Personal Data Protection Legislation and Practical Examples

Personal data refers to any information relating to an identified or identifiable natural person. Examples of commonly used personal data include: national identification number, name and surname, email address, postal address, genetic information, and shopping preferences.

Data Controller: A natural or legal person who determines the purposes and means of processing personal data, and who is responsible for the establishment and management of the data recording system.

Data Processor: A natural or legal person who processes personal data on behalf of the data controller, based on the authority granted by the controller.

Data Subject / Relevant Person: The natural person whose personal data is processed.

According to Law No. 6698 on the Protection of Personal Data (KVKK), the processing of personal data is defined as:
“Any operation performed on personal data such as collection, recording, storage, preservation, alteration, rearrangement, disclosure, transfer, acquisition, making available, classification, or prevention of use, either wholly or partially by automated means or non-automated means that form part of a data recording system.”

Personal data is categorized into two types: general personal data and sensitive personal data.

  • General Personal Data: Includes all personal data that is not classified as sensitive.

  • Sensitive Personal Data: Includes data on racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. (Any data that poses a risk of profiling or discrimination is considered sensitive data.)

Personal data cannot be processed without the explicit consent of the data subject. Within the scope of the Law, explicit consent means that the data subject gives approval for the processing of their personal data either at their own initiative or upon a request from the other party. This consent must include a clear expression of positive will by the individual. Unless otherwise required by specific legislation, explicit consent does not need to be in written form. It may also be obtained through electronic means such as email or call centers. In any case, the burden of proof lies with the data controller.

Explicit consent must meet the following three conditions:

  • It must relate to a specific subject;

  • It must be based on prior information;

  • It must be given through free will.

Exceptions to the Requirement of Consent for the Processing of General Personal Data

In the following cases, general personal data may be processed without obtaining the explicit consent of the data subject:

  • Where it is explicitly stipulated by law (e.g., insurance regulations, transportation regulations, labor legislation);

  • Where it is necessary to protect the life or physical integrity of the data subject or another person who is incapable of giving consent due to actual impossibility or whose consent is not legally valid (e.g., mental illness, minority);

  • Where it is directly related to the establishment or performance of a contract, and the processing of personal data belonging to the parties is required (e.g., inclusion of contact or bank details in a lease agreement);

  • Where it is necessary for the data controller to fulfill a legal obligation (e.g., providing information to an administrative authority as required by law, employee registration procedures);

  • Where the personal data has been made public by the data subject themselves (e.g., sharing contact information on a public network);

  • Where data processing is required for the establishment, exercise, or protection of a legal right (e.g., providing information to a land registry office to establish property rights, processing data for after-sales services);

  • Where it is necessary for the legitimate interests of the data controller, provided that such processing does not harm the fundamental rights and freedoms of the data subject (e.g., security camera recordings).


Exceptions to the Requirement of Consent for the Processing of Sensitive Personal Data

Sensitive personal data may be processed without the data subject’s explicit consent in the following cases:

  • Where explicitly permitted by law;

  • Data concerning health and sexual life may only be processed without explicit consent for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of healthcare services and financing, by persons or authorized institutions and organizations that are under a legal obligation to maintain confidentiality.


Fundamental Principles for Personal Data Processing

The processing of personal data must comply with the following principles:

  • Be lawful and in accordance with rules of honesty;

  • Be accurate and kept up to date where necessary;

  • Be processed for specific, explicit, and legitimate purposes;

  • Be relevant, limited, and proportionate to the purposes for which they are processed;

  • Be retained only for the period prescribed by relevant legislation or for the time necessary to fulfill the purpose of processing.


Transfer of Personal Data Abroad

Personal data may not be transferred abroad without the explicit consent of the data subject. However, exceptions exist if:

  • One of the legal grounds for processing without consent under the Law is present, and

  • The foreign country to which the data will be transferred provides adequate protection, or the data controller in the foreign country commits in writing to provide adequate protection and the Personal Data Protection Board grants permission.


Obligation to Inform (Disclosure Obligation)

With the entry into force of the Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform, data controllers or authorized persons acting on their behalf are required to inform data subjects at the time personal data is collected, providing information on the following matters:

  • The identity of the data controller and, if applicable, its representative

  • The purposes for which personal data will be processed

  • To whom and for what purposes the processed data may be transferred

  • The method and legal basis of data collection

  • The rights of the data subject

Key considerations when fulfilling the obligation to inform:

  • The obligation must be fulfilled in all cases where personal data is processed.

  • If the purpose of processing changes, a new disclosure must be made before processing begins.

  • If personal data is processed for different purposes by different units of the data controller, a separate disclosure must be made for each unit.

  • The information provided must be consistent with the records submitted to the Data Controllers Registry (VERBIS).

  • Fulfilling the obligation is not contingent on a request by the data subject.

  • The burden of proof for fulfilling the obligation lies with the data controller.

  • In cases requiring explicit consent, the disclosure obligation and the process of obtaining consent must be fulfilled separately.

  • The purpose for processing must be specific, explicit, and legitimate. Vague or general expressions should be avoided.

  • Wording that implies that personal data may be used for other potential future purposes must be avoided.

  • The information must be conveyed using clear, plain, and comprehensible language.

  • The legal basis for processing must be explicitly stated.

  • The purpose of data transfer and the categories of recipients must be specified.

  • The method by which data is collected—whether fully or partially automated, or non-automated but part of a data recording system—must be clearly indicated.

  • Inaccurate, misleading, or incomplete information must be avoided when fulfilling the obligation.


Rights of the Data Subject

The data subject may exercise the following rights by applying to the data controller:

  • To learn whether personal data is being processed;

  • If so, to request information regarding the processing;

  • To learn the purpose of the processing and whether data is being used in accordance with that purpose;

  • To learn the recipients of personal data, especially if they are third parties located domestically or abroad;

  • To request correction of incomplete or inaccurate data;

  • To request deletion or destruction of personal data;

  • To request notification of such correction or deletion to third parties to whom data was transferred;

  • To object to adverse results that may arise from data being analyzed exclusively through automated systems;

  • To demand compensation if the data subject suffers damage due to unlawful data processing.


Deletion / Destruction / Anonymization of Personal Data

When the reasons for processing no longer exist, personal data must be deleted, destroyed, or anonymized either by the data controller ex officio or upon the request of the data subject. In this regard, the Regulation on the Deletion, Destruction, or Anonymization of Personal Data has entered into force.

Data controllers who are required to register with the Data Controllers Registry must prepare a personal data retention and destruction policy aligned with their data inventory.

Definitions:

  • Anonymization: Removing or altering all direct and/or indirect identifiers in a dataset so that the data can no longer be associated with an identifiable person, linked to a real person, or distinguished within a group.

  • Deletion: Making personal data inaccessible and unusable for relevant users.

  • Destruction: Making personal data completely inaccessible, irretrievable, and unusable for anyone.
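The three outcomes defined above are easy to confuse in practice, so the following added example (not part of the original article) models them on a constructed customer table. Anonymization is implemented as: drop direct identifiers, generalise quasi-identifiers, then verify k-anonymity, which is one way to check the "cannot be distinguished within a group" requirement. Deletion hides a row from relevant users while it may still sit in a restricted archive; destruction removes it for everyone. Field names, the sample rows, the role names and the choice of k are assumptions made for the demonstration.

```python
# Added example; not part of the original article. It models the three
# outcomes defined above on a constructed customer table. Anonymization is
# implemented as: drop direct identifiers, generalise quasi-identifiers, then
# verify k-anonymity (no row distinguishable within a group smaller than k).
# Field names, the sample rows and the choice of k are assumptions.
from collections import Counter
from copy import deepcopy

# Constructed sample rows (fictional people, fictional identifiers).
RECORDS = [
    {"id": 1, "national_id": "11111111110", "name": "A. Yilmaz", "email": "a@example.com",
     "birth_year": 1984, "postcode": "34710", "purchase": "books"},
    {"id": 2, "national_id": "22222222220", "name": "B. Kaya", "email": "b@example.com",
     "birth_year": 1986, "postcode": "34718", "purchase": "music"},
    {"id": 3, "national_id": "33333333330", "name": "C. Demir", "email": "c@example.com",
     "birth_year": 1989, "postcode": "34720", "purchase": "books"},
    {"id": 4, "national_id": "44444444440", "name": "D. Celik", "email": "d@example.com",
     "birth_year": 1971, "postcode": "06100", "purchase": "tools"},
    {"id": 5, "national_id": "55555555550", "name": "E. Arslan", "email": "e@example.com",
     "birth_year": 1975, "postcode": "06200", "purchase": "tools"},
]

DIRECT_IDENTIFIERS = ("id", "national_id", "name", "email")  # removed outright
QUASI_IDENTIFIERS = ("birth_year", "postcode")               # generalised


def generalise(record):
    """Drop direct identifiers and coarsen quasi-identifiers
    (decade of birth, first two postcode digits)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    out["postcode"] = record["postcode"][:2] + "***"
    return out


def k_anonymity(rows):
    """Size of the smallest group sharing one quasi-identifier combination."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in rows)
    return min(groups.values())


def anonymize(records, k=2):
    """Return anonymised rows, refusing a result in which some row could
    still be singled out within a group smaller than k."""
    rows = [generalise(r) for r in records]
    achieved = k_anonymity(rows)
    if achieved < k:
        raise ValueError(f"k-anonymity {achieved} is below the required {k}")
    return rows


class PersonalDataStore:
    """Toy store separating deletion (unusable for relevant users) from
    destruction (irretrievable for anyone)."""

    def __init__(self, records):
        self._rows = {r["id"]: deepcopy(r) for r in records}
        self._deleted = set()

    def read(self, record_id, role="relevant_user"):
        if record_id not in self._rows:
            return None                      # destroyed, or never existed
        if record_id in self._deleted and role != "archive_custodian":
            return None                      # deleted: hidden from relevant users
        return self._rows[record_id]

    def delete(self, record_id):
        """Deletion: the row stays (e.g. in a restricted archive) but is no
        longer accessible or usable by relevant users."""
        if record_id in self._rows:
            self._deleted.add(record_id)

    def destroy(self, record_id):
        """Destruction: overwrite the field values and drop the row. On real
        media this step corresponds to secure erasure of every copy,
        backups included."""
        row = self._rows.pop(record_id, None)
        if row is not None:
            for key in row:
                row[key] = None
        self._deleted.discard(record_id)
```

With the sample rows, generalisation yields two groups (people born in the 1980s in postcodes starting 34, and people born in the 1970s in postcodes starting 06), so `anonymize(RECORDS, k=2)` succeeds while `k=3` is refused: the smaller group would still let a row be singled out. The store shows why "deleted" and "destroyed" are distinct states in a retention policy: a deleted row is invisible to relevant users but recoverable by an archive custodian until it is destroyed.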

If all legal grounds for data processing cease to exist, the data controller must delete, destroy, or anonymize the personal data, either automatically or upon request. In doing so:

  • All actions must be documented and stored for at least three years, unless otherwise required by law.

  • The data controller must clearly explain the methods used in internal policies and procedures.

  • Unless otherwise directed by the Data Protection Board, the data controller may choose the most appropriate method for deletion, destruction, or anonymization. If the data subject requests a specific method, the data controller must justify its choice.



Periodic Destruction

A data controller who has prepared a personal data retention and destruction policy is required to delete, destroy, or anonymize personal data during the first periodic destruction process following the date when the obligation to do so arises. The frequency of periodic destruction must be specified in the data controller’s data retention and destruction policy and may not exceed six months.
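As an added example (not part of the original article), the scheduler below applies the periodic-destruction rule just described together with the three-year documentation rule from the deletion section: it rejects a cycle longer than six months, finds the first periodic run after the date a record's retention purpose ended, lists the records due by a given date, and produces a log entry with its own retention date. The record layout, the dates, the method names and the reading of "six months" as 183 days are assumptions made for the demonstration.

```python
# Added example; not part of the original article. Scheduler for the
# periodic-destruction rule. Dates, record contents and the 183-day reading
# of "six months" are assumptions made for the demonstration.
from datetime import date, timedelta

MAX_CYCLE_DAYS = 183          # assumed upper bound for "six months"
LOG_RETENTION_DAYS = 3 * 365  # records of each action kept at least three years

# Constructed records: when each record's retention purpose ends and which
# method the retention and destruction policy assigns to it.
SAMPLE_RECORDS = [
    {"id": 1, "retention_end": date(2024, 3, 15), "method": "destroy"},
    {"id": 2, "retention_end": date(2024, 6, 30), "method": "anonymize"},
    {"id": 3, "retention_end": date(2024, 8, 1), "method": "delete"},
]


def validate_cycle(cycle_days):
    """Reject a destruction cycle the policy could not lawfully declare."""
    if not 0 < cycle_days <= MAX_CYCLE_DAYS:
        raise ValueError(
            f"periodic destruction cycle must be 1..{MAX_CYCLE_DAYS} days, got {cycle_days}")
    return cycle_days


def next_run_after(obligation_date, first_run, cycle_days):
    """First periodic destruction run strictly after the obligation arose."""
    cycle = validate_cycle(cycle_days)
    if obligation_date < first_run:
        return first_run
    elapsed = (obligation_date - first_run).days
    periods = elapsed // cycle + 1
    return first_run + timedelta(days=periods * cycle)


def plan_destruction(records, first_run, cycle_days, today):
    """Return (id, method, run_date) for every record due on or before today."""
    due = []
    for r in records:
        if r["retention_end"] > today:       # purpose still valid, nothing to do
            continue
        run = next_run_after(r["retention_end"], first_run, cycle_days)
        if run <= today:
            due.append((r["id"], r["method"], run))
    return due


def log_entry(record_id, method, run_date):
    """Documentation of one action, with the date until which it must be kept."""
    return {"record_id": record_id, "method": method, "performed_on": run_date,
            "log_retain_until": run_date + timedelta(days=LOG_RETENTION_DAYS)}


if __name__ == "__main__":
    for rec_id, method, run in plan_destruction(SAMPLE_RECORDS, date(2024, 1, 1), 180, date(2024, 7, 1)):
        print(log_entry(rec_id, method, run))
```

With a policy whose first run is 1 January 2024 and a 180-day cycle, record 1 (purpose ended 15 March) falls into the run of 29 June 2024 and is due by 1 July; record 2 (purpose ended 30 June) is not handled until the following run, and record 3 is not yet eligible at all. A 200-day cycle is rejected before any date arithmetic happens.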


Ensuring Data Security

The obligations of data controllers regarding data security are as follows:

  • Preventing the unlawful processing of personal data

  • Preventing unlawful access to personal data

  • Ensuring the secure storage of personal data

In this context, data controllers—i.e., organizations that collect personal data—must ensure hardware, software, and environmental security. Data controllers and data processors share joint responsibility for implementing these measures.

Although companies may receive support or collaborate with information security firms, this does not absolve them of their responsibilities under personal data protection regulations. Data controllers and data processors are prohibited from disclosing personal data they have accessed to unauthorized parties and from using it for purposes other than those for which it was processed. These confidentiality obligations remain in effect even after the termination of the data processor’s employment or engagement.


Application to the Data Controller

Data subjects may submit requests to the data controller:

  • In writing,

  • Through a registered electronic mail (KEP) address,

  • Using secure electronic or mobile signature,

  • Via an email address previously provided and registered in the data controller’s system,

  • Or through a software or application developed for such requests.

The data controller must respond to the request within 30 days, free of charge (except in cases requiring additional costs). If the request is rejected, the data controller must provide justification for the denial in writing or electronically.


Complaint to the Board

If a request to the data controller is rejected, deemed insufficient, or not responded to within the specified timeframe, the data subject may lodge a complaint with the Personal Data Protection Board within 30 days of learning of the data controller’s response (or the end of the response period). The data subject’s right to claim damages under general provisions remains unaffected.

The data controller must provide the Board with any requested information and documents within 15 days and must allow for on-site inspections. The Board reviews the complaint and must issue a decision within 60 days. If no decision is issued, the request is considered denied. If the Board determines a violation has occurred, the data controller must implement the decision within 30 days.


Data Controllers Registry (VERBIS)

Under the Board’s supervision, a publicly accessible Data Controllers Registry (VERBIS) is maintained by the Presidency. Individuals or legal entities processing personal data must register with VERBIS before initiating any data processing. Data controllers are required to declare what types of personal data they process, for what purposes, and with whom they share such data. This information will be publicly accessible.


Crimes and Misdemeanors

Administrative fines imposed under the Law on the Protection of Personal Data include:

  • Failure to fulfill the obligation to inform: 5,000–100,000 TRY

  • Failure to fulfill data security obligations: 15,000–1,000,000 TRY

  • Failure to comply with Board decisions: 25,000–1,000,000 TRY

  • Failure to register with or notify the Data Controllers Registry: 20,000–1,000,000 TRY


Exceptions Under the Law

The provisions of the Personal Data Protection Law do not apply to cases where:

  • Personal data is processed by real persons solely for personal or household activities, provided the data is not shared with third parties and data security is ensured;

  • Personal data is processed for official statistics, or for research, planning, or statistical purposes after being anonymized;

  • Personal data is processed for artistic, historical, literary, or scientific purposes, or under freedom of expression, without violating national security, public order, public safety, economic security, privacy, or personal rights;

  • Personal data is processed within the scope of preventive, protective, or intelligence activities carried out by public institutions and organizations authorized by law for the purpose of ensuring national defense, national security, public safety, public order, or economic security;

  • Personal data is processed by judicial authorities or execution offices for investigation, prosecution, trial, or enforcement proceedings.


Notable Board Decisions

Decision No. 2017/62 (21.12.2017) – Protection of Personal Data in Service Areas Such as Counters, Desks, and Offices:

Organizations in sectors such as banking, healthcare, postal and cargo services, tourism, retail, and government offices (e.g., tax or population registry departments) must take technical and administrative measures to prevent unauthorized individuals from accessing personal data at service points and to ensure that people in adjacent service areas cannot see, hear, or access each other’s personal data.

Decision No. 2017/61 (21.12.2017) – Online Directories and Guidance Services:

Internet sites and mobile applications that share users’ contact information without legal basis must immediately cease such data processing activities under Article 15/7 of the Law. The decision was published in the Official Gazette and on the Authority’s website, and non-compliant entities may face penalties under Article 18.

Decision No. 2018/10 (31/01/2018) – Adequate Measures to Be Taken by Data Controllers in Processing Special Categories of Personal Data

The Personal Data Protection Board ruled that data controllers must:

  • Establish a distinct, systematic, clearly defined, manageable, and sustainable policy and procedure to ensure the security of special categories of personal data;

  • Implement necessary precautions for employees involved in the processing of such data;

  • Take required security measures if such data is processed, stored, or accessed in electronic environments;

  • Take required security measures if such data is processed, stored, or accessed in physical environments;

  • Determine the methods to be used when transferring special category personal data.


Decision No. 2018/32 (02/04/2018) – Exceptions to the Obligation to Register with the Data Controllers Registry

The following data controllers are exempt from the obligation to register with the Data Controllers Registry (VERBIS):

  • Those who process personal data solely through non-automated means, provided it is part of a data recording system;

  • Notaries operating under the Notary Law No. 1512 dated 18/01/1972;

  • Associations established under the Law on Associations No. 5253 (dated 04/11/2004), foundations under the Foundations Law No. 5737 (dated 20/02/2008), and trade unions under the Law on Trade Unions and Collective Bargaining Agreements No. 6356 (dated 18/10/2012), only if they process personal data limited to their own employees, members, affiliates, and donors and in line with their purposes;

  • Political parties established under the Political Parties Law No. 2820 (dated 22/04/1983);

  • Lawyers operating under the Attorneyship Law No. 1136 (dated 19/03/1969);

  • Certified Public Accountants and Sworn-in CPAs operating under Law No. 3568 (dated 01/06/1989).


Decision No. 2018/63 (31/05/2018) – Misuse of Access Rights to Personal Data

In cases where employees who have access to personal data due to their roles or positions process data outside the scope of their authority, for personal reasons or unauthorized purposes, or share it with third parties, this constitutes a violation of Article 12(1) of the Personal Data Protection Law.

The Board ruled that data controllers must take all necessary technical and administrative measures to prevent such actions and ensure adequate data security.


Late Notification of a Personal Data Breach

A data controller who notified data subjects with a delay of 17 months and the Board with a delay of 10 months following a data breach was found to have exceeded the “as soon as possible” timeframe required under Article 12(5). The Board concluded that this constituted a data security violation and imposed administrative sanctions in accordance with Article 18.


Tying Explicit Consent to Service Conditions

The Board ruled that:

  • If the processing of personal data is already justified under another legal basis, requesting explicit consent and making it a precondition for accessing the service or contract constitutes an abuse of right;

  • Making explicit consent a requirement for receiving a service or entering into a contract invalidates the consent, as it is no longer given freely.


Processing or Transferring Excessive Personal Data

When a court requested specific personal data from a data controller, and the controller transferred more data than necessary, the Board ruled:

  • This action could not be justified under Article 5(2)(ç) of the Law (legal obligation),

  • It violated Article 4(1)(ç), which requires that data be processed in a manner that is relevant, limited, and proportionate to the purpose.

Therefore, the Board imposed administrative sanctions under Article 18 for failure to ensure data security in accordance with Article 12(1).
