Introduction
Data protection rules for call centers and customer support services in Turkey are increasingly important for companies that communicate with customers, users, patients, passengers, subscribers, policyholders, bank clients, e-commerce buyers, hotel guests, telecom users, public service applicants, and platform members through telephone, live chat, email, WhatsApp, social media, ticketing systems, and help desk software.
Call centers process large volumes of personal data every day. A single customer support interaction may involve name, surname, phone number, email address, customer number, Turkish identity number, order details, payment information, delivery address, complaint records, service history, call recordings, voice data, authentication answers, transaction instructions, health information, location data, bank account information, device data, IP address, and sometimes special categories of personal data.
Under Turkish law, these activities are primarily regulated by Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK applies to personal data processed wholly or partly by automated means, or by non-automated means forming part of a data filing system. It imposes obligations on data controllers and data processors, including lawful processing, privacy notices, data security, data subject rights, breach notification, transfer rules, and deletion obligations.
For businesses, call center compliance is not limited to playing a short recorded message at the beginning of a call. A compliant structure requires legal basis analysis, accurate privacy notices, strict access control, call recording governance, retention limits, outsourcing contracts, customer authentication rules, commercial communication consent management, data subject request procedures, vendor security, and cross-border transfer assessment.
Why Call Center Data Is High-Risk
Call centers are high-risk because they combine personal data, voice recordings, authentication processes, complaints, commercial transactions, and customer emotions in one environment. Customers often share sensitive information during support calls because they need quick assistance. They may disclose financial problems, health issues, family circumstances, delivery addresses, travel plans, insurance claims, dispute details, or identity verification answers.
Voice recordings are also personal data when they relate to an identifiable individual. The Turkish Personal Data Protection Authority gives the example that a customer’s voice recording containing an instruction in telephone banking may be accepted as personal data.
Call centers also create operational risk because many employees may access customer records. Outsourced call center providers may process data for multiple clients. Support platforms may store tickets in foreign cloud systems. Supervisors may review calls for quality control. Sales teams may use call records for marketing. If these processes are not governed properly, the company may face complaints, Board investigations, administrative fines, contractual liability, and reputational harm.
Personal Data Commonly Processed in Call Centers
Call centers and customer support units may process many categories of personal data. These commonly include identity data such as name, surname, customer number, identity number, date of birth, and account number. Contact data may include phone number, email address, delivery address, billing address, and communication preferences.
Customer transaction data may include order history, invoice information, subscription details, payment status, refund requests, warranty records, complaint files, support tickets, cargo tracking numbers, booking details, account activity, and service history.
Call center systems also process voice recordings, call date and time, call duration, agent notes, IVR selections, authentication questions, complaint categories, customer satisfaction scores, internal escalation notes, and quality evaluation scores. In digital support services, companies may process chat transcripts, screenshots, attachments, IP addresses, device information, browser data, account logs, and social media messages.
In some sectors, call centers process special categories of personal data. Healthcare call centers may process health data. Insurance call centers may receive medical information. Banks and fintech companies may process financial data and authentication records. Travel and hotel support lines may process passport, travel, and family data. Employee help desks may process HR, health, and disciplinary information. These categories require stricter controls.
Legal Basis for Call Center Processing
Under KVKK, personal data processing must have a legal basis. Explicit consent is only one legal basis. Article 5 also allows processing without explicit consent where processing is expressly provided by law, necessary for contract performance, necessary for compliance with a legal obligation, necessary for establishment, exercise or protection of a right, or necessary for legitimate interests of the controller provided that fundamental rights and freedoms are not harmed.
For call centers, different processing purposes may rely on different legal bases. Processing a customer’s phone number and order details to respond to a delivery complaint may be necessary for contract performance or customer service. Keeping complaint records may be necessary for consumer law obligations or protection of legal rights. Recording calls for proof of customer instructions may be necessary for the establishment or protection of rights. Processing call recordings for quality control may be based on legitimate interests if the process is transparent and proportionate.
However, explicit consent may be required for certain optional activities, such as using call recordings for unrelated marketing analysis, processing special categories of personal data where no other legal ground applies, recording calls beyond what is necessary, or sharing call data with third-party commercial partners for their own purposes.
The key point is that businesses should not rely on one broad consent statement for all call center activities. Each purpose should be matched with the correct legal basis.
Call Recording Under KVKK
Call recording is one of the most important data protection issues for customer support services. Many businesses record calls for quality control, dispute resolution, customer instruction verification, fraud prevention, employee training, complaint management, and legal evidence. Recording may be lawful, but it must comply with KVKK principles.
First, the purpose must be specific. A company should explain whether calls are recorded for quality control, customer request management, transaction proof, security, complaint handling, legal defense, or training.
Second, recording must be proportionate. If a call does not involve a transaction, instruction, complaint, or quality need, constant recording may require stronger justification. If call recording is mandatory in a regulated sector, the company should identify the relevant legal basis.
Third, data subjects must be informed before or at the beginning of the call. The Authority’s guidance on the obligation to inform recognizes that information may be provided through physical or electronic environments such as verbal notice, written notice, voice recording, or call center channels. It also emphasizes that informing and explicit consent must be handled separately if processing relies on explicit consent.
Fourth, call recordings should be retained for a defined period. Keeping all recordings indefinitely is risky. Retention should be based on the purpose, legal obligations, limitation periods, complaint periods, and sector-specific rules.
Privacy Notices in Call Centers
The obligation to inform is regulated under Article 10 of KVKK. At the time personal data is obtained, the data controller must inform data subjects about the identity of the controller, processing purposes, transfer recipients and purposes, collection method and legal basis, and Article 11 rights.
In call center practice, this obligation may be fulfilled through a layered method. The first layer may be an IVR message or short verbal notice at the beginning of the call. The second layer may be a detailed privacy notice on the company website, mobile app, customer portal, email, SMS link, or written document.
A call center privacy notice should explain:
- Who the data controller is.
- Which personal data may be processed during calls.
- Whether calls are recorded.
- Why calls are recorded.
- The legal basis for processing.
- Which departments or vendors may access records.
- Whether data may be shared with public authorities, lawyers, payment providers, cargo companies, banks, insurers, or group companies.
- Whether data may be transferred abroad.
- How long call records are retained.
- How customers may exercise KVKK rights.
The Board’s decision concerning a bank call center is useful in this context. The decision summary records that when the person contacted the bank through the call center, the KVKK disclosure text was presented to the caller; the Board found that the bank had fulfilled its obligation to inform in that respect.
Call Center Authentication and Data Minimization
Many call centers authenticate callers before sharing account information or performing transactions. Authentication may involve identity number, date of birth, customer number, phone number, one-time password, security questions, card information, address confirmation, or voice-based verification.
Authentication is important, but it must be proportionate. Call center agents should not request more information than necessary. For example, asking for a full identity number, full card number, and multiple personal details in every low-risk support call may be excessive. A risk-based authentication model is safer.
Businesses should avoid using easily discoverable personal information as the sole authentication method. They should also avoid asking customers to verbally disclose sensitive information in open environments where others may hear. Where possible, secure authentication methods such as OTP verification, mobile app confirmation, masked data checks, or customer portal login should be used.
Agents should be trained not to read full sensitive data aloud. For example, full card numbers, full identity numbers, passwords, or sensitive health details should not be repeated unnecessarily during recorded calls.
Customer Support Notes and Agent Comments
Call center agents often create internal notes after customer interactions. These notes may include complaint summaries, customer behavior descriptions, escalation reasons, legal risk comments, and service history. These notes are personal data if they relate to an identifiable customer.
Agent notes should be factual, necessary, and professional. Subjective, insulting, discriminatory, or excessive comments may create legal risk. For example, writing “difficult customer” or “aggressive person” without context may be problematic if later disclosed in a data subject access request or dispute. Notes should describe objective facts: “Customer requested cancellation,” “Customer objected to invoice amount,” “Customer stated that delivery was not received.”
Internal notes should also be access-controlled. Not every employee should access all complaint histories or call notes. Role-based access is essential.
Outsourced Call Centers and Data Processing Agreements
Many Turkish companies outsource call center operations to third-party service providers. Outsourcing does not eliminate the data controller’s responsibility. Under KVKK Article 12, if personal data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for taking necessary security measures.
A company using an outsourced call center should sign a strong data processing agreement. The agreement should regulate processing instructions, confidentiality, access authorization, training, call recording rules, data security, sub-processors, breach notification, return or deletion of data, audit rights, cross-border transfers, and liability.
The outsourcing agreement should also prohibit the call center provider from using customer data for its own marketing, analytics, training, or other clients’ purposes unless separately and lawfully authorized.
The data controller should monitor the service provider. This may include audits, security questionnaires, access reviews, training records, incident reports, and quality checks. A controller that sends customer data to a poorly managed call center may face regulatory and commercial consequences.
Access Control and Internal Confidentiality
Call center data should be accessible only to authorized personnel. Agents should access only the records necessary for their assigned duties. Supervisors may access call recordings for quality review, but access should be logged and limited. IT teams should not casually access customer voice recordings or support notes unless technically necessary.
Practical measures include role-based access, unique user accounts, strong passwords, multi-factor authentication for admin panels, call recording access logs, screen masking of sensitive data, data loss prevention tools, export restrictions, and periodic access reviews.
Employees and call center agents should sign confidentiality undertakings. They should be trained not to disclose customer information to unauthorized persons, not to take screenshots or photographs of customer records, not to export lists, not to discuss customer matters publicly, and not to access records out of curiosity.
A Board decision concerning an airline’s call center records noted the controller’s statement that call center records were shared only with competent judicial and administrative authorities requesting them within their duties, and otherwise were accessible only to authorized call center personnel. This reflects the importance of limiting access and sharing.
Data Security Obligations for Call Centers
KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to provide an appropriate level of security, prevent unlawful processing, prevent unlawful access, and ensure protection of personal data.
For call centers and customer support services, technical measures should include secure CRM systems, encrypted storage of call recordings, role-based access, secure authentication, call recording access logs, restricted exports, secure remote access, network security, malware protection, regular patching, data loss prevention, secure backups, and incident monitoring.
Organizational measures should include privacy policies, employee training, confidentiality agreements, clean desk rules, secure disposal of printed notes, customer authentication scripts, call escalation procedures, vendor due diligence, data processing agreements, retention policies, breach response procedures, and periodic audits.
Remote call center work creates additional risks. If agents work from home, the company should ensure secure VPN access, device management, prohibition on local downloads, privacy screens where appropriate, prohibition on personal device recording, secure headset use, and controls against unauthorized persons overhearing calls.
Retention of Call Recordings and Support Tickets
Call recordings and support tickets should not be retained indefinitely. Under KVKK Article 7, personal data must be erased, destroyed, or anonymized when the reasons requiring processing no longer exist, even if the data was originally processed lawfully. The By-Law on Erasure, Destruction or Anonymization sets principles for disposal and applies to data controllers under Article 7.
Retention periods should be determined according to the purpose of the record. A call recorded for customer service quality may require a shorter retention period than a call containing a financial instruction or legal complaint. Records related to disputes, claims, fraud allegations, or regulatory obligations may need longer retention.
A retention policy should separately address call recordings, IVR logs, agent notes, support tickets, chat transcripts, email correspondence, complaint files, customer satisfaction records, training recordings, authentication logs, and exported reports.
When retention periods expire, records should be securely erased, destroyed, or anonymized. Disposal operations should be documented.
Data Subject Rights in Call Center Operations
Customers and users have rights under KVKK Article 11. They may ask whether their personal data is processed, request information, learn processing purposes, know domestic and foreign transfer recipients, request correction, request erasure or destruction under legal conditions, request notification of correction or deletion to third parties, object to adverse automated results, and claim compensation for unlawful processing.
Call centers are often the first point of contact for these requests. A customer may say, “Delete my records,” “Send me my call recording,” “Correct my phone number,” “Stop calling me,” “Where did you get my data?”, “Who did you share my information with?”, or “I withdraw my consent.” These statements may trigger KVKK procedures.
Agents should be trained to recognize data subject requests and escalate them to the relevant team. Businesses should have scripts and workflows for privacy requests. Identity verification is essential before disclosing call recordings or account information. Providing a recording to the wrong person may itself cause a data breach.
When a customer requests access to a call recording, the company should assess whether the recording contains third-party personal data, agent personal data, confidential business information, or security-sensitive information. It may provide a transcript, partial recording, or masked copy where appropriate and legally justified.
Marketing Calls and Commercial Electronic Communications
Call centers are often used for telemarketing, campaign calls, customer acquisition, renewal offers, upselling, cross-selling, and satisfaction surveys. Marketing calls raise both KVKK and commercial electronic communication issues.
A company should distinguish service calls from marketing calls. A service call may concern an existing order, delivery problem, payment issue, appointment, reservation, contract renewal, or complaint. A marketing call promotes products, campaigns, discounts, new services, or offers.
Turkey uses the İleti Yönetim Sistemi (İYS) for managing commercial electronic message permissions and complaint processes. The Ministry of Trade describes İYS as a centralized structure where citizens’ communication approvals are collected and where individuals can view, control, and exercise rejection rights through a single platform.
Therefore, call centers making promotional calls should check consent and rejection records. They should not call individuals who have opted out, unless a legally recognized exception applies. Marketing consent should not be hidden inside customer service terms. It should be recorded and managed separately.
If a customer says during a call that they do not want further promotional calls, the system should update the marketing preference promptly.
Call Centers in Banking, Insurance, Healthcare, and Regulated Sectors
Some sectors require stronger call center controls.
In banking, telephone banking instructions, authentication records, customer financial data, and call recordings may be highly sensitive. Banking call centers should implement strong authentication, strict recording controls, fraud monitoring, and confidentiality. Voice recordings containing instructions may be personal data.
In insurance, call centers may process health data, accident details, policy information, claim files, payment data, and family data. Health data is a special category under KVKK Article 6 and requires stricter legal basis and safeguards.
In healthcare, appointment lines, hospital call centers, medical tourism support desks, and patient complaint units may process health data, diagnosis information, doctor appointments, medical reports, and treatment details. Access should be limited to authorized personnel, and call scripts should avoid unnecessary disclosure of sensitive health information.
In e-commerce, call centers commonly handle orders, refunds, addresses, payment status, complaints, and marketing permissions. Companies should avoid disclosing order details to unauthorized callers and should maintain proper authentication.
Chatbots, AI Assistants, and Digital Customer Support
Customer support is no longer limited to telephone calls. Companies now use chatbots, AI assistants, live chat tools, messaging platforms, social media support, and automated ticketing systems. These systems process personal data just like traditional call centers.
If a chatbot collects personal data, the customer must be informed. If the chatbot uses AI tools hosted abroad, cross-border transfer rules may apply. If customer conversations are used to train AI models, this must be separately assessed for legal basis, transparency, purpose limitation, retention, and customer rights.
Automated systems may also produce outcomes affecting customers, such as complaint classification, priority scoring, account restrictions, or fraud flags. Article 11 gives data subjects the right to object to adverse results arising from analysis exclusively through automated systems.
Companies using AI customer support should provide human escalation channels, especially for complaints, cancellations, financial disputes, healthcare matters, and high-impact decisions.
Cross-Border Transfers in Customer Support Systems
Many call centers and customer support services use foreign SaaS tools, global CRM systems, cloud-based help desk software, AI transcription tools, call recording platforms, analytics systems, and overseas technical support teams. These structures may involve cross-border transfers of personal data.
KVKK Article 9 was amended in 2024. Under the amended regime, personal data may be transferred abroad if one of the processing conditions under Articles 5 or 6 exists and there is an adequacy decision. If no adequacy decision exists, transfers may be possible through appropriate safeguards such as standard contracts, binding corporate rules, or written commitments approved by the Board. Standard contracts must be notified to the Authority within five business days after signature.
Customer support systems should therefore be mapped carefully. A company should know where call recordings are stored, where chat transcripts are hosted, whether foreign support teams access tickets, whether AI transcription providers process recordings abroad, and whether sub-processors are involved.
Privacy notices, vendor contracts, VERBIS records, and standard contracts should be consistent.
Call Recording Sharing With Authorities and Courts
Call center recordings may be requested by courts, prosecutors, administrative authorities, consumer arbitration committees, regulators, law enforcement, or auditors. Sharing may be lawful where requested by legally authorized authorities or necessary for legal proceedings. However, the company should document the request, share only necessary records, and avoid unnecessary disclosure.
The airline call center decision summary is relevant because it records that call center records were shared only with authorized judicial or administrative authorities requesting them within their official duties, except for access by authorized call center personnel.
A company should not casually share call recordings with business partners, media, unrelated departments, or unauthorized individuals. Sharing is a separate processing activity and requires legal basis.
Training and Quality Control
Call centers commonly review recordings for agent training and quality control. This may be legitimate, but it should be disclosed and proportionate. Customers and agents should be informed that calls may be reviewed for quality and training purposes where this is the case.
Training materials should avoid unnecessary use of real customer data. Where possible, recordings used for training should be anonymized or selected carefully. Sensitive calls involving health data, financial distress, children’s data, legal disputes, or highly private information should not be used broadly for training.
Quality evaluation scores concerning call center agents are also employee personal data. Employers should inform agents about quality monitoring, evaluation criteria, retention periods, and access rights.
Practical Compliance Checklist for Call Centers in Turkey
A business operating a call center or customer support service in Turkey should:
- Map all personal data processed through calls, chats, emails, tickets, and CRM systems.
- Identify the legal basis for each processing purpose.
- Prepare a call center privacy notice.
- Provide an IVR or verbal first-layer notice where appropriate.
- Separate privacy notices from explicit consent.
- Define whether and why calls are recorded.
- Limit call recording to necessary purposes.
- Establish customer authentication procedures.
- Avoid excessive collection during calls.
- Restrict agent access to customer records.
- Log access to call recordings.
- Train agents on confidentiality and KVKK.
- Sign DPAs with outsourced call center providers.
- Review call center software and cloud vendors.
- Map cross-border transfers.
- Manage marketing call permissions and opt-outs.
- Define retention periods for recordings and tickets.
- Establish data subject request procedures.
- Prepare breach response procedures.
- Audit call center practices periodically.
Common Mistakes in Call Center KVKK Compliance
One common mistake is playing a vague message such as “calls may be recorded for quality purposes” without providing a full privacy notice. Another is recording all calls indefinitely. A third mistake is failing to separate customer service calls from marketing calls.
A fourth mistake is giving call center agents excessive access to customer databases. A fifth is using outsourced call centers without data processing agreements. A sixth is storing call recordings in foreign cloud systems without Article 9 transfer assessment. A seventh is failing to update opt-out records when customers refuse marketing calls.
Another serious mistake is allowing agents to write subjective or unnecessary comments in CRM notes. Internal comments may later become evidence in a dispute or data subject request.
Companies also sometimes forget that agents’ own data is processed through quality monitoring, call scoring, and performance analytics. Employee privacy notices should address these activities.
Legal Consequences of Non-Compliance
Non-compliance may lead to complaints before the Turkish Personal Data Protection Board, administrative fines, data subject claims, consumer complaints, employment disputes, contractual liability, and reputational harm. KVKK Article 18 provides administrative fine categories for failures such as breach of the obligation to inform, breach of data security obligations, failure to comply with Board decisions, VERBIS-related violations, and failure to notify standard contracts under Article 9/5.
Risk increases where call centers process special categories of data, financial information, children’s data, health data, voice biometrics, or large-scale customer databases. Risk also increases when call recordings are disclosed without authorization, used for unrelated purposes, retained indefinitely, or transferred abroad unlawfully.
Conclusion
Data protection rules for call centers and customer support services in Turkey require a structured, operational, and risk-based compliance approach. Call centers process personal data continuously and at scale. They record voices, authenticate customers, create support histories, handle complaints, receive sensitive information, and often rely on outsourced providers and cloud-based software.
The most important compliance areas are lawful processing, privacy notices, call recording governance, customer authentication, data minimization, access control, confidentiality, outsourced call center contracts, marketing call permissions, retention periods, data subject rights, cross-border transfers, vendor security, and breach response.
KVKK compliance in call centers is not achieved by a single recorded message. A compliant system must connect legal texts with real operations: what agents say, what systems record, who can access data, how long recordings are stored, how vendors are controlled, how opt-outs are honored, and how customers exercise their rights.
For companies operating in Turkey, well-managed call center data protection reduces regulatory risk, improves customer trust, strengthens evidence management, protects employees and customers, and supports professional service quality. In a customer-facing environment, privacy is not separate from service quality; it is one of its essential components.