12 Apr The Personal Data Protectıon Board’s TıkTok Decısıon
The Personal Data Protection Board (“Board”), after a long hiatus, published the first decision summary of 2023. Based on the news and complaints about TikTok, a social media platform, the Board initiated an ex officio investigation, and it has concluded the investigation that it carried out within the scope of the Personal Data Protection Law No. 6698 (“Law”) with its decision numbered 2023/134. You can reach the concerned decision here .
As a result of the review by the Board, it has been determined that;
- Before 2021, TikTok users between the ages of 13-15 had no restrictions on their interactions by having public profiles and users’ data that are under the age of 13 is collected without appropriate parental consent. And that this situation poses a risk regarding accessing the personal data of users in the sensitive age group,
- In the Privacy Policy of the data controller, all data processing conditions in Article 5 of the Law are listed, but there is no clear information about which personal data is processed for what purpose or under which data processing condition,
- The Terms of Service which the users will be deemed to have accepted when creating an account, have not yet been translated into Turkish,
- While creating an account on the platform and subsequently when using the platform, there is no clear explicit consent text prepared by TikTok, but the Privacy Policy prepared as a fair processing notice is used as an explicit consent text, and this situation does not meet the condition of seeking explicit consent separately from the fair processing notice.
.
In light of this evaluation, the Board ruled that a fine of 1,750,000 TL shall be imposed on the data controller, who is found to have not taken all the necessary technical and administrative measures to prevent the illegal processing of personal data. In addition, the Board has instructed the data controller to translate the Terms of Service into Turkish within 1 month and to make the Privacy Policy compatible with the Law and the Communiqué on Principles and Procedures To Be Followed In Fulfillment Of The Obligation To Informwithin 3 months.
The Board, which usually refrains from mentioning the data controller companies in its decisions, except for companies that are fined because of data breach notifications, acted unusually by specifically naming the data controller company in this decision. The Board, which usually issues a decision to inform the public when a new or different situation arises, has also differentiated here. In our opinion, the purpose of the Board here was to inform the public that action was taken against the data controller, who received an outcry from the public, and to reassure the public, rather than inform the public about a new case law. In addition, considering the size of the data controller company and the scope of the violation, it is noteworthy that the fine imposed is not close to the upper limit. However, we cannot make a sound assessment of the penalty given, as the defense of the data controller company is not included in the summary of this decision.
You can reach our İzmir Personal Data Lawyers to get expert legal support on the protection of your personal data or your company's personal data law compliance.
