technical and administrative measures to prevent the unlawful processing of personal data.
Additionally, the Board instructed the controller to:
- keep the Board informed of these processes.
WhatsApp has the right to object to the decision before a Turkish court.
DPA's approach on direct collection and subsequent processing by foreign controllers
Any subsequent processing operations (eg, storing or transferring data) on personal data collected from Turkey, if performed on servers located outside Turkey, constitute an international transfer of personal data and are subject to article 9 of the DPL.
Pursuant to article 9 of the DPL, personal data can be transferred from Turkey abroad if:
- the explicit consent of the data subject is obtained;
- an undertaking signed by the data exporter and the data importer, subject to the DPA's approval, is obtained;
- the transfer is to a country that is on the DPA's safe countries list (the DPA has been authorised to publish this list but has not done so); and
- the DPA's approval of a set of binding corporate rules (BCRs) is obtained (so far, the DPA has not approved any BCRs).
Therefore, foreign controllers must comply with article 9 of the DPL prior to any subsequent processing.
The Board once again pointed out that explicit consent must be specific – consent for different activities should not be bundled together and blanket explicit consent must not be obtained (ie, the explicit consent for transfers to third parties and the explicit consent for processing personal data must be separate).
Further, explicit consent must be based on the free will of the data subject. Explicit consent must not be a precondition of the provision of the service.
For further information on this topic please contact Burak Özdağıstanli, Sümeyye Uçar or Bensu Özdemir at Özdağıstanli Ekici Attorney Partnership by telephone (+90 216 230 07 48) or email. The Özdağıstanli Ekici Attorney Partnership website can be accessed at www.ozdagistanliekici.com/.