1. SUMMARY

Personal Data Protection Board (“The Board”) has evaluated that;

• Before the change of the Platform’s Privacy Policy in January 2021, the profiles of users who are in the sensitive age group were public by default, and this poses a risk in terms of accessing the data of users in this age group,

• Prior to the amendment, personal information of children under the age of 13 using TikTok was displayed, and their data was collected without appropriate parental consent,

• TikTok’s Non-Disclosure Agreement states all of the data processing terms in Article 5 of The Personal Data Protection Law (“The Law”), but does not provide clear information about the purpose for which data is processed and on the basis of which processing term, and in this context, the principles specified in Article 4 of the Law are violated,

• TikTok's Terms of Service does not provide a Turkish translation of the relevant text when obtaining approval, and since the content is not presented in an easily understandable manner, users may accept the terms without fully understanding them,

• TikTok's Privacy Policy is used both as a notice and an explicit consent, therefore, the term of fulfilling explicit consent separately from the notice is not met,

• When profiling, explicit consent is not obtained from the data subjects regarding the data processing activity,

in its published decision about social media platform TikTok. On the basis of these evaluations, The Board imposed an administrative fine of 1,7500,000 Turkish liras on TikTok and decided to instruct TikTok on certain matters.

2. MATTERS TO BE CONSIDERED UNDER THE DECISION

As a result of this decision of The Board;

1. Although The Law does not specify the terms for processing personal data of persons in the sensitive age group, in the decision in question, the Board found it risky to process the personal data of persons in the sensitive age group without the consent of their eligible parents. In this respect, the data controller, whose services are also used by sensitive age groups, may need to make a risk assessment, and take measures to mitigate these risks.

2. In terms of personal data processing activities carried out on the condition of obtaining explicit consent from the data subject, explicit consent must be fulfilled separately from the notice in accordance with the legislation.

3. When carrying out personal data processing activities, care should be taken to ensure that these activities are carried out in accordance with the general principles set out in Article 4 of The Law.

4. Data controllers who use cookies for profiling activities must obtain explicit consent from the data subjects to carry out these activities in accordance with the legislation.

5. The terms of service and notice must be provided in Turkish language so that users in Türkiye can easily understand these texts and do not accept them without fully understanding them.

For your information.

GÜNGOR LAW FIRM