Key practice takeaways from the Kişisel Verileri Koruma Kurumu (KVKK) Turkey EUR 195,000 fine against WhatsApp (which echoes the Data Protection Commission Ireland decision in many respects):
- Consent as a legal basis can only be used when it is obtained for a specific data processing. Agreement to terms, which include transfers to third parties and cross border transfers, cannot constitute valid consent.
- Including transfers, especially ones that are not reasonably expected by users, as part of the terms in a manner which is non-negotiable, is a violation of the “fair and lawful” principle.
- Transfer of data must be proportional and limited to the purpose for which it is transferred.
- You must clearly state which data will be transferred and for what purpose. Not doing so is a violation of the transparency requirement.
- Beware if you structure something as acceptance of terms while making it appear you are relying on necessity for performance of a contract as your legal basis if you are actually relying on consent. This is not valid consent, because, at minimum, it is not freely given.
Read more here.