The Turkish Personal Data Protection Authority (the “Turkish DPA”),concerning the investigation initiated ex officio, into Meta and WhatsApp which processes the personal data of the data subjects in Turkey and is subject to the provisions of the Law on the Protection of Personal Data No. 6698 (“Law”) over imposed an administrative fine of TRY 2,665,000 (approx. EUR 128,560) separately for failure to fulfill their Data Controller’s Registry (VERBIS) registration and notification obligations. In addition, the Turkish DPA ordered Meta and WhatsApp to comply with the registration obligation within 30 days.
In 2023, the upper limit of a sanction is TRY 5,971,989 (approx. EUR 287,918) whereas the lower limit is TRY 119,428 (approx. EUR 5,758) which applicable to the violation subject of the administrative fine imposed on the social media and technology giant Meta, the parent company of social media applications such as Facebook and Instagram, and WhatsApp, which is an online messaging application with the highest number of users in Turkey and all over the world.
The Law refers to the Misdemeanors Law in determining the amount of sanction, and there is no regulation on the criteria by which administrative fines are imposed. For this reason, it is not clear whether the Turkish DPA determines the amount of the sanction according to the algorithm decision it has taken while determining the sanctions to be imposed for failure to fulfill the VERBIS registration obligation or according to a different algorithm decision. Data controllers may request information from the Turkish DPA regarding which aspects are taken as a basis in determining the amount of sanction. When the decision is published, we expect that the issues considered by the Turkish DPA in determining the amount of sanction will become clear.
Judicial remedy is also open against the decisions of the Turkish DPA, and the actions to be taken by Meta and WhatsApp regarding this issue will be known in the coming days.