In the decision numbered 2023/134 published by the Personal Data Protection Board (“Board”) on March 1, 2023, an administrative fine was imposed on the Tiktok application on the grounds that it violated the provisions of obtaining and processing personal data of the Personal Data Protection Law (“DP Law”).

In this decision;

  • Tiktok application updated its Privacy Policy in January 2021 and with this update, the default privacy setting for user accounts between the ages of 13 and 15 was changed to “private” and it was determined that only the videos shared by the followers approved by the user could be viewed and the people who could download and comment on the videos were limited, but there was a risk of negative consequences on the sensitive age group using the application due to the lack of any limitation in interaction as a result of the default privacy setting being set as “public” before the update,
  • In the Confidentiality Agreement on the website of the application, all of the processing conditions in Article 5 of the DP Law are stated, but since there is no clear information about which personal data is processed for what purpose and on the basis of which processing condition, the principles of “processing for specific, explicit and legitimate purposes” and “being connected, limited and proportionate to the purpose for which they are processed” in Article 4 of the DP Law are violated,
  • When creating an account in the application, it is stated that users will be deemed to have accepted the Terms of Service and Privacy Policy if they continue to create an account, but since the relevant text is not in Turkish while obtaining this approval, there is a possibility that users who approve the text may accept the terms of use without fully understanding the terms of use,
  • The Privacy Policy specified when creating or using an account on the platform has been prepared to fulfill the obligation to inform and no separate text regarding explicit consent is used, and for this reason, according to subparagraph (f) of Article 5 of the Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Obligation to Inform, the condition of fulfilling explicit consent separately from the obligation to inform is not met in terms of personal data processing activities carried out based on the explicit consent requirement,
  • Explicit consent was not obtained from the data subjects regarding the personal data processing activity carried out by TikTok using cookies for profiling purposes and the personal data processing activity carried out within this scope is not in accordance with the law

it was decided to impose an administrative fine of TRY 1,750,000 on Tiktok, which was determined that they did not take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data.

In addition, it has been decided to instruct Tiktok to translate the Terms of Service into Turkish within one month in order to inform the data subjects correctly, to make the Privacy Policy texts in question compliant with the KVKK within three months in order to inform these persons correctly, and to make a valid disclosure since it is understood that there is no disclosure in accordance with the provisions of the Communiqué on the Procedures and Principles to be Followed in the Fulfillment of the Obligation to Inform.

You can access the summary of the decision numbered 2023/134 via this link.