18.04.2023

Kvkk Decısıon Numbered 2023/134 And Dated 01.03.2023

With the Personal Data Protection Authority Decision numbered 2023/134 and dated 01/03/2023, the data breach in "TikTok", which is available as an application on the Internet and social media platforms, was evaluated.  As a result of the evaluation made within the framework of Articles 4, 12, 15 and 18 of the Personal Data Protection Law, a violation was determined and the summary of the decision is as follows;
With the Personal Data Protection Authority Decision numbered 2023/134 and dated 01/03/2023, the data breach in "TikTok", which is available as an application on the Internet and social media platforms, was evaluated.  As a result of the evaluation made within the framework of Articles 4, 12, 15 and 18 of the Personal Data Protection Law, a violation was determined and the summary of the decision is as follows; 
The Board started an ex officio examination of TikTok, a social media platform (application) within the scope of the definition of data controller, as a result of many complaints and news on news sites that explicit consent was not duly obtained within the scope of the Law, that there are illegalities in obtaining and storing personal data, and that there are many security vulnerabilities in the software. At the end of the Board's examination, it was determined that the TikTok application updated its privacy policy in January 2021, and as a result of the update, the default privacy setting for user accounts between the ages of 13 and 15 was changed to "private", but before the update, all profiles were displayed publicly by default and there were no restrictions on interaction, which posed a risk in terms of accessing the data of users in the sensitive age group. In addition, it has been determined that TikTok's Privacy Agreement contains regulations contrary to the principles of "processing for specific, explicit and legitimate purposes" and "being connected, limited and proportionate to the purpose for which they are processed" in Article 4 of the KVKK; the Terms of Service text submitted to the user's approval does not have a Turkish translation and is therefore not understandable; the Privacy Policy is essentially a clarification text, but it is used as an explicit consent text, and there is no guidance on obtaining explicit consent when creating an account on the platform or when creating an account and actively using it.  As a result of these examinations, the Board has decided to impose an administrative fine of 1.750.000 TL on the data controller TikTok, to translate the Terms of Service text into Turkish within one month, to make the Privacy Policy texts in question compliant with the Law within three months and to make arrangements to make a disclosure in accordance with the provisions of Article 10 of the Law and the relevant Communiqué.