KVKK

A. IN GENERAL
In today’s world, where technology has fully permeated everyday life, protecting the privacy of individuals’ personal data—such as identity, communication, health, and financial information, as well as private life, religious beliefs, and political opinions—has become crucial. Personal data is frequently processed by both the private and public sectors through automated information systems. While the use of this data provides certain conveniences and advantages to both individuals and service providers, it also brings the risk of misuse. Therefore, it is necessary to establish a legitimate and reasonable balance between these interests.

Efforts to create legislation for the protection of personal data in Türkiye date back to 1981. The Personal Data Protection Law No. 6698, which entered into force on April 7, 2016, marks a major milestone in this legislative process and has become an integral part of the legal system. This law has been drafted to reflect the best practices and principles in the field.

B. PURPOSE
With the constitutional amendment introduced by Law No. 5982 in 2010, an additional paragraph was added to Article 20 of the Constitution stating:
“Everyone has the right to request the protection of personal data concerning them. This right includes the right to be informed about personal data, to access such data, to request its correction or deletion, and to know whether it is being used in accordance with its intended purpose. Personal data may only be processed in cases stipulated by law or with the individual’s explicit consent. The principles and procedures regarding the protection of personal data shall be regulated by law.”

This provision guarantees the right of every individual to the protection of personal data as a constitutional right. In this context, the law determines under which conditions personal data may be processed and what rights and authorities individuals have over their data.

As stated in Article 1 of the Law, the primary objective is to protect fundamental rights and freedoms, particularly the right to privacy, during the processing of personal data, and to establish the obligations and procedures to be followed by real and legal persons who process personal data. The purpose of the Law is also explained in its preamble: to regulate the processing of personal data in a disciplined manner and to ensure the protection of fundamental rights and freedoms, especially privacy.

The Law aims to prevent the unlimited and arbitrary collection of personal data, unauthorized access, disclosure, or misuse of such data. It seeks to regulate how personal data can be processed under certain rules and conditions, introducing audit mechanisms to prevent unlawful processing. Another aim is to define the obligations and principles that data controllers must comply with.

According to this provision, the objectives of the Law are:

  • To protect individuals’ fundamental rights and freedoms in the processing of personal data

  • To regulate the obligations, procedures, and principles for real and legal persons processing personal data

  • To protect the right to privacy

  • To ensure data security

C. SCOPE

1. Scope of the Law
As stated in Article 2 of the Law, it applies to real persons whose personal data is processed, as well as to real and legal persons who process personal data either fully or partially by automated means, or by non-automated means as part of a data recording system.

The Law makes no distinction between public and private institutions; the principles and procedures apply equally to all. Thus, personal data processed by public institutions also fall under the provisions of this Law. However, it only protects data belonging to real persons, not legal entities—unless the data of a legal entity can be associated with an identifiable real person, in which case it is subject to the Law.

There is no difference in the Law between automated and non-automated data processing, provided the latter is part of a structured recording system.

Today, most personal data is processed automatically. Even data initially processed manually is rapidly being transferred into electronic formats. Hence, both “data processed fully or partially by automated means” and “data processed manually as part of a structured system” are protected under Law No. 6698.

The Law does not apply to personal data that is processed manually and is not part of any recording system. However, unlawful acts involving such data may still constitute a criminal offense under the Turkish Penal Code.

While Law No. 6698 excludes data belonging to legal entities, if such data enables the identification of real individuals, it may be covered under the Law.

2. Situations Outside the Scope of the Law
The Law applies only to data concerning real persons. Data of legal entities is excluded.

According to Article 28 of the Law, full and partial exceptions are defined. Full exceptions completely exclude the application of the Law, whereas partial exceptions only exempt certain provisions (e.g., the obligation to inform, data subject rights, registration with the data controller registry).

a. Fully Excluded Situations:

  • Personal data processed by real persons for personal or household activities, provided it is not shared with third parties and data security obligations are met

  • Data processed for research, planning, and statistical purposes after anonymization

  • Data processed for artistic, historical, literary, or scientific purposes or within the scope of freedom of expression, provided it does not violate national security, public order, or privacy

  • Data processed by public institutions authorized by law for national security, public safety, or intelligence purposes

  • Data processed by judicial authorities in the context of investigation, prosecution, or enforcement proceedings

b. Partially Excluded Situations:
Under certain conditions, Articles 10, 11 (except compensation claims), and 16 of the Law do not apply:

  • If processing is necessary to prevent crime or for criminal investigations

  • If the data subject has made the data public

  • If processing is necessary for the performance of supervisory or regulatory duties of public institutions

  • If processing is required for safeguarding the State’s economic and financial interests

3. Temporal Application of the Law
According to the Provisional Article 1(3), personal data processed before the enactment of the Law must be brought into compliance within two years. Data that does not comply must be deleted, destroyed, or anonymized. Lawful consents obtained before enactment remain valid unless revoked within one year.

4. Personal Application of the Law
The Law applies to real persons whose personal data is processed, and to real or legal persons who process such data. Legal entity data is generally excluded unless it enables the identification of a real person.

D. KEY CONCEPTS IN LAW NO. 6698

1. Explicit Consent
One of the core concepts introduced by the Law is “explicit consent,” defined in Article 3 as “freely given, informed, and specific consent.” According to Article 20 of the Constitution, personal data may be processed only in cases provided by law or with explicit consent.

The Law requires explicit consent for both regular and sensitive personal data:

  • Article 5(1): Personal data cannot be processed without explicit consent

  • Article 6(2): Sensitive personal data cannot be processed without explicit consent

  • Article 8(1): Personal data cannot be transferred without explicit consent

  • Article 9(1): Personal data cannot be transferred abroad without explicit consent

Explicit consent must:

  • Be related to a specific subject

  • Be based on adequate information

  • Be given voluntarily

General declarations such as “I accept the processing of my personal data” are insufficient unless specific details are provided. Secondary purposes such as international data transfers also require separate consent.

2. Anonymization
Anonymization refers to making data unidentifiable even when matched with other data. If the data can still identify an individual, it is not considered anonymized.

Common anonymization techniques include:

  • Masking: e.g., hiding parts of credit card numbers (**** **** 0006)

  • Aggregation: presenting data as collective totals

  • Data Derivation: converting full birthdates into age

  • Data Shuffling: rearranging individual data within a dataset to prevent identification
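
The four techniques listed above, applied to a small dataset, as an added example that is not part of the original page. The records, the function names and the `singled_out` uniqueness check are assumptions constructed for illustration; the check is a simple heuristic for spotting rows that could still identify a person when matched with other data, not a test defined by the Law.

```python
import random
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records (not real data).
RECORDS = [
    {"name": "A. Yilmaz", "card": "4111 1111 1111 0006", "born": date(1990, 5, 17), "city": "Ankara", "spend": 120},
    {"name": "B. Kaya", "card": "5500 0000 0000 0004", "born": date(1985, 11, 2), "city": "Izmir", "spend": 80},
    {"name": "C. Demir", "card": "4000 1234 5678 9010", "born": date(1990, 2, 3), "city": "Ankara", "spend": 200},
]

def mask_card(card, visible=4):
    """Masking: replace every digit except the last `visible` ones with '*'."""
    hidden = sum(ch.isdigit() for ch in card) - visible
    out = []
    for ch in card:
        masked = ch.isdigit() and hidden > 0
        hidden -= masked
        out.append("*" if masked else ch)
    return "".join(out)

def age_on(born, today):
    """Data derivation: keep the age in whole years, drop the birthdate."""
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))

def aggregate_spend(records):
    """Aggregation: one total per city instead of per-person rows."""
    totals = defaultdict(int)
    for r in records:
        totals[r["city"]] += r["spend"]
    return dict(totals)

def shuffle_column(records, field, seed=None):
    """Data shuffling: permute one field across rows; the set of values is unchanged."""
    values = [r[field] for r in records]
    random.Random(seed).shuffle(values)
    return [{**r, field: v} for r, v in zip(records, values)]

def release(records, today):
    """Released view: name dropped, card masked, birthdate replaced by age."""
    return [{"card": mask_card(r["card"]), "age": age_on(r["born"], today), "city": r["city"]}
            for r in records]

def singled_out(view, keys):
    """Rows whose `keys` combination is unique in the view (assumed heuristic)."""
    counts = Counter(tuple(r[k] for k in keys) for r in view)
    return [r for r in view if counts[tuple(r[k] for k in keys)] == 1]
```

Calling `singled_out(release(RECORDS, date(2024, 6, 1)), ("card",))` returns every row, because the last four digits left visible by masking are still unique per person in this sample.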

3. Data Subject (Relevant Person)
The term “data subject” refers to the real person whose personal data is processed. The Law does not apply to legal persons. The intent is to protect privacy and information security as part of fundamental rights.

4. Personal Data
Personal data is defined as any information relating to an identified or identifiable real person. This includes name, identity number, address, photos, voice recordings, fingerprints, and more. The Law does not provide a limited list, allowing the definition to expand as technology evolves.

5. Processing of Personal Data
Processing includes the entire lifecycle of data, from collection to deletion or anonymization. This includes:

  • Collection/recording

  • Storage/organization

  • Use/modification

  • Transfer

  • Dissemination/access

  • Blocking/deletion/anonymization

a. Automated Processing
Though not explicitly defined, automated processing generally refers to data processed by digital devices with minimal human intervention.

b. Manual Processing (as part of a data recording system)
Even if not automated, data processed within a structured recording system is subject to the Law. This includes both physical and digital systems organized by criteria such as name or ID number.

To process data lawfully under the Law, the following must be ensured:

  • Legal basis (consent or exemption)

  • Proper notification (disclosure)

  • Purpose limitation and data minimization

  • Compliance with fundamental principles