KVKK Fines TikTok Turkey

Finally, TikTok, which was banned on government devices in the European Union and Canada due to cybersecurity concerns, faced a large penalty from Turkey today. Personal Data Protection Authority, TikTok 1 million 750 thousand TL announced that he had been fined.

The reason for the decision is children’s viewing personal information and unauthorized data collection shared as In the statement it shared, the institution included the following statements:

KVKK’s TikTok statement:

“With regard to the TikTok application on internet and social media platforms, the express consent was not duly obtained within the scope of the Personal Data Protection Law (Law) No. 6698, There are violations of the law regarding the acquisition and storage of personal data. Based on various news and complaints about the security vulnerabilities of the software and the software, the Personal Data Protection Board decided to initiate an ex officio investigation within the scope of paragraph (1) of Article 15 of the Law No. 6698. As a result of the defense letters received from the data controller and the related Privacy Policy and Terms of Service, with the Decision No. 2023/134 of the Personal Data Protection Board;

• TikTok’s Privacy Policy was updated in January 2021, and as a result of the update, it is stated in the text. For user accounts between the ages of 13 and 15 Although it is stated that the default privacy setting has been changed to “private”, only the videos shared by the followers approved by the user can be viewed, the people who can download and comment on the videos are limited; The fact that there is no restriction on interaction by displaying the profiles as public by default before the specified update poses a risk within the scope of accessing the data of users in the sensitive age group, and it also shows that adequate measures are not taken to reduce the risks by determining the risks related to the users,
• Using the application before the update of the Privacy Policy in January 2021 Displaying personal information of children under the age of 13 and data about children is collected without appropriate parental consent, so there is a risk of negative consequences for children who have used the application,
• In the Confidentiality Agreement on the website of the data controller, all of the processing conditions in Article 5 of the Law on the Protection of Personal Data are specified, but no clear information is given about which personal data is processed for what purpose and on which processing condition, It violates the principles of “processing for specific, clear and legitimate purposes” and “being connected, limited and proportional to the purpose for which they are processed”,
• While creating a TikTok account, it was stated that if users continue to create an account, they will be deemed to have accepted the Terms of Service (Terms of Use) and Privacy Policy, however, the relevant text has not yet been translated into Turkish when approval is obtained in the Terms of Service, therefore the content is not presented to users in an easy-to-understand way and users can use It is possible that he will accept the terms without fully understanding,
• While creating an account on the platform or creating an account and using it actively, there is no case of obtaining explicit consent, TikTok’s Privacy Policy is essentially a text prepared to fulfill the obligation to enlighten, but it is also used instead of the explicit consent text, therefore, instead of the Clarification Obligation. Pursuant to subparagraph (f) of Article 5 of the Communiqué on the Procedures and Principles to be Complied with, the condition of fulfilling the express consent separately from the obligation of disclosure in terms of personal data processing activities carried out based on the condition of explicit consent,
• The data controller does not obtain explicit consent from the relevant persons regarding the personal data processing activity carried out using cookies for profiling purposes, and the personal data processing activity carried out within this scope is also not in accordance with the law.
• As it is understood, in order to prevent the unlawful processing of personal data in paragraph (1) of Article 12 of the Law, it is understood that the data controller has not taken all kinds of technical and administrative measures to ensure the appropriate level of security. In accordance with subparagraph (b) of paragraph 1) 1.750.000 TL administrative fine to the implementation,

In addition, the data controller;

• Translation of the Terms of Service into Turkish within one month in order to inform the relevant persons correctly,
• To make the said Privacy Policy texts compatible with the Law within three months in order to inform the relevant persons correctly,
• Since it is understood that the Privacy Policy is used instead of the illumination text and does not contain the elements of a valid illumination, it is understood that there is an illumination in accordance with the provisions of Article 10 of the Law and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Clarification Obligation.
• to be instructed on

decided.”