Personal Data Protection and Privacy
1. Introduction
In the information age, personal data has become a fundamental source of economic and political power. However, when this power is used without legal limits to protect individual privacy, it disrupts social balance. In Turkey, the Law No. 6698 on the Protection of Personal Data (KVKK) and Article 20/3 of the Constitutionguarantee privacy as a fundamental right.
This article will examine in detail the definition of personal data, its protection principles, legal basis, and violations encountered in practice.
2. The Concept of Personal Data
2.1. Definition
According to Article 3 of the KVKK (Law on Protection of Personal Data):
"Personal data is any information relating to an identified or identifiable natural person."
This includes name, surname, Turkish national identity number, phone number, location, voice recordings, IP address, biometric data, and even shopping preferences.
2.2. Special Categories of Data
Article 6 of the Turkish Personal Data Protection Law (KVKK) classifies data such as "race, health, sexual life, and political views" as sensitive information and provides for stricter protection.
3. The Constitutional Basis of the Right to Privacy and Confidentiality
Article 20/3 of the Constitution:
"Everyone has the right to request the protection of their personal data."
With this article, privacy has become not only an ethical value but also a constitutional right .
The state's obligation is twofold:
-
Public authorities have a negative liability against data breaches
-
Providing effective supervision and protection against private companies is a positive obligation.
In its decision numbered 2016/13010, the Constitutional Court stated that "sharing personal data without consent violates the right to privacy.".
4. Fundamental Principles of the Personal Data Protection Law (KVKK)
According to Article 4 of the KVKK (Law on Protection of Personal Data), data processing activities must be based on the following principles:
-
Compliance with the law and the principle of honesty,
-
Being accurate and up-to-date,
-
Processing for specific, explicit and legitimate purposes,
-
Being relevant to the purpose for which they are committed, limited and proportionate,
-
Retention for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they were processed.
These principles should be considered as a "reference code" in every data processing process.
5. Conditions for Processing Personal Data
Data processing must be based on one of the legal grounds specified in Articles 5 and 6 of the KVKK (Law on Protection of Personal Data):
-
Explicit consent,
-
Explicitly provided for in the law,
-
Formation or performance of the contract,
-
The data controller's legal obligation,
-
The establishment, exercise, or protection of a right,
-
Data that has been made public by the person concerned.
Any action taken without explicit consent unlawful .
6. Obligation to Provide Lighting
The data controller is obliged to inform the data subject before collecting data (KVKK Article 10).
The information notice should include the identity of the data controller, the purpose of data processing, the transfer of data, and the rights that can be exercised.
Failure to fulfill this obligation administrative fines of up to 1 million TL .
7. Data Security and Technical Measures
Data controllers must take the following measures in accordance with Article 12 of the KVKK (Personal Data Protection Law):
-
Preventing unauthorized access,
-
Encryption and logging,
-
Access control system,
-
Staff training,
-
Cyber incident response plan.
If these measures are not taken and a data breach occurs, the Board may impose both penalties and conduct audits.
8. Data Breach and Notification Obligation
In the event of a data breach,
-
To the Board within 72 hours,
-
the relevant person as soon as possible
(Article 12/5).
Institutions that failed to report were fined an average of 750,000 TL – 2,500,000 TL between 2024 and 2025
9. Obligation to Anonymize and Delete
When the purpose of data processing ends, personal data must either be deleted , destroyed , or anonymized (Article 7). This process is determined by the " Data Storage and Destruction Policy " document. In its decision numbered 2023/310, the Board emphasized that "anonymization must be irreversible."
10. Data Transfer and Privacy Agreements
When personal data is transferred to third parties, a written agreement is mandatory.
The agreement must include the following:
-
Purpose and duration of processing,
-
The responsibilities of the parties,
-
Data security measures,
-
Breach reporting procedure.
For data transfers abroad, permission from the Board or a list of countries providing adequate protection is required under Article 9 of the KVKK (Personal Data Protection Law).
11. Distinction Between Public Institutions and the Private Sector
Public institutions are also subject to the Personal Data Protection Law (KVKK); however, "security and judicial activities" constitute an exception.
In the private sector, obligations are heavier, especially in banking, insurance, e-commerce, and healthcare.
For banks, the Banking Regulation and Supervision Agency (BDDK) and KVKK guidelines, while for the healthcare sector, the Health Data Guide is implemented.
12. GDPR and International Comparison
12.1. EU (GDPR)
The EU's General Data Protection Regulation (GDPR) has set global standards.
Turkey has prepared a draft revision for its Personal Data Protection Law (KVKK) to bring it closer to this structure by 2025.
12.2. USA
There is no federal data protection law in the United States; state-based regulations (CCPA) apply.
12.3. Türkiye's Location
Türkiye has created a model application in its region with the KVKK (Personal Data Protection Law) and VERBİS (Data Registration and Information System); however, there is still a need for updating regarding "international data transfer and profile creation".
13. The Approach of Fairness and Justice
The Supreme Court and the Constitutional Court consider personal data breaches as "violations of personal rights".
-
Supreme Court 4th Civil Chamber, Case No. 2020/3106: “Unauthorized data sharing constitutes grounds for moral damages.”
-
Constitutional Court Decision No. 2018/14884: “Employers' monitoring of employee emails is limited to legitimate purposes and proportionality.”
The principle of fairness requires the data controller to strike a balance between protective measures and the privacy of the individual.
14. Administrative Sanctions and Penalties
The penalties imposed in 2025 pursuant to Article 18 of the Personal Data Protection Law are summarized as follows:
| Type of Violation | Penalty Range (TL) |
|---|---|
| Violation of the obligation to provide information | 100.000 – 1.000.000 |
| Failure to take data security measures | 200.000 – 2.500.000 |
| Not registering with VERBİS | 500.000 – 2.000.000 |
| Failure to comply with the board's decision | 300.000 – 3.000.000 |
In addition, criminal liability may arise under Articles 136-138 of the Turkish Penal Code due to the data breach
15. Conclusion and Evaluation
The protection of personal data is a guarantee of individual freedom and dignity in modern democracies. In Turkey, with the Personal Data Protection Law (KVKK), privacy has ceased to be an abstract concept and has become a legally enforceable right
In conclusion:
Data controllers must process data transparently and proportionately.
Personal data should be deleted when the purpose of its processing has ended.
Data breaches must be reported within 72 hours.
Anonymization and explicit consent policies are mandatory.
Privacy is not only a technical obligation, but also an ethical one.