Data Protection Compliance for Online Marketplaces in Turkey

Introduction

Data protection compliance for online marketplaces in Turkey is one of the most important legal issues in modern e-commerce. Online marketplaces process large volumes of personal data belonging to buyers, sellers, seller representatives, couriers, delivery recipients, customer service users, visitors, employees, advertisers, influencers, payment users, and business partners. A single marketplace transaction may involve identity data, contact details, delivery address, billing information, payment records, order history, product preferences, search behavior, reviews, complaints, return requests, cargo tracking data, IP addresses, device identifiers, cookies, marketing preferences, fraud alerts, and customer support records.

Turkey’s main personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK applies to natural persons whose personal data is processed and to natural or legal persons processing such data wholly or partly by automated means or by non-automated means forming part of a data filing system. The law defines personal data broadly as any information relating to an identified or identifiable natural person, and it defines data controller and data processor roles according to who determines the purposes and means of processing.

Online marketplaces are also regulated under Turkish e-commerce legislation. The Ministry of Trade explains that Law No. 6563 on the Regulation of Electronic Commerce entered into force on May 1, 2015, and that the 2022 amendments and secondary regulations were introduced to address competition, multi-actor marketplace structures, and healthy growth in e-commerce. The official ETBİS legislation page also lists the Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers, Law No. 6563 itself, and other e-commerce regulations as part of the relevant framework.

For marketplace operators, KVKK compliance is not merely a website privacy policy. It is a full operational governance system covering account registration, seller onboarding, buyer transactions, payment flows, delivery, customer support, reviews, dispute resolution, cookies, mobile apps, marketing, fraud prevention, data retention, vendor contracts, data subject rights, and cross-border transfers.

What Is an Online Marketplace Under Turkish E-Commerce Practice?

An online marketplace is a digital platform that enables third-party sellers to offer goods or services to buyers through an electronic commerce environment. In Turkish e-commerce terminology, an “intermediary service provider” is defined in the commercial electronic communications regulation as a real or legal person providing an electronic commerce environment for others’ economic and commercial activities. The same regulation defines electronic commerce as all online economic and commercial activity conducted electronically without physical face-to-face interaction.

In practice, online marketplaces may include multi-seller retail platforms, food delivery platforms, travel booking platforms, accommodation marketplaces, service marketplaces, second-hand goods platforms, ticketing platforms, digital product platforms, freelance marketplaces, fashion platforms, electronics marketplaces, and B2B procurement platforms.

From a data protection perspective, the marketplace structure is complex because several parties may process personal data in the same transaction. The marketplace operator processes buyer and seller data to run the platform. The seller processes buyer data to fulfill the order. Payment providers process payment data. Cargo companies process delivery data. Call centers process support data. Advertising vendors process tracking data. Cloud providers and software tools process platform data. Therefore, a marketplace must map all data flows clearly rather than treating the transaction as a single simple sale.

Data Controller and Data Processor Roles in Marketplaces

The first question in marketplace data protection compliance is role classification. Under KVKK, the data controller is the person or entity that determines the purposes and means of processing personal data, while the data processor processes personal data on behalf of the controller upon authorization.

A marketplace operator will usually act as a data controller for buyer accounts, seller accounts, order management, platform security, customer support, fraud prevention, marketing, website analytics, mobile app operation, payment orchestration, marketplace policies, dispute resolution, and legal compliance. The operator decides what data is collected, why it is collected, how the platform functions, how long records are retained, and which vendors are used.

Sellers may also act as independent data controllers for the buyer data they receive to fulfill orders, issue invoices, manage returns, provide warranty support, and respond to customer questions. However, whether a seller is an independent controller or acts under certain marketplace instructions depends on the actual business structure. A marketplace may also act as a processor for certain seller-controlled activities, but in most consumer-facing marketplace models the operator has significant independent purposes and therefore acts as a controller for many core platform operations.

This role analysis should be reflected in marketplace terms, seller agreements, privacy notices, data processing agreements where appropriate, and internal data inventories. The marketplace should not assume that it is only a neutral technical intermediary. If it determines data flows, marketing tools, customer account structure, anti-fraud rules, support procedures, and platform analytics, it likely has controller responsibilities under KVKK.

Personal Data Processed by Online Marketplaces

Online marketplaces process many categories of personal data. Buyer data may include name, surname, phone number, email address, delivery address, billing address, account password, order history, product preferences, wish lists, reviews, return requests, complaint history, customer support records, payment status, invoice details, and marketing preferences.

Seller data may include seller representative identity information, trade name, tax number, MERSİS number, address, bank account details, contact persons, authorized signatories, seller performance metrics, seller support tickets, store ratings, sanctions, product compliance records, and marketplace agreement records. If the seller is an individual or sole proprietor, many seller records may also be personal data.

Digital data may include IP address, device ID, cookie ID, mobile advertising ID, login logs, fraud signals, clickstream records, search history, browsing behavior, abandoned cart data, location data, app permissions, push notification tokens, and security alerts.

Customer support data may include call recordings, chat transcripts, email correspondence, screenshots, complaint files, refund documents, cargo disputes, and dispute resolution records. In certain marketplace categories, special categories of personal data may also appear. For example, a health products marketplace may process health-related information, a pharmacy-like service may process medication-related data, and a second-hand platform may process identity verification data.

Core KVKK Principles for Marketplace Processing

KVKK Article 4 requires personal data to be processed lawfully and fairly, accurately and up to date where necessary, for specified, explicit and legitimate purposes, in a relevant, limited and proportionate manner, and only for the period laid down by law or required for the processing purpose.

For online marketplaces, these principles have practical consequences. The marketplace should not collect excessive registration data if an email and phone number are enough at the first stage. It should not retain abandoned cart data indefinitely. It should not use order history for unrelated profiling without proper transparency and legal basis. It should not share full buyer profiles with sellers if sellers need only delivery and invoicing details. It should not store identity documents for seller verification longer than necessary.

The principle of purpose limitation is especially important. Buyer data collected for order delivery should not automatically be used for unrelated advertising, third-party data sharing, or profiling. Seller representative data collected for contract execution should not be used for unrelated marketing unless a separate legal basis exists. Complaint data collected for dispute resolution should not be used broadly for product recommendation algorithms unless this purpose is legally assessed and disclosed.

Legal Bases for Marketplace Data Processing

Not every marketplace processing activity requires explicit consent. Under KVKK Article 5, personal data may be processed without explicit consent where processing is expressly provided by law, necessary for contract performance, necessary for compliance with a legal obligation, necessary for the establishment, exercise or protection of a right, or necessary for legitimate interests of the controller, provided that fundamental rights and freedoms are not harmed.

For example, processing buyer identity, contact, order, and delivery data may be necessary for performance of the marketplace transaction. Processing invoice and accounting records may be necessary for legal obligations. Processing complaint and return records may be necessary for consumer law compliance and protection of rights. Processing fraud signals may be based on legitimate interests or protection of rights, depending on the system.

However, explicit consent may be required for optional activities, such as behavioral advertising, certain cookies and SDKs, location-based marketing, sharing customer data with third-party commercial partners, optional profiling, and certain special category data processing. Explicit consent must be freely given, specific, and informed, which is how KVKK defines the term.

A compliant marketplace should therefore prepare a processing matrix matching each data category and purpose with a legal basis. A single broad consent clause cannot lawfully cover all buyer, seller, marketing, fraud, delivery, and analytics activities.

Privacy Notices for Online Marketplaces

Under Article 10 of KVKK, data controllers must inform data subjects at the time personal data is obtained about the identity of the controller, processing purposes, transfer recipients and purposes, collection method and legal basis, and rights under Article 11. The Communiqué on the Obligation to Inform also states that informing must be fulfilled regardless of whether processing is based on explicit consent or another legal basis, that explicit consent and informing must be performed separately, and that notices must use clear, plain, and intelligible language.

An online marketplace should have separate or clearly layered privacy notices for different data subject groups. Buyer notices should explain account creation, orders, delivery, payment, invoices, returns, reviews, customer support, fraud prevention, marketing, cookies, app permissions, data transfers, and retention. Seller notices should explain seller onboarding, store management, payment settlement, product compliance, seller performance monitoring, seller support, dispute procedures, and legal obligations. Visitor notices should explain cookies, analytics, advertising, browsing data, and website security.

A marketplace should also ensure that privacy notices match real operations. If the marketplace uses foreign cloud services, third-party analytics, advertising pixels, payment providers, cargo integrations, call centers, and seller dashboards, these should be reflected in the notice. A generic e-commerce privacy policy copied from another business will usually be insufficient.

Buyer Data Sharing With Sellers

One of the most sensitive marketplace issues is sharing buyer data with sellers. A marketplace may need to share certain buyer data with sellers so that sellers can prepare, ship, invoice, deliver, return, or provide support for the order. However, data sharing must be limited to what is necessary.

A seller usually needs the buyer’s name, delivery address, order details, and contact information required for delivery or support. But the seller may not need the buyer’s full account history, platform search behavior, marketing preferences, wish lists, unrelated purchases, or complaint history with other sellers.

Marketplace agreements should restrict sellers from using buyer data for purposes outside order fulfillment, invoicing, returns, warranty, and legal compliance. Sellers should be prohibited from adding buyers to their own marketing lists unless they have a valid legal basis and required consent. The marketplace should also prevent sellers from exporting excessive customer data or using buyer data to bypass marketplace rules.

Seller Data and Marketplace Governance

Seller data is equally important. Marketplaces collect seller information for onboarding, verification, payment settlement, product compliance, fraud prevention, taxation, sanctions screening, performance monitoring, dispute resolution, and marketplace policy enforcement. Where the seller is a natural person or sole proprietor, this data is directly personal data. Where the seller is a company, data relating to its representatives, employees, owners, or authorized signatories may still be personal data.

Seller dashboards should be secure. Access should be role-based. Seller employees should not share login credentials. Marketplace operators should implement multi-factor authentication for seller accounts, especially where bank account details, invoices, customer orders, and settlement data are available.

The marketplace should also define retention periods for rejected seller applications, suspended seller files, product compliance records, payment settlement records, and legal dispute files. Keeping all seller documents indefinitely without legal reason may breach KVKK storage limitation principles.

Payment Data and Financial Information

Online marketplaces process payment-related data through payment service providers, card processors, digital wallets, banks, installment systems, refund tools, and payment reconciliation systems. Payment data may include transaction amount, payment status, payment method, refund status, card token, masked card number, bank information, invoice information, and payment failure logs.

Marketplaces should minimize direct storage of sensitive payment details. Full card data should not be stored unless legally and technically justified under payment security standards and sector rules. Using licensed payment providers, tokenization, secure payment pages, and strong authentication can reduce risk.

The marketplace should also clarify the roles of payment providers. A payment institution may act as an independent data controller for certain regulated payment processing activities, while it may act as a service provider for certain technical activities. Contracts and privacy notices should reflect the actual structure.

Logistics, Delivery, and Cargo Data

Delivery is one of the main reasons why marketplaces share personal data with third parties. Cargo companies, courier platforms, warehouse operators, fulfillment providers, delivery tracking systems, and return logistics vendors may process buyer names, addresses, phone numbers, order numbers, delivery instructions, recipient names, and tracking data.

The marketplace should share only necessary data with logistics providers. Delivery instructions should not include excessive or sensitive information unless needed. For example, “leave at door” may be necessary, but detailed personal notes may create privacy risk.

Cargo tracking systems should also be secure. Public tracking links should not expose full customer addresses or phone numbers without authentication. Return labels should not reveal unnecessary personal data. Delivery records should be retained only for necessary contractual, consumer, accounting, and legal claim periods.
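The two minimization rules above (share with sellers only what fulfilment needs; do not expose full recipient details on an unauthenticated tracking link) are easiest to enforce as code at the point where data leaves the platform. The following is an added example written for this article, not code from the page or from any marketplace; the field names, the seller allowlist, the masking rules and the sample order are constructed assumptions. It shows an allowlist projection for the seller view (new schema fields are dropped by default, so excess sharing cannot creep in) and a masked view for the public tracking page.

```python
"""Field-level minimization of a marketplace order record.

Added example, not code from the original article. Field names, the
allowlist and the sample order are constructed for illustration; a real
platform's schema and seller needs will differ.
"""
from typing import Any, Dict

# Allowlist: what a seller needs to ship, invoice, return and support the order.
SELLER_ALLOWED_FIELDS = frozenset({
    "order_id", "items", "buyer_name", "delivery_address", "phone",
    "invoice_details", "delivery_instructions",
})

# Constructed sample record: everything the marketplace holds about this order.
SAMPLE_ORDER: Dict[str, Any] = {
    "order_id": "ORD-0001",
    "items": [{"sku": "SKU-1", "qty": 2}],
    "buyer_name": "Ayşe Yılmaz",
    "delivery_address": "Örnek Mah. 12. Sk. No:5 D:3, Kadıköy, İstanbul",
    "phone": "+905551234567",
    "invoice_details": {"type": "individual"},
    "delivery_instructions": "leave at door",
    # Platform-internal data the seller has no need for:
    "account_email": "ayse@example.com",
    "search_history": ["running shoes", "rain jacket"],
    "wish_list": ["SKU-9"],
    "marketing_preferences": {"email": True},
    "complaints_other_sellers": [{"seller_id": "S-7", "status": "closed"}],
    "fraud_score": 0.12,
}


def seller_view(order: Dict[str, Any]) -> Dict[str, Any]:
    """Project the order onto the allowlist. Fields added to the schema later
    are dropped until someone deliberately adds them to the allowlist."""
    return {k: v for k, v in order.items() if k in SELLER_ALLOWED_FIELDS}


def mask_phone(phone: str) -> str:
    """Keep the country code and last two digits, e.g. +905551234567 -> +90********67."""
    if len(phone) <= 5:
        return "*" * len(phone)
    return phone[:3] + "*" * (len(phone) - 5) + phone[-2:]


def mask_address(address: str) -> str:
    """Keep only the district and city (the last two comma-separated parts)."""
    parts = [p.strip() for p in address.split(",")]
    return ", ".join(parts[-2:]) if len(parts) >= 2 else "***"


def public_tracking_view(order: Dict[str, Any], status: str,
                         authenticated: bool = False) -> Dict[str, str]:
    """Data for a tracking page. Only an authenticated buyer sees the full
    recipient details; the unauthenticated link gets masked values."""
    if authenticated:
        return {"status": status, "recipient": order["buyer_name"],
                "address": order["delivery_address"], "phone": order["phone"]}
    first, *rest = order["buyer_name"].split()
    short_name = first + (f" {rest[-1][0]}." if rest else "")
    return {"status": status, "recipient": short_name,
            "address": mask_address(order["delivery_address"]),
            "phone": mask_phone(order["phone"])}
```

The allowlist (rather than a blocklist of fields to strip) is the point: when a new attribute such as a loyalty tier or a risk flag is added to the order model, the seller export stays unchanged until the sharing decision is made and documented.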

Customer Support, Complaints, and Dispute Resolution

Marketplaces receive large volumes of customer support requests through call centers, live chat, email, social media, ticketing systems, and in-app messaging. These records may contain order information, complaints, photos, identity verification details, payment issues, delivery disputes, product defects, and sometimes sensitive personal information.

Support teams should access only data necessary to resolve the request. Agents should avoid writing subjective or excessive notes. Call recordings and chat transcripts should have defined retention periods. If customer support is outsourced, a data processing agreement should regulate confidentiality, access, security, breach notification, and deletion obligations.

Complaint and dispute files may be retained longer where necessary to protect rights, respond to consumer arbitration committees, defend legal claims, or investigate fraud. However, once the legal need ends, files should be erased, destroyed, or anonymized under KVKK principles. The By-Law on Erasure, Destruction or Anonymization requires disposal when all processing conditions no longer exist and sets rules for notifying third parties where relevant data has been transferred.

Reviews, Ratings, and User-Generated Content

Reviews and ratings are central to marketplace trust, but they also involve personal data. A review may include a buyer username, product experience, photos, location, health-related information, family details, or complaint history. Seller responses may also include personal data if not moderated properly.

Marketplaces should design review systems to minimize privacy risks. Users should be warned not to include phone numbers, addresses, identity numbers, health data, or third-party personal data in reviews. The platform should moderate reviews that disclose excessive personal data. Review display names should be designed carefully so that buyers are not unnecessarily identifiable.

Where reviews are used for analytics, seller scoring, product ranking, fraud detection, or advertising, those purposes should be included in the privacy notice. If automated systems use reviews to produce negative results for sellers or buyers, fairness and objection mechanisms should be considered.

Cookies, Pixels, SDKs, and Behavioral Advertising

Online marketplaces often rely heavily on cookies, pixels, SDKs, device IDs, advertising IDs, customer match tools, retargeting platforms, analytics services, recommendation engines, and A/B testing tools. These technologies may process personal data when they identify or track users.

The Turkish Personal Data Protection Authority’s cookie guidance distinguishes strictly necessary cookies from advertising and marketing cookies. Strictly necessary cookies are used for core website operation and services explicitly requested by the user, such as login, forms, or privacy preference storage, and should not be used for marketing purposes. Advertising and marketing cookies are used to track users’ online movements to identify personal interests and show ads based on those interests.

For marketplaces, this means shopping cart cookies, authentication cookies, fraud prevention cookies, and privacy preference cookies may be treated differently from retargeting pixels, social media advertising cookies, behavioral analytics, and third-party ad cookies. Non-essential advertising cookies generally require a separate consent assessment, and they should not be activated by default if explicit consent is required.

A marketplace should maintain a cookie inventory, identify first-party and third-party cookies, provide a cookie notice, offer equal reject and accept options where consent is required, and update the cookie panel when new marketing tags are added.
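The inventory, the strictly-necessary versus advertising distinction, and the rule that non-essential cookies are not activated by default can be expressed as a single gate that every cookie or tag passes through before it is set. The block below is an added example for this article, not code from the page or from any consent management product; the cookie names, the category labels and the shape of the consent record are constructed assumptions.

```python
"""Consent-gated activation of marketplace cookies and tags.

Added example, not code from the article or from any consent tool. The
cookie inventory, category names and consent record shape are constructed.
"""
from typing import Dict, List, Optional, Tuple

STRICTLY_NECESSARY = "strictly_necessary"
ADVERTISING = "advertising"
ANALYTICS = "analytics"   # assumed further non-essential category

# Constructed inventory: every cookie or tag the platform may set, with its category.
COOKIE_INVENTORY: Dict[str, str] = {
    "session_id":         STRICTLY_NECESSARY,   # login
    "cart":               STRICTLY_NECESSARY,   # shopping cart
    "csrf_token":         STRICTLY_NECESSARY,   # form protection
    "consent_prefs":      STRICTLY_NECESSARY,   # stores the user's own choice
    "fraud_device_check": STRICTLY_NECESSARY,   # platform security
    "retarget_pixel":     ADVERTISING,
    "social_ads":         ADVERTISING,
    "ab_test_bucket":     ANALYTICS,
}


def permitted_cookies(consent: Optional[Dict[str, List[str]]],
                      requested: List[str]) -> Tuple[List[str], List[str]]:
    """Split requested cookies into (allowed, blocked).

    Strictly necessary cookies are always allowed. Anything else is allowed
    only if the stored consent record explicitly grants its category; no
    record at all (first visit) or a rejection means blocked, so nothing
    non-essential fires by default. Names missing from the inventory are
    blocked too: a new marketing tag must be inventoried and added to the
    cookie panel before it can run.
    """
    granted = set(consent.get("granted", [])) if consent else set()
    allowed, blocked = [], []
    for name in requested:
        category = COOKIE_INVENTORY.get(name)
        if category == STRICTLY_NECESSARY or (category is not None and category in granted):
            allowed.append(name)
        else:
            blocked.append(name)
    return allowed, blocked


def uninventoried(requested: List[str]) -> List[str]:
    """Tags in use that nobody has classified: a release-blocking finding."""
    return [n for n in requested if n not in COOKIE_INVENTORY]
```

Running `uninventoried()` against the tags actually emitted by a staging build is a cheap regression check for the "update the panel when new marketing tags are added" requirement.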

Marketing Communications and İYS

Marketplaces often send promotional emails, SMS messages, push notifications, seller campaign messages, abandoned cart reminders, discount offers, loyalty campaigns, and product recommendations. These activities are not automatically lawful because a user has created an account or placed an order.

The commercial electronic communications regulation defines electronic commerce, electronic communication tools, service providers, intermediary service providers, and related terms, and it requires service providers and intermediary service providers to take necessary measures to preserve data obtained through their services and prevent unlawful access and processing. It also states that prior approval is required for personal data to be shared with third parties, processed, or used for other purposes under that regulation, subject to other legislation.

Marketplaces should separate transactional messages from marketing messages. An order confirmation, delivery update, return status, payment receipt, or security alert is different from a promotional discount campaign. Marketing permissions should be managed through compliant consent records and, where applicable, the İleti Yönetim Sistemi (İYS) framework. Cookie consent, KVKK explicit consent, and commercial electronic message consent should not be treated as the same approval.

Fraud Prevention, Account Security, and Marketplace Integrity

Online marketplaces need fraud prevention systems to detect fake accounts, payment fraud, seller manipulation, review fraud, return abuse, stolen cards, counterfeit product schemes, bot activity, and account takeovers. These systems may process device IDs, IP addresses, login logs, order patterns, payment signals, delivery discrepancies, dispute history, seller performance, and behavioral indicators.

Fraud prevention can be a legitimate processing purpose, but it must be proportionate. Automated risk scoring should not be opaque or unfair. If a marketplace suspends a seller, blocks a buyer, cancels an account, or rejects a transaction based solely on automated analysis, Article 11 may become relevant because data subjects have the right to object to results against them arising from analysis exclusively through automated systems.

The marketplace should implement human review for serious consequences, keep risk models accurate, avoid discriminatory outcomes, and provide appeal channels for account restrictions. Fraud data should be retained only as long as necessary for security, legal claims, and compliance.
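One way to build the human-review requirement into a scoring pipeline is to let automation apply only reversible friction and to route any serious outcome to a reviewer queue, while keeping the contributing factors with the decision so it can be documented and objected to later. The code below is an added illustration for this article, not the page's own logic and not any vendor's fraud engine; the signal names, weights, thresholds and appeal route are constructed assumptions.

```python
"""Gate automated risk outcomes so serious consequences get human review.

Added example, not from the article and not any vendor's fraud engine.
Signal names, weights, thresholds and the appeal route are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, documented integer weights so that every score is explainable.
SIGNAL_WEIGHTS = {
    "new_device": 20,
    "ip_country_mismatch": 30,
    "velocity_spike": 30,
    "chargeback_history": 40,
}
STEP_UP_THRESHOLD = 50     # reversible friction may be applied automatically
SERIOUS_THRESHOLD = 80     # proposed suspension: never applied automatically
SERIOUS_ACTIONS = {"suspend_account"}


@dataclass
class Decision:
    subject_id: str
    score: int
    factors: List[str]            # signals that contributed, kept for documentation and objections
    proposed_action: str          # what the model suggests
    applied_action: str           # what the system actually does right now
    requires_human_review: bool
    appeal_channel: str = "account-review-form"   # placeholder route name
    reviewer: Optional[str] = None
    review_note: str = ""


def score_signals(signals: Dict[str, bool]) -> Tuple[int, List[str]]:
    """Additive, capped score plus the list of signals that drove it."""
    factors = [name for name, present in signals.items()
               if present and name in SIGNAL_WEIGHTS]
    return min(100, sum(SIGNAL_WEIGHTS[f] for f in factors)), factors


def decide(subject_id: str, signals: Dict[str, bool]) -> Decision:
    score, factors = score_signals(signals)
    if score >= SERIOUS_THRESHOLD:
        proposed = "suspend_account"
    elif score >= STEP_UP_THRESHOLD:
        proposed = "step_up_verification"
    else:
        proposed = "allow"
    if proposed in SERIOUS_ACTIONS:
        # Serious outcome on automated analysis alone: hold it for a person.
        return Decision(subject_id, score, factors, proposed, "hold_for_review", True)
    return Decision(subject_id, score, factors, proposed, proposed, False)


def apply_review(decision: Decision, reviewer_id: str, uphold: bool, note: str) -> Decision:
    """Record the reviewer's outcome; only now may a serious action take effect."""
    if not decision.requires_human_review:
        raise ValueError("decision did not require human review")
    decision.applied_action = decision.proposed_action if uphold else "allow"
    decision.requires_human_review = False
    decision.reviewer = reviewer_id
    decision.review_note = note
    return decision
```

Keeping `factors` and `review_note` on the record is what later lets the marketplace answer a data subject who objects to the outcome, and it is the documentation that the common-mistakes section of this article notes is often missing.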

Children’s Data and Age-Sensitive Marketplace Categories

Some marketplaces sell products or services used by children, such as toys, games, digital content, education materials, children’s clothing, or family services. Others may allow users under eighteen to browse, create wish lists, leave reviews, or interact with sellers. Children’s data requires heightened care even where KVKK does not contain a separate children’s data chapter.

Marketplaces should avoid behavioral advertising to children, unnecessary profiling, and public display of children’s personal data. Reviews or photos uploaded by parents may also include children’s images. Platforms should moderate such content carefully and provide removal mechanisms.

If the platform offers products involving health, education, or minors, it should consider age-appropriate notices, parental involvement, and stronger default privacy settings.

Cross-Border Transfers

Online marketplaces frequently use foreign cloud infrastructure, global analytics tools, customer support platforms, advertising vendors, fraud detection tools, payment systems, recommendation engines, CRM platforms, and AI services. These arrangements may involve transfers of personal data abroad or access from abroad.

KVKK Article 9 was amended by Law No. 7499, and the Turkish Authority announced English translations of the By-Law on transfers abroad and standard contract texts in August 2024. The amended framework includes adequacy decisions and appropriate safeguards such as standard contracts, binding corporate rules, and approved written commitments. Under Article 9, standard contracts must be notified to the Authority within five business days after signature.

For marketplaces, this means that foreign SaaS tools are not merely technical choices. The marketplace must identify data categories, recipient countries, vendor roles, sub-processors, onward transfers, and Article 9 mechanisms. Advertising pixels, cloud customer support, mobile analytics, recommendation engines, and fraud systems should all be included in the transfer map.

Data Security Obligations

KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to provide an appropriate level of security, prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. If processing is carried out by another person on behalf of the controller, the controller is jointly responsible with that person for security measures.

For online marketplaces, technical measures should include encryption, secure authentication, multi-factor authentication for seller and administrator accounts, secure APIs, role-based access, logging, fraud monitoring, secure payment integrations, database segregation, vulnerability management, patching, secure backups, DDoS protection, and incident response tools.

Organizational measures should include privacy policies, seller data rules, employee confidentiality undertakings, access authorization procedures, vendor due diligence, data processing agreements, training, breach response procedures, retention schedules, and periodic audits.

Admin panels are a major risk area. Marketplace employees should not freely access buyer messages, order histories, payment data, seller bank accounts, or complaint records unless needed. Privileged access should be logged and reviewed.

Data Breach Notification

Marketplaces are attractive targets for cyberattacks because they hold large buyer and seller databases. Breaches may involve hacked accounts, leaked customer lists, exposed delivery addresses, stolen seller bank information, compromised admin panels, ransomware, malicious insiders, exposed cloud storage, or third-party vendor incidents.

KVKK Article 12 requires the controller to notify the data subject and the Board within the shortest time if processed data is obtained by others unlawfully. A marketplace should therefore maintain an incident response plan defining detection, containment, forensic review, notification assessment, customer communication, vendor coordination, legal review, and remediation.

Seller accounts should receive special attention. If a seller account is compromised, buyer data may be exposed even if the central marketplace database is not breached. Multi-factor authentication, suspicious login alerts, seller access logs, and API key controls are essential.

Retention and Deletion

Marketplaces store many types of data: buyer accounts, seller accounts, orders, invoices, delivery records, reviews, complaints, support tickets, call recordings, fraud logs, seller compliance files, marketing permissions, cookie consent logs, and analytics records. Not all of these should be retained for the same period.

KVKK requires data to be stored only for the period laid down by legislation or required for the processing purpose. The Data Controllers’ Registry By-Law states that a personal data processing inventory includes purposes, legal basis, data category, recipient group, maximum storage period, foreign transfers, and data security measures; it also provides that maximum storage periods in the Registry are a basis for erasure, destruction, and anonymization obligations.

A marketplace should define retention periods for each data category. Order and invoice records may need longer legal retention. Customer support tickets may be retained for complaint and limitation periods. Fraud logs may be retained for security and legal claims. Marketing audiences, abandoned cart data, browsing behavior, and old analytics exports should generally have shorter retention periods. Deleted accounts should be handled through a clear process that distinguishes legal retention from active account use.
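The retention logic described above (a period per category, legal holds, account-use data that ends with the account, notification of third parties that received copies) is the kind of rule set that is safest to run as a scheduled job rather than by hand. The block below is an added example for this article, not code from the page or from any product; every retention period, the category names and the sample records are constructed placeholders standing in for the marketplace's own legally assessed schedule.

```python
"""Apply a retention schedule to marketplace records.

Added example, not from the article. The retention periods, disposal
methods and sample records are constructed placeholders; a real schedule
comes from the marketplace's own legal analysis and inventory.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed schedule: category -> (maximum storage period, disposal method).
RETENTION_SCHEDULE: Dict[str, Tuple[timedelta, str]] = {
    "invoice":            (timedelta(days=10 * 365), "delete"),    # placeholder legal period
    "support_ticket":     (timedelta(days=3 * 365),  "delete"),
    "fraud_log":          (timedelta(days=2 * 365),  "delete"),
    "abandoned_cart":     (timedelta(days=30),       "delete"),
    "browsing_event":     (timedelta(days=90),       "anonymize"),
    "marketing_audience": (timedelta(days=180),      "delete"),
}

# Categories that exist only to serve an active account; they go as soon as
# the account is deleted, whatever period is left.
ACCOUNT_USE_ONLY = {"abandoned_cart", "browsing_event", "marketing_audience"}


@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date
    account_deleted: bool = False
    legal_hold: bool = False                              # open dispute, claim or investigation
    recipients: List[str] = field(default_factory=list)  # third parties this data was sent to


def disposal_decision(rec: Record, today: date) -> Tuple[str, List[str]]:
    """Return (action, recipients_to_notify) for one record.

    action is "keep", "review", "delete" or "anonymize". Recipients are
    returned whenever data is disposed of, so third parties holding copies
    can be told to do the same.
    """
    if rec.category not in RETENTION_SCHEDULE:
        return "review", []        # no defined period: flag it, never keep it silently
    if rec.legal_hold:
        return "keep", []
    period, method = RETENTION_SCHEDULE[rec.category]
    if rec.account_deleted and rec.category in ACCOUNT_USE_ONLY:
        return method, list(rec.recipients)
    if today - rec.last_activity > period:
        return method, list(rec.recipients)
    return "keep", []


def run_schedule(records: List[Record], today: date) -> Dict[str, Tuple[str, List[str]]]:
    return {r.record_id: disposal_decision(r, today) for r in records}


# Constructed sample data.
SAMPLE_RECORDS = [
    Record("inv-1", "invoice", date(2016, 1, 1), account_deleted=True),
    Record("cart-1", "abandoned_cart", date(2025, 1, 1), account_deleted=True),
    Record("view-1", "browsing_event", date(2024, 9, 1), recipients=["analytics-vendor"]),
    Record("tkt-1", "support_ticket", date(2020, 1, 1), legal_hold=True),
    Record("exp-1", "old_analytics_export", date(2019, 6, 1)),
]
TODAY = date(2025, 1, 15)
```

The sample shows the distinction the paragraph calls for: the deleted account's invoice is kept because its (placeholder) legal period has not run, while the same account's abandoned cart is deleted at once, and an export with no category in the schedule is flagged for review instead of being kept by default.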

VERBIS and Data Inventory

Online marketplaces often process personal data at large scale, so they should carefully assess VERBIS registration obligations. The Data Controllers’ Registry By-Law applies to natural and legal persons who determine the purposes and means of processing and are responsible for the data filing system, and it requires controllers under registration obligation to prepare a personal data processing inventory.

A marketplace inventory should include buyer data, seller data, employee data, visitor data, cookies, payment data, logistics data, customer support records, marketing data, fraud data, reviews, mobile app data, and vendor transfers. VERBIS records, privacy notices, retention policies, cookie notices, seller agreements, and transfer documentation should be consistent.

Practical KVKK Compliance Checklist for Online Marketplaces

An online marketplace operating in Turkey should:

  1. Map all buyer, seller, visitor, employee, courier, and vendor data flows.
  2. Identify controller and processor roles for marketplace, sellers, payment providers, logistics providers, and vendors.
  3. Prepare separate privacy notices for buyers, sellers, visitors, and employees.
  4. Match each processing purpose with a KVKK legal basis.
  5. Limit buyer data shared with sellers to what is necessary.
  6. Prohibit sellers from using buyer data for unauthorized marketing.
  7. Secure seller dashboards and admin panels.
  8. Review payment data flows and avoid unnecessary storage of sensitive payment data.
  9. Sign data processing agreements with vendors where appropriate.
  10. Prepare cookie and tracking technology inventories.
  11. Obtain consent for non-essential advertising cookies where required.
  12. Separate transactional messages from marketing communications.
  13. Manage commercial electronic message permissions properly.
  14. Implement fraud prevention with human review for serious automated outcomes.
  15. Map cross-border transfers and apply Article 9 safeguards.
  16. Define retention periods for all data categories.
  17. Establish buyer and seller rights request procedures.
  18. Prepare data breach response workflows.
  19. Assess VERBIS registration and inventory duties.
  20. Audit marketplace data practices periodically.

Common Mistakes in Marketplace Data Protection

One common mistake is treating the marketplace as merely a neutral intermediary and ignoring its controller role. Another is sharing excessive buyer data with sellers. A third is allowing sellers to use buyer data for independent marketing without proper consent.

Other common mistakes include activating advertising cookies before consent, using foreign analytics and advertising vendors without cross-border transfer analysis, retaining abandoned cart and browsing data indefinitely, failing to secure seller accounts, and storing payment data unnecessarily.

Marketplaces also sometimes fail to provide clear privacy notices for sellers. Seller representatives, store employees, and individual sellers are data subjects too. Another frequent error is failing to document fraud scoring, account suspensions, and automated risk decisions.

Conclusion

Data protection compliance for online marketplaces in Turkey requires a comprehensive and operational approach. Marketplaces process personal data at every stage of the platform lifecycle: browsing, registration, seller onboarding, product listing, search, advertising, order placement, payment, delivery, returns, reviews, customer support, dispute resolution, fraud prevention, and marketing.

The legal framework combines KVKK with Turkish e-commerce legislation. KVKK establishes core principles, legal bases, privacy notices, data subject rights, security obligations, retention rules, breach notification, and cross-border transfer requirements. Turkish e-commerce rules define marketplace-related actors and impose data preservation and security responsibilities on service providers and intermediary service providers in the electronic commerce environment.

For marketplace operators, the strongest compliance model is one that integrates privacy into platform architecture. Buyer data should be minimized. Seller access should be controlled. Payments should be secure. Logistics data should be limited. Cookies should be consent-based where required. Marketing permissions should be separated from service messages. Fraud systems should be fair and reviewable. Cross-border transfers should be mapped and documented. Retention should be purpose-based. Data subject requests should be handled efficiently.

A marketplace that protects personal data properly reduces regulatory risk, strengthens buyer and seller trust, improves cybersecurity readiness, supports investor and partner due diligence, and creates a more sustainable e-commerce business in Turkey.
