TikTok was fined 1,750,000 TL for collecting data on children under the age of 13 without parental consent and failing to take administrative and technical measures to ensure the appropriate level of security.
According to the summary of decision no. 2023/134 of the Personal Data Protection Board, the evaluation of the data breach concerning TikTok Pte. Ltd. found the following:
- Before the update of the Privacy Policy in January 2021, the personal information of children under the age of 13 using the application was viewed and data was collected about children without appropriate parental consent, so there is a risk of negative consequences for children who have used the application,
- In the Confidentiality Agreement on the website of the data controller, all of the processing conditions in Article 5 of the Law on the Protection of Personal Data are specified, but there is no clear information about which personal data is processed for what purpose and on which processing condition, and the principles of "processing for specific, clear and legitimate purposes" and "being connected, limited and proportional to the purpose for which they are processed" in Article 4 are violated,
- It has been understood that the data controller did not obtain explicit consent from the relevant persons regarding the personal data processing activity carried out using cookies for profiling purposes, and that the personal data processing activity carried out within this scope is not in accordance with the law.
With reference to the obligation in paragraph (1) of Article 12 of the Law to prevent the unlawful processing of personal data, it was decided to impose an administrative fine of 1,750,000 TL in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law.
In addition, it has been decided to instruct the data controller to:
- translate the Terms of Service into Turkish within one month in order to inform the relevant persons correctly,
- bring the said Privacy Policy texts into compliance with the Law within three months in order to inform the relevant persons correctly,
- act in accordance with the provisions of Article 10 of the Law and the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Clarification Obligation, since it has been understood that the Privacy Policy is used instead of the clarification text and does not contain the elements of a valid clarification.
You can access the whole decision from the link.