The Personal Data Protection Board (KVKK) announced that the social media platform TikTok was fined 1 million 750 thousand liras. The reason for the decision is the failure to provide the appropriate level of security in order to prevent the unlawful processing of personal data.
Review decision from KVKK to TikTok
Regarding the TikTok application on the internet and social media platforms, it has been announced that an investigation has been initiated upon complaints that the express consent was not duly obtained within the scope of the Personal Data Protection Law (Law) No.
The statement made by KVKK on the official website on March 1, 2023 includes the following statements:
Regarding the TikTok application on the internet and social media platforms, there are various news and complaints that express consent is not duly obtained under the Personal Data Protection Law (Law) No. 6698, there are illegalities in obtaining and storing personal data, and there are many security gaps in the software Based on this, it was decided by the Personal Data Protection Board to initiate an ex officio investigation within the scope of paragraph (1) of Article 15 of the Law No. 6698. As a result of the defense letters received from the data controller and the related Privacy Policy and Terms of Service, with the Decision No. 2023/134 of the Personal Data Protection Board;
- It is stated that TikTok’s Privacy Policy was updated in January 2021, and as a result of the update, the default privacy setting for user accounts between the ages of 13 and 15 was changed to “private”. together; The fact that there is no restriction on interaction by displaying the profiles as public by default before the specified update poses a risk within the scope of accessing the data of users in the sensitive age group, and it also shows that adequate measures are not taken to reduce the risks by determining the risks related to the users,
- Prior to the update of the Privacy Policy in January 2021, the personal information of children under the age of 13 using the application was viewed and data was collected about children without appropriate parental consent, so there is a risk of negative consequences for children who have used the application,
- In the Confidentiality Agreement on the website of the data controller, all of the processing conditions in Article 5 of the Law on the Protection of Personal Data are specified, but no clear information is given about which personal data is processed for what purpose and on which processing condition, The principles of “processing for specific, clear and legitimate purposes” and “being relevant, limited and proportional to the purpose for which they are processed” are violated,
- While creating a TikTok account, it was stated that if users continue to create an account, they will be deemed to have accepted the Terms of Service (Terms of Use) and Privacy Policy, however, the relevant text has not yet been translated into Turkish when approval is obtained in the Terms of Service, therefore the content is not presented to users in an easy-to-understand way and users can use It is possible that he will accept the terms without fully understanding,
- While creating an account on the platform or creating an account and using it actively, there is no case of obtaining explicit consent, TikTok’s Privacy Policy is essentially a text prepared to fulfill the obligation to enlighten, but it is also used instead of the explicit consent text, therefore, instead of the Clarification Obligation. Pursuant to subparagraph (f) of Article 5 of the Communiqué on the Procedures and Principles to be Complied with, the condition of fulfilling the express consent separately from the obligation of disclosure in terms of personal data processing activities carried out based on the condition of explicit consent,
- The data controller does not obtain explicit consent from the relevant persons regarding the personal data processing activity carried out using cookies for profiling purposes, and the personal data processing activity carried out within this scope is also not in accordance with the law.
As it is understood, in order to prevent the unlawful processing of personal data in paragraph (1) of Article 12 of the Law, it is understood that the data controller has not taken all kinds of technical and administrative measures to ensure the appropriate level of security. An administrative fine of 1,750,000 TL is imposed in accordance with subparagraph (b) of paragraph 1),
In addition, the data controller;
- Translation of the Terms of Service into Turkish within one month in order to inform the relevant persons correctly,
- To make the said Privacy Policy texts compatible with the Law within three months in order to inform the relevant persons correctly,
- Since it is understood that the Privacy Policy is used instead of the illumination text and does not contain the elements of a valid illumination, it is understood that there is an illumination in accordance with the provisions of Article 10 of the Law and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Clarification Obligation.
It was decided to instruct.
News is updating…