English (EN) Türkçe (TR)

Sanction Implemented by Turkey’s Personal Data Protection Board on WhatsApp LLC.

Sanction Implemented by Turkey’s Personal Data Protection Board on WhatsApp LLC.


Turkey’s Personal Data Protection Board ("the Board"), made its decision as a result of ex officio WhatsApp investigation into the controversial new terms of service. With the decision of the Board dated 03.09.2021 and numbered 2021/891, the Board decided to impose an administrative fine amounting to 1,950,000 TL on Whatsapp LLC.

On 11.05.2021, the Hamburg Data Protection and Freedom of Communication Commissioner (“the Hamburg Authority”) evaluated the same issue within the scope of GDPR and decided on the issue.

In this note, we will first examine the decision given by the Board within the scope of the Law on the Protection of Personal Data (“the Law”) and examine the similarities/differences between the Board’s decision and the decision given by the Hamburg Authority under the GDPR.

I. Sanction Implemented by the Board 

The Board decided to examine WhatsApp's updated terms of service ex officio , which is mandatory to be accepted in order to use the application, with its decision numbered 2021/28. In line with the decision dated 03.09.2021 and numbered 2021/891, as a result of the examination, the Board stated that the terms of service were defined as a "contract" made with the users and that acceptance of this contract was mandatory for the use of the application; determined that the text of the "Privacy Policy", which enlightens individuals about their data processing, was presented as an integral part of this contract.

As a result of these determinations the Board decisions are summarized as follows: 

i. Although WhatsApp states that it applies to the explicit consent requirement in the processing of personal data in exceptional cases, it is obligatory to give explicit consent to the processing and transfer issues in order to use the application,

ii. The fact that the processing and transfer of data is presented with a single explicit consent option without separating from each other, and the transfer issue is presented together with the contract, and the individuals are not left with the right to opt-out, violates the free will.

iii. Failure to rely on a "specific, clear and legitimate purpose" in the transfer of all personal data abroad, and the elimination of explicit consent by presenting the transfer issue without negotiation, constitutes a violation of the Law and the principle of honesty, and the imposition of express consent as a condition of service invalidates free will,

iv. The Whatsapp acted in violation of Article 9 by not seeking explicit consent or not applying for the permission of the Board, although the servers are abroad,

v. The Whatsapp did not rely on explicit consent in the processing of cookies for profiling purposes,

For the reasons listed above, it has been decided to impose an administrative fine of TL 1,950,000 on the data controller.

In addition, it is ruled that the text of the "Privacy Policy" currently in use shall be brought into compliance with the legislation within three months since this text does not contain the necessary elements of the obligation to inform.

In fact, this decision is a “record” for Turkey in terms of the amount of the sanction imposed. While the highest administrative fine that can be imposed for breach of data security obligations for 2021 was 1.966.862 TRY, the Board has decided to impose an administrative fine that is almost the highest limit.

On the other hand, is this punishment a deterrent? We would like to evaluate this with an example. Recently, the Irish Data Protection Authority has decided to impose a €225.000.000 sanction on WhatsApp for non-compliance with the transparency principle. First of all, although it is not certain, the number of WhatsApp users in Ireland as of 2017 is approximately 1.4 million, while this number is approximately 40 million as of 2019 in Turkey. While WhatsApp has such a large market size in Turkey, it is ironical that the maximum amount of sanctions that can be imposed by the Turkish data protection authority is almost a thousand times less than the sanction imposed by the Irish authority. Therefore, from the point of view of deterrence, it does not seem possible to accept that the Board has such a role "watchdog" among the data protection authorities.

II. Sanction Implemented by Hamburg Authority

On 11.05.2021, the Hamburg Authority announced its decision on the new terms of service that enable the processing of WhatsApp user data by Facebook, since WhatsApp user data will be transferred to Facebook. In its evaluation, the Hamburg Authority decided that even with the consent of WhatsApp users, there is no legal reason for the processing of data by Facebook and that the conditions for continuing to use the application violate free will. Considering for a moment the possibility of Facebook to process this data within the scope of the legitimate interest criterion, the Authority emphasized that such a criterion cannot be relied upon, since Facebook's legitimate interests and the personal rights of users are not in an equal balance.

III.  Comparison of Decisions

The most basic common point on which the Board and the Hamburg Authority are based is that the fact that the service conditions are mandatory for the continuation of the use of the application violates free will.  On the other hand, the most striking difference between the resolutions is that the Board only handles the said conditions shallowly in terms of WhatsApp, but the Hamburgs Authority's legal decision in data processing both in terms of WhatsApp and Facebook considers the situation from a more comprehensive and broad perspective.


You decide which cookies you allow or reject. You can change your decision at any time in your My Account area. Further information can also be found in our privacy policy.