CCTV and Camera Recording Rules Under KVKK in Turkey
yazarı lawyerfbc
açık Nisan 30, 2026

Introduction

CCTV and camera recording rules under KVKK in Turkey are a critical compliance issue for businesses, employers, residential buildings, schools, hospitals, hotels, retail stores, factories, warehouses, offices, restaurants, banks, private clinics, shopping centers, logistics facilities, and public-facing service providers. Camera systems are widely used for security, workplace safety, theft prevention, access control, incident investigation, evidence preservation, visitor management, and protection of property. However, video surveillance is not legally neutral. A camera records identifiable individuals, and therefore camera footage generally constitutes personal data under Turkish Personal Data Protection Law.

Turkey’s main data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK applies to personal data processed wholly or partly by automated means, or by non-automated means forming part of a data filing system. Camera recordings usually fall within KVKK because they capture the image, movement, behavior, and presence of identifiable persons in a recorded environment. Under KVKK, the data controller must process such data lawfully, fairly, transparently, proportionately, securely, and only for a legitimate purpose.

The key legal point is that CCTV may be lawful, but only when it is properly designed and operated. A business may install cameras to protect employees, customers, visitors, and assets. An employer may use cameras to ensure workplace security. A residential building may use cameras at entrances and common areas. A school may use cameras for student safety. Yet camera monitoring becomes risky when it is hidden, excessive, installed in private areas, used for purposes beyond security, retained indefinitely, combined with audio recording without necessity, shared with unauthorized third parties, or implemented without a proper KVKK privacy notice.

Is Camera Recording Personal Data Under KVKK?

Camera footage is personal data when it relates to an identified or identifiable natural person. If a camera records a person’s face, body, clothing, movement, workplace behavior, entrance-exit time, vehicle, or other identifying characteristics, the footage can be linked to that person. Therefore, it is personal data under KVKK.

The same applies to CCTV images of employees, customers, visitors, students, patients, residents, delivery personnel, contractors, and passers-by. Even if the camera system is installed for security rather than identification, the recorded footage may still identify individuals. Therefore, the controller must comply with KVKK principles, including lawful basis, purpose limitation, proportionality, transparency, retention limitation, and data security.

Camera recording can also become more sensitive depending on the location and context. Footage from a hospital, clinic, school, workplace, religious facility, residential building, or employee rest area may reveal sensitive aspects of a person’s life. Camera systems in such environments require stricter risk assessment.

Legal Basis for CCTV Processing

Under KVKK, personal data processing requires either explicit consent or another legal basis under the law. For CCTV, explicit consent is usually not the most practical or appropriate basis, especially in public-facing or workplace environments where obtaining valid consent from every visitor, customer, employee, or passer-by may be unrealistic. Instead, CCTV processing is often based on legitimate interests, legal obligations, occupational safety, property security, prevention of unlawful acts, or establishment and protection of legal rights.

However, legitimate interest is not a blanket justification. The controller must balance its security interest against the fundamental rights and freedoms of data subjects. Camera monitoring should be necessary for a specific purpose and should not be excessive. If the same purpose can be achieved through less intrusive means, the controller should prefer those alternatives.

For example, a camera placed at a shop entrance to prevent theft and protect customers may be easier to justify than a camera constantly recording employees at their desks for general productivity control. A camera in a warehouse entrance may be proportionate, while a camera in a restroom, changing room, private prayer area, or medical examination room would be extremely difficult to justify.

Core KVKK Principles for CCTV Systems

CCTV systems must comply with Article 4 principles under KVKK. Personal data must be processed lawfully and fairly, accurately where necessary, for specified, explicit, and legitimate purposes, in a relevant, limited, and proportionate way, and only for the period required by law or by the processing purpose.

For camera systems, these principles mean the following:

First, the purpose must be clear. “Security” is a legitimate purpose, but the controller should specify whether the purpose is workplace safety, theft prevention, visitor security, facility security, incident investigation, or access control.

Second, the camera angle must be limited. Cameras should focus only on areas necessary for the stated purpose. A shop camera should not record neighboring private residences. A workplace camera should not capture private areas. A residential building camera should not record inside a neighbor’s flat.

Third, the retention period must be limited. Footage should not be kept indefinitely. The controller should define a short and reasonable retention period unless an incident, legal dispute, criminal complaint, insurance claim, or internal investigation requires longer preservation.

Fourth, access must be restricted. CCTV footage should be accessible only to authorized personnel, such as security managers, legal departments, HR in specific cases, or senior management where necessary. Ordinary employees should not freely access camera footage.

Fifth, data subjects must be informed. A camera system should not operate in a hidden or deceptive way except in very exceptional and legally sensitive situations.

Obligation to Inform: Camera Privacy Notices and Warning Signs

The obligation to inform is one of the most important requirements for CCTV compliance. KVKK requires the data controller to inform data subjects about the controller’s identity, processing purpose, transfer recipients and purposes, collection method and legal basis, and Article 11 rights. The Turkish Personal Data Protection Authority’s guidance on the obligation to inform lists these elements as the core content of disclosure.

In CCTV practice, this usually requires a layered notice system. The first layer is a visible warning sign placed at entrances and monitored areas. The sign should clearly state that camera recording is being conducted, identify the data controller, and refer to where the full privacy notice can be accessed. The second layer is a detailed CCTV privacy notice, available physically, digitally, on a website, through a QR code, at reception, or in employee documentation.

A compliant CCTV privacy notice should explain who the data controller is, why cameras are used, which areas are monitored, the legal basis of recording, who may receive footage, whether footage may be transferred to public authorities or service providers, how long recordings are retained, how footage is secured, and how data subjects may exercise their KVKK rights.

A warning sign saying only “This area is monitored by cameras” may be useful as a first-layer notice, but it is not always enough by itself. Data subjects should be able to access the full disclosure text easily.

CCTV in Workplaces

Workplace CCTV is common in Turkey, especially in factories, stores, warehouses, offices, hotels, restaurants, banks, hospitals, schools, and logistics centers. Employers may have legitimate reasons to use cameras: preventing theft, protecting employees, monitoring workplace safety, investigating workplace accidents, preventing violence, securing production areas, or protecting confidential materials.

However, employees have privacy rights. Camera systems should not be used as a general tool for constant pressure, excessive performance monitoring, or measuring every movement of employees. Workplace cameras should be installed only in areas where there is a real security or operational need.

The Turkish Personal Data Protection Board’s 2022/797 decision summary concerned workplace security cameras and facial recognition systems used for employee entry-exit. The complaint alleged, among other things, that cameras were placed in washroom areas to measure time spent in toilets and that facial recognition was disproportionate where alternatives existed. The decision is important because it shows that the Board examines workplace surveillance through transparency, proportionality, purpose limitation, and the availability of less intrusive alternatives.

Employers should therefore adopt a written CCTV policy. Employees should be informed before surveillance begins. Camera locations should be justified. Private areas must be excluded. Footage should be retained only for a defined period. Access should be limited. Use of footage in disciplinary proceedings should remain connected to the disclosed purpose and lawful basis.

Cameras in Private Areas: Restrooms, Changing Rooms, Prayer Rooms, and Medical Rooms

Camera recording in areas where people have a high expectation of privacy is one of the highest-risk practices. Restrooms, changing rooms, locker rooms, prayer rooms, breastfeeding rooms, medical examination rooms, sleeping rooms, and similar private areas should not be recorded by CCTV except in extremely exceptional circumstances, and even then only if there is a clear legal basis, strict necessity, and no less intrusive alternative.

In ordinary business practice, cameras in such areas should be avoided. Even cameras near these areas should be angled carefully so that they do not capture private activity. A camera placed in a corridor may be lawful if it records only the corridor, but it becomes risky if it captures inside restroom doors, changing areas, or medical rooms.

From a KVKK perspective, the issue is not only whether footage is watched. The act of recording itself is personal data processing. Therefore, a controller cannot defend an excessive camera placement merely by saying that no one reviewed the footage.

Audio Recording Through Security Cameras

Audio recording is far more intrusive than ordinary video recording. A standard CCTV system records images, but a camera with audio capability may record conversations, confidential information, private speech, business secrets, medical information, employee discussions, customer complaints, or privileged communications.

The Board has addressed the use of security cameras with audio recording capability in Decision No. 2020/212. The decision summary concerns a security camera system with sound recording features, showing that the Authority treats audio-enabled surveillance as a distinct and serious compliance issue.

Audio recording should not be used as a default security measure. In most ordinary workplaces, shops, offices, schools, and public-facing areas, video-only recording is usually sufficient for security purposes. If audio recording is considered, the controller should conduct a strict necessity and proportionality analysis, identify a clear legal basis, inform data subjects specifically, restrict access, define short retention periods, and assess possible criminal law risks relating to recording conversations.

In many cases, disabling audio recording is the safer and more proportionate solution.

Camera Recording in Schools and Educational Institutions

Schools and education institutions often use cameras to protect students, staff, and visitors. Cameras may be installed at entrances, corridors, playgrounds, school gardens, and common areas. However, schools process children’s personal data, and children require heightened protection. Therefore, CCTV in educational institutions should be designed carefully.

The Board’s 2023/1461 decision summary concerned image and audio recording by a camera in an educational institution. The complaint involved allegations that image and voice recordings were taken without explicit consent and referred to possible criminal law concerns.

Schools should avoid audio recording unless there is an exceptional and legally defensible reason. Cameras should not be placed in classrooms for continuous teacher or student surveillance unless a specific necessity exists and legal safeguards are implemented. Areas such as toilets, changing rooms, dormitory rooms, counseling rooms, and medical rooms must not be recorded.

Parents, students, employees, and visitors should be informed through layered notices. The school’s CCTV policy should define camera locations, purposes, access rules, retention periods, and procedures for sharing footage with public authorities.

Camera Recording in Residential Buildings and Apartments

CCTV in residential buildings is legally sensitive because cameras may record residents, visitors, neighbors, children, delivery personnel, domestic workers, and private living patterns. Cameras at building entrances, parking areas, elevators, and common spaces may be lawful for security if proportionate and transparent. However, cameras should not record inside private apartments, balconies, windows, neighboring homes, or areas beyond the security purpose.

The Board’s 2020/187 decision summary concerned a complaint about cameras placed by a neighbor inside a residential building, including cameras showing outside areas, the apartment entrance, and between floors. The complaint alleged unlawful recording, interference with peace, and violation of privacy.

Residential building managers, site administrations, and apartment boards should adopt a formal decision and written CCTV policy. The policy should define the purpose, camera locations, access rights, retention period, and procedure for responding to footage requests. Residents should be informed. Footage should not be accessible to all residents through shared screens or mobile apps unless strictly necessary and legally justified.

CCTV in Retail Stores, Currency Exchange Offices, and Public-Facing Businesses

Retail stores, jewelry shops, currency exchange offices, banks, markets, hotels, restaurants, and similar businesses often use CCTV for security and incident investigation. Such use may be legitimate, especially where there is risk of theft, fraud, violence, or disputes. However, businesses must still provide visible notice, limit recording to necessary areas, secure footage, and avoid unnecessary sharing.

The Board’s 2022/1249 decision summary concerned images recorded by security cameras at a currency exchange office and later shared with news agencies. The decision summary records the controller’s argument that visible warning signs were placed in areas easily seen by everyone and that camera monitoring was carried out for security purposes in accordance with the law. This decision highlights two important points: visible notification matters, and sharing footage outside the original security purpose may require separate legal assessment.

A business may record footage for security, but that does not automatically mean it may share the footage with media, social media accounts, business partners, or unrelated third parties. Sharing CCTV footage is a separate processing activity and must have a lawful basis.

Sharing CCTV Footage With Police, Courts, Prosecutors, or Public Authorities

CCTV footage may be requested by law enforcement, prosecutors, courts, administrative authorities, insurance companies, or lawyers. Sharing footage with authorized public authorities may be lawful where required by law or necessary for legal proceedings. However, the controller should document the request and transfer.

A company should not share footage casually or informally. Requests should preferably be written or properly recorded. The controller should share only the relevant footage and avoid disclosing unrelated individuals if possible. If the footage includes employees, customers, children, patients, or sensitive environments, the controller should be especially careful.

Where footage is needed for legal claims, incident investigation, disciplinary proceedings, or insurance disputes, the controller may retain relevant footage longer than the routine retention period, but this should be documented as a legal hold.

Sharing CCTV Footage With Media or on Social Media

Publishing or sharing CCTV footage with media outlets, social media platforms, or the public is high-risk. Even if the original recording was lawful for security, public disclosure is a new and more intrusive processing activity. It may expose the identity, behavior, private situation, or reputation of individuals.

Businesses should not publish CCTV footage to shame customers, employees, thieves, debtors, or disruptive visitors. Even where an unlawful act occurred, publication may violate personal data protection and personality rights. The correct route is usually to provide footage to authorized law enforcement or courts, not to publish it online.

Before sharing footage with any third party, the controller must assess the legal basis, necessity, proportionality, purpose compatibility, and possible harm to data subjects.

CCTV Retention Periods

Retention is one of the most important practical issues in camera recording compliance. KVKK does not set one universal CCTV retention period for every business. The correct period depends on the purpose, location, risk level, legal obligations, and technical structure. However, footage should be kept only as long as necessary.

The By-Law on Erasure, Destruction or Anonymization of Personal Data requires disposal when processing conditions no longer exist. It defines disposal as erasure, destruction, or anonymization; requires disposal operations to comply with KVKK principles and security measures; and requires records of disposal operations to be stored for at least three years unless other legal obligations apply.

For many ordinary business environments, a short retention period such as several days or a few weeks may be sufficient unless an incident occurs. Longer retention may be justified for high-risk facilities, financial institutions, production facilities, regulated environments, or locations with specific legal or security needs. The controller should define the retention period in its CCTV privacy notice and internal policy.

Footage related to a specific incident may be preserved separately until the investigation, legal claim, insurance process, disciplinary procedure, or court process is completed.

Data Security Obligations for CCTV Footage

CCTV footage must be protected against unauthorized access, copying, disclosure, alteration, deletion, or misuse. KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to provide an appropriate level of security, prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. If processing is carried out by another person on behalf of the controller, the controller remains jointly responsible with that person for security measures.

Practical CCTV security measures include strong passwords, restricted administrator access, role-based authorization, encryption where appropriate, secure network configuration, physical protection of recording devices, access logs, secure export procedures, automatic deletion according to retention periods, vendor confidentiality obligations, and periodic review of camera access.

CCTV systems should not use default passwords. Footage should not be stored on unsecured devices. Camera feeds should not be accessible through public links. Mobile access should be limited and protected by strong authentication. Exported footage should be encrypted or otherwise securely transferred.

CCTV Vendors and Data Processing Agreements

Many organizations outsource CCTV installation, maintenance, monitoring, storage, cloud hosting, alarm integration, or remote access to third-party security companies or IT vendors. If a vendor accesses or processes footage on behalf of the controller, it may be a data processor under KVKK.

The controller should sign a data processing agreement or include strong data protection clauses in the service contract. The contract should regulate confidentiality, access limitation, security measures, sub-processors, breach notification, deletion, return of footage, remote access, and liability.

The controller should also verify whether the vendor stores footage on foreign cloud servers or allows foreign technical support access. If so, cross-border transfer rules may apply.

Cloud-Based CCTV and Cross-Border Transfers

Cloud CCTV systems are increasingly common. They may store footage on remote servers, allow mobile access, provide AI-based analytics, or use foreign infrastructure. These systems can create cross-border transfer issues.

KVKK Article 9 was amended in 2024. Under the amended regime, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision. If no adequacy decision exists, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Authority within five business days after signature.

Organizations using cloud camera systems should identify where footage is stored, whether support teams abroad may access footage, whether backups are kept abroad, which vendors and sub-processors are involved, and what transfer mechanism applies.

AI Video Analytics and Facial Recognition

Modern camera systems may include AI features such as facial recognition, object detection, heat mapping, people counting, behavioral analytics, license plate recognition, emotion detection, or anomaly detection. These features increase privacy risk.

Facial recognition may process biometric data, which is a special category of personal data under KVKK. Biometric processing requires stricter legal basis and proportionality analysis. The Board’s 2022/797 decision concerning workplace facial recognition is important because it shows that biometric entry-exit tracking may be considered disproportionate if less intrusive alternatives exist.

People counting or heat mapping may be lower risk if properly anonymized and not linked to identifiable persons. However, if the system stores images, tracks individuals, identifies movement patterns, or links data to other records, KVKK applies more strongly.

Before adopting AI camera analytics, businesses should conduct a privacy impact assessment, update privacy notices, check vendor contracts, define retention periods, and assess whether the system is truly necessary.

CCTV and Data Subject Rights

Individuals recorded by CCTV have rights under KVKK Article 11. They may ask whether their personal data is processed, request information, learn the purpose of processing, know third parties to whom data is transferred domestically or abroad, request correction where applicable, request erasure or destruction under legal conditions, object to certain automated results, and claim compensation for unlawful processing.

In practice, a person may request access to footage showing them. The controller must evaluate such requests carefully because CCTV footage may also show other individuals. Providing full footage may violate third-party privacy. The controller may need to blur other individuals, provide a limited extract, allow controlled viewing, or reject the request with legal reasoning if disclosure would harm the rights of others.

Organizations should have an internal procedure for CCTV access requests. Security staff, HR, reception, and legal departments should know how to handle requests without casually sharing footage.

CCTV and VERBIS

Data controllers required to register with VERBIS should ensure that CCTV processing is reflected in their data inventory and registry entries where applicable. The By-Law on the Data Controllers Registry applies to natural and legal persons who determine the purposes and means of personal data processing and are responsible for establishing and managing the data filing system.

If camera recording is a regular processing activity, the data controller’s inventory should include visual and audio data categories where applicable, data subject groups such as employees, visitors, customers or students, processing purposes, legal basis, retention period, recipients, foreign transfer status, and security measures.

Privacy notices, VERBIS entries, retention policies, and actual CCTV practices should be consistent.

Practical CCTV Compliance Checklist Under KVKK

A business or institution using CCTV in Turkey should follow these steps:

  1. Define the specific purpose of camera recording.
  2. Identify the data controller.
  3. Determine the legal basis for recording.
  4. Conduct a necessity and proportionality assessment.
  5. Avoid recording private areas.
  6. Limit camera angles to necessary areas.
  7. Avoid audio recording unless strictly necessary.
  8. Prepare visible warning signs.
  9. Prepare a detailed CCTV privacy notice.
  10. Inform employees separately in workplace settings.
  11. Define a limited retention period.
  12. Restrict access to authorized personnel.
  13. Protect footage with technical security measures.
  14. Keep access and export logs where possible.
  15. Sign data processing agreements with CCTV vendors.
  16. Assess cloud storage and foreign access.
  17. Establish a procedure for data subject requests.
  18. Document sharing with public authorities.
  19. Delete, destroy, or anonymize footage when no longer needed.
  20. Review the system periodically.

Common Mistakes in CCTV Compliance

One common mistake is placing cameras without any warning signs or privacy notice. Another is using cameras for general employee pressure rather than a specific security purpose. A third mistake is placing cameras in private or semi-private areas.

A fourth mistake is enabling audio recording by default. A fifth mistake is retaining footage indefinitely. A sixth mistake is allowing too many employees to access footage. A seventh mistake is sharing footage through WhatsApp, email, media outlets, or social media without legal basis.

Other common mistakes include using cloud CCTV without cross-border transfer analysis, failing to reflect CCTV processing in data inventories, using facial recognition without biometric data compliance, and failing to respond properly to footage access requests.

Legal Consequences of Unlawful Camera Recording

Unlawful camera recording may lead to complaints before the Turkish Personal Data Protection Authority, administrative fines, orders to stop processing, deletion or destruction orders, employee claims, civil compensation claims, criminal complaints in serious cases, and reputational harm.

The legal risk increases where cameras record private areas, children, patients, employees, audio conversations, biometric data, or residential spaces. It also increases where footage is shared publicly or used for purposes unrelated to the original security reason.

A controller that can show a proper privacy notice, legitimate purpose, proportional camera placement, restricted access, defined retention period, secure storage, and documented sharing procedure will be in a stronger legal position than a controller operating cameras informally.

Conclusion

CCTV and camera recording rules under KVKK in Turkey require a careful balance between security needs and privacy rights. Camera systems may be lawful when they are used for legitimate purposes such as workplace safety, property protection, theft prevention, access control, or incident investigation. However, legality depends on transparency, necessity, proportionality, limited retention, data security, and respect for data subject rights.

The most important compliance steps are to define the purpose, place cameras only where necessary, avoid private areas, provide visible warning signs, prepare a detailed privacy notice, restrict access, set retention periods, secure footage, control vendor access, and avoid unnecessary sharing. Audio recording and facial recognition require additional caution because they are more intrusive and may involve higher legal risk.

Board decisions concerning workplace cameras, audio-enabled cameras, educational institutions, residential buildings, and sharing of security footage demonstrate that the Authority evaluates CCTV through the lens of KVKK principles, transparency, proportionality, and purpose limitation. Businesses and institutions should therefore treat camera systems not as simple security equipment but as regulated personal data processing systems.

A compliant CCTV framework protects both the organization and the individuals being recorded. It helps prevent security incidents while reducing regulatory risk, employee disputes, customer complaints, and reputational damage. In Turkey, responsible camera recording is not only a security practice; it is a personal data protection obligation.

Categories:

Genel

Yanıt yok

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

Our Client

We provide a wide range of Turkish legal services to businesses and individuals throughout the world. Our services include comprehensive, updated legal information, professional legal consultation and representation

Our Team

.Our team includes business and trial lawyers experienced in a wide range of legal services across a broad spectrum of industries.

Why Choose Us

We will hold your hand. We will make every effort to ensure that you understand and are comfortable with each step of the legal process.

Open chat
1
Hello Can İ Help you?
Hello
Can i help you?
Call Now Button