The Personal Data Protection Authority (hereinafter referred to as the "Authority") rendered its decision on WhatsApp's "Terms of Service" and "Privacy Policy". Just a day after the decision of the Irish Data Protection Commission (DPC) on WhatsApp, the Authority also fined WhatsApp TL 1,950,000 (around EUR 197,600) on September 3, 2021. It is the largest fine ever imposed by the Authority.


The "Terms of Service" and "Privacy Policy" of WhatsApp were updated on January 4, 2021, and it was declared that users who did not consent to the new update, which involved the processing and international transfer of personal data, would not be able to use the application as of February 8, 2021. As part of this update, users were required to share their personal data with Facebook in order to use the WhatsApp application.

On January 12, 2021, the Authority announced that it was investigating the updated "Terms of Service" and "Privacy Policy" ex officio. The Authority also announced that the investigation would cover different aspects of the Law on Personal Data Protection No. 6698 (hereinafter referred to as the "Law"), such as the general principles of the Law, explicit consent, the legal basis for processing, and the international transfer of personal data.

For more information in Turkish:  WhatsApp'tan Gizlilik Sözleşmesi

Decision of the Authority

The decision of the Authority states the following:

  • A single explicit consent is obtained from users without distinguishing between the processing of personal data and the international transfer of personal data. The processing and transfer activities are presented to the data subject inseparably in a single text. This was found to be contrary to the condition that consent must be freely given, separately for each specific and explicit purpose.
  • The terms of transfer in the "Terms of Service" and "Privacy Policy" are presented by the data controller in a non-negotiable manner, and data subjects are forced to consent to the contract as a whole. Use of the application is conditioned on the data transfer. This practice of the data controller constitutes a violation of the principle of "lawful and fair processing".
  • The personal data processed are not proportionate and limited to the purpose for which they are processed, and it is not clearly stated in the "Terms of Service" or "Privacy Policy" which data will be transferred for what purpose. This practice of the data controller constitutes a violation of the principles of "processing for specified, explicit and legitimate purposes" and "processing only personal data that is relevant, limited and proportionate to the purposes for which they are processed".
  • Although the apparent legal basis is the establishment of the contract, the actual legal basis is in the nature of obtaining explicit consent. The data controller is obtaining consent by incorporating it into the contract as a condition of service. This was also found to be against the condition that the consent must be freely given.
  • As long as the servers are not located in Turkey, any kind of processing constitutes an international transfer of personal data. Therefore, the transfer in question must be made in accordance with Article 9 of the Law, titled "Transferring personal data abroad". The data controller did not obtain explicit consent for the transfer activities and did not provide an undertaking to the Turkish Data Protection Board to transfer data internationally. The data controller did not act in accordance with Article 9 of the Law.
  • The data controller does not obtain explicit consent from the data subjects regarding the personal data processing activity to be carried out through cookies for profiling purposes. The processing activity carried out within this scope is not compatible with the Law.

For all of the above reasons, the Authority:

  • fined WhatsApp TL 1,950,000,
  • ordered WhatsApp to change the "Terms of Service" and "Privacy Policy" in accordance with the Law within three months, and
  • ordered WhatsApp to revise the "Privacy Policy", since it is understood that the "Privacy Policy" is used as information provision, and it does not meet the requirements of a valid information provision.

As the decision of the Authority aligns with that of the Irish DPC with regard to information provision and transparency, an update to WhatsApp's "Terms of Service" and "Privacy Policy" in line with the GDPR would also mean the execution of the Authority's decision. However, it remains an open question how the fine will be enforced if WhatsApp refuses to pay, and what the consequences of ongoing non-compliance with the Law will be, as WhatsApp does not have an establishment in Turkey. WhatsApp has the right to object to this decision before the courts.

WhatsApp is not yet registered with the Data Controllers' Registry (VERBIS). Failure to comply with this obligation is also subject to a fine. Because the deadline for registration has been extended until December 31, 2021, the Authority did not make any evaluation of the VERBIS obligation.

For more information, please visit our LinkedIn page - Deris Intellectual Property
