info@gunaydinhukuk.org
Babacan Port Royal Residence B Block Flat:26 Kucukcekmece / Istanbul

Follow Us:
 
E-PAYMENT

Administrative LawInformation Technology LawWhat are my rights under the Protection of Personal Data (KVKK)?

In the digital age, our personal data (identity information, contact information, health data, financial information, etc.) are continuously collected, processed and stored by companies, public institutions and other organisations. This situation brings along serious risks such as misuse of personal data, sharing with unauthorised persons or exposure to cyber-attacks. In Turkey, the main law regulating the processing of personal data in order to protect the fundamental rights and freedoms of individuals is the Law No. 6698 on the Protection of Personal Data (KVKK), which entered into force on 7 April 2016. This law gives individuals the right to have control over their personal data and imposes significant obligations on data processing organisations (data controllers).

Legal Framework: Purpose and Basic Concepts of KVKK

The main purpose of the KVKK is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations of real and legal persons who process such data and the procedures and principles to be followed.

  • Personal Data: Any information relating to an identified or identifiable natural person (name, surname, Turkish ID number, telephone, e-mail, IP address, photograph, etc.).
  • Special Categories of Personal Data: Data on race, ethnic origin, political opinion, philosophical belief, religion, sect, clothing, association/foundation/union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. These data are under stricter protection.
  • Data Controller: The natural or legal person (e.g. a company, a hospital, an e-commerce site) who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
  • Data Subject: The natural person whose personal data is processed (i.e. us).

Rights of the Data Subject (Individuals) under the LPPD

Article 11 of the LPPD clearly enumerates the rights of everyone whose personal data is processed. Everyone can exercise the following rights related to him/her by applying to the data controller:

  1. Right to Information:
    • To learn whether his/her personal data is processed or not.
    • To request information if his/her personal data has been processed.
    • To learn the purpose of processing personal data and whether they are used in accordance with their purpose.
  2. Right to Information on Data Transfer:
    • To know the third parties to whom personal data are transferred domestically or abroad.
  3. Right to Request Correction, Deletion or Destruction of Data:
    • To request correction of personal data in case of incomplete or incorrect processing.
    • To request the deletion or destruction of personal data in the event that the reasons requiring its processing disappear, although it has been processed in accordance with the provisions of KVKK and other relevant laws.
    • To request notification of such correction, deletion or destruction to third parties to whom the data are transferred.
  4. Right of Objection:
    • To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems.
  5. The right to claim compensation for damages:
    • In case of damage due to unlawful processing of personal data, to demand compensation for the damage.

Obligations of the Data Controller

The LPPD also imposes important obligations on data controllers:

  • Obligation to Inform: While collecting personal data, the data controller is obliged to inform the data subject about the identity of the data controller, the purpose for which the data will be processed, to whom and for what purpose the data may be transferred, the method and legal reason for data collection, and the rights of the data subject.
  • Obligation to Obtain Explicit Consent: As a rule, personal data cannot be processed without the explicit consent of the data subject. However, explicit consent is not required in exceptional cases listed in the law, such as being clearly stipulated in the law, being directly related to the establishment or performance of a contract.
  • Obligation to Ensure Data Security: The data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing, access and retention of personal data.
  • Obligation to Notify the Personal Data Protection Authority: Data controllers are obliged to register with the Data Controllers Registry Information System (VERBIS) and to report information about their data processing activities.

Exercise of Rights and Application Process

A person who wishes to exercise his/her rights under the LPPD must first apply to the relevant data controller in writing or by other methods determined by the Personal Data Protection Board. The data controller must finalise this request free of charge within 30 days at the latest.

If the data controller rejects the request, finds the response inadequate or does not respond in due time, the data subject may file a complaint with the Personal Data Protection Board within 30 days from the date of learning the response of the data controller and in any case within 60 days from the date of application . The Board conducts the necessary investigation upon the complaint and may give instructions to the data controller or impose an administrative fine.

Law No. 6698 on the Protection of Personal Data (KVKK) provides individuals with important rights and control mechanisms over their personal data. Rights such as obtaining information, requesting correction or deletion of data, questioning data transfer and requesting compensation for damages are the most important tools to ensure the security of our personal data. Data processing organisations have serious obligations such as informing, obtaining explicit consent and ensuring data security. Individuals who believe that their personal data has been violated should first apply to the data controller, and if they cannot get results, they should file a complaint with the Personal Data Protection Board. In this process, getting support from an IT or KVKK law lawyer will ensure the effective protection of rights.

previous
Material and Moral Compensation After Traffic Accident
next
How to file a lawsuit for cancellation of administrative action?
https://gunaydinhukuk.org/wp-content/uploads/2022/05/ghb-1.png
Babacan Port Royal Rezidans Kartaltepe Mah. 1. Malazgirt Cad. No:6/2 B Blok Daire:26 Küçükçekmece / İstanbul
0212 951 05 15
info@gunaydinhukuk.org

Takip Edin:

SAYFALAR

FAYDALI LINKLER

YASAL UYARI

Bu web sitesinde yer alan içerikler Avukat & Müvekkil ilişkisi oluşturmaya yönelik değildir ve bir davet veya reklam olarak dikkate alınmamalıdır. Web sitesinde bulunan tüm içeriklerin telif hakkı Av. Cemal Vehbi GÜNAYDIN’a aittir. Web sitesindeki içeriklerin izinsiz bir şekilde kopyalanarak veya kısaltılarak başka web sitelerinde yayınlanmasının tespiti halinde hukuki ve cezai işlem uygulanacaktır.

© 2025 Günaydın Hukuk Bürosu – Tüm Hakları Saklıdır.